Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(529)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

Issue 8566056: This applies GUIDs to certificate and key nicknames when (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: minor fixes Created 9 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/base/x509_certificate_nss.cc ('K') | « net/base/x509_certificate_nss.cc ('k') | net/third_party/mozilla_security_manager/nsPKCS12Blob.h » ('j') | net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* ***** BEGIN LICENSE BLOCK ***** 1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 * 3 *
4 * The contents of this file are subject to the Mozilla Public License Version 4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with 5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at 6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/ 7 * http://www.mozilla.org/MPL/
8 * 8 *
9 * Software distributed under the License is distributed on an "AS IS" basis, 9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after
73 // Mozilla just returns here, but we continue in case there are other certs 73 // Mozilla just returns here, but we continue in case there are other certs
74 // in the list which aren't already imported. 74 // in the list which aren't already imported.
75 // TODO(mattm): should we set/add trust if it differs from the present 75 // TODO(mattm): should we set/add trust if it differs from the present
76 // settings? 76 // settings?
77 not_imported->push_back(net::CertDatabase::ImportCertFailure( 77 not_imported->push_back(net::CertDatabase::ImportCertFailure(
78 root, net::ERR_IMPORT_CERT_ALREADY_EXISTS)); 78 root, net::ERR_IMPORT_CERT_ALREADY_EXISTS));
79 } else { 79 } else {
80 // Mozilla uses CERT_AddTempCertToPerm, however it is privately exported, 80 // Mozilla uses CERT_AddTempCertToPerm, however it is privately exported,
81 // and it doesn't take the slot as an argument either. Instead, we use 81 // and it doesn't take the slot as an argument either. Instead, we use
82 // PK11_ImportCert and CERT_ChangeCertTrust. 82 // PK11_ImportCert and CERT_ChangeCertTrust.
83 char* nickname = CERT_MakeCANickname(root->os_cert_handle());
84 if (!nickname)
85 return false;
86 SECStatus srv = PK11_ImportCert(slot.get(), root->os_cert_handle(), 83 SECStatus srv = PK11_ImportCert(slot.get(), root->os_cert_handle(),
87 CK_INVALID_HANDLE, 84 CK_INVALID_HANDLE,
88 nickname, 85 root->GetLabel().c_str(),
89 PR_FALSE /* includeTrust (unused) */); 86 PR_FALSE /* includeTrust (unused) */);
90 PORT_Free(nickname);
91 if (srv != SECSuccess) { 87 if (srv != SECSuccess) {
92 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); 88 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
93 return false; 89 return false;
94 } 90 }
95 if (!SetCertTrust(root, net::CA_CERT, trustBits)) 91 if (!SetCertTrust(root, net::CA_CERT, trustBits))
96 return false; 92 return false;
97 } 93 }
98 94
99 PRTime now = PR_Now(); 95 PRTime now = PR_Now();
100 // Import additional delivered certificates that can be verified. 96 // Import additional delivered certificates that can be verified.
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
132 // error value). (maybe make MapSecurityError or MapCertErrorToCertStatus 128 // error value). (maybe make MapSecurityError or MapCertErrorToCertStatus
133 // public.) 129 // public.)
134 not_imported->push_back(net::CertDatabase::ImportCertFailure( 130 not_imported->push_back(net::CertDatabase::ImportCertFailure(
135 cert, net::ERR_FAILED)); 131 cert, net::ERR_FAILED));
136 VLOG(1) << "skipping cert (verify) " << PORT_GetError(); 132 VLOG(1) << "skipping cert (verify) " << PORT_GetError();
137 continue; 133 continue;
138 } 134 }
139 135
140 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use 136 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
141 // PK11_ImportCert instead. 137 // PK11_ImportCert instead.
142 char* nickname = CERT_MakeCANickname(cert->os_cert_handle());
143 if (!nickname)
144 return false;
145 SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(), 138 SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
146 CK_INVALID_HANDLE, 139 CK_INVALID_HANDLE,
147 nickname, 140 cert->GetLabel().c_str(),
148 PR_FALSE /* includeTrust (unused) */); 141 PR_FALSE /* includeTrust (unused) */);
149 PORT_Free(nickname);
150 if (srv != SECSuccess) { 142 if (srv != SECSuccess) {
151 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); 143 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
152 // TODO(mattm): Should we bail or continue on error here? Mozilla doesn't 144 // TODO(mattm): Should we bail or continue on error here? Mozilla doesn't
153 // check error code at all. 145 // check error code at all.
154 not_imported->push_back(net::CertDatabase::ImportCertFailure( 146 not_imported->push_back(net::CertDatabase::ImportCertFailure(
155 cert, net::ERR_IMPORT_CA_CERT_FAILED)); 147 cert, net::ERR_IMPORT_CA_CERT_FAILED));
156 } 148 }
157 } 149 }
158 150
159 // Any errors importing individual certs will be in listed in |not_imported|. 151 // Any errors importing individual certs will be in listed in |not_imported|.
160 return true; 152 return true;
161 } 153 }
162 154
163 // Based on nsNSSCertificateDB::ImportServerCertificate. 155 // Based on nsNSSCertificateDB::ImportServerCertificate.
164 bool ImportServerCert(const net::CertificateList& certificates, 156 bool ImportServerCert(const net::CertificateList& certificates,
165 net::CertDatabase::ImportCertFailureList* not_imported) { 157 net::CertDatabase::ImportCertFailureList* not_imported) {
166 crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot()); 158 crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
167 if (!slot.get()) { 159 if (!slot.get()) {
168 LOG(ERROR) << "Couldn't get internal key slot!"; 160 LOG(ERROR) << "Couldn't get internal key slot!";
169 return false; 161 return false;
170 } 162 }
171 163
172 for (size_t i = 0; i < certificates.size(); ++i) { 164 for (size_t i = 0; i < certificates.size(); ++i) {
173 const scoped_refptr<net::X509Certificate>& cert = certificates[i]; 165 const scoped_refptr<net::X509Certificate>& cert = certificates[i];
174 166
175 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use 167 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
176 // PK11_ImportCert instead. 168 // PK11_ImportCert instead.
177 SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(), 169 SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
178 CK_INVALID_HANDLE, 170 CK_INVALID_HANDLE,
179 cert->subject().GetDisplayName().c_str(), 171 cert->GetLabel().c_str(),
180 PR_FALSE /* includeTrust (unused) */); 172 PR_FALSE /* includeTrust (unused) */);
181 if (srv != SECSuccess) { 173 if (srv != SECSuccess) {
182 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); 174 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
183 not_imported->push_back(net::CertDatabase::ImportCertFailure( 175 not_imported->push_back(net::CertDatabase::ImportCertFailure(
184 cert, net::ERR_IMPORT_SERVER_CERT_FAILED)); 176 cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
185 continue; 177 continue;
186 } 178 }
187 } 179 }
188 180
189 // Set as valid peer, but without any extra trust. 181 // Set as valid peer, but without any extra trust.
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after
224 } else { 216 } else {
225 // ignore user and email/unknown certs 217 // ignore user and email/unknown certs
226 return true; 218 return true;
227 } 219 }
228 if (srv != SECSuccess) 220 if (srv != SECSuccess)
229 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError(); 221 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
230 return srv == SECSuccess; 222 return srv == SECSuccess;
231 } 223 }
232 224
233 } // namespace mozilla_security_manager 225 } // namespace mozilla_security_manager
OLDNEW
« net/base/x509_certificate_nss.cc ('K') | « net/base/x509_certificate_nss.cc ('k') | net/third_party/mozilla_security_manager/nsPKCS12Blob.h » ('j') | net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698