This applies GUIDs to certificate and key nicknames when

net/base/x509_certificate_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
+#include <keyhi.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prtime.h>
 #include <secder.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include "base/logging.h"
@@ skipping 659 matching lines @@
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
   ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
 
   serial_number_ = std::string(
       reinterpret_cast<char*>(cert_handle_->serialNumber.data),
       cert_handle_->serialNumber.len);
 }
 
 // static
+X509Certificate* X509Certificate::CreateFromBytesWithNickname(
+    const char* data,
+    int length,
+    const char* nickname) {
+  OSCertHandle cert_handle = CreateOSCertHandleFromBytesWithNickname(data,
+                                                                     length,
+                                                                     nickname);
+  if (!cert_handle)
+    return NULL;
+
+  X509Certificate* cert = CreateFromHandle(cert_handle, OSCertHandles());
+  FreeOSCertHandle(cert_handle);
+
+  if (nickname)
+    cert->default_nickname_ = nickname;

[wtc, 2011/12/10 00:58:43]

IMPORTANT: the default_nickname_ may not be necessary.

Please add
  if (nickname) {
    CHECK(strcmp(cert_handle_->nickname, nickname) == 0);
  | else {
    CHECK(!cert_handle_->nickname);
  }

If the CHECK never fails, then I think we can replace lines
709-710 with
  if (cert_handle_->nickname)
    return std::string(cert_handle_->nickname);

[Greg Spencer (Chromium), 2011/12/12 04:05:03]

That would be nice, but unfortunately, CERT_NewTempCertificate doesn't
initialize the nickname field properly for client certs.  It sets the nickname
on the *inner* NSSCertificate object (as the tempName field), but doesn't set it
on the CERTCertificate it returns (nickname is still NULL).  I see this as a bug
in NSS, but I'm not sure what the intentions are at each level of the onion of
structures.  Perhaps for a temporary client certificate, it's appropriate to
only set the inner NSSCertificate tempName.

For Server and CA certs, it seems to do the right thing, and if I remove
CreateOSCertHandleFromBytesWithNickname (as I could do if sending down the
nickname did nothing), then they don't work because their nickname fields aren't
set at import time.

The CERTCertificate nickname gets properly set when the temporary client
certificate is imported, because that uses the default nickname field to get
it's value.

+
+  return cert;
+}
+
+std::string X509Certificate::GetDefaultNickname(CertType type) const {
+  if (!default_nickname_.empty())
+    return default_nickname_;
+
+  std::string result;
+  if (type == USER_CERT) {
+    // Find the private key for this certificate and see if it has a
+    // nickname.  If there is a private key, and it has a nickname, then
+    // we return that nickname.
+    SECKEYPrivateKey* private_key = PK11_FindPrivateKeyFromCert(
+        cert_handle_->slot,
+        cert_handle_,
+        NULL);  // wincx
+    if (private_key) {
+      char* private_key_nickname = PK11_GetPrivateKeyNickname(private_key);
+      if (private_key_nickname) {
+        result = private_key_nickname;
+        PORT_Free(private_key_nickname);
+        SECKEY_DestroyPrivateKey(private_key);
+        return result;
+      }
+      SECKEY_DestroyPrivateKey(private_key);
+    }
+  }
+
+  switch (type) {
+    case CA_CERT: {
+      char* nickname = CERT_MakeCANickname(cert_handle_);
+      result = nickname;
+      PORT_Free(nickname);
+      break;
+    }
+    case USER_CERT: {
+      // Create a nickname for a user certificate.
+      // We use the scheme used by Firefox:
+      // --> <subject's common name>'s <issuer's common name> ID.
+      // TODO(gspencer): internationalize this: it's wrong to
+      // hard code English.
+
+      std::string username, ca_name;
+      char* temp_username = CERT_GetCommonName(
+          &cert_handle_->subject);
+      char* temp_ca_name = CERT_GetCommonName(&cert_handle_->issuer);
+      if (temp_username) {
+        username = temp_username;
+        PORT_Free(temp_username);
+      }
+      if (temp_ca_name) {
+        ca_name = temp_ca_name;
+        PORT_Free(temp_ca_name);
+      }
+      result = username + "'s " + ca_name + " ID";
+      break;
+    }
+    case SERVER_CERT:
+      result = subject_.GetDisplayName();
+      break;
+    case UNKNOWN_CERT:
+    default:
+      break;
+  }
+  return result;
+}
+
+// static
 X509Certificate* X509Certificate::CreateSelfSigned(
     crypto::RSAPrivateKey* key,
     const std::string& subject,
     uint32 serial_number,
     base::TimeDelta valid_duration) {
   DCHECK(key);
 
   CERTCertificate* cert = x509_util::CreateSelfSignedCert(key->public_key(),
                                                           key->key(),
                                                           subject,
@@ skipping 217 matching lines @@
   DCHECK(a && b);
   if (a == b)
     return true;
   return a->derCert.len == b->derCert.len &&
       memcmp(a->derCert.data, b->derCert.data, a->derCert.len) == 0;
 }
 
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data, int length) {
+  return CreateOSCertHandleFromBytesWithNickname(data, length, NULL);
+}
+
+// static
+X509Certificate::OSCertHandle
+X509Certificate::CreateOSCertHandleFromBytesWithNickname(
+    const char* data,
+    int length,
+    const char* nickname) {
   if (length < 0)
     return NULL;
 
   crypto::EnsureNSSInit();
 
   if (!NSS_IsInitialized())
     return NULL;
 
   SECItem der_cert;
   der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
   der_cert.len  = length;
   der_cert.type = siDERCertBuffer;
 
   // Parse into a certificate structure.
-  return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL,
+  return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert,
+                                 const_cast<char*>(nickname),
                                  PR_FALSE, PR_TRUE);
 }
 
 // static
 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
-    const char* data, int length, Format format) {
+    const char* data,
+    int length,
+    Format format) {
   OSCertHandles results;
   if (length < 0)
     return results;
 
   crypto::EnsureNSSInit();
 
   if (!NSS_IsInitialized())
     return results;
 
   switch (format) {
@@ skipping 83 matching lines @@
 
 // static
 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
                                                 Pickle* pickle) {
   return pickle->WriteData(
       reinterpret_cast<const char*>(cert_handle->derCert.data),
       cert_handle->derCert.len);
 }
 
 }  // namespace net