This applies GUIDs to certificate and key nicknames when

net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp

 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 39 matching lines @@
 #include "net/base/x509_certificate.h"
 
 namespace mozilla_security_manager {
 
 namespace {
 
 // unicodeToItem
 //
 // For the NSS PKCS#12 library, must convert PRUnichars (shorts) to
 // a buffer of octets.  Must handle byte order correctly.
-// TODO: Is there a mozilla way to do this?  In the string lib?
+// TODO: Is there a Mozilla way to do this?  In the string lib?
 void unicodeToItem(const PRUnichar *uni, SECItem *item)
 {
   int len = 0;
   while (uni[len++] != 0);
   SECITEM_AllocItem(NULL, item, sizeof(PRUnichar) * len);
 #ifdef IS_LITTLE_ENDIAN
   int i = 0;
   for (i=0; i<len; i++) {
     item->data[2*i  ] = (unsigned char )(uni[i] << 8);
     item->data[2*i+1] = (unsigned char )(uni[i]);
@@ skipping 60 matching lines @@
 PRBool
 pip_ucs2_ascii_conversion_fn(PRBool toUnicode,
                              unsigned char *inBuf,
                              unsigned int inBufLen,
                              unsigned char *outBuf,
                              unsigned int maxOutBufLen,
                              unsigned int *outBufLen,
                              PRBool swapBytes)
 {
   CHECK_GE(maxOutBufLen, inBufLen);
-  // do a no-op, since I've already got unicode.  Hah!
+  // do a no-op, since I've already got Unicode.  Hah!

[wtc, 2011/11/29 23:13:57]

In general it's not necessary to fix minor comment problems
in third-party code.  We have forked these files, so this is
fine.

   *outBufLen = inBufLen;
   memcpy(outBuf, inBuf, inBufLen);
   return PR_TRUE;
 }
 
 // Based on nsPKCS12Blob::ImportFromFileHelper.
 int
 nsPKCS12Blob_ImportHelper(const char* pkcs12_data,
                           size_t pkcs12_len,
                           const string16& password,
                           bool is_extractable,
                           bool try_zero_length_secitem,
-                          PK11SlotInfo *slot)
+                          PK11SlotInfo *slot,
+                          net::CertificateList* imported_certs)
 {
   DCHECK(pkcs12_data);
   DCHECK(slot);
   int import_result = net::ERR_PKCS12_IMPORT_FAILED;
   SECStatus srv = SECSuccess;
   SEC_PKCS12DecoderContext *dcx = NULL;
   SECItem unicodePw;
+  SECItem attribute_value;
+  CK_BBOOL attribute_data = CK_FALSE;
+  const SEC_PKCS12DecoderItem* decoder_item = NULL;
+
   unicodePw.type = siBuffer;
   unicodePw.len = 0;
   unicodePw.data = NULL;
   if (!try_zero_length_secitem) {
     unicodeToItem(password.c_str(), &unicodePw);
   }
 
   // Initialize the decoder
   dcx = SEC_PKCS12DecoderStart(&unicodePw, slot,
                                // wincx
                                NULL,
                                // dOpen, dClose, dRead, dWrite, dArg: NULL
                                // specifies default impl using memory buffer.
                                NULL, NULL, NULL, NULL, NULL);
   if (!dcx) {
     srv = SECFailure;
     goto finish;
   }
   // feed input to the decoder
   srv = SEC_PKCS12DecoderUpdate(dcx,
                                 (unsigned char*)pkcs12_data,
                                 pkcs12_len);
   if (srv) goto finish;
   // verify the blob
   srv = SEC_PKCS12DecoderVerify(dcx);
   if (srv) goto finish;
   // validate bags
   srv = SEC_PKCS12DecoderValidateBags(dcx, nickname_collision);
   if (srv) goto finish;
-  // import cert and key
+  // import certificate and key
   srv = SEC_PKCS12DecoderImportBags(dcx);
   if (srv) goto finish;
 
-  if (!is_extractable) {
-    SECItem attribute_value;
-    CK_BBOOL attribute_data = CK_FALSE;
-    attribute_value.data = &attribute_data;
-    attribute_value.len = sizeof(attribute_data);
+  attribute_value.data = &attribute_data;
+  attribute_value.len = sizeof(attribute_data);
 
-    srv = SEC_PKCS12DecoderIterateInit(dcx);
-    if (srv) goto finish;
+  srv = SEC_PKCS12DecoderIterateInit(dcx);
+  if (srv) goto finish;
 
-    const SEC_PKCS12DecoderItem* decoder_item = NULL;
+  if (imported_certs)
+    imported_certs->clear();
+
+  // Collect the list of decoded certificates, and mark private keys
+  // non-extractable if needed.
+  while (SEC_PKCS12DecoderIterateNext(dcx, &decoder_item) == SECSuccess) {
+    if (decoder_item->type != SEC_OID_PKCS12_V1_CERT_BAG_ID)
+      continue;
+    if (!decoder_item->hasKey)
+      continue;

[wtc, 2011/11/29 23:13:57]

BUG: I would expect that a certificate without a corresponding
private key should also be added to imported_certs.

[Greg Spencer (Chromium), 2011/12/02 18:50:07]

Oooh.   Nice catch. Done.

+
+    // Once we have determined that the imported certificate has an
+    // associated private key too, only then can we mark the key as
+    // non-extractable.
+    CERTCertificate* cert = PK11_FindCertFromDERCertItem(
+        slot, decoder_item->der,
+        NULL);  // wincx
+    if (!cert) {
+      LOG(ERROR) << "Could not grab a handle to the certificate in the slot "
+                 << "from the corresponding PKCS#12 DER certificate.";
+      continue;
+    }
+
+    // Add the cert to the list
+    if (imported_certs) {
+      // Empty list of intermediates.
+      net::X509Certificate::OSCertHandles intermediates;
+      imported_certs->push_back(
+          net::X509Certificate::CreateFromHandle(cert, intermediates));
+    }
+
     // Iterate through all the imported PKCS12 items and mark any accompanying
-    // private keys as unextractable.
-    while (SEC_PKCS12DecoderIterateNext(dcx, &decoder_item) == SECSuccess) {
-      if (decoder_item->type != SEC_OID_PKCS12_V1_CERT_BAG_ID)
-        continue;
-      if (!decoder_item->hasKey)
-        continue;
-
-      // Once we have determined that the imported certificate has an
-      // associated private key too, only then can we mark the key as
-      // unextractable.
-      CERTCertificate* cert = PK11_FindCertFromDERCertItem(
-          slot, decoder_item->der,
-          NULL);  // wincx
-      if (!cert) {
-        LOG(ERROR) << "Could not grab a handle to the certificate in the slot "
-                   << "from the corresponding PKCS#12 DER certificate.";
-        continue;
-      }
+    // private keys as non-extractable.
+    if (!is_extractable) {
       SECKEYPrivateKey* privKey = PK11_FindPrivateKeyFromCert(slot, cert,
                                                               NULL);  // wincx
-      CERT_DestroyCertificate(cert);
       if (privKey) {
-        // Mark the private key as unextractable.
+        // Mark the private key as non-extractable.
         srv = PK11_WriteRawAttribute(PK11_TypePrivKey, privKey, CKA_EXTRACTABLE,
                                      &attribute_value);
         SECKEY_DestroyPrivateKey(privKey);
         if (srv) {
           LOG(ERROR) << "Could not set CKA_EXTRACTABLE attribute on private "
                      << "key.";
+          CERT_DestroyCertificate(cert);
           break;
         }
       }
     }
+    CERT_DestroyCertificate(cert);
     if (srv) goto finish;
   }
-
   import_result = net::OK;
 finish:
   // If srv != SECSuccess, NSS probably set a specific error code.
   // We should use that error code instead of inventing a new one
   // for every error possible.
   if (srv != SECSuccess) {
     int error = PORT_GetError();
     LOG(ERROR) << "PKCS#12 import failed with error " << error;
     switch (error) {
       case SEC_ERROR_BAD_PASSWORD:
@@ skipping 76 matching lines @@
 
 void EnsurePKCS12Init() {
   g_pkcs12_init_singleton.Get();
 }
 
 // Based on nsPKCS12Blob::ImportFromFile.
 int nsPKCS12Blob_Import(PK11SlotInfo* slot,
                         const char* pkcs12_data,
                         size_t pkcs12_len,
                         const string16& password,
-                        bool is_extractable) {
+                        bool is_extractable,
+                        net::CertificateList* imported_certs) {
 
   int rv = nsPKCS12Blob_ImportHelper(pkcs12_data, pkcs12_len, password,
-                                     is_extractable, false, slot);
+                                     is_extractable, false, slot,
+                                     imported_certs);
 
   // When the user entered a zero length password:
   //   An empty password should be represented as an empty
   //   string (a SECItem that contains a single terminating
   //   NULL UTF16 character), but some applications use a
   //   zero length SECItem.
   //   We try both variations, zero length item and empty string,
   //   without giving a user prompt when trying the different empty password
   //   flavors.
   if (rv == net::ERR_PKCS12_IMPORT_BAD_PASSWORD && password.empty()) {
     rv = nsPKCS12Blob_ImportHelper(pkcs12_data, pkcs12_len, password,
-                                   is_extractable, true, slot);
+                                   is_extractable, true, slot, imported_certs);
   }
   return rv;
 }
 
 // Based on nsPKCS12Blob::ExportToFile
 //
 // Having already loaded the certs, form them into a blob (loading the keys
 // also), encode the blob, and stuff it into the file.
 //
 // TODO: handle slots correctly
@@ skipping 92 matching lines @@
 finish:
   if (srv)
     LOG(ERROR) << "PKCS#12 export failed with error " << PORT_GetError();
   if (ecx)
     SEC_PKCS12DestroyExportContext(ecx);
   SECITEM_ZfreeItem(&unicodePw, PR_FALSE);
   return return_count;
 }
 
 }  // namespace mozilla_security_manager