This applies GUIDs to certificate and key nicknames when

net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

Index: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
index 3e50cd1f41704b44f2e346f30ad29e7881af3d1e..cb62147c79c84666d576057122fea2b8470e9807 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -47,6 +47,7 @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
+#include "net/base/x509_util_nss.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 
 namespace mozilla_security_manager {
@@ -80,14 +81,12 @@ bool ImportCACerts(const net::CertificateList& certificates,
     // Mozilla uses CERT_AddTempCertToPerm, however it is privately exported,
     // and it doesn't take the slot as an argument either.  Instead, we use
     // PK11_ImportCert and CERT_ChangeCertTrust.
-    char* nickname = CERT_MakeCANickname(root->os_cert_handle());
-    if (!nickname)
-      return false;
-    SECStatus srv = PK11_ImportCert(slot.get(), root->os_cert_handle(),
-                                    CK_INVALID_HANDLE,
-                                    nickname,
-                                    PR_FALSE /* includeTrust (unused) */);
-    PORT_Free(nickname);
+    SECStatus srv = PK11_ImportCert(

[wtc, 2011/12/08 00:07:43]

Please add a CHECK (non-debug assertion) here to assert that
net::x509_util::GetCertType(root) is net::CA_CERT.

[Greg Spencer (Chromium), 2011/12/09 18:51:38]

Now that we're passing the certificate type instead of detecting it, this is not
necessary.

+        slot.get(),
+        root->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        net::x509_util::GetDefaultCertificateLabel(root).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       return false;
@@ -139,14 +138,12 @@ bool ImportCACerts(const net::CertificateList& certificates,
 
     // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
     // PK11_ImportCert instead.
-    char* nickname = CERT_MakeCANickname(cert->os_cert_handle());
-    if (!nickname)
-      return false;
-    SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
-                                    CK_INVALID_HANDLE,
-                                    nickname,
-                                    PR_FALSE /* includeTrust (unused) */);
-    PORT_Free(nickname);
+    SECStatus srv = PK11_ImportCert(

[wtc, 2011/12/08 00:07:43]

Please add a CHECK (non-debug assertion) here to assert that
net::x509_util::GetCertType(cert) is net::CA_CERT.

[Greg Spencer (Chromium), 2011/12/09 18:51:38]

Now that we pass the certificate type, this is not necessary.

+        slot.get(),
+        cert->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        net::x509_util::GetDefaultCertificateLabel(cert).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       // TODO(mattm): Should we bail or continue on error here?  Mozilla doesn't
@@ -174,10 +171,12 @@ bool ImportServerCert(const net::CertificateList& certificates,
 
     // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
     // PK11_ImportCert instead.
-    SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
-                                    CK_INVALID_HANDLE,
-                                    cert->subject().GetDisplayName().c_str(),
-                                    PR_FALSE /* includeTrust (unused) */);
+    SECStatus srv = PK11_ImportCert(

[wtc, 2011/12/08 00:07:43]

Please add a CHECK (non-debug assertion) here to assert that
net::x509_util::GetCertType(cert) is net::SERVER_CERT.

[Greg Spencer (Chromium), 2011/12/09 18:51:38]

Now that we pass the certificate type, this is not necessary.

+        slot.get(),
+        cert->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        net::x509_util::GetDefaultCertificateLabel(cert).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       not_imported->push_back(net::CertDatabase::ImportCertFailure(