Fix imported server certs being distrusted in NSS 3.13.

net/base/cert_database.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_CERT_DATABASE_H_
 #define NET_BASE_CERT_DATABASE_H_
 #pragma once
 
 #include <string>
 #include <vector>
@@ skipping 62 matching lines @@
 
   // Constants that define which usages a certificate is trusted for.
   // They are used in combination with CertType to specify trust for each type
   // of certificate.
   // For a CA_CERT, they specify that the CA is trusted for issuing server and
   // client certs of each type.
   // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is
   // trusted as a server.
   // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is
   // trusted for email.
+  // EXPLICIT_DISTRUST specifies that the cert should not be trusted, regardless
+  // of whether it would otherwise inherit trust from the issuer chain.

[wtc, 2012/05/16 23:37:12]

The difference between UNTRUSTED and EXPLICIT_DISTRUST
should be clarified.

UNTRUSTED probably should be renamed to something like
TRUST_NORMAL or TRUST_DEFAULT.

We probably should replace EXPLICIT_DISTRUST with three
separate flags: DISTRUSTED_SSL, DISTRUSTED_EMAIL, and
DISTRUSTED_OBJ_SIGN.

[mattm, 2012/05/18 03:40:54]

Done.

   // NOTE: The actual constants are defined using an enum instead of static
   // consts due to compilation/linkage constraints with template functions.
   typedef uint32 TrustBits;
   enum {
-    UNTRUSTED        =      0,
-    TRUSTED_SSL      = 1 << 0,
-    TRUSTED_EMAIL    = 1 << 1,
-    TRUSTED_OBJ_SIGN = 1 << 2,
+    UNTRUSTED             =      0,
+    TRUSTED_SSL           = 1 << 0,
+    TRUSTED_EMAIL         = 1 << 1,
+    TRUSTED_OBJ_SIGN      = 1 << 2,
+    EXPLICIT_DISTRUST     = 1 << 3,
   };
 
   CertDatabase();
 
   // Check whether this is a valid user cert that we have the private key for.
   // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS.
   int CheckUserCert(X509Certificate* cert);
 
   // Store user (client) certificate. Assumes CheckUserCert has already passed.
   // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to
   // the platform cert database, or possibly other network error codes.
   int AddUserCert(X509Certificate* cert);
 
-#if defined(USE_NSS) || defined(USE_OPENSSL)
+#if defined(USE_NSS)
   // Get a list of unique certificates in the certificate database (one
   // instance of all certificates).
   void ListCerts(CertificateList* certs);
 
   // Get the default module for public key data.
   // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
   CryptoModule* GetPublicModule() const;
 
   // Get the default module for private key or mixed private/public key data.
   // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
@@ skipping 33 matching lines @@
   // will be listed in |not_imported|.
   // Returns false if there is an internal error, otherwise true is returned and
   // |not_imported| should be checked for any certificates that were not
   // imported.
   bool ImportCACerts(const CertificateList& certificates,
                      TrustBits trust_bits,
                      ImportCertFailureList* not_imported);
 
   // Import server certificate.  The first cert should be the server cert.  Any
   // additional certs should be intermediate/CA certs and will be imported but
   // not given any trust.

[wtc, 2012/05/16 23:37:12]

The new trust_bits parameter should be documented.

We should reconsider the prototype of this function.  If we
import the server cert with explicit trust or distrust,
then it doesn't make sense to import its intermediate CA
certs.  Intermediate CA certs are only useful when the
server cert doesn't have a "terminal" trust record.

Does Chromium ever call this function with intermediate
CA certs in |certificates|?  If not, then I suggest we
change the prototype to take a single X509Certificate
instead.

[mattm, 2012/05/18 03:40:54]

When using the "import" option in the server tab of certificate manager, the
user could select a file with multiple certs in it.  But, we doesn't do anything
to ensure the server cert must be first in the list as ImportServerCert
requires, so I'm not too sure if this counts as actually intending to call it
with multiple certs or if I just used CreateCertificateListFromBytes since it's
easy to use with FORMAT_AUTO.

   // Any certificates that could not be imported will be listed in
   // |not_imported|.
   // Returns false if there is an internal error, otherwise true is returned and
   // |not_imported| should be checked for any certificates that were not
   // imported.
   bool ImportServerCert(const CertificateList& certificates,
+                        TrustBits trust_bits,
                         ImportCertFailureList* not_imported);
 
   // Get trust bits for certificate.
   TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const;
 
   // IsUntrusted returns true if |cert| is specifically untrusted. These
   // certificates are stored in the database for the specific purpose of
   // rejecting them.
   bool IsUntrusted(const X509Certificate* cert) const;
 
@@ skipping 26 matching lines @@
   static void NotifyObserversOfUserCertAdded(const X509Certificate* cert);
   static void NotifyObserversOfUserCertRemoved(const X509Certificate* cert);
   static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert);
 
   DISALLOW_COPY_AND_ASSIGN(CertDatabase);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_CERT_DATABASE_H_