| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_database.h" | 5 #include "net/base/cert_database.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| 11 #include <secmod.h> | 11 #include <secmod.h> |
| 12 | 12 |
| 13 #include "base/logging.h" | 13 #include "base/logging.h" |
| 14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 15 #include "crypto/nss_util.h" | 15 #include "crypto/nss_util.h" |
| 16 #include "crypto/nss_util_internal.h" | 16 #include "crypto/nss_util_internal.h" |
| 17 #include "net/base/crypto_module.h" | 17 #include "net/base/crypto_module.h" |
| 18 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
| 19 #include "net/base/x509_certificate.h" | 19 #include "net/base/x509_certificate.h" |
| 20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 21 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | |
| 22 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" | 21 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" |
| 23 | 22 |
| 24 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use | 23 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 25 // the new name of the macro. | 24 // the new name of the macro. |
| 26 #if !defined(CERTDB_TERMINAL_RECORD) | 25 #if !defined(CERTDB_TERMINAL_RECORD) |
| 27 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER | 26 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| 28 #endif | 27 #endif |
| 29 | 28 |
| 30 // PSM = Mozilla's Personal Security Manager. | 29 // PSM = Mozilla's Personal Security Manager. |
| 31 namespace psm = mozilla_security_manager; | 30 namespace psm = mozilla_security_manager; |
| 192 X509Certificate* root = FindRootInList(certificates); | 191 X509Certificate* root = FindRootInList(certificates); |
| 193 bool success = psm::ImportCACerts(certificates, root, trust_bits, | 192 bool success = psm::ImportCACerts(certificates, root, trust_bits, |
| 194 not_imported); | 193 not_imported); |
| 195 if (success) | 194 if (success) |
| 196 CertDatabase::NotifyObserversOfCertTrustChanged(NULL); | 195 CertDatabase::NotifyObserversOfCertTrustChanged(NULL); |
| 197 | 196 |
| 198 return success; | 197 return success; |
| 199 } | 198 } |
| 200 | 199 |
| 201 bool CertDatabase::ImportServerCert(const CertificateList& certificates, | 200 bool CertDatabase::ImportServerCert(const CertificateList& certificates, |
| 201 TrustBits trust_bits, |
| 202 ImportCertFailureList* not_imported) { | 202 ImportCertFailureList* not_imported) { |
| 203 return psm::ImportServerCert(certificates, not_imported); | 203 return psm::ImportServerCert(certificates, trust_bits, not_imported); |
| 204 } | 204 } |
| 205 | 205 |
| 206 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, | 206 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, |
| 207 CertType type) const { | 207 CertType type) const { |
| 208 CERTCertTrust nsstrust; | 208 CERTCertTrust trust; |
| 209 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); | 209 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust); |
| 210 if (srv != SECSuccess) { | 210 if (srv != SECSuccess) { |
| 211 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); | 211 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); |
| 212 return UNTRUSTED; | 212 return UNTRUSTED; |
| 213 } | 213 } |
| 214 psm::nsNSSCertTrust trust(&nsstrust); | 214 // We define our own more "friendly" TrustBits, which means we aren't able to |
| 215 // round-trip all possible NSS trust flag combinations. We try to map them in |
| 216 // a sensible way. |
| 215 switch (type) { | 217 switch (type) { |
| 216 case CA_CERT: | 218 case CA_CERT: { |
| 217 return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + | 219 const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; |
| 218 trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + | 220 const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD; |
| 219 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; | 221 |
| 222 // If any of the trust values is explicitly distrusted, return full |
| 223 // explicit distrust. |
| 224 if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD || |
| 225 (trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD || |
| 226 (trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) |
| 227 return EXPLICIT_DISTRUST; |
| 228 |
| 229 TrustBits r = UNTRUSTED; |
| 230 if ((trust.sslFlags & kTrustedCA) == kTrustedCA) |
| 231 r |= TRUSTED_SSL; |
| 232 if ((trust.emailFlags & kTrustedCA) == kTrustedCA) |
| 233 r |= TRUSTED_EMAIL; |
| 234 if ((trust.objectSigningFlags & kTrustedCA) == kTrustedCA) |
| 235 r |= TRUSTED_OBJ_SIGN; |
| 236 return r; |
| 237 } |
| 220 case SERVER_CERT: | 238 case SERVER_CERT: |
| 221 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + | 239 if ((trust.sslFlags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) == |
| 222 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + | 240 (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) |
| 223 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; | 241 return TRUSTED_SSL; |
| 242 else if ((trust.sslFlags & CERTDB_TERMINAL_RECORD) || |
| 243 (trust.emailFlags & CERTDB_TERMINAL_RECORD) || |
| 244 (trust.objectSigningFlags & CERTDB_TERMINAL_RECORD)) |
| 245 return EXPLICIT_DISTRUST; |
| 246 return UNTRUSTED; |
| 224 default: | 247 default: |
| 225 return UNTRUSTED; | 248 return UNTRUSTED; |
| 226 } | 249 } |
| 227 } | 250 } |
| 228 | 251 |
| 229 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const { | 252 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const { |
| 230 CERTCertTrust nsstrust; | 253 CERTCertTrust nsstrust; |
| 231 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); | 254 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); |
| 232 if (rv != SECSuccess) { | 255 if (rv != SECSuccess) { |
| 233 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); | 256 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); |
| 313 | 336 |
| 314 return true; | 337 return true; |
| 315 } | 338 } |
| 316 | 339 |
| 317 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { | 340 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { |
| 318 PK11SlotInfo* slot = cert->os_cert_handle()->slot; | 341 PK11SlotInfo* slot = cert->os_cert_handle()->slot; |
| 319 return slot && PK11_IsReadOnly(slot); | 342 return slot && PK11_IsReadOnly(slot); |
| 320 } | 343 } |
| 321 | 344 |
| 322 } // namespace net | 345 } // namespace net |
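Review bot: In the new SERVER_CERT branch of GetCertTrust the `else if` treats any CERTDB_TERMINAL_RECORD bit in emailFlags or objectSigningFlags as EXPLICIT_DISTRUST, but it never masks out CERTDB_TRUSTED, so a peer record that is trusted for e-mail or object signing (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD) is reported as distrusted; the CA_CERT branch above it gets this right by comparing `(flags & kCAFlags) == CERTDB_TERMINAL_RECORD`. The same shape fixes the server case: `else if ((trust.sslFlags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) == CERTDB_TERMINAL_RECORD ||`, `(trust.emailFlags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) == CERTDB_TERMINAL_RECORD ||`, `(trust.objectSigningFlags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) == CERTDB_TERMINAL_RECORD)`, ideally via a `const unsigned kPeerFlags` like `kCAFlags`. Separately, `kTrustedCA` in the CA_CERT branch requires both CERTDB_TRUSTED_CA and CERTDB_TRUSTED_CLIENT_CA before reporting TRUSTED_*, so a CA record carrying only CERTDB_TRUSTED_CA — which I believe is the bit NSS consults when building server chains — would be shown as UNTRUSTED while NSS still honours it; if that mismatch is intentional it belongs in the "round-trip" comment at lines 214-216, otherwise a `!= 0` test on the mask is the safer reading. The function starts and ends within this hunk.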