Fix imported server certs being distrusted in NSS 3.13.

net/base/cert_database_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_database.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <secmod.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
-#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
 // the new name of the macro.
 #if !defined(CERTDB_TERMINAL_RECORD)
 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
 #endif
 
 // PSM = Mozilla's Personal Security Manager.
 namespace psm = mozilla_security_manager;
@@ skipping 160 matching lines @@
   X509Certificate* root = FindRootInList(certificates);
   bool success = psm::ImportCACerts(certificates, root, trust_bits,
                                     not_imported);
   if (success)
     CertDatabase::NotifyObserversOfCertTrustChanged(NULL);
 
   return success;
 }
 
 bool CertDatabase::ImportServerCert(const CertificateList& certificates,
+                                    TrustBits trust_bits,
                                     ImportCertFailureList* not_imported) {
-  return psm::ImportServerCert(certificates, not_imported);
+  return psm::ImportServerCert(certificates, trust_bits, not_imported);
 }
 
 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
                                                    CertType type) const {
-  CERTCertTrust nsstrust;
-  SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+  CERTCertTrust trust;
+  SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
   if (srv != SECSuccess) {
     LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
-    return UNTRUSTED;
+    return TRUST_DEFAULT;
   }
-  psm::nsNSSCertTrust trust(&nsstrust);
+  // We define our own more "friendly" TrustBits, which means we aren't able to
+  // round-trip all possible NSS trust flag combinations.  We try to map them in
+  // a sensible way.
   switch (type) {
-    case CA_CERT:
-      return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
-          trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
-          trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+    case CA_CERT: {
+      const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+      const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
+
+      TrustBits r = TRUST_DEFAULT;

[wtc, 2012/05/22 00:28:39]

Nit: use |trust_bits| instead of |r|?

[mattm, 2012/05/26 03:41:35]

Done.

+      if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+        r |= DISTRUSTED_SSL;
+      else if (trust.sslFlags & kTrustedCA)
+        r |= TRUSTED_SSL;

[wtc, 2012/05/22 00:28:39]

This isn't quite right for an intermediate CA certificate.
I believe that an intermediate CA certificate still needs
the CERTDB_TERMINAL_RECORD bit set to get TRUSTED_SSL.
So I think for an intermediate CA certificate, we should say:

  TrustBits r = TRUST_DEFAULT;
  if (trust.sslFlags & CERTDB_TERMINAL_RECORD) {
    if (trust.sslFlags & kTrustedCA)
      r |= TRUSTED_SSL;
    else
      r |= DISTRUSTED_SSL;
  }

NOTE: the above code may not be correct for a root CA
certificate, which may not need the CERTDB_TERMINAL_RECORD
bit to be set.  So the code for a root certificate might be
simply:

    if (trust.sslFlags & kTrustedCA)
      r |= TRUSTED_SSL;
    else
      r |= DISTRUSTED_SSL;

You can test cert->os_cert_handle()->isRoot to determine
if |cert| is a root CA or intermediate CA certificate.
But I am not sure about this.  So I suggest you use the
code that tests CERTDB_TERMINAL_RECORD for now.

+
+      if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+        r |= DISTRUSTED_EMAIL;
+      else if (trust.emailFlags & kTrustedCA)
+        r |= TRUSTED_EMAIL;
+
+      if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+        r |= DISTRUSTED_OBJ_SIGN;
+      else if (trust.objectSigningFlags & kTrustedCA)
+        r |= TRUSTED_OBJ_SIGN;
+
+      return r;
+    }
     case SERVER_CERT:
-      return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
-          trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
-          trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+      if (trust.sslFlags & CERTDB_TERMINAL_RECORD) {
+        if (trust.sslFlags & CERTDB_TRUSTED)
+          return TRUSTED_SSL;
+        return DISTRUSTED_SSL;
+      }
+      return TRUST_DEFAULT;
     default:
-      return UNTRUSTED;
+      return TRUST_DEFAULT;
   }
 }
 
 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
   CERTCertTrust nsstrust;
   SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
   if (rv != SECSuccess) {
     LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
     return false;
   }
@@ skipping 77 matching lines @@
 
   return true;
 }
 
 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {
   PK11SlotInfo* slot = cert->os_cert_handle()->slot;
   return slot && PK11_IsReadOnly(slot);
 }
 
 }  // namespace net