Chromium Code Reviews Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_CERT_DATABASE_H_ | 5 #ifndef NET_BASE_CERT_DATABASE_H_ |
| 6 #define NET_BASE_CERT_DATABASE_H_ | 6 #define NET_BASE_CERT_DATABASE_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 73 | 73 |
| 74 // Constants that define which usages a certificate is trusted for. | 74 // Constants that define which usages a certificate is trusted for. |
| 75 // They are used in combination with CertType to specify trust for each type | 75 // They are used in combination with CertType to specify trust for each type |
| 76 // of certificate. | 76 // of certificate. |
| 77 // For a CA_CERT, they specify that the CA is trusted for issuing server and | 77 // For a CA_CERT, they specify that the CA is trusted for issuing server and |
| 78 // client certs of each type. | 78 // client certs of each type. |
| 79 // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is | 79 // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is |
| 80 // trusted as a server. | 80 // trusted as a server. |
| 81 // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is | 81 // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is |
| 82 // trusted for email. | 82 // trusted for email. |
| 83 // For non-root certs, TRUST_TERMINAL_RECORD specifies that the cert should | |
| 84 // not inherit trust from the issuer cert chain, and the cert will be trusted | |
|
Ryan Sleevi
2012/05/16 03:57:23
I don't see TRUST_TERMINAL_RECORD here, just EXPLI
mattm
2012/05/16 22:30:51
fixed.
| |
| 85 // or not based only on which TRUSTED_* flags are set. | |
| 83 // NOTE: The actual constants are defined using an enum instead of static | 86 // NOTE: The actual constants are defined using an enum instead of static |
| 84 // consts due to compilation/linkage constraints with template functions. | 87 // consts due to compilation/linkage constraints with template functions. |
| 85 typedef uint32 TrustBits; | 88 typedef uint32 TrustBits; |
| 86 enum { | 89 enum { |
| 87 UNTRUSTED = 0, | 90 UNTRUSTED = 0, |
| 88 TRUSTED_SSL = 1 << 0, | 91 TRUSTED_SSL = 1 << 0, |
| 89 TRUSTED_EMAIL = 1 << 1, | 92 TRUSTED_EMAIL = 1 << 1, |
| 90 TRUSTED_OBJ_SIGN = 1 << 2, | 93 TRUSTED_OBJ_SIGN = 1 << 2, |
| 94 EXPLICIT_DISTRUST = 1 << 3, | |
| 91 }; | 95 }; |
| 92 | 96 |
| 93 CertDatabase(); | 97 CertDatabase(); |
| 94 | 98 |
| 95 // Check whether this is a valid user cert that we have the private key for. | 99 // Check whether this is a valid user cert that we have the private key for. |
| 96 // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS. | 100 // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS. |
| 97 int CheckUserCert(X509Certificate* cert); | 101 int CheckUserCert(X509Certificate* cert); |
| 98 | 102 |
| 99 // Store user (client) certificate. Assumes CheckUserCert has already passed. | 103 // Store user (client) certificate. Assumes CheckUserCert has already passed. |
| 100 // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to | 104 // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to |
| 101 // the platform cert database, or possibly other network error codes. | 105 // the platform cert database, or possibly other network error codes. |
| 102 int AddUserCert(X509Certificate* cert); | 106 int AddUserCert(X509Certificate* cert); |
| 103 | 107 |
| 104 #if defined(USE_NSS) || defined(USE_OPENSSL) | 108 #if defined(USE_NSS) |
| 105 // Get a list of unique certificates in the certificate database (one | 109 // Get a list of unique certificates in the certificate database (one |
| 106 // instance of all certificates). | 110 // instance of all certificates). |
| 107 void ListCerts(CertificateList* certs); | 111 void ListCerts(CertificateList* certs); |
| 108 | 112 |
| 109 // Get the default module for public key data. | 113 // Get the default module for public key data. |
| 110 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. | 114 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. |
| 111 CryptoModule* GetPublicModule() const; | 115 CryptoModule* GetPublicModule() const; |
| 112 | 116 |
| 113 // Get the default module for private key or mixed private/public key data. | 117 // Get the default module for private key or mixed private/public key data. |
| 114 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. | 118 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 155 | 159 |
| 156 // Import server certificate. The first cert should be the server cert. Any | 160 // Import server certificate. The first cert should be the server cert. Any |
| 157 // additional certs should be intermediate/CA certs and will be imported but | 161 // additional certs should be intermediate/CA certs and will be imported but |
| 158 // not given any trust. | 162 // not given any trust. |
| 159 // Any certificates that could not be imported will be listed in | 163 // Any certificates that could not be imported will be listed in |
| 160 // |not_imported|. | 164 // |not_imported|. |
| 161 // Returns false if there is an internal error, otherwise true is returned and | 165 // Returns false if there is an internal error, otherwise true is returned and |
| 162 // |not_imported| should be checked for any certificates that were not | 166 // |not_imported| should be checked for any certificates that were not |
| 163 // imported. | 167 // imported. |
| 164 bool ImportServerCert(const CertificateList& certificates, | 168 bool ImportServerCert(const CertificateList& certificates, |
| 169 TrustBits trust_bits, | |
| 165 ImportCertFailureList* not_imported); | 170 ImportCertFailureList* not_imported); |
| 166 | 171 |
| 167 // Get trust bits for certificate. | 172 // Get trust bits for certificate. |
| 168 TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const; | 173 TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const; |
| 169 | 174 |
| 170 // IsUntrusted returns true if |cert| is specifically untrusted. These | 175 // IsUntrusted returns true if |cert| is specifically untrusted. These |
| 171 // certificates are stored in the database for the specific purpose of | 176 // certificates are stored in the database for the specific purpose of |
| 172 // rejecting them. | 177 // rejecting them. |
| 173 bool IsUntrusted(const X509Certificate* cert) const; | 178 bool IsUntrusted(const X509Certificate* cert) const; |
| 174 | 179 |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 201 static void NotifyObserversOfUserCertAdded(const X509Certificate* cert); | 206 static void NotifyObserversOfUserCertAdded(const X509Certificate* cert); |
| 202 static void NotifyObserversOfUserCertRemoved(const X509Certificate* cert); | 207 static void NotifyObserversOfUserCertRemoved(const X509Certificate* cert); |
| 203 static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert); | 208 static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert); |
| 204 | 209 |
| 205 DISALLOW_COPY_AND_ASSIGN(CertDatabase); | 210 DISALLOW_COPY_AND_ASSIGN(CertDatabase); |
| 206 }; | 211 }; |
| 207 | 212 |
| 208 } // namespace net | 213 } // namespace net |
| 209 | 214 |
| 210 #endif // NET_BASE_CERT_DATABASE_H_ | 215 #endif // NET_BASE_CERT_DATABASE_H_ |
| OLD | NEW |
