| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_database.h" | 5 #include "net/base/cert_database.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| (...skipping 181 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 192 X509Certificate* root = FindRootInList(certificates); | 192 X509Certificate* root = FindRootInList(certificates); |
| 193 bool success = psm::ImportCACerts(certificates, root, trust_bits, | 193 bool success = psm::ImportCACerts(certificates, root, trust_bits, |
| 194 not_imported); | 194 not_imported); |
| 195 if (success) | 195 if (success) |
| 196 CertDatabase::NotifyObserversOfCertTrustChanged(NULL); | 196 CertDatabase::NotifyObserversOfCertTrustChanged(NULL); |
| 197 | 197 |
| 198 return success; | 198 return success; |
| 199 } | 199 } |
| 200 | 200 |
| 201 bool CertDatabase::ImportServerCert(const CertificateList& certificates, | 201 bool CertDatabase::ImportServerCert(const CertificateList& certificates, |
| 202 TrustBits trust_bits, |
| 202 ImportCertFailureList* not_imported) { | 203 ImportCertFailureList* not_imported) { |
| 203 return psm::ImportServerCert(certificates, not_imported); | 204 return psm::ImportServerCert(certificates, trust_bits, not_imported); |
| 204 } | 205 } |
| 205 | 206 |
| 206 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, | 207 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, |
| 207 CertType type) const { | 208 CertType type) const { |
| 208 CERTCertTrust nsstrust; | 209 CERTCertTrust nsstrust; |
| 209 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); | 210 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); |
| 210 if (srv != SECSuccess) { | 211 if (srv != SECSuccess) { |
| 211 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); | 212 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); |
| 212 return UNTRUSTED; | 213 return UNTRUSTED; |
| 213 } | 214 } |
| 214 psm::nsNSSCertTrust trust(&nsstrust); | 215 psm::nsNSSCertTrust trust(&nsstrust); |
| 215 switch (type) { | 216 switch (type) { |
| 216 case CA_CERT: | 217 case CA_CERT: |
| 217 return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + | 218 return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + |
| 218 trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + | 219 trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + |
| 219 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; | 220 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN + |
| 221 ((trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE) | |
| 222 trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE) | |
| 223 trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE)) * |
| 224 TRUST_TERMINAL_RECORD); |
| 220 case SERVER_CERT: | 225 case SERVER_CERT: |
| 226 // Since we don't define per-type terminal-record bits, we can't precisely |
| 227 // round-trip from NSS trust to TrustBits and back. |
| 221 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + | 228 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + |
| 222 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + | 229 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + |
| 223 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; | 230 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN + |
| 231 ((trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE) | |
| 232 trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE)) * |
| 233 TRUST_TERMINAL_RECORD); |
| 224 default: | 234 default: |
| 225 return UNTRUSTED; | 235 return UNTRUSTED; |
| 226 } | 236 } |
| 227 } | 237 } |
| 228 | 238 |
| 229 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const { | 239 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const { |
| 230 CERTCertTrust nsstrust; | 240 CERTCertTrust nsstrust; |
| 231 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); | 241 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); |
| 232 if (rv != SECSuccess) { | 242 if (rv != SECSuccess) { |
| 233 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); | 243 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 313 | 323 |
| 314 return true; | 324 return true; |
| 315 } | 325 } |
| 316 | 326 |
| 317 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { | 327 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { |
| 318 PK11SlotInfo* slot = cert->os_cert_handle()->slot; | 328 PK11SlotInfo* slot = cert->os_cert_handle()->slot; |
| 319 return slot && PK11_IsReadOnly(slot); | 329 return slot && PK11_IsReadOnly(slot); |
| 320 } | 330 } |
| 321 | 331 |
| 322 } // namespace net | 332 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src