
Side by Side Diff: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 8 months ago
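--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -1,10 +1,10 @@
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ -151,81 +151,87 @@
 cert, net::ERR_IMPORT_CA_CERT_FAILED));
 }
 }
 
 // Any errors importing individual certs will be in listed in |not_imported|.
 return true;
 }
 
 // Based on nsNSSCertificateDB::ImportServerCertificate.
 bool ImportServerCert(const net::CertificateList& certificates,
+net::CertDatabase::TrustBits trustBits,
 net::CertDatabase::ImportCertFailureList* not_imported) {
 crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
 if (!slot.get()) {
 LOG(ERROR) << "Couldn't get internal key slot!";
 return false;
 }
 
 for (size_t i = 0; i < certificates.size(); ++i) {
 const scoped_refptr<net::X509Certificate>& cert = certificates[i];
 
 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
 // PK11_ImportCert instead.
 SECStatus srv = PK11_ImportCert(
 slot.get(),
 cert->os_cert_handle(),
 CK_INVALID_HANDLE,
 cert->GetDefaultNickname(net::SERVER_CERT).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
 not_imported->push_back(net::CertDatabase::ImportCertFailure(
 cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
 continue;
 }
 }
 
-// Set as valid peer, but without any extra trust.
-SetCertTrust(certificates[0].get(), net::SERVER_CERT,
-net::CertDatabase::UNTRUSTED);
+SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
 // TODO(mattm): Report SetCertTrust result? Putting in not_imported
 // wouldn't quite match up since it was imported...
 
 // Any errors importing individual certs will be in listed in |not_imported|.
 return true;
 }
 
 // Based on nsNSSCertificateDB::SetCertTrust.
 bool
 SetCertTrust(const net::X509Certificate* cert,
 net::CertType type,
 net::CertDatabase::TrustBits trustBits)
 {
 SECStatus srv;
 nsNSSCertTrust trust;
 CERTCertificate *nsscert = cert->os_cert_handle();
 if (type == net::CA_CERT) {
 // always start with untrusted and move up
 trust.SetValidCA();
 trust.AddCATrust(trustBits & net::CertDatabase::TRUSTED_SSL,
 trustBits & net::CertDatabase::TRUSTED_EMAIL,
 trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN);
+if (trustBits & net::CertDatabase::TRUST_TERMINAL_RECORD)
+trust.SetTerminalRecord();
 srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
 nsscert,
 trust.GetTrust());
 } else if (type == net::SERVER_CERT) {
 // always start with untrusted and move up
-trust.SetValidPeer();
-trust.AddPeerTrust(trustBits & net::CertDatabase::TRUSTED_SSL, 0, 0);
+if (trustBits & net::CertDatabase::TRUSTED_SSL) {
+trust.SetTerminalServerRecord();
+trust.AddPeerTrust(PR_TRUE, PR_FALSE, PR_FALSE);
+}
+if (trustBits & net::CertDatabase::TRUST_TERMINAL_RECORD)
+trust.SetTerminalRecord();
+
 srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
 nsscert,
 trust.GetTrust());
 } else {
 // ignore user and email/unknown certs
 return true;
 }
 if (srv != SECSuccess)
 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
 return srv == SECSuccess;
 }
 
 } // namespace mozilla_security_manager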
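Review bot: ImportServerCert now passes a caller-chosen `trustBits` to `SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits)` but still discards the result and returns `true`, so a failed trust write looks the same as success. That mattered less while the value was fixed at `UNTRUSTED`; with `TRUSTED_SSL` or `TRUST_TERMINAL_RECORD` possible, the caller can believe a trust or terminal record was stored when it was not. The call is also reached when the import of `certificates[0]` failed in the loop (that path only does `continue`), and the visible code never checks that `certificates` is non-empty before indexing it. I would add `if (certificates.empty()) return false;` at the top and end with `return SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);` once the first certificate is known to have imported. In SetCertTrust's SERVER_CERT branch the retained comment `// always start with untrusted and move up` no longer matches the code now that `SetValidPeer()` is gone, and should instead state which trust record is written when neither bit is set.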
