Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(44)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/cert_database_nss.cc

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: cleanups Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« chrome/browser/chromeos/cros/onc_network_parser_unittest.cc ('K') | « net/base/cert_database.h ('k') | net/base/cert_database_nss_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/cert_database.h" 5 #include "net/base/cert_database.h"
6 6
7 #include <cert.h> 7 #include <cert.h>
8 #include <certdb.h> 8 #include <certdb.h>
9 #include <keyhi.h> 9 #include <keyhi.h>
10 #include <pk11pub.h> 10 #include <pk11pub.h>
11 #include <secmod.h> 11 #include <secmod.h>
12 12
13 #include "base/logging.h" 13 #include "base/logging.h"
14 #include "base/memory/scoped_ptr.h" 14 #include "base/memory/scoped_ptr.h"
15 #include "crypto/nss_util.h" 15 #include "crypto/nss_util.h"
16 #include "crypto/nss_util_internal.h" 16 #include "crypto/nss_util_internal.h"
17 #include "net/base/crypto_module.h" 17 #include "net/base/crypto_module.h"
18 #include "net/base/net_errors.h" 18 #include "net/base/net_errors.h"
19 #include "net/base/x509_certificate.h" 19 #include "net/base/x509_certificate.h"
20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" 20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
21 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
22 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" 21 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
23 22
24 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use 23 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
25 // the new name of the macro. 24 // the new name of the macro.
26 #if !defined(CERTDB_TERMINAL_RECORD) 25 #if !defined(CERTDB_TERMINAL_RECORD)
27 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER 26 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
28 #endif 27 #endif
29 28
30 // PSM = Mozilla's Personal Security Manager. 29 // PSM = Mozilla's Personal Security Manager.
31 namespace psm = mozilla_security_manager; 30 namespace psm = mozilla_security_manager;
(...skipping 160 matching lines...) Expand 10 before | Expand all | Expand 10 after
192 X509Certificate* root = FindRootInList(certificates); 191 X509Certificate* root = FindRootInList(certificates);
193 bool success = psm::ImportCACerts(certificates, root, trust_bits, 192 bool success = psm::ImportCACerts(certificates, root, trust_bits,
194 not_imported); 193 not_imported);
195 if (success) 194 if (success)
196 CertDatabase::NotifyObserversOfCertTrustChanged(NULL); 195 CertDatabase::NotifyObserversOfCertTrustChanged(NULL);
197 196
198 return success; 197 return success;
199 } 198 }
200 199
201 bool CertDatabase::ImportServerCert(const CertificateList& certificates, 200 bool CertDatabase::ImportServerCert(const CertificateList& certificates,
201 TrustBits trust_bits,
202 ImportCertFailureList* not_imported) { 202 ImportCertFailureList* not_imported) {
203 return psm::ImportServerCert(certificates, not_imported); 203 return psm::ImportServerCert(certificates, trust_bits, not_imported);
204 } 204 }
205 205
206 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, 206 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
207 CertType type) const { 207 CertType type) const {
208 CERTCertTrust nsstrust; 208 CERTCertTrust trust;
209 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); 209 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
210 if (srv != SECSuccess) { 210 if (srv != SECSuccess) {
211 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); 211 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
212 return UNTRUSTED; 212 return TRUST_DEFAULT;
213 } 213 }
214 psm::nsNSSCertTrust trust(&nsstrust); 214 // We define our own more "friendly" TrustBits, which means we aren't able to
215 // round-trip all possible NSS trust flag combinations. We try to map them in
216 // a sensible way.
215 switch (type) { 217 switch (type) {
216 case CA_CERT: 218 case CA_CERT: {
217 return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + 219 const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
218 trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + 220 const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
219 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; 221
222 TrustBits trust_bits = TRUST_DEFAULT;
223 if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
224 trust_bits |= DISTRUSTED_SSL;
225 else if (trust.sslFlags & kTrustedCA)
226 trust_bits |= TRUSTED_SSL;
227
228 if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
229 trust_bits |= DISTRUSTED_EMAIL;
230 else if (trust.emailFlags & kTrustedCA)
231 trust_bits |= TRUSTED_EMAIL;
232
233 if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
234 trust_bits |= DISTRUSTED_OBJ_SIGN;
235 else if (trust.objectSigningFlags & kTrustedCA)
236 trust_bits |= TRUSTED_OBJ_SIGN;
237
238 return trust_bits;
239 }
220 case SERVER_CERT: 240 case SERVER_CERT:
221 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + 241 if (trust.sslFlags & CERTDB_TERMINAL_RECORD) {
222 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + 242 if (trust.sslFlags & CERTDB_TRUSTED)
223 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; 243 return TRUSTED_SSL;
244 return DISTRUSTED_SSL;
245 }
246 return TRUST_DEFAULT;
224 default: 247 default:
225 return UNTRUSTED; 248 return TRUST_DEFAULT;
226 } 249 }
227 } 250 }
228 251
229 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const { 252 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
230 CERTCertTrust nsstrust; 253 CERTCertTrust nsstrust;
231 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); 254 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
232 if (rv != SECSuccess) { 255 if (rv != SECSuccess) {
233 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); 256 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
234 return false; 257 return false;
235 } 258 }
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after
313 336
314 return true; 337 return true;
315 } 338 }
316 339
317 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { 340 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {
318 PK11SlotInfo* slot = cert->os_cert_handle()->slot; 341 PK11SlotInfo* slot = cert->os_cert_handle()->slot;
319 return slot && PK11_IsReadOnly(slot); 342 return slot && PK11_IsReadOnly(slot);
320 } 343 }
321 344
322 } // namespace net 345 } // namespace net
OLDNEW
« chrome/browser/chromeos/cros/onc_network_parser_unittest.cc ('K') | « net/base/cert_database.h ('k') | net/base/cert_database_nss_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698