Fix imported server certs being distrusted in NSS 3.13.

net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

  /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 21 matching lines @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 
 #include <cert.h>
+#include <certdb.h>
 #include <pk11pub.h>
 #include <secerr.h>
 
 #include "base/logging.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
-#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
+
+#if !defined(CERTDB_TERMINAL_RECORD)
+/* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
+ * and marks CERTDB_VALID_PEER as deprecated.
+ * If we're using an older version, rename it ourselves.
+ */
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
 
 namespace mozilla_security_manager {
 
 // Based on nsNSSCertificateDB::handleCACertDownload, minus the UI bits.
 bool ImportCACerts(const net::CertificateList& certificates,
                    net::X509Certificate* root,
                    net::CertDatabase::TrustBits trustBits,
                    net::CertDatabase::ImportCertFailureList* not_imported) {
+  if (certificates.empty() || !root)
+    return false;
+
   crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
   if (!slot.get()) {
     LOG(ERROR) << "Couldn't get internal key slot!";
     return false;
   }
 
   // Mozilla had some code here to check if a perm version of the cert exists
   // already and use that, but CERT_NewTempCertificate actually does that
   // itself, so we skip it here.
 
@@ skipping 82 matching lines @@
           cert, net::ERR_IMPORT_CA_CERT_FAILED));
     }
   }
 
   // Any errors importing individual certs will be in listed in |not_imported|.
   return true;
 }
 
 // Based on nsNSSCertificateDB::ImportServerCertificate.
 bool ImportServerCert(const net::CertificateList& certificates,
+                      net::CertDatabase::TrustBits trustBits,
                       net::CertDatabase::ImportCertFailureList* not_imported) {
+  if (certificates.empty())
+    return false;
+
   crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
   if (!slot.get()) {
     LOG(ERROR) << "Couldn't get internal key slot!";
     return false;
   }
 
   for (size_t i = 0; i < certificates.size(); ++i) {
     const scoped_refptr<net::X509Certificate>& cert = certificates[i];
 
     // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
     // PK11_ImportCert instead.
     SECStatus srv = PK11_ImportCert(
         slot.get(),
         cert->os_cert_handle(),
         CK_INVALID_HANDLE,
         cert->GetDefaultNickname(net::SERVER_CERT).c_str(),
         PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       not_imported->push_back(net::CertDatabase::ImportCertFailure(
           cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
       continue;
     }
   }
 
-  // Set as valid peer, but without any extra trust.
-  SetCertTrust(certificates[0].get(), net::SERVER_CERT,
-               net::CertDatabase::UNTRUSTED);
+  SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
   // TODO(mattm): Report SetCertTrust result?  Putting in not_imported
   // wouldn't quite match up since it was imported...
 
   // Any errors importing individual certs will be in listed in |not_imported|.
   return true;
 }
 
 // Based on nsNSSCertificateDB::SetCertTrust.
 bool
 SetCertTrust(const net::X509Certificate* cert,
              net::CertType type,
              net::CertDatabase::TrustBits trustBits)
 {
+  const unsigned kSSLTrustBits = net::CertDatabase::TRUSTED_SSL |
+      net::CertDatabase::DISTRUSTED_SSL;
+  const unsigned kEmailTrustBits = net::CertDatabase::TRUSTED_EMAIL |
+      net::CertDatabase::DISTRUSTED_EMAIL;
+  const unsigned kObjSignTrustBits = net::CertDatabase::TRUSTED_OBJ_SIGN |
+      net::CertDatabase::DISTRUSTED_OBJ_SIGN;
+  if ((trustBits & kSSLTrustBits) == kSSLTrustBits ||
+      (trustBits & kEmailTrustBits) == kEmailTrustBits ||
+      (trustBits & kObjSignTrustBits) == kObjSignTrustBits) {
+    LOG(ERROR) << "SetCertTrust called with conflicting trust bits "
+               << trustBits;
+    NOTREACHED();
+    return false;
+  }
+
   SECStatus srv;
-  nsNSSCertTrust trust;
   CERTCertificate *nsscert = cert->os_cert_handle();
   if (type == net::CA_CERT) {
-    // always start with untrusted and move up
-    trust.SetValidCA();
-    trust.AddCATrust(trustBits & net::CertDatabase::TRUSTED_SSL,
-                     trustBits & net::CertDatabase::TRUSTED_EMAIL,
-                     trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN);
-    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
-                               nsscert,
-                               trust.GetTrust());
+    // Note that we start with CERTDB_VALID_CA for default trust and explicit
+    // trust, but explicitly distrusted usages will be set to
+    // CERTDB_TERMINAL_RECORD only.
+    CERTCertTrust trust = {CERTDB_VALID_CA, CERTDB_VALID_CA, CERTDB_VALID_CA};
+
+    if (trustBits & net::CertDatabase::DISTRUSTED_SSL)
+      trust.sslFlags = CERTDB_TERMINAL_RECORD;
+    else if (trustBits & net::CertDatabase::TRUSTED_SSL)
+      trust.sslFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+
+    if (trustBits & net::CertDatabase::DISTRUSTED_EMAIL)
+      trust.emailFlags = CERTDB_TERMINAL_RECORD;
+    else if (trustBits & net::CertDatabase::TRUSTED_EMAIL)
+      trust.emailFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+
+    if (trustBits & net::CertDatabase::DISTRUSTED_OBJ_SIGN)
+      trust.objectSigningFlags = CERTDB_TERMINAL_RECORD;
+    else if (trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN)
+      trust.objectSigningFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+
+    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
   } else if (type == net::SERVER_CERT) {
-    // always start with untrusted and move up
-    trust.SetValidPeer();
-    trust.AddPeerTrust(trustBits & net::CertDatabase::TRUSTED_SSL, 0, 0);
-    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
-                               nsscert,
-                               trust.GetTrust());
+    CERTCertTrust trust = {0};
+    // We only modify the sslFlags, so copy the other flags.
+    CERT_GetCertTrust(nsscert, &trust);
+    trust.sslFlags = 0;
+
+    if (trustBits & net::CertDatabase::DISTRUSTED_SSL)
+      trust.sslFlags |= CERTDB_TERMINAL_RECORD;
+    else if (trustBits & net::CertDatabase::TRUSTED_SSL)
+      trust.sslFlags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
+
+    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
   } else {
     // ignore user and email/unknown certs
     return true;
   }
   if (srv != SECSuccess)
     LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
   return srv == SECSuccess;
 }
 
 }  // namespace mozilla_security_manager