Fix imported server certs being distrusted in NSS 3.13.

net/base/cert_database_nss.cc

Index: net/base/cert_database_nss.cc
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index 4dde4fcda3a06d689e32f119c48223aa575f6c5c..6b384470fb2ac24db7df5c0f4b0ce23821904d65 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -18,7 +18,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
-#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
@@ -199,28 +198,52 @@ bool CertDatabase::ImportCACerts(const CertificateList& certificates,
 }
 
 bool CertDatabase::ImportServerCert(const CertificateList& certificates,
+                                    TrustBits trust_bits,
                                     ImportCertFailureList* not_imported) {
-  return psm::ImportServerCert(certificates, not_imported);
+  return psm::ImportServerCert(certificates, trust_bits, not_imported);
 }
 
 CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
                                                    CertType type) const {
-  CERTCertTrust nsstrust;
-  SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+  CERTCertTrust trust;
+  SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
   if (srv != SECSuccess) {
     LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
     return UNTRUSTED;
   }
-  psm::nsNSSCertTrust trust(&nsstrust);
+  // We define our own more "friendly" TrustBits, which means we aren't able to
+  // round-trip all possible NSS trust flag combinations.  We try to map them in
+  // a sensible way.
   switch (type) {
-    case CA_CERT:
-      return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
-          trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
-          trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+    case CA_CERT: {
+      const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+      const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
+
+      // If any of the trust values is explicitly distrusted, return full
+      // explicit distrust.
+      if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD ||
+          (trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD ||
+          (trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+        return EXPLICIT_DISTRUST;
+
+      TrustBits r = UNTRUSTED;
+      if (trust.sslFlags & kTrustedCA)
+        r |= TRUSTED_SSL;
+      if (trust.emailFlags & kTrustedCA)
+        r |= TRUSTED_EMAIL;
+      if (trust.objectSigningFlags & kTrustedCA)
+        r |= TRUSTED_OBJ_SIGN;
+      return r;
+    }
     case SERVER_CERT:
-      return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
-          trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
-          trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+      if ((trust.sslFlags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) ==

[wtc, 2012/05/16 23:37:12]

I think we should also check trust.emailFlags and
trust.objectSigningFlags.

+          (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD))
+        return TRUSTED_SSL;
+      else if ((trust.sslFlags & CERTDB_TERMINAL_RECORD) ||

[wtc, 2012/05/16 23:37:12]

Remove "else".

[wtc, 2012/05/16 23:37:12]

Remove "else".

We also need to check that CERTDB_TRUSTED is not set.

It is better to perform the tests like this:

  TrustBits r = UNTRUSTED;
  if (trust.sslFlags & CERTDB_TERMINAL_RECORD) {
    if (trust.sslFlags & CERTDB_TRUSTED)
      r |= TRUSTED_SSL;
    else
      r |= EXPLICIT_DISTRUST;  // or DISTRUSTED_SSL
  }
  // repeat for trust.emailFlags and trust.objectSigningFlags
  return r;

[mattm, 2012/05/18 03:40:54]

Done.

+               (trust.emailFlags & CERTDB_TERMINAL_RECORD) ||
+               (trust.objectSigningFlags & CERTDB_TERMINAL_RECORD))
+        return EXPLICIT_DISTRUST;
+      return UNTRUSTED;
     default:
       return UNTRUSTED;
   }