net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp - Issue 9940001: Fix imported server certs being distrusted in NSS 3.13.

Unified Diff: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: remove openssl stubs, replace TrustBits::TRUST_TERMINAL_RECORD with EXPLICIT_DISTRUST Created 8 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp ('K') | « net/third_party/mozilla_security_manager/nsNSSCertificateDB.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

index 0cf430d793195af800d8e5746bbdea134f892e0e..b0b5458e40f94590d3b43985309fe9ed3ab6c142 100644

--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

@@ -39,6 +39,7 @@

#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"

#include <cert.h>

+#include <certdb.h>

#include <pk11pub.h>

#include <secerr.h>

@@ -47,7 +48,14 @@

#include "crypto/scoped_nss_types.h"

#include "net/base/net_errors.h"

#include "net/base/x509_certificate.h"

-#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"

+#if !defined(CERTDB_TERMINAL_RECORD)

+/* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD

+ * and marks CERTDB_VALID_PEER as deprecated.

+ * If we're using an older version, rename it ourselves.

+ */

+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER

+#endif

namespace mozilla_security_manager {

@@ -158,6 +166,7 @@ bool ImportCACerts(const net::CertificateList& certificates,

// Based on nsNSSCertificateDB::ImportServerCertificate.

bool ImportServerCert(const net::CertificateList& certificates,

+ net::CertDatabase::TrustBits trustBits,

net::CertDatabase::ImportCertFailureList* not_imported) {

crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());

if (!slot.get()) {

@@ -184,9 +193,7 @@ bool ImportServerCert(const net::CertificateList& certificates,

}

- // Set as valid peer, but without any extra trust.

- SetCertTrust(certificates[0].get(), net::SERVER_CERT,

- net::CertDatabase::UNTRUSTED);

+ SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);

// TODO(mattm): Report SetCertTrust result? Putting in not_imported

// wouldn't quite match up since it was imported...

@@ -200,25 +207,44 @@ SetCertTrust(const net::X509Certificate* cert,

net::CertType type,

net::CertDatabase::TrustBits trustBits)

{

+ if (trustBits & net::CertDatabase::EXPLICIT_DISTRUST) {

+ DCHECK_EQ(trustBits & (net::CertDatabase::TRUSTED_SSL |

+ net::CertDatabase::TRUSTED_EMAIL |

+ net::CertDatabase::TRUSTED_OBJ_SIGN), 0U);

+ }

SECStatus srv;

- nsNSSCertTrust trust;

CERTCertificate *nsscert = cert->os_cert_handle();

if (type == net::CA_CERT) {

- // always start with untrusted and move up

- trust.SetValidCA();

- trust.AddCATrust(trustBits & net::CertDatabase::TRUSTED_SSL,

- trustBits & net::CertDatabase::TRUSTED_EMAIL,

- trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN);

+ CERTCertTrust trust = {CERTDB_VALID_CA, CERTDB_VALID_CA, CERTDB_VALID_CA};

+ if (trustBits & net::CertDatabase::EXPLICIT_DISTRUST) {

+ trust.sslFlags |= CERTDB_TERMINAL_RECORD;

+ trust.emailFlags |= CERTDB_TERMINAL_RECORD;

+ trust.objectSigningFlags |= CERTDB_TERMINAL_RECORD;

+ } else {

+ if (trustBits & net::CertDatabase::TRUSTED_SSL)

+ trust.sslFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;

+ if (trustBits & net::CertDatabase::TRUSTED_EMAIL)

+ trust.emailFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;

+ if (trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN)

+ trust.objectSigningFlags |= CERTDB_TRUSTED_CA |

+ CERTDB_TRUSTED_CLIENT_CA;

+ }

srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),

nsscert,

- trust.GetTrust());

+ &trust);

} else if (type == net::SERVER_CERT) {

- // always start with untrusted and move up

- trust.SetValidPeer();

- trust.AddPeerTrust(trustBits & net::CertDatabase::TRUSTED_SSL, 0, 0);

+ CERTCertTrust trust = {0};

+ if (trustBits & net::CertDatabase::EXPLICIT_DISTRUST) {

+ trust.sslFlags |= CERTDB_TERMINAL_RECORD;

+ trust.emailFlags |= CERTDB_TERMINAL_RECORD;

+ trust.objectSigningFlags |= CERTDB_TERMINAL_RECORD;

+ } else if (trustBits & net::CertDatabase::TRUSTED_SSL) {

+ trust.sslFlags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;

+ }

srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),

nsscert,

- trust.GetTrust());

+ &trust);

} else {

// ignore user and email/unknown certs

return true;

« chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp ('K') | « net/third_party/mozilla_security_manager/nsNSSCertificateDB.h ('k') | no next file » | no next file with comments »