
Unified Diff: net/base/cert_database_nss.cc

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: chromeos compile fix Created 8 years, 7 months ago
Index: net/base/cert_database_nss.cc
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index 4dde4fcda3a06d689e32f119c48223aa575f6c5c..7e80800147c05b7b4022f28d526e8ac3f35f4e79 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -18,7 +18,6 @@
#include "net/base/net_errors.h"
#include "net/base/x509_certificate.h"
#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
-#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
@@ -199,28 +198,52 @@ bool CertDatabase::ImportCACerts(const CertificateList& certificates,
}
bool CertDatabase::ImportServerCert(const CertificateList& certificates,
+ TrustBits trust_bits,
ImportCertFailureList* not_imported) {
- return psm::ImportServerCert(certificates, not_imported);
+ return psm::ImportServerCert(certificates, trust_bits, not_imported);
}
CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
CertType type) const {
- CERTCertTrust nsstrust;
- SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+ CERTCertTrust trust;
+ SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
if (srv != SECSuccess) {
LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
return UNTRUSTED;
}
- psm::nsNSSCertTrust trust(&nsstrust);
+ // We define our own more "friendly" TrustBits, which means we aren't able to
+ // round-trip all possible NSS trust flag combinations. We try to map them in
+ // a sensible way.
switch (type) {
- case CA_CERT:
- return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
- trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
- trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+ case CA_CERT: {
+ const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
Ryan Sleevi 2012/05/16 03:57:23 Is this correct, to be passing CERTDB_TRUSTED_CLIE
mattm 2012/05/16 22:30:51 Yeah, it's only used for the certificate manager t
+ const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
+
+ // If any of the trust values is explicitly distrusted, return full
+ // explicit distrust.
+ if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD ||
+ (trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD ||
+ (trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+ return EXPLICIT_DISTRUST;
+
+ TrustBits r = UNTRUSTED;
+ if ((trust.sslFlags & kTrustedCA) == kTrustedCA)
+ r |= TRUSTED_SSL;
+ if ((trust.emailFlags & kTrustedCA) == kTrustedCA)
+ r |= TRUSTED_EMAIL;
+ if ((trust.objectSigningFlags & kTrustedCA) == kTrustedCA)
+ r |= TRUSTED_OBJ_SIGN;
+ return r;
+ }
case SERVER_CERT:
- return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
- trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
- trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+ if ((trust.sslFlags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) ==
+ (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD))
+ return TRUSTED_SSL;
+ else if ((trust.sslFlags & CERTDB_TERMINAL_RECORD) ||
+ (trust.emailFlags & CERTDB_TERMINAL_RECORD) ||
+ (trust.objectSigningFlags & CERTDB_TERMINAL_RECORD))
+ return EXPLICIT_DISTRUST;
+ return UNTRUSTED;
default:
return UNTRUSTED;
}
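Review bot: In the CA_CERT branch, `(trust.sslFlags & kTrustedCA) == kTrustedCA` (and the emailFlags and objectSigningFlags equivalents) reports trust only when both CERTDB_TRUSTED_CA and CERTDB_TRUSTED_CLIENT_CA are set, so a CA carrying just one of the two bits comes back as UNTRUSTED. If the intent is "trusted as a CA in either role", which is what the removed HasTrustedCA calls appear to have tested, the check should be `if (trust.sslFlags & kTrustedCA) r |= TRUSTED_SSL;`; under-reporting here means a certificate-manager view built on this value could show a trusted root as untrusted. In the SERVER_CERT branch, the `else if` treats CERTDB_TERMINAL_RECORD in emailFlags or objectSigningFlags as distrust without masking CERTDB_TRUSTED, so a peer trusted only for e-mail would be reported as EXPLICIT_DISTRUST; testing `(flags & (CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) == CERTDB_TERMINAL_RECORD` per field would avoid that. The switch and the body of GetCertTrust close outside the hunk.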
