Fix imported server certs being distrusted in NSS 3.13.

net/base/cert_database.h

Index: net/base/cert_database.h
diff --git a/net/base/cert_database.h b/net/base/cert_database.h
index 2e95624c911c1d070f6d4d1df65a6d93fbdc9e13..190054d2438f1069f116fd481961e9b8808a41e5 100644
--- a/net/base/cert_database.h
+++ b/net/base/cert_database.h
@@ -80,14 +80,18 @@ class NET_EXPORT CertDatabase {
   // trusted as a server.
   // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is
   // trusted for email.
+  // For non-root certs, TRUST_TERMINAL_RECORD specifies that the cert should
+  // not inherit trust from the issuer cert chain, and the cert will be trusted
+  // or not based only on which TRUSTED_* flags are set.
   // NOTE: The actual constants are defined using an enum instead of static
   // consts due to compilation/linkage constraints with template functions.
   typedef uint32 TrustBits;
   enum {
-    UNTRUSTED        =      0,
-    TRUSTED_SSL      = 1 << 0,
-    TRUSTED_EMAIL    = 1 << 1,
-    TRUSTED_OBJ_SIGN = 1 << 2,
+    UNTRUSTED             =      0,
+    TRUSTED_SSL           = 1 << 0,
+    TRUSTED_EMAIL         = 1 << 1,
+    TRUSTED_OBJ_SIGN      = 1 << 2,
+    TRUST_TERMINAL_RECORD = 1 << 3,

[Ryan Sleevi, 2012/03/29 23:35:13]

This is unfortunately very specific to NSS, which I think makes it hard to see
this as a generic interface.

While I realize this is an existing issue, it might be worth considering moving
this into an #ifdef for NSS.

[wtc, 2012/03/30 22:00:50]

We need to think this through.  The low-level NSS trust flags
are hard to understand.  Ideally we should create a more
intuitive set of trust flags here and map them to the NSS
trust flags internally.

   };
 
   CertDatabase();
@@ -162,6 +166,7 @@ class NET_EXPORT CertDatabase {
   // |not_imported| should be checked for any certificates that were not
   // imported.
   bool ImportServerCert(const CertificateList& certificates,
+                        TrustBits trust_bits,

[Ryan Sleevi, 2012/03/29 23:35:13]

OpenSSL and Android have no such concept.

Android: http://developer.android.com/reference/android/security/KeyChain.html

[wtc, 2012/03/30 22:00:50]

One solution might be to make ImportCACerts and
ImportServerCert do nothing but importing the certs, and
require a separate SetCertTrust call to set the trust.
This allows us to implement ImportCACerts and
ImportServerCert (with neutral trust) with OpenSSL and
Android.

[mattm, 2012/03/30 22:16:56]

Looking at the link Ryan posted, I'm not sure android should  use these
functions at all.  It looks like the only way to import a cert there is through
an Intent (does it involve user confirmation even if the app supplies the cert
to add?).  Synchronous import functions like these might not really be usable
for android?

[Ryan Sleevi, 2012/03/30 22:42:36]

Correct. And they'd like to fix that (and work is in progress somewhat).

I took a second look through cert_database_openssl, and it seems the entire
thing is NotImplemented. So really, we should remove the USE_OPENSSL from the
#if defined() on line 108 and accept that this is a huge NSS-specialization for
now. I'm fine with that. I think the only reason it was added was because of all
the NSS-specifics in the CertificateManagerModel that wanted to be re-used for
OpenSSL.

The only thing about this that is generic (today) is CheckUserCert/AddUserCert,
and both of those need to be made non-blocking callbacks at some point that run
on worker threads.

(AddObserver/RemoveObserver are questionably so - we want to implement them
correctly on other platforms, but as noticed in issues like
http://crbug.com/97462, this requires some UI-thread hopping for OS X, and FILE
thread for Win, so this is not really the same across platforms)

                         ImportCertFailureList* not_imported);
 
   // Get trust bits for certificate.