Fix imported server certs being distrusted in NSS 3.13.

net/third_party/mozilla_security_manager/nsNSSCertTrust.h

Index: net/third_party/mozilla_security_manager/nsNSSCertTrust.h
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.h b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h
index bc42fd01921eb2853eb6786065edb3bea1a2035d..6b38cc27f0bfe0981f6550f4324e658823779b89 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertTrust.h
+++ b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h
@@ -65,9 +65,9 @@ public:
   PRBool HasCA(PRBool checkSSL = PR_TRUE, 
                PRBool checkEmail = PR_TRUE,  
                PRBool checkObjSign = PR_TRUE);
-  PRBool HasPeer(PRBool checkSSL = PR_TRUE, 
-                 PRBool checkEmail = PR_TRUE,  
-                 PRBool checkObjSign = PR_TRUE);
+  PRBool HasTerminalRecord(PRBool checkSSL = PR_TRUE, 

[wtc, 2012/03/30 22:00:50]

HasExplicitTrustOrDistrust may be a better name for
this function.  But HasTerminalRecord reflects the underlying
NSS code more closely.

+                           PRBool checkEmail = PR_TRUE,  
+                           PRBool checkObjSign = PR_TRUE);

[Ryan Sleevi, 2012/03/29 23:35:13]

Is this our code or is this upstream?

Does the license block need to be updated?

[wtc, 2012/03/30 22:00:50]

These files are our permanent fork of Mozilla's certificate
UI code (called Personal Security Manager).  We don't need
to merge with the current upstream.  But we need to keep
the MPL license.

   PRBool HasUser(PRBool checkSSL = PR_TRUE, 
                  PRBool checkEmail = PR_TRUE,  
                  PRBool checkObjSign = PR_TRUE);
@@ -86,9 +86,9 @@ public:
   /* equivalent to "CT,CT,CT" */
   void SetTrustedCA();
   /* equivalent to "p,," */
-  void SetValidServerPeer();
+  void SetTerminalServerRecord();

[wtc, 2012/03/30 22:00:50]

This function should be named SetDistrustedServer.

[mattm, 2012/03/30 22:16:56]

But a trusted server cert should have CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD,
the way I was using it was to first set the SetTerminalServerRecord() and then
AddPeerTrust, calling it SetDistrustedServer would make that code confusing. 
But perhaps it makes more sense to change the AddPeerTrust to add the
CERTDB_TERMINAL_RECORD too (is there any reason you would want to have
CERTDB_TRUSTED without CERTDB_TERMINAL_RECORD?)

[wtc, 2012/03/30 22:39:08]

I see.  Yes, that would make the code confusing.
I suspect CERTDB_TRUSTED is ignored if CERTDB_TERMINAL_RECORD
is not set.  Here is the NSS code:
http://mxr.mozilla.org/security/ident?i=CERTDB_TRUSTED

You see that when NSS sets CERTDB_TRUSTED, it always
sets CERTDB_TERMINAL_RECORD at the same time.

Similarly, NSS code that tests CERTDB_TRUSTED seems
to always test CERTDB_TERMINAL_RECORD first.  For
example, the cert_CheckLeafTrust function works that
way:
http://mxr.mozilla.org/security/ident?i=cert_CheckLeafTrust

   /* equivalent to "p,p,p" */
-  void SetValidPeer();
+  void SetTerminalRecord();

[wtc, 2012/03/30 22:00:50]

This should be named SetDistrustedCert.

   /* equivalent to "P,P,P" */
   void SetTrustedPeer();

[wtc, 2012/03/30 22:00:50]

This should be named SetTrustedCert to avoid the use of
"Peer".

   /* equivalent to "u,u,u" */