
Unified Diff: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 9 months ago
Index: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
index 0cf430d793195af800d8e5746bbdea134f892e0e..40600490d20c257b638ecbcda1e53740b9e033e0 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -158,6 +158,7 @@ bool ImportCACerts(const net::CertificateList& certificates,
// Based on nsNSSCertificateDB::ImportServerCertificate.
bool ImportServerCert(const net::CertificateList& certificates,
+ net::CertDatabase::TrustBits trustBits,
net::CertDatabase::ImportCertFailureList* not_imported) {
crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
if (!slot.get()) {
@@ -184,9 +185,7 @@ bool ImportServerCert(const net::CertificateList& certificates,
}
}
- // Set as valid peer, but without any extra trust.
- SetCertTrust(certificates[0].get(), net::SERVER_CERT,
- net::CertDatabase::UNTRUSTED);
+ SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
// TODO(mattm): Report SetCertTrust result? Putting in not_imported
// wouldn't quite match up since it was imported...
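Review bot: The result of the changed `SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits)` call is still discarded, and that matters more now that the trust value comes from the caller instead of being fixed at `UNTRUSTED`. If the caller passes `TRUST_TERMINAL_RECORD` to pin the certificate as not trusted and the trust change fails, ImportServerCert would presumably still report success while the certificate keeps whatever trust it gets through its issuer chain. The TODO already notes that `not_imported` is an awkward fit, so at minimum the failure should be logged and reflected in the return value; assuming SetCertTrust returns a bool, `if (!SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits)) return false;` would do. The rest of ImportServerCert lies outside this hunk, so confirm what the function returns after this point.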
@@ -209,13 +208,20 @@ SetCertTrust(const net::X509Certificate* cert,
trust.AddCATrust(trustBits & net::CertDatabase::TRUSTED_SSL,
trustBits & net::CertDatabase::TRUSTED_EMAIL,
trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN);
+ if (trustBits & net::CertDatabase::TRUST_TERMINAL_RECORD)
+ trust.SetTerminalRecord();
srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
nsscert,
trust.GetTrust());
} else if (type == net::SERVER_CERT) {
// always start with untrusted and move up
- trust.SetValidPeer();
- trust.AddPeerTrust(trustBits & net::CertDatabase::TRUSTED_SSL, 0, 0);
+ if (trustBits & net::CertDatabase::TRUSTED_SSL) {
+ trust.SetTerminalServerRecord();
+ trust.AddPeerTrust(PR_TRUE, PR_FALSE, PR_FALSE);
+ }
+ if (trustBits & net::CertDatabase::TRUST_TERMINAL_RECORD)
+ trust.SetTerminalRecord();
+
srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
nsscert,
trust.GetTrust());
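Review bot: The context comment `// always start with untrusted and move up` in the `SERVER_CERT` branch no longer describes the code, because `SetValidPeer()` is gone and `trustBits == 0` now writes an empty trust record. It should be replaced with something like `// trustBits == 0 leaves the record empty so NSS falls back to chain validation; TRUSTED_SSL marks a trusted peer; TRUST_TERMINAL_RECORD alone makes a terminal record with no trust bits.` The new code also allows `TRUSTED_SSL` and `TRUST_TERMINAL_RECORD` together, calling `SetTerminalServerRecord()` and then `SetTerminalRecord()`. Whether the second call keeps or clears the peer-trust flags depends on helpers that are not visible here, so either document that the combination is valid or reject it with a `DCHECK`. SetCertTrust begins and ends outside this hunk.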
