Adding User Certificate (.crt) Import to Certificate Manager

net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

  /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 188 matching lines @@
   }
 
   SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
   // TODO(mattm): Report SetCertTrust result?  Putting in not_imported
   // wouldn't quite match up since it was imported...
 
   // Any errors importing individual certs will be in listed in |not_imported|.
   return true;
 }
 
+// Based on nsNSSCertificateDB::ImportUserCertificate.
+int ImportUserCert(const net::CertificateList& certificates) {

[mattm, 2015/11/06 23:13:00]

Change the NSS version of CertDatabase::AddUserCert to call this also.

[svaldez, 2015/11/10 15:07:50]

Done.

+  if (certificates.empty())
+    return net::ERR_CERT_INVALID;
+
+  const scoped_refptr<net::X509Certificate>& cert = certificates[0];

[mattm, 2015/11/06 23:13:00]

If this only uses the first cert, just pass that in instead of a list.

[svaldez, 2015/11/10 15:07:50]

We may want to eventually verify the user cert cert chain, and it seems cleaner
to have this method choose the specific cert, instead of having to make all the
callers select the first cert to pass in.

+  CK_OBJECT_HANDLE key;
+  PK11SlotInfo* slot =

[mattm, 2015/11/06 23:13:00]

crypto::ScopedPK11Slot

[svaldez, 2015/11/10 15:07:50]

Done.

+      PK11_KeyForCertExists(cert->os_cert_handle(), &key, NULL);
+
+  if (!slot)
+    return net::ERR_NO_PRIVATE_KEY_FOR_CERT;
+
+  // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
+  // PK11_ImportCert instead.
+  SECStatus srv =
+      PK11_ImportCert(slot, cert->os_cert_handle(), key,
+                      net::x509_util::GetUniqueNicknameForSlot(
+                          cert->GetDefaultNickname(net::SERVER_CERT),

[mattm, 2015/11/06 23:13:00]

USER_CERT?

[svaldez, 2015/11/10 15:07:50]

Done.

+                          &cert->os_cert_handle()->derSubject, slot)
+                          .c_str(),
+                      PR_FALSE /* includeTrust (unused) */);
+
+  if (srv != SECSuccess) {
+    LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
+    return net::ERR_ADD_USER_CERT_FAILED;
+  }
+
+  return net::OK;
+}
+
 // Based on nsNSSCertificateDB::SetCertTrust.
 bool
 SetCertTrust(const net::X509Certificate* cert,
              net::CertType type,
              net::NSSCertDatabase::TrustBits trustBits)
 {
   const unsigned kSSLTrustBits = net::NSSCertDatabase::TRUSTED_SSL |
       net::NSSCertDatabase::DISTRUSTED_SSL;
   const unsigned kEmailTrustBits = net::NSSCertDatabase::TRUSTED_EMAIL |
       net::NSSCertDatabase::DISTRUSTED_EMAIL;
@@ skipping 47 matching lines @@
   } else {
     // ignore user and email/unknown certs
     return true;
   }
   if (srv != SECSuccess)
     LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
   return srv == SECSuccess;
 }
 
 }  // namespace mozilla_security_manager