Adding User Certificate (.crt) Import to Certificate Manager

net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

  /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 26 matching lines @@
  * ***** END LICENSE BLOCK ***** */
 
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <pk11pub.h>
 #include <secerr.h>
 
 #include "base/logging.h"
+#include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_nss.h"
 
 #if !defined(CERTDB_TERMINAL_RECORD)
 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
  * and marks CERTDB_VALID_PEER as deprecated.
  * If we're using an older version, rename it ourselves.
  */
 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
@@ skipping 142 matching lines @@
   }
 
   SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
   // TODO(mattm): Report SetCertTrust result?  Putting in not_imported
   // wouldn't quite match up since it was imported...
 
   // Any errors importing individual certs will be in listed in |not_imported|.
   return true;
 }
 
+// Based on nsNSSCertificateDB::ImportUserCertificate.
+int ImportUserCert(const net::CertificateList& certificates) {
+  if (certificates.empty())
+    return net::ERR_CERT_INVALID;
+
+  const scoped_refptr<net::X509Certificate>& cert = certificates[0];
+  CK_OBJECT_HANDLE key;
+  crypto::ScopedPK11Slot slot(
+      PK11_KeyForCertExists(cert->os_cert_handle(), &key, NULL));
+
+  if (!slot.get())
+    return net::ERR_NO_PRIVATE_KEY_FOR_CERT;
+
+  // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
+  // PK11_ImportCert instead.
+  SECStatus srv =
+      PK11_ImportCert(slot.get(), cert->os_cert_handle(), key,
+                      net::x509_util::GetUniqueNicknameForSlot(
+                          cert->GetDefaultNickname(net::USER_CERT),
+                          &cert->os_cert_handle()->derSubject, slot.get())
+                          .c_str(),
+                      PR_FALSE /* includeTrust (unused) */);
+
+  if (srv != SECSuccess) {
+    LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
+    return net::ERR_ADD_USER_CERT_FAILED;
+  }
+
+  return net::OK;
+}
+
 // Based on nsNSSCertificateDB::SetCertTrust.
 bool
 SetCertTrust(const net::X509Certificate* cert,
              net::CertType type,
              net::NSSCertDatabase::TrustBits trustBits)
 {
   const unsigned kSSLTrustBits = net::NSSCertDatabase::TRUSTED_SSL |
       net::NSSCertDatabase::DISTRUSTED_SSL;
   const unsigned kEmailTrustBits = net::NSSCertDatabase::TRUSTED_EMAIL |
       net::NSSCertDatabase::DISTRUSTED_EMAIL;
@@ skipping 47 matching lines @@
   } else {
     // ignore user and email/unknown certs
     return true;
   }
   if (srv != SECSuccess)
     LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
   return srv == SECSuccess;
 }
 
 }  // namespace mozilla_security_manager