OLD | NEW |
1 /* ***** BEGIN LICENSE BLOCK ***** | 1 /* ***** BEGIN LICENSE BLOCK ***** |
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
3 * | 3 * |
4 * The contents of this file are subject to the Mozilla Public License Version | 4 * The contents of this file are subject to the Mozilla Public License Version |
5 * 1.1 (the "License"); you may not use this file except in compliance with | 5 * 1.1 (the "License"); you may not use this file except in compliance with |
6 * the License. You may obtain a copy of the License at | 6 * the License. You may obtain a copy of the License at |
7 * http://www.mozilla.org/MPL/ | 7 * http://www.mozilla.org/MPL/ |
8 * | 8 * |
9 * Software distributed under the License is distributed on an "AS IS" basis, | 9 * Software distributed under the License is distributed on an "AS IS" basis, |
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License | 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License |
(...skipping 26 matching lines...) Expand all Loading... |
37 * ***** END LICENSE BLOCK ***** */ | 37 * ***** END LICENSE BLOCK ***** */ |
38 | 38 |
39 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 39 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
40 | 40 |
41 #include <cert.h> | 41 #include <cert.h> |
42 #include <certdb.h> | 42 #include <certdb.h> |
43 #include <pk11pub.h> | 43 #include <pk11pub.h> |
44 #include <secerr.h> | 44 #include <secerr.h> |
45 | 45 |
46 #include "base/logging.h" | 46 #include "base/logging.h" |
| 47 #include "crypto/scoped_nss_types.h" |
47 #include "net/base/net_errors.h" | 48 #include "net/base/net_errors.h" |
48 #include "net/cert/x509_certificate.h" | 49 #include "net/cert/x509_certificate.h" |
49 #include "net/cert/x509_util_nss.h" | 50 #include "net/cert/x509_util_nss.h" |
50 | 51 |
51 #if !defined(CERTDB_TERMINAL_RECORD) | 52 #if !defined(CERTDB_TERMINAL_RECORD) |
52 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD | 53 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD |
53 * and marks CERTDB_VALID_PEER as deprecated. | 54 * and marks CERTDB_VALID_PEER as deprecated. |
54 * If we're using an older version, rename it ourselves. | 55 * If we're using an older version, rename it ourselves. |
55 */ | 56 */ |
56 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER | 57 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
(...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
199 } | 200 } |
200 | 201 |
201 SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits); | 202 SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits); |
202 // TODO(mattm): Report SetCertTrust result? Putting in not_imported | 203 // TODO(mattm): Report SetCertTrust result? Putting in not_imported |
203 // wouldn't quite match up since it was imported... | 204 // wouldn't quite match up since it was imported... |
204 | 205 |
205 // Any errors importing individual certs will be in listed in |not_imported|. | 206 // Any errors importing individual certs will be in listed in |not_imported|. |
206 return true; | 207 return true; |
207 } | 208 } |
208 | 209 |
| 210 // Based on nsNSSCertificateDB::ImportUserCertificate. |
| 211 int ImportUserCert(const net::CertificateList& certificates) { |
| 212 if (certificates.empty()) |
| 213 return net::ERR_CERT_INVALID; |
| 214 |
| 215 const scoped_refptr<net::X509Certificate>& cert = certificates[0]; |
| 216 CK_OBJECT_HANDLE key; |
| 217 crypto::ScopedPK11Slot slot( |
| 218 PK11_KeyForCertExists(cert->os_cert_handle(), &key, NULL)); |
| 219 |
| 220 if (!slot.get()) |
| 221 return net::ERR_NO_PRIVATE_KEY_FOR_CERT; |
| 222 |
| 223 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use |
| 224 // PK11_ImportCert instead. |
| 225 SECStatus srv = |
| 226 PK11_ImportCert(slot.get(), cert->os_cert_handle(), key, |
| 227 net::x509_util::GetUniqueNicknameForSlot( |
| 228 cert->GetDefaultNickname(net::USER_CERT), |
| 229 &cert->os_cert_handle()->derSubject, slot.get()) |
| 230 .c_str(), |
| 231 PR_FALSE /* includeTrust (unused) */); |
| 232 |
| 233 if (srv != SECSuccess) { |
| 234 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); |
| 235 return net::ERR_ADD_USER_CERT_FAILED; |
| 236 } |
| 237 |
| 238 return net::OK; |
| 239 } |
| 240 |
209 // Based on nsNSSCertificateDB::SetCertTrust. | 241 // Based on nsNSSCertificateDB::SetCertTrust. |
210 bool | 242 bool |
211 SetCertTrust(const net::X509Certificate* cert, | 243 SetCertTrust(const net::X509Certificate* cert, |
212 net::CertType type, | 244 net::CertType type, |
213 net::NSSCertDatabase::TrustBits trustBits) | 245 net::NSSCertDatabase::TrustBits trustBits) |
214 { | 246 { |
215 const unsigned kSSLTrustBits = net::NSSCertDatabase::TRUSTED_SSL | | 247 const unsigned kSSLTrustBits = net::NSSCertDatabase::TRUSTED_SSL | |
216 net::NSSCertDatabase::DISTRUSTED_SSL; | 248 net::NSSCertDatabase::DISTRUSTED_SSL; |
217 const unsigned kEmailTrustBits = net::NSSCertDatabase::TRUSTED_EMAIL | | 249 const unsigned kEmailTrustBits = net::NSSCertDatabase::TRUSTED_EMAIL | |
218 net::NSSCertDatabase::DISTRUSTED_EMAIL; | 250 net::NSSCertDatabase::DISTRUSTED_EMAIL; |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
266 } else { | 298 } else { |
267 // ignore user and email/unknown certs | 299 // ignore user and email/unknown certs |
268 return true; | 300 return true; |
269 } | 301 } |
270 if (srv != SECSuccess) | 302 if (srv != SECSuccess) |
271 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError(); | 303 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError(); |
272 return srv == SECSuccess; | 304 return srv == SECSuccess; |
273 } | 305 } |
274 | 306 |
275 } // namespace mozilla_security_manager | 307 } // namespace mozilla_security_manager |
OLD | NEW |