
Side by Side Diff: net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

Issue 15315003: Generate unique certificate nicknames on Linux/CrOS. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: _NE -> _STRNE Created 7 years, 7 months ago
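--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -1,10 +1,10 @@
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ -41,20 +41,21 @@
 #include <cert.h>
 #include <certdb.h>
 #include <pk11pub.h>
 #include <secerr.h>
 
 #include "base/logging.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util_nss.h"
 
 #if !defined(CERTDB_TERMINAL_RECORD)
 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
 * and marks CERTDB_VALID_PEER as deprecated.
 * If we're using an older version, rename it ourselves.
 */
 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
 #endif
 
 namespace mozilla_security_manager {
@@ -88,21 +89,24 @@
 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
 root, net::ERR_IMPORT_CERT_ALREADY_EXISTS));
 } else {
 // Mozilla uses CERT_AddTempCertToPerm, however it is privately exported,
 // and it doesn't take the slot as an argument either. Instead, we use
 // PK11_ImportCert and CERT_ChangeCertTrust.
 SECStatus srv = PK11_ImportCert(
 slot.get(),
 root->os_cert_handle(),
 CK_INVALID_HANDLE,
-root->GetDefaultNickname(net::CA_CERT).c_str(),
+net::x509_util::GetUniqueNicknameForSlot(
+root->GetDefaultNickname(net::CA_CERT),
+&root->os_cert_handle()->derSubject,
+slot.get()).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
 return false;
 }
 if (!SetCertTrust(root, net::CA_CERT, trustBits))
 return false;
 }
 
 PRTime now = PR_Now();
@@ -145,21 +149,24 @@
 VLOG(1) << "skipping cert (verify) " << PORT_GetError();
 continue;
 }
 
 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
 // PK11_ImportCert instead.
 SECStatus srv = PK11_ImportCert(
 slot.get(),
 cert->os_cert_handle(),
 CK_INVALID_HANDLE,
-cert->GetDefaultNickname(net::CA_CERT).c_str(),
+net::x509_util::GetUniqueNicknameForSlot(
+cert->GetDefaultNickname(net::CA_CERT),
+&cert->os_cert_handle()->derSubject,
+slot.get()).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
 // TODO(mattm): Should we bail or continue on error here? Mozilla doesn't
 // check error code at all.
 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
 cert, net::ERR_IMPORT_CA_CERT_FAILED));
 }
 }
 
@@ -183,21 +190,24 @@
 
 for (size_t i = 0; i < certificates.size(); ++i) {
 const scoped_refptr<net::X509Certificate>& cert = certificates[i];
 
 // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
 // PK11_ImportCert instead.
 SECStatus srv = PK11_ImportCert(
 slot.get(),
 cert->os_cert_handle(),
 CK_INVALID_HANDLE,
-cert->GetDefaultNickname(net::SERVER_CERT).c_str(),
+net::x509_util::GetUniqueNicknameForSlot(
+cert->GetDefaultNickname(net::SERVER_CERT),
+&cert->os_cert_handle()->derSubject,
+slot.get()).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
 not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
 cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
 continue;
 }
 }
 
 SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
@@ -268,10 +278,10 @@
 } else {
 // ignore user and email/unknown certs
 return true;
 }
 if (srv != SECSuccess)
 LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
 return srv == SECSuccess;
 }
 
 } // namespace mozilla_security_manager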
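Review bot: The four-line GetUniqueNicknameForSlot(...) expression is repeated verbatim at all three PK11_ImportCert call sites (new lines 99-102, 159-162 and 200-203), differing only in the certificate variable and the net::CA_CERT / net::SERVER_CERT type, so a file-local helper taking the certificate, the type and the slot would keep the three from drifting apart the next time the nickname derivation changes. Each site also hands the returned std::string's .c_str() straight to PK11_ImportCert, which is correct only because that temporary lives until the end of the full-expression; a one-line comment such as `// The temporary nickname string outlives the PK11_ImportCert call.` would stop a future refactor from hoisting the pointer. The enclosing import functions start and end outside the visible hunks, so the helper's placement before the first of them is inferred rather than seen; the parameter types below are likewise inferred from how root, cert and slot are used.
```cpp
// Nickname handed to PK11_ImportCert for |cert| in |slot|; the caller must
// keep the returned string alive for the duration of that call.
static std::string GetUniqueNickname(net::X509Certificate* cert,
                                     net::CertType type,
                                     PK11SlotInfo* slot) {
  return net::x509_util::GetUniqueNicknameForSlot(
      cert->GetDefaultNickname(type),
      &cert->os_cert_handle()->derSubject,
      slot);
}

// … unchanged: PK11_ImportCert call, with only the nickname argument replaced …
      GetUniqueNickname(root, net::CA_CERT, slot.get()).c_str(),
```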