*WIP* Store NSS slots per profile. Move keygen to chrome.

net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

  /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 27 matching lines @@
 
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <pk11pub.h>
 #include <secerr.h>
 
 #include "base/logging.h"
 #include "crypto/nss_util_internal.h"
-#include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_nss.h"
 
 #if !defined(CERTDB_TERMINAL_RECORD)
 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
  * and marks CERTDB_VALID_PEER as deprecated.
  * If we're using an older version, rename it ourselves.
  */
 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
 #endif
 
 namespace mozilla_security_manager {
 
 // Based on nsNSSCertificateDB::handleCACertDownload, minus the UI bits.
-bool ImportCACerts(const net::CertificateList& certificates,
+bool ImportCACerts(crypto::ScopedPK11Slot slot,
+                   const net::CertificateList& certificates,
                    net::X509Certificate* root,
                    net::NSSCertDatabase::TrustBits trustBits,
                    net::NSSCertDatabase::ImportCertFailureList* not_imported) {
-  if (certificates.empty() || !root)
+  if (certificates.empty() || !root || !slot.get())
     return false;
 
-  crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
-  if (!slot.get()) {
-    LOG(ERROR) << "Couldn't get internal key slot!";
-    return false;
-  }
-
   // Mozilla had some code here to check if a perm version of the cert exists
   // already and use that, but CERT_NewTempCertificate actually does that
   // itself, so we skip it here.
 
   if (!CERT_IsCACert(root->os_cert_handle(), NULL)) {
     not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
         root, net::ERR_IMPORT_CA_CERT_NOT_CA));
   } else if (root->os_cert_handle()->isperm) {
     // Mozilla just returns here, but we continue in case there are other certs
     // in the list which aren't already imported.
@@ skipping 82 matching lines @@
           cert, net::ERR_IMPORT_CA_CERT_FAILED));
     }
   }
 
   // Any errors importing individual certs will be in listed in |not_imported|.
   return true;
 }
 
 // Based on nsNSSCertificateDB::ImportServerCertificate.
 bool ImportServerCert(
+    crypto::ScopedPK11Slot slot,
     const net::CertificateList& certificates,
     net::NSSCertDatabase::TrustBits trustBits,
     net::NSSCertDatabase::ImportCertFailureList* not_imported) {
-  if (certificates.empty())
+  if (certificates.empty() || !slot.get())
     return false;
 
-  crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
-  if (!slot.get()) {
-    LOG(ERROR) << "Couldn't get internal key slot!";
-    return false;
-  }
-
   for (size_t i = 0; i < certificates.size(); ++i) {
     const scoped_refptr<net::X509Certificate>& cert = certificates[i];
 
     // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
     // PK11_ImportCert instead.
     SECStatus srv = PK11_ImportCert(
         slot.get(),
         cert->os_cert_handle(),
         CK_INVALID_HANDLE,
         net::x509_util::GetUniqueNicknameForSlot(
@@ skipping 77 matching lines @@
   } else {
     // ignore user and email/unknown certs
     return true;
   }
   if (srv != SECSuccess)
     LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
   return srv == SECSuccess;
 }
 
 }  // namespace mozilla_security_manager