Linux: implement Client SSL Certificate selection UI

chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp

 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 670 matching lines @@
   CHECK(arena.get());
 
   if (SEC_ASN1DecodeItem(arena.get(), &item,
                          SEC_ASN1_GET(SEC_BMPStringTemplate), extension_data) ==
       SECSuccess)
     rv = BMPtoUTF8(arena.get(), item.data, item.len);
   return rv;
 }
 
 struct MaskIdPair {
-  unsigned char mask;
+  unsigned int mask;
   int string_id;
 };
 
+static std::string ProcessBitField(SECItem* bitfield,
+                                   const MaskIdPair* string_map,
+                                   size_t len,
+                                   char separator) {
+  unsigned int bits = 0;
+  std::string rv;
+  // NSS bit flags like KU_DIGITAL_SIGNATURE, etc. are defined with the
+  // assumption that the bitfields have at most 8 bits.
+  if (bitfield->len)
+    bits = bitfield->data[0];
+  for (size_t i = 0; i < len; ++i) {
+    if (bits & string_map[i].mask) {
+      if (!rv.empty())
+        rv += separator;
+      rv += l10n_util::GetStringUTF8(string_map[i].string_id);
+    }
+  }
+  return rv;
+}
+
 static std::string ProcessBitStringExtension(SECItem* extension_data,
                                              const MaskIdPair* string_map,
-                                             size_t len) {
+                                             size_t len,
+                                             char separator) {
   SECItem decoded;
   decoded.type = siBuffer;
   decoded.data = NULL;
   decoded.len  = 0;
   if (SEC_ASN1DecodeItem(NULL, &decoded, SEC_ASN1_GET(SEC_BitStringTemplate),
                          extension_data) != SECSuccess)
     return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
-
-  std::string rv;
-  for (size_t i = 0; i < len; ++i) {
-    if (decoded.data[0] & string_map[i].mask) {
-      rv += l10n_util::GetStringUTF8(string_map[i].string_id) + '\n';
-    }
-  }
+  std::string rv = ProcessBitField(&decoded, string_map, len, separator);
   PORT_Free(decoded.data);
   return rv;
 }
 
 std::string ProcessNSCertTypeExtension(SECItem* extension_data) {
-  MaskIdPair usage_string_map[] = {
+  static const MaskIdPair usage_string_map[] = {
     {NS_CERT_TYPE_SSL_CLIENT, IDS_CERT_USAGE_SSL_CLIENT},
     {NS_CERT_TYPE_SSL_SERVER, IDS_CERT_USAGE_SSL_SERVER},
     {NS_CERT_TYPE_EMAIL, IDS_CERT_EXT_NS_CERT_TYPE_EMAIL},
     {NS_CERT_TYPE_OBJECT_SIGNING, IDS_CERT_USAGE_OBJECT_SIGNER},
     {NS_CERT_TYPE_SSL_CA, IDS_CERT_USAGE_SSL_CA},
     {NS_CERT_TYPE_EMAIL_CA, IDS_CERT_EXT_NS_CERT_TYPE_EMAIL_CA},
     {NS_CERT_TYPE_OBJECT_SIGNING_CA, IDS_CERT_USAGE_OBJECT_SIGNER},
   };
   return ProcessBitStringExtension(extension_data, usage_string_map,
-                                   ARRAYSIZE_UNSAFE(usage_string_map));
+                                   ARRAYSIZE_UNSAFE(usage_string_map), '\n');
+}
+
+static const MaskIdPair key_usage_string_map[] = {
+  {KU_DIGITAL_SIGNATURE, IDS_CERT_X509_KEY_USAGE_SIGNING},
+  {KU_NON_REPUDIATION, IDS_CERT_X509_KEY_USAGE_NONREP},
+  {KU_KEY_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_ENCIPHERMENT},
+  {KU_DATA_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_DATA_ENCIPHERMENT},
+  {KU_KEY_AGREEMENT, IDS_CERT_X509_KEY_USAGE_KEY_AGREEMENT},
+  {KU_KEY_CERT_SIGN, IDS_CERT_X509_KEY_USAGE_CERT_SIGNER},
+  {KU_CRL_SIGN, IDS_CERT_X509_KEY_USAGE_CRL_SIGNER},
+  {KU_ENCIPHER_ONLY, IDS_CERT_X509_KEY_USAGE_ENCIPHER_ONLY},
+  // NSS is missing a flag for dechiperOnly, see:
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=549952
+};
+
+std::string ProcessKeyUsageBitString(SECItem* bitstring, char sep) {
+  return ProcessBitField(bitstring, key_usage_string_map,
+                         arraysize(key_usage_string_map), sep);
 }
 
 std::string ProcessKeyUsageExtension(SECItem* extension_data) {
-  MaskIdPair usage_string_map[] = {
-    {KU_DIGITAL_SIGNATURE, IDS_CERT_X509_KEY_USAGE_SIGNING},
-    {KU_NON_REPUDIATION, IDS_CERT_X509_KEY_USAGE_NONREP},
-    {KU_KEY_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_ENCIPHERMENT},
-    {KU_DATA_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_DATA_ENCIPHERMENT},
-    {KU_KEY_AGREEMENT, IDS_CERT_X509_KEY_USAGE_KEY_AGREEMENT},
-    {KU_KEY_CERT_SIGN, IDS_CERT_X509_KEY_USAGE_CERT_SIGNER},
-    {KU_CRL_SIGN, IDS_CERT_X509_KEY_USAGE_CRL_SIGNER},
-  };
-  return ProcessBitStringExtension(extension_data, usage_string_map,
-                                   ARRAYSIZE_UNSAFE(usage_string_map));
+  return ProcessBitStringExtension(extension_data, key_usage_string_map,
+                                   arraysize(key_usage_string_map), '\n');
 }
 
 std::string ProcessExtKeyUsage(SECItem* extension_data) {
   std::string rv;
   CERTOidSequence* extension_key_usage = NULL;
   extension_key_usage = CERT_DecodeOidSequence(extension_data);
   if (extension_key_usage == NULL)
     return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
 
   SECItem** oids;
@@ skipping 50 matching lines @@
     case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
       return ProcessIA5String(extension_data);
     default:
       if (oid_tag == ms_cert_ext_certtype)
         return ProcessBMPString(extension_data);
       return ProcessRawBytes(extension_data);
   }
 }
 
 }  // namespace mozilla_security_manager