This source file includes the following definitions:
- ImportCACerts
- ImportServerCert
- SetCertTrust
#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
#include <cert.h>
#include <certdb.h>
#include <pk11pub.h>
#include <secerr.h>
#include "base/logging.h"
#include "net/base/net_errors.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util_nss.h"
#if !defined(CERTDB_TERMINAL_RECORD)
#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
#endif
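namespace mozilla_security_manager {

namespace {

// Copies |cert| into |slot| as a permanent certificate object under a
// nickname that is unique within the slot (derived from the certificate's
// default nickname for |type| and its DER-encoded subject). No trust is
// written by this call (includeTrust is PR_FALSE); callers apply trust
// separately through SetCertTrust(). Returns the NSS status of the import
// and logs the NSS error code on failure, which is also left in
// PORT_GetError() for the caller.
SECStatus ImportCertIntoSlot(PK11SlotInfo* slot,
                             net::X509Certificate* cert,
                             net::CertType type) {
  CERTCertificate* nsscert = cert->os_cert_handle();
  SECStatus srv = PK11_ImportCert(
      slot,
      nsscert,
      CK_INVALID_HANDLE,
      net::x509_util::GetUniqueNicknameForSlot(
          cert->GetDefaultNickname(type), &nsscert->derSubject, slot).c_str(),
      PR_FALSE /* includeTrust */);
  if (srv != SECSuccess)
    LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
  return srv;
}

}  // namespace

// Imports a CA chain into |slot|.
//
// |root| is the anchor the caller chose to trust. It is handled first and
// differently from the rest: it must be a CA certificate and must not already
// be permanent; it is imported without chain verification (a new anchor has
// nothing above it in the DB to verify against) and then |trustBits| is
// applied to it via SetCertTrust(). Because this happens before the loop,
// the remaining certificates can verify by chaining up to it.
//
// Every other entry in |certificates| (|root| itself is skipped) must be a CA
// certificate, must not already be permanent, and must verify for
// certUsageVerifyCA against the default cert DB before it is imported;
// intermediates are given no explicit trust of their own. Certificates that
// are skipped or fail are appended to |not_imported| with the matching net::
// error code.
//
// Returns false only for invalid arguments, a failed root import, or a failed
// root trust change. Per-certificate problems in the rest of the chain are
// reported solely through |not_imported|; the function still returns true.
bool ImportCACerts(PK11SlotInfo* slot,
                   const net::CertificateList& certificates,
                   net::X509Certificate* root,
                   net::NSSCertDatabase::TrustBits trustBits,
                   net::NSSCertDatabase::ImportCertFailureList* not_imported) {
  if (!slot || certificates.empty() || !root)
    return false;

  if (!CERT_IsCACert(root->os_cert_handle(), NULL)) {
    not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
        root, net::ERR_IMPORT_CA_CERT_NOT_CA));
  } else if (root->os_cert_handle()->isperm) {
    // Already in a permanent DB: its existing trust record is not modified
    // here; the chain below is still processed against that record.
    not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
        root, net::ERR_IMPORT_CERT_ALREADY_EXISTS));
  } else {
    if (ImportCertIntoSlot(slot, root, net::CA_CERT) != SECSuccess)
      return false;
    // At this point the root is permanent. If the trust change fails it stays
    // imported but without the requested trust, and the caller is told so.
    if (!SetCertTrust(root, net::CA_CERT, trustBits))
      return false;
  }

  // One timestamp for the whole loop so every chain member is checked against
  // the same validity instant.
  PRTime now = PR_Now();
  for (size_t i = 0; i < certificates.size(); ++i) {
    const scoped_refptr<net::X509Certificate>& cert = certificates[i];
    if (cert == root)
      continue;

    if (!CERT_IsCACert(cert->os_cert_handle(), NULL)) {
      not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
          cert, net::ERR_IMPORT_CA_CERT_NOT_CA));
      VLOG(1) << "skipping cert (non-ca)";
      continue;
    }
    if (cert->os_cert_handle()->isperm) {
      not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
          cert, net::ERR_IMPORT_CERT_ALREADY_EXISTS));
      VLOG(1) << "skipping cert (perm)";
      continue;
    }
    // Intermediates are only accepted if the DB (including the root imported
    // above) can build a valid CA chain for them right now.
    if (CERT_VerifyCert(CERT_GetDefaultCertDB(), cert->os_cert_handle(),
                        PR_TRUE, certUsageVerifyCA, now, NULL, NULL) !=
        SECSuccess) {
      not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
          cert, net::ERR_FAILED));
      VLOG(1) << "skipping cert (verify) " << PORT_GetError();
      continue;
    }
    if (ImportCertIntoSlot(slot, cert.get(), net::CA_CERT) != SECSuccess) {
      not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
          cert, net::ERR_IMPORT_CA_CERT_FAILED));
    }
  }
  return true;
}

// Imports a server certificate and its chain into |slot|.
//
// Every entry in |certificates| is copied into the slot; an entry whose import
// fails is recorded in |not_imported| as ERR_IMPORT_SERVER_CERT_FAILED and the
// loop moves on. Afterwards the SSL trust in |trustBits| is applied to
// certificates[0] only — the chain members receive no explicit trust. Note
// that the trust change is attempted even if certificates[0] itself failed to
// import, and that SetCertTrust's result is not propagated (it logs its own
// failure): this function returns false only for a null |slot| or an empty
// list.
bool ImportServerCert(PK11SlotInfo* slot,
                      const net::CertificateList& certificates,
                      net::NSSCertDatabase::TrustBits trustBits,
                      net::NSSCertDatabase::ImportCertFailureList* not_imported) {
  if (!slot || certificates.empty())
    return false;

  for (size_t i = 0; i < certificates.size(); ++i) {
    const scoped_refptr<net::X509Certificate>& cert = certificates[i];
    if (ImportCertIntoSlot(slot, cert.get(), net::SERVER_CERT) != SECSuccess) {
      not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
          cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
    }
  }

  SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
  return true;
}

// Writes the trust expressed by |trustBits| into the default cert DB's trust
// record for |cert|. The mapping onto NSS trust flags depends on |type|:
//
//  - CA_CERT: a fresh record starting from CERTDB_VALID_CA for SSL, email and
//    object signing. For each usage, a DISTRUSTED_* bit replaces that usage's
//    flags with CERTDB_TERMINAL_RECORD; otherwise a TRUSTED_* bit adds
//    CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA. Distrust is tested first,
//    so for a given usage it takes precedence.
//  - SERVER_CERT: the existing record is read back (left zeroed if there is
//    none) so the email and object-signing flags are preserved, and only
//    sslFlags is rewritten: 0 when neither bit is set, CERTDB_TERMINAL_RECORD
//    for DISTRUSTED_SSL, or CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD for
//    TRUSTED_SSL.
//  - any other type: nothing is written and true is returned.
//
// CERTDB_TERMINAL_RECORD is NSS's flag for a trust record that is decisive on
// its own rather than inherited from the issuer; the #define at the top of
// this file falls back to CERTDB_VALID_PEER when the NSS headers do not
// provide it.
//
// A |trustBits| value that both trusts and distrusts the same usage is
// rejected (logged, NOTREACHED, returns false) before anything is written.
// Returns true if the trust record was changed successfully.
bool SetCertTrust(const net::X509Certificate* cert,
                  net::CertType type,
                  net::NSSCertDatabase::TrustBits trustBits) {
  const unsigned kSSLTrustBits = net::NSSCertDatabase::TRUSTED_SSL |
                                 net::NSSCertDatabase::DISTRUSTED_SSL;
  const unsigned kEmailTrustBits = net::NSSCertDatabase::TRUSTED_EMAIL |
                                   net::NSSCertDatabase::DISTRUSTED_EMAIL;
  const unsigned kObjSignTrustBits = net::NSSCertDatabase::TRUSTED_OBJ_SIGN |
                                     net::NSSCertDatabase::DISTRUSTED_OBJ_SIGN;
  if ((trustBits & kSSLTrustBits) == kSSLTrustBits ||
      (trustBits & kEmailTrustBits) == kEmailTrustBits ||
      (trustBits & kObjSignTrustBits) == kObjSignTrustBits) {
    LOG(ERROR) << "SetCertTrust called with conflicting trust bits "
               << trustBits;
    NOTREACHED();
    return false;
  }

  SECStatus srv;
  CERTCertificate* nsscert = cert->os_cert_handle();
  if (type == net::CA_CERT) {
    CERTCertTrust trust = {CERTDB_VALID_CA, CERTDB_VALID_CA, CERTDB_VALID_CA};
    if (trustBits & net::NSSCertDatabase::DISTRUSTED_SSL)
      trust.sslFlags = CERTDB_TERMINAL_RECORD;
    else if (trustBits & net::NSSCertDatabase::TRUSTED_SSL)
      trust.sslFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;

    if (trustBits & net::NSSCertDatabase::DISTRUSTED_EMAIL)
      trust.emailFlags = CERTDB_TERMINAL_RECORD;
    else if (trustBits & net::NSSCertDatabase::TRUSTED_EMAIL)
      trust.emailFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;

    if (trustBits & net::NSSCertDatabase::DISTRUSTED_OBJ_SIGN)
      trust.objectSigningFlags = CERTDB_TERMINAL_RECORD;
    else if (trustBits & net::NSSCertDatabase::TRUSTED_OBJ_SIGN)
      trust.objectSigningFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;

    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
  } else if (type == net::SERVER_CERT) {
    // Start from the current record so that only the SSL usage changes; if
    // CERT_GetCertTrust fails the zero-initialised record is used as-is.
    CERTCertTrust trust = {0};
    CERT_GetCertTrust(nsscert, &trust);
    trust.sslFlags = 0;
    if (trustBits & net::NSSCertDatabase::DISTRUSTED_SSL)
      trust.sslFlags |= CERTDB_TERMINAL_RECORD;
    else if (trustBits & net::NSSCertDatabase::TRUSTED_SSL)
      trust.sslFlags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
    srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
  } else {
    return true;
  }

  if (srv != SECSuccess)
    LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
  return srv == SECSuccess;
}

}  // namespace mozilla_security_manager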