authormattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-04 22:51:20 +0000
committermattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-04 22:51:20 +0000
commit8d80ef42bd2aeb75fa202c0575b7150ebe9421ac (patch)
treef271f806831d99ca527e0eef0a762d88c0639e85
parent57b839a8f8252d5a92695bbb7aef90acd911ee2f (diff)
CertDatabase: Add GetCertTrust method.
BUG=19991 TEST=net_unittests Review URL: http://codereview.chromium.org/3614001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@61428 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/cert_database.h3
-rw-r--r--net/base/cert_database_nss.cc25
-rw-r--r--net/base/cert_database_nss_unittest.cc9
3 files changed, 37 insertions, 0 deletions
diff --git a/net/base/cert_database.h b/net/base/cert_database.h
index 52888fe..5d7673f 100644
--- a/net/base/cert_database.h
+++ b/net/base/cert_database.h
@@ -115,6 +115,9 @@ class CertDatabase {
unsigned int trust_bits,
ImportCertFailureList* not_imported);
+ // Get trust bits for certificate.
+ int GetCertTrust(const X509Certificate* cert, CertType type) const;
+
// Set trust values for certificate.
// Returns true on success or false on failure.
bool SetCertTrust(const X509Certificate* cert,
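Review bot: The new declaration returns `int`, while the neighbouring SetCertTrust takes `unsigned int trusted` and ImportCACerts takes `unsigned int trust_bits`, so the two halves of the same bitmask API disagree on type and feeding a GetCertTrust result back into SetCertTrust goes through a signed/unsigned conversion; `unsigned int GetCertTrust(const X509Certificate* cert, CertType type) const;` keeps them consistent. The one-line comment also leaves the contract unstated: the implementation in this commit returns a combination of TRUSTED_* bits (all three usage bits for SERVER_CERT/EMAIL_CERT, not only the one matching |type|) and falls back to UNTRUSTED when NSS cannot read the trust record or |type| is unrecognised. I would replace the comment with `// Returns the TRUSTED_* bits recorded for |cert| when treated as |type|, or UNTRUSTED if the trust record cannot be read or |type| is unknown.` Callers comparing the result with `==` against a single TRUSTED_* value, as the new unit tests do, need that first point spelled out.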
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index 18c7eba..8ddfe39 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -16,6 +16,7 @@
#include "net/base/net_errors.h"
#include "net/base/x509_certificate.h"
#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
+#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
// PSM = Mozilla's Personal Security Manager.
@@ -147,6 +148,30 @@ bool CertDatabase::ImportCACerts(const CertificateList& certificates,
return psm::ImportCACerts(certificates, root, trust_bits, not_imported);
}
+int CertDatabase::GetCertTrust(
+ const X509Certificate* cert, CertType type) const {
+ CERTCertTrust nsstrust;
+ SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+ if (srv != SECSuccess) {
+ LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+ return UNTRUSTED;
+ }
+ psm::nsNSSCertTrust trust(&nsstrust);
+ switch (type) {
+ case CA_CERT:
+ return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
+ trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
+ trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+ case SERVER_CERT:
+ case EMAIL_CERT:
+ return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
+ trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
+ trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+ default:
+ return UNTRUSTED;
+ }
+}
+
bool CertDatabase::SetCertTrust(const X509Certificate* cert,
CertType type,
unsigned int trusted) {
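Review bot: In GetCertTrust the trust mask is built by multiplying the PRBool returned by HasTrustedCA()/HasTrustedPeer() by an enumerator (`trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + ...`), which silently depends on the helper returning exactly 0 or 1 and on the TRUSTED_* values being disjoint bits; setting bits explicitly states the intent and cannot over-count. The CERT_GetCertTrust failure path is fail-closed, which is the right default for a trust query, but the caller cannot tell an NSS error from a certificate with an empty trust record, so that deserves a comment on the `return UNTRUSTED;` after the LOG(ERROR): `// Fail closed: an NSS lookup error is indistinguishable from "no trust" for callers.` Note that the original already yields 0 when no bit is set, which only equals UNTRUSTED if that enumerator is 0 — the enum is not in this diff, so I have not verified it. The hunk ends inside SetCertTrust's signature; its body is outside the hunk.
```cpp
  psm::nsNSSCertTrust trust(&nsstrust);
  int trust_bits = 0;
  switch (type) {
    case CA_CERT:
      if (trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE))
        trust_bits |= TRUSTED_SSL;
      if (trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE))
        trust_bits |= TRUSTED_EMAIL;
      if (trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE))
        trust_bits |= TRUSTED_OBJ_SIGN;
      break;
    case SERVER_CERT:
    case EMAIL_CERT:
      // … same three checks against trust.HasTrustedPeer() …
      break;
    default:
      // Unknown certificate type: fail closed.
      return UNTRUSTED;
  }
  return trust_bits;
```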
diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc
index b115ac0..40754d8 100644
--- a/net/base/cert_database_nss_unittest.cc
+++ b/net/base/cert_database_nss_unittest.cc
@@ -197,6 +197,9 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("Test CA", cert->subject().common_name);
+ EXPECT_EQ(CertDatabase::TRUSTED_SSL,
+ cert_db_.GetCertTrust(cert.get(), CA_CERT));
+
psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
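Review bot: The new assertion covers only the CA_CERT branch of GetCertTrust; nothing in this commit exercises the SERVER_CERT/EMAIL_CERT path, which reads HasTrustedPeer() rather than HasTrustedCA(), nor the fail-closed `default:` return for an unrecognised type. If this file has a server or peer certificate import test, adding `EXPECT_EQ(CertDatabase::TRUSTED_SSL, cert_db_.GetCertTrust(cert.get(), SERVER_CERT));` there would pin the second branch; a query with a type the switch does not handle should assert `CertDatabase::UNTRUSTED`. The enclosing test body continues outside the hunk.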
@@ -226,6 +229,9 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("Test CA", cert->subject().common_name);
+ EXPECT_EQ(CertDatabase::TRUSTED_EMAIL,
+ cert_db_.GetCertTrust(cert.get(), CA_CERT));
+
psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
@@ -254,6 +260,9 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("Test CA", cert->subject().common_name);
+ EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN,
+ cert_db_.GetCertTrust(cert.get(), CA_CERT));
+
psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));