authorfalken@google.com <falken@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2012-05-31 04:26:30 +0000
committerfalken@google.com <falken@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2012-05-31 04:26:30 +0000
commit440d59908056a535d4df7e2bdb4ababe122286a9 (patch)
treee26e761c534f3e44240808eccad9292d71f1c77f /chrome/browser
parentc4ca3b454d7a68dd8841d0b2f03f0f81c3cc2a7d (diff)
Revert 139719 - Fix imported server certs being distrusted in NSS 3.13.
Reverting as it seemed to break net_unittests on Linux(dbg)(shared). Add support for intentionally distrusting certs. (Not exposed in the UI yet.) BUG=116411 TEST=CertDatabaseNSSTest Review URL: https://chromiumcodereview.appspot.com/9940001 TBR=mattm@chromium.org Review URL: https://chromiumcodereview.appspot.com/10440110 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@139725 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser')
-rw-r--r--chrome/browser/certificate_manager_model.cc4
-rw-r--r--chrome/browser/certificate_manager_model.h9
-rw-r--r--chrome/browser/chromeos/cros/onc_network_parser.cc10
-rw-r--r--chrome/browser/chromeos/cros/onc_network_parser_unittest.cc2
-rw-r--r--chrome/browser/resources/options2/browser_options.html2
-rw-r--r--chrome/browser/resources/options2/options.html4
-rw-r--r--chrome/browser/resources/options2/options_bundle.js2
-rw-r--r--chrome/browser/ui/webui/options2/certificate_manager2_browsertest.js7
-rw-r--r--chrome/browser/ui/webui/options2/certificate_manager_handler2.cc4
9 files changed, 17 insertions, 27 deletions
diff --git a/chrome/browser/certificate_manager_model.cc b/chrome/browser/certificate_manager_model.cc
index e44a0b6..22af7e8 100644
--- a/chrome/browser/certificate_manager_model.cc
+++ b/chrome/browser/certificate_manager_model.cc
@@ -131,10 +131,8 @@ bool CertificateManagerModel::ImportCACerts(
bool CertificateManagerModel::ImportServerCert(
const net::CertificateList& certificates,
- net::CertDatabase::TrustBits trust_bits,
net::CertDatabase::ImportCertFailureList* not_imported) {
- bool result = cert_db_.ImportServerCert(certificates, trust_bits,
- not_imported);
+ bool result = cert_db_.ImportServerCert(certificates, not_imported);
if (result && not_imported->size() != certificates.size())
Refresh();
return result;
diff --git a/chrome/browser/certificate_manager_model.h b/chrome/browser/certificate_manager_model.h
index b111aa2..cadeebd 100644
--- a/chrome/browser/certificate_manager_model.h
+++ b/chrome/browser/certificate_manager_model.h
@@ -67,7 +67,8 @@ class CertificateManagerModel {
// Tries to import all the certificates given. The root will be trusted
// according to |trust_bits|. Any certificates that could not be imported
// will be listed in |not_imported|.
- // |trust_bits| should be a bit field of TRUST* values from CertDatabase.
+ // |trust_bits| should be a bit field of TRUST_* values from CertDatabase, or
+ // UNTRUSTED.
// Returns false if there is an internal error, otherwise true is returned and
// |not_imported| should be checked for any certificates that were not
// imported.
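Review bot: The restored comment refers to `TRUST_*` values, but the only enumerators visible in this commit are `TRUSTED_SSL` and `UNTRUSTED` (see the onc_network_parser.cc hunk), so the pattern matches nothing a reader can grep for. I would write `// |trust_bits| should be a bit field of TRUSTED_* values from CertDatabase, or UNTRUSTED.` here and in the identical SetCertTrust comment in the next hunk. It would also help to state whether `UNTRUSTED` means "no explicit trust assigned" or "actively distrusted", since a caller choosing trust for an imported CA needs to know which one it is requesting.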
@@ -80,18 +81,16 @@ class CertificateManagerModel {
// not given any trust.
// Any certificates that could not be imported will be listed in
// |not_imported|.
- // |trust_bits| can be set to explicitly trust or distrust the certificate, or
- // use TRUST_DEFAULT to inherit trust as normal.
// Returns false if there is an internal error, otherwise true is returned and
// |not_imported| should be checked for any certificates that were not
// imported.
bool ImportServerCert(
const net::CertificateList& certificates,
- net::CertDatabase::TrustBits trust_bits,
net::CertDatabase::ImportCertFailureList* not_imported);
// Set trust values for certificate.
- // |trust_bits| should be a bit field of TRUST* values from CertDatabase.
+ // |trust_bits| should be a bit field of TRUST_* values from CertDatabase, or
+ // UNTRUSTED.
// Returns true on success or false on failure.
bool SetCertTrust(const net::X509Certificate* cert,
net::CertType type,
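Review bot: With the `trust_bits` parameter gone, the ImportServerCert comment says only that the certificate is "not given any trust" and does not say what that means for later verification. The commit being reverted is titled as a fix for imported server certs being distrusted under NSS 3.13, so that behaviour presumably returns with this revert. The declaration should carry a pointer to it, for example `// NOTE: imported with no trust flags; see BUG=116411 for how NSS 3.13 treats such entries.` The SetCertTrust declaration continues past the end of the hunk.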
diff --git a/chrome/browser/chromeos/cros/onc_network_parser.cc b/chrome/browser/chromeos/cros/onc_network_parser.cc
index 0193142..8919b76 100644
--- a/chrome/browser/chromeos/cros/onc_network_parser.cc
+++ b/chrome/browser/chromeos/cros/onc_network_parser.cc
@@ -829,8 +829,6 @@ OncNetworkParser::ParseServerOrCaCertificate(
return NULL;
}
if (trust_type == "Web") {
- // "Web" implies that the certificate is to be trusted for SSL
- // identification.
web_trust = true;
} else {
LOG(WARNING) << "ONC File: certificate contains unknown "
@@ -931,12 +929,12 @@ OncNetworkParser::ParseServerOrCaCertificate(
cert_list.push_back(x509_cert);
net::CertDatabase::ImportCertFailureList failures;
bool success = false;
- net::CertDatabase::TrustBits trust = web_trust ?
- net::CertDatabase::TRUSTED_SSL :
- net::CertDatabase::TRUST_DEFAULT;
if (cert_type == "Server") {
- success = cert_database.ImportServerCert(cert_list, trust, &failures);
+ success = cert_database.ImportServerCert(cert_list, &failures);
} else { // Authority cert
+ net::CertDatabase::TrustBits trust = web_trust ?
+ net::CertDatabase::TRUSTED_SSL :
+ net::CertDatabase::UNTRUSTED;
success = cert_database.ImportCACerts(cert_list, trust, &failures);
}
if (!failures.empty()) {
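Review bot: In the Server branch the parsed `web_trust` flag is now ignored, so an ONC certificate entry of type Server that asks for Web trust is imported exactly like one that does not, and nothing records the difference. Since this is configuration pushed to the device, I would log it instead of dropping it silently, e.g. `if (web_trust) LOG(WARNING) << "ONC File: Web trust is ignored for Server certificates";` before the ImportServerCert call. Separately, the Authority branch maps a missing Web trust to `UNTRUSTED`; it is worth confirming that ImportCACerts treats this as "no trust assigned" and not as explicit distrust. ParseServerOrCaCertificate starts and ends outside the hunk.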
diff --git a/chrome/browser/chromeos/cros/onc_network_parser_unittest.cc b/chrome/browser/chromeos/cros/onc_network_parser_unittest.cc
index 2166689..f738a56 100644
--- a/chrome/browser/chromeos/cros/onc_network_parser_unittest.cc
+++ b/chrome/browser/chromeos/cros/onc_network_parser_unittest.cc
@@ -33,12 +33,14 @@
#include "net/base/crypto_module.h"
#include "net/base/x509_certificate.h"
#include "net/proxy/proxy_config.h"
+#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "third_party/cros_system_api/dbus/service_constants.h"
using ::testing::AnyNumber;
using ::testing::Return;
+namespace msm = mozilla_security_manager;
namespace chromeos {
namespace {
diff --git a/chrome/browser/resources/options2/browser_options.html b/chrome/browser/resources/options2/browser_options.html
index ceafb7a..480d926 100644
--- a/chrome/browser/resources/options2/browser_options.html
+++ b/chrome/browser/resources/options2/browser_options.html
@@ -431,12 +431,10 @@
<section>
<h3 i18n-content="advancedSectionTitleSecurity"></h3>
<div>
-<if expr="pp_ifdef('use_nss') or is_win or is_macosx">
<div class="settings-row">
<button id="certificatesManageButton"
i18n-content="certificatesManageButton"></button>
</div>
-</if>
<div class="checkbox">
<label>
<input id="sslCheckRevocation" type="checkbox">
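Review bot: The `certificatesManageButton` row is now emitted on every build, while the manager pages are gated on `not is_win and not is_macosx` (both hunks in options.html, and the one in options_bundle.js) instead of on `use_nss`. The comment removed from certificate_manager2_browsertest.js states that the certificate manager isn't implemented when OpenSSL is used, so on such a build the button and pages would presumably be present without a working backend. If the NSS check cannot be kept, a comment beside each platform condition would at least keep the assumption visible, e.g. `<!-- Assumes every non-Windows, non-Mac build uses NSS. -->`.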
diff --git a/chrome/browser/resources/options2/options.html b/chrome/browser/resources/options2/options.html
index 696c7a1..1c70554 100644
--- a/chrome/browser/resources/options2/options.html
+++ b/chrome/browser/resources/options2/options.html
@@ -44,7 +44,7 @@
<if expr="pp_ifdef('chromeos') and pp_ifdef('use_ash')">
<link rel="stylesheet" href="chromeos/set_wallpaper_options.css">
</if>
-<if expr="pp_ifdef('use_nss')">
+<if expr="not is_win and not is_macosx">
<link rel="stylesheet" href="certificate_manager.css">
<link rel="stylesheet" href="certificate_tree.css">
</if>
@@ -102,7 +102,7 @@
<if expr="pp_ifdef('chromeos') and pp_ifdef('use_ash')">
<include src="chromeos/set_wallpaper_options.html">
</if>
- <if expr="pp_ifdef('use_nss')">
+ <if expr="not is_win and not is_macosx">
<include src="certificate_manager.html">
</if>
</div>
diff --git a/chrome/browser/resources/options2/options_bundle.js b/chrome/browser/resources/options2/options_bundle.js
index 993995e..819f1f5 100644
--- a/chrome/browser/resources/options2/options_bundle.js
+++ b/chrome/browser/resources/options2/options_bundle.js
@@ -43,7 +43,7 @@
<include src="chromeos/set_wallpaper_options.js"></include>
var SetWallpaperOptions = options.SetWallpaperOptions;
</if>
-<if expr="pp_ifdef('use_nss')">
+<if expr="not is_win and not is_macosx">
<include src="certificate_tree.js"></include>
<include src="certificate_manager.js"></include>
<include src="certificate_restore_overlay.js"></include>
diff --git a/chrome/browser/ui/webui/options2/certificate_manager2_browsertest.js b/chrome/browser/ui/webui/options2/certificate_manager2_browsertest.js
index 5a982850..dba6492b 100644
--- a/chrome/browser/ui/webui/options2/certificate_manager2_browsertest.js
+++ b/chrome/browser/ui/webui/options2/certificate_manager2_browsertest.js
@@ -18,15 +18,14 @@ CertificateManagerWebUITest.prototype = {
browsePreload: 'chrome://settings-frame/certificates',
};
-// Mac and Windows go to native certificate manager, and certificate manager
-// isn't implemented if OpenSSL is used.
-GEN('#if !defined(USE_NSS)');
+// Mac and Windows go to native certificate manager.
+GEN('#if defined(OS_MACOSX) || defined(OS_WIN)');
GEN('#define MAYBE_testOpenCertificateManager ' +
'DISABLED_testOpenCertificateManager');
GEN('#else');
GEN('#define MAYBE_testOpenCertificateManager ' +
'testOpenCertificateManager');
-GEN('#endif // !defined(USE_NSS)');
+GEN('#endif // defined(OS_MACOSX) || defined(OS_WIN)');
// Test opening the certificate manager has correct location.
TEST_F('CertificateManagerWebUITest',
'MAYBE_testOpenCertificateManager', function() {
diff --git a/chrome/browser/ui/webui/options2/certificate_manager_handler2.cc b/chrome/browser/ui/webui/options2/certificate_manager_handler2.cc
index 707ea97..a8ed124 100644
--- a/chrome/browser/ui/webui/options2/certificate_manager_handler2.cc
+++ b/chrome/browser/ui/webui/options2/certificate_manager_handler2.cc
@@ -810,10 +810,8 @@ void CertificateManagerHandler::ImportServerFileRead(int read_errno,
}
net::CertDatabase::ImportCertFailureList not_imported;
- // TODO(mattm): Add UI for trust. http://crbug.com/76274
bool result = certificate_manager_model_->ImportServerCert(
selected_cert_list_,
- net::CertDatabase::TRUST_DEFAULT,
&not_imported);
if (!result) {
ShowError(
@@ -892,8 +890,6 @@ void CertificateManagerHandler::ImportCATrustSelected(const ListValue* args) {
return;
}
- // TODO(mattm): add UI for setting explicit distrust, too.
- // http://crbug.com/128411
net::CertDatabase::ImportCertFailureList not_imported;
bool result = certificate_manager_model_->ImportCACerts(
selected_cert_list_,