author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-12 02:17:08 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-12 02:17:08 +0000 |
commit | 8405da12256819349baf47280fcd495bb796a723 (patch) | |
tree | 83f1b318ee853e10985a47a70dcd00d8049b2803 /net/third_party | |
parent | e1751fb1116682ffba80cbc127b9da66c6d72a3c (diff) | |
CertDatabase: Add ImportServerCerts method.
BUG=19991
TEST=net_unittests
Review URL: http://codereview.chromium.org/3576016
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62228 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp | 36 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.h | 3 |
2 files changed, 39 insertions, 0 deletions
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
index b32458d..e0876f77 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -160,6 +160,42 @@ bool ImportCACerts(const net::CertificateList& certificates,
 return true;
 }
+// Based on nsNSSCertificateDB::ImportServerCertificate.
+bool ImportServerCert(const net::CertificateList& certificates,
+ net::CertDatabase::ImportCertFailureList* not_imported) {
+ base::ScopedPK11Slot slot(base::GetDefaultNSSKeySlot());
+ if (!slot.get()) {
+ LOG(ERROR) << "Couldn't get internal key slot!";
+ return false;
+ }
+
+ for (size_t i = 0; i < certificates.size(); ++i) {
+ const scoped_refptr<net::X509Certificate>& cert = certificates[i];
+
+ // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
+ // PK11_ImportCert instead.
+ SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
+ CK_INVALID_HANDLE,
+ cert->subject().GetDisplayName().c_str(),
+ PR_FALSE /* includeTrust (unused) */);
+ if (srv != SECSuccess) {
+ LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
+ not_imported->push_back(net::CertDatabase::ImportCertFailure(
+ cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
+ continue;
+ }
+ }
+
+ // Set as valid peer, but without any extra trust.
+ SetCertTrust(certificates[0].get(), net::SERVER_CERT,
+ net::CertDatabase::UNTRUSTED);
+ // TODO(mattm): Report SetCertTrust result? Putting in not_imported
+ // wouldn't quite match up since it was imported...
+
+ // Any errors importing individual certs will be in listed in |not_imported|.
+ return true;
+}
+
 // Based on nsNSSCertificateDB::SetCertTrust.
 bool SetCertTrust(const net::X509Certificate* cert, 
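Review bot: The `SetCertTrust(certificates[0].get(), ...)` call after the loop indexes the first element without checking that `certificates` is non-empty, and it runs even when `PK11_ImportCert` failed for that same certificate and it was already pushed onto `not_imported`. Unless every caller guarantees a non-empty list (not visible in this hunk), add `if (certificates.empty()) return false;` at the top and skip the trust call when the import of index 0 failed. The result of `SetCertTrust` is discarded (the TODO acknowledges this), so the function returns true even if the trust record was never written; at minimum that failure should be logged. The `continue;` in the error branch is redundant, since it is the last statement of the loop body.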
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h
index 58c1a2b..ea02bf8 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h
@@ -57,6 +57,9 @@ bool ImportCACerts(const net::CertificateList& certificates,
 unsigned int trustBits,
 net::CertDatabase::ImportCertFailureList* not_imported);
+bool ImportServerCert(const net::CertificateList& certificates,
+ net::CertDatabase::ImportCertFailureList* not_imported);
+
 bool SetCertTrust(const net::X509Certificate* cert,
 net::CertType type,
 unsigned int trusted); |
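Review bot: The new `ImportServerCert` declaration carries no comment stating its contract, and its singular name sits oddly with a `CertificateList` parameter (the commit title calls it ImportServerCerts). Per the .cpp change in this commit, every certificate in the list is imported but only `certificates[0]` has its trust set. A header comment such as `// Imports all |certificates|; only certificates[0] is marked as a server cert, with no extra trust. Per-cert import failures are appended to |not_imported|.` would make the ordering requirement visible to callers.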