author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-23 11:07:14 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-23 11:07:14 +0000 |
commit | 308e87f9c3f9220e18102cfa97a57ca5efe845ef (patch) | |
tree | 66a120d13c0c0d002178a9b272d1f379d9befcfb /net/third_party | |
parent | 45be8d87149b5a5de7e496b25b8c826868e12c92 (diff) | |
Generate unique certificate nicknames on Linux/CrOS.
When importing certificates on Linux/CrOS where the user has a pre-existing
cert, generate a unique certificate nickname if the DER-encoded subjects do
not match, as required by NSS.
This updates the template from being:
<subject common name>'s <issuer common name> ID
to:
<subject display name>'s <issuer display name> ID [#d]
Where #d will be appended with an incrementing number until a unique nickname
is found. Note that "display name" represents a gradation that starts with
common name, then organization name, then organizational unit name.
Note: This does not address PKCS#12 importing - only importing CA certificates
(root and intermediate) and server certificates via the UI, or the handling
of application/x-x509-user-cert (via download).
BUG=237870
TEST=net_unittests added. Additionally, test that server & CA certificates can
still be imported fine through the UI.
Review URL: https://chromiumcodereview.appspot.com/15315003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@201748 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
index baa4966..6db75f3 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -48,6 +48,7 @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util_nss.h"
 #if !defined(CERTDB_TERMINAL_RECORD)
 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
@@ -95,7 +96,10 @@ bool ImportCACerts(const net::CertificateList& certificates,
 slot.get(),
 root->os_cert_handle(),
 CK_INVALID_HANDLE,
- root->GetDefaultNickname(net::CA_CERT).c_str(),
+ net::x509_util::GetUniqueNicknameForSlot(
+ root->GetDefaultNickname(net::CA_CERT),
+ &root->os_cert_handle()->derSubject,
+ slot.get()).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
@@ -152,7 +156,10 @@ bool ImportCACerts(const net::CertificateList& certificates,
 slot.get(),
 cert->os_cert_handle(),
 CK_INVALID_HANDLE,
- cert->GetDefaultNickname(net::CA_CERT).c_str(),
+ net::x509_util::GetUniqueNicknameForSlot(
+ cert->GetDefaultNickname(net::CA_CERT),
+ &cert->os_cert_handle()->derSubject,
+ slot.get()).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
@@ -190,7 +197,10 @@ bool ImportServerCert(
 slot.get(),
 cert->os_cert_handle(),
 CK_INVALID_HANDLE,
- cert->GetDefaultNickname(net::SERVER_CERT).c_str(),
+ net::x509_util::GetUniqueNicknameForSlot(
+ cert->GetDefaultNickname(net::SERVER_CERT),
+ &cert->os_cert_handle()->derSubject,
+ slot.get()).c_str(),
 PR_FALSE /* includeTrust (unused) */);
 if (srv != SECSuccess) {
 LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError(); |
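Review bot: The nickname argument added here is the same four-line `GetUniqueNicknameForSlot(...)` expression repeated at all three `PK11_ImportCert` call sites (this hunk at -95 and the hunks at -152 and -190), differing only in the certificate variable and the `net::CA_CERT`/`net::SERVER_CERT` tag. A file-local helper would keep the three in step the next time the nickname policy changes. The lookup and the import are also two separate steps, so a nickname that was free when chosen could presumably be taken by another writer to the same slot before `PK11_ImportCert` runs; the existing `srv != SECSuccess` branch catches that, and a comment stating that uniqueness is best-effort would record it. The sketch assumes `root` and `cert` convert to `net::X509Certificate*`, which these hunks do not show, and all three enclosing functions begin and end outside their hunks.

```cpp
// Returns the nickname to pass to PK11_ImportCert for |cert| on |slot|.
// Uniqueness is best-effort: it is checked before the import, not during it.
std::string UniqueNicknameFor(net::X509Certificate* cert,
                              net::CertType type,
                              PK11SlotInfo* slot) {
  return net::x509_util::GetUniqueNicknameForSlot(
      cert->GetDefaultNickname(type),
      &cert->os_cert_handle()->derSubject,
      slot);
}

// … unchanged: PK11_ImportCert( slot.get(), root->os_cert_handle(), CK_INVALID_HANDLE, …
        UniqueNicknameFor(root, net::CA_CERT, slot.get()).c_str(),
// … unchanged: PR_FALSE /* includeTrust (unused) */); and the error branch …
```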