diff options
| author | falken@google.com <falken@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-31 04:26:30 +0000 |
|---|---|---|
| committer | falken@google.com <falken@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-05-31 04:26:30 +0000 |
| commit | 440d59908056a535d4df7e2bdb4ababe122286a9 (patch) | |
| tree | e26e761c534f3e44240808eccad9292d71f1c77f /net | |
| parent | c4ca3b454d7a68dd8841d0b2f03f0f81c3cc2a7d (diff) | |
| download | chromium_src-440d59908056a535d4df7e2bdb4ababe122286a9.zip chromium_src-440d59908056a535d4df7e2bdb4ababe122286a9.tar.gz chromium_src-440d59908056a535d4df7e2bdb4ababe122286a9.tar.bz2 | |
Revert 139719 - Fix imported server certs being distrusted in NSS 3.13.
Reverting as it seemed to break net_unittests on Linux(dbg)(shared).
Add support for intentionally distrusting certs. (Not exposed in the UI yet.)
BUG=116411
TEST=CertDatabaseNSSTest
Review URL: https://chromiumcodereview.appspot.com/9940001
TBR=mattm@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10440110
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@139725 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/base/cert_database.h | 20 | ||||
| -rw-r--r-- | net/base/cert_database_nss.cc | 51 | ||||
| -rw-r--r-- | net/base/cert_database_nss_unittest.cc | 437 | ||||
| -rw-r--r-- | net/base/cert_database_openssl.cc | 64 | ||||
| -rw-r--r-- | net/net.gyp | 6 | ||||
| -rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp | 378 | ||||
| -rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertTrust.h | 128 | ||||
| -rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp | 83 | ||||
| -rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.h | 1 |
9 files changed, 648 insertions, 520 deletions
diff --git a/net/base/cert_database.h b/net/base/cert_database.h index 8a2803e..2e95624 100644 --- a/net/base/cert_database.h +++ b/net/base/cert_database.h @@ -80,21 +80,14 @@ class NET_EXPORT CertDatabase { // trusted as a server. // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is // trusted for email. - // DISTRUSTED_* specifies that the cert should not be trusted for the given - // usage, regardless of whether it would otherwise inherit trust from the - // issuer chain. - // Use TRUST_DEFAULT to inherit trust as normal. // NOTE: The actual constants are defined using an enum instead of static // consts due to compilation/linkage constraints with template functions. typedef uint32 TrustBits; enum { - TRUST_DEFAULT = 0, - TRUSTED_SSL = 1 << 0, - TRUSTED_EMAIL = 1 << 1, - TRUSTED_OBJ_SIGN = 1 << 2, - DISTRUSTED_SSL = 1 << 3, - DISTRUSTED_EMAIL = 1 << 4, - DISTRUSTED_OBJ_SIGN = 1 << 5, + UNTRUSTED = 0, + TRUSTED_SSL = 1 << 0, + TRUSTED_EMAIL = 1 << 1, + TRUSTED_OBJ_SIGN = 1 << 2, }; CertDatabase(); @@ -108,7 +101,7 @@ class NET_EXPORT CertDatabase { // the platform cert database, or possibly other network error codes. int AddUserCert(X509Certificate* cert); -#if defined(USE_NSS) +#if defined(USE_NSS) || defined(USE_OPENSSL) // Get a list of unique certificates in the certificate database (one // instance of all certificates). void ListCerts(CertificateList* certs); @@ -165,13 +158,10 @@ class NET_EXPORT CertDatabase { // not given any trust. // Any certificates that could not be imported will be listed in // |not_imported|. - // |trust_bits| can be set to explicitly trust or distrust the certificate, or - // use TRUST_DEFAULT to inherit trust as normal. // Returns false if there is an internal error, otherwise true is returned and // |not_imported| should be checked for any certificates that were not // imported. bool ImportServerCert(const CertificateList& certificates, - TrustBits trust_bits, ImportCertFailureList* not_imported); // Get trust bits for certificate. diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc index be7ea74..4dde4fc 100644 --- a/net/base/cert_database_nss.cc +++ b/net/base/cert_database_nss.cc @@ -18,6 +18,7 @@ #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" +#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use @@ -198,54 +199,30 @@ bool CertDatabase::ImportCACerts(const CertificateList& certificates, } bool CertDatabase::ImportServerCert(const CertificateList& certificates, - TrustBits trust_bits, ImportCertFailureList* not_imported) { - return psm::ImportServerCert(certificates, trust_bits, not_imported); + return psm::ImportServerCert(certificates, not_imported); } CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, CertType type) const { - CERTCertTrust trust; - SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust); + CERTCertTrust nsstrust; + SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); if (srv != SECSuccess) { LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); - return TRUST_DEFAULT; + return UNTRUSTED; } - // We define our own more "friendly" TrustBits, which means we aren't able to - // round-trip all possible NSS trust flag combinations. We try to map them in - // a sensible way. + psm::nsNSSCertTrust trust(&nsstrust); switch (type) { - case CA_CERT: { - const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; - const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD; - - TrustBits trust_bits = TRUST_DEFAULT; - if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) - trust_bits |= DISTRUSTED_SSL; - else if (trust.sslFlags & kTrustedCA) - trust_bits |= TRUSTED_SSL; - - if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) - trust_bits |= DISTRUSTED_EMAIL; - else if (trust.emailFlags & kTrustedCA) - trust_bits |= TRUSTED_EMAIL; - - if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) - trust_bits |= DISTRUSTED_OBJ_SIGN; - else if (trust.objectSigningFlags & kTrustedCA) - trust_bits |= TRUSTED_OBJ_SIGN; - - return trust_bits; - } + case CA_CERT: + return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + + trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + + trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; case SERVER_CERT: - if (trust.sslFlags & CERTDB_TERMINAL_RECORD) { - if (trust.sslFlags & CERTDB_TRUSTED) - return TRUSTED_SSL; - return DISTRUSTED_SSL; - } - return TRUST_DEFAULT; + return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + + trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + + trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; default: - return TRUST_DEFAULT; + return UNTRUSTED; } } diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc index be81471..75ea641 100644 --- a/net/base/cert_database_nss_unittest.cc +++ b/net/base/cert_database_nss_unittest.cc @@ -3,7 +3,6 @@ // found in the LICENSE file. #include <cert.h> -#include <certdb.h> #include <pk11pub.h> #include <algorithm> @@ -27,14 +26,11 @@ #include "net/base/crypto_module.h" #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" +#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" #include "testing/gtest/include/gtest/gtest.h" -// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use -// the new name of the macro. -#if !defined(CERTDB_TERMINAL_RECORD) -#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER -#endif +namespace psm = mozilla_security_manager; namespace net { @@ -115,15 +111,7 @@ class CertDatabaseNSSTest : public testing::Test { CertDatabase cert_db; bool ok = true; CertificateList certs = ListCertsInSlot(slot); - CERTCertTrust default_trust = {0}; for (size_t i = 0; i < certs.size(); ++i) { - // Reset cert trust values to defaults before deleting. Otherwise NSS - // somehow seems to remember the trust which can break following tests. - SECStatus srv = CERT_ChangeCertTrust( - CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); - if (srv != SECSuccess) - ok = false; - if (!cert_db.DeleteCertAndKey(certs[i])) ok = false; } @@ -287,13 +275,12 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { EXPECT_EQ(CertDatabase::TRUSTED_SSL, cert_db_.GetCertTrust(cert.get(), CA_CERT)); - EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | - CERTDB_TRUSTED_CLIENT_CA), - cert->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - cert->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - cert->os_cert_handle()->trust->objectSigningFlags); + psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); + EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); + EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); + EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); + EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE)); + EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); } TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { @@ -318,13 +305,11 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, cert_db_.GetCertTrust(cert.get(), CA_CERT)); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - cert->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | - CERTDB_TRUSTED_CLIENT_CA), - cert->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - cert->os_cert_handle()->trust->objectSigningFlags); + psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); + EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); + EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); + EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); + EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); } TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { @@ -349,13 +334,11 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, cert_db_.GetCertTrust(cert.get(), CA_CERT)); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - cert->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - cert->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | - CERTDB_TRUSTED_CLIENT_CA), - cert->os_cert_handle()->trust->objectSigningFlags); + psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); + EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); + EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); + EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); + EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); } TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { @@ -449,8 +432,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { // Import it. CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT, - &failed)); + EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed)); ASSERT_EQ(1U, failed.size()); EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); @@ -528,8 +510,7 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { ASSERT_EQ(2U, certs.size()); CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, - &failed)); + EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); EXPECT_EQ(0U, failed.size()); @@ -540,18 +521,16 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { EXPECT_EQ("www.google.com", goog_cert->subject().common_name); EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); - EXPECT_EQ(CertDatabase::TRUST_DEFAULT, + EXPECT_EQ(CertDatabase::UNTRUSTED, cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); - - EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->objectSigningFlags); + psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); + EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); int flags = 0; CertVerifyResult verify_result; int error = verify_proc->Verify(goog_cert, "www.google.com", flags, - NULL, &verify_result); + NULL, &verify_result); EXPECT_EQ(OK, error); EXPECT_EQ(0U, verify_result.cert_status); } @@ -561,8 +540,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, - &failed)); + EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); EXPECT_EQ(0U, failed.size()); @@ -570,375 +548,30 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> puny_cert(cert_list[0]); - EXPECT_EQ(CertDatabase::TRUST_DEFAULT, + EXPECT_EQ(CertDatabase::UNTRUSTED, cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); - EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); + psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); + EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); int flags = 0; CertVerifyResult verify_result; int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, - NULL, &verify_result); + NULL, &verify_result); EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); -} - -TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { - // When using CERT_PKIXVerifyCert (which we do), server trust only works from - // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. - if (!NSS_VersionCheck("3.13.4")) { - LOG(INFO) << "test skipped on NSS < 3.13.4"; - return; - } - - CertificateList certs; - ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); - - CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, - &failed)); - - EXPECT_EQ(0U, failed.size()); - - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); - ASSERT_EQ(1U, cert_list.size()); - scoped_refptr<X509Certificate> puny_cert(cert_list[0]); - - EXPECT_EQ(CertDatabase::TRUSTED_SSL, - cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); - EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), - puny_cert->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); - - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, - NULL, &verify_result); - EXPECT_EQ(OK, error); - EXPECT_EQ(0U, verify_result.cert_status); -} - -TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { - CertificateList ca_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "root_ca_cert.crt", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_certs.size()); - - // Import CA cert and trust it. - CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, - &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "ok_cert.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, certs.size()); - - // Import server cert with default trust. - EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, - &failed)); - EXPECT_EQ(0U, failed.size()); - // Server cert should verify. - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result); - EXPECT_EQ(OK, error); - EXPECT_EQ(0U, verify_result.cert_status); -} - -TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { - // Explicit distrust only works starting in NSS 3.13. - if (!NSS_VersionCheck("3.13")) { - LOG(INFO) << "test skipped on NSS < 3.13"; - return; - } - - CertificateList ca_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "root_ca_cert.crt", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_certs.size()); - - // Import CA cert and trust it. - CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, - &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "ok_cert.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, certs.size()); - - // Import server cert without inheriting trust from issuer (explicit - // distrust). - EXPECT_TRUE(cert_db_.ImportServerCert( - certs, CertDatabase::DISTRUSTED_SSL, &failed)); - EXPECT_EQ(0U, failed.size()); - EXPECT_EQ(CertDatabase::DISTRUSTED_SSL, - cert_db_.GetCertTrust(certs[0], SERVER_CERT)); - - EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), - certs[0]->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(0U, certs[0]->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(0U, certs[0]->os_cert_handle()->trust->objectSigningFlags); - - // Server cert should fail to verify. - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result); - EXPECT_EQ(ERR_CERT_REVOKED, error); - EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); -} - -TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { - CertificateList ca_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-root.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_certs.size()); - - // Import Root CA cert and distrust it. - CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL, - &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList intermediate_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, intermediate_certs.size()); - - // Import Intermediate CA cert and trust it. - EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, - CertDatabase::TRUSTED_SSL, &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, certs.size()); - - // Import server cert with default trust. - EXPECT_TRUE(cert_db_.ImportServerCert( - certs, CertDatabase::TRUST_DEFAULT, &failed)); - EXPECT_EQ(0U, failed.size()); - EXPECT_EQ(CertDatabase::TRUST_DEFAULT, - cert_db_.GetCertTrust(certs[0], SERVER_CERT)); - - // Server cert should verify. - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result); - EXPECT_EQ(OK, error); - EXPECT_EQ(0U, verify_result.cert_status); - - // Explicit distrust only works starting in NSS 3.13. - if (!NSS_VersionCheck("3.13")) { - LOG(INFO) << "test partially skipped on NSS < 3.13"; - return; - } - - // Trust the root cert and distrust the intermediate. - EXPECT_TRUE(cert_db_.SetCertTrust( - ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL)); + // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not + // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 EXPECT_TRUE(cert_db_.SetCertTrust( - intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL)); - EXPECT_EQ( - unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), - ca_certs[0]->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - ca_certs[0]->os_cert_handle()->trust->emailFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); - EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), - intermediate_certs[0]->os_cert_handle()->trust->sslFlags); - EXPECT_EQ(unsigned(CERTDB_VALID_CA), - intermediate_certs[0]->os_cert_handle()->trust->emailFlags); - EXPECT_EQ( - unsigned(CERTDB_VALID_CA), - intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); - - // Server cert should fail to verify. - CertVerifyResult verify_result2; - error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result2); - EXPECT_EQ(ERR_CERT_REVOKED, error); - EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); -} + puny_cert.get(), CA_CERT, + CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); -TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { - CertDatabase::ImportCertFailureList failed; - - CertificateList intermediate_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, intermediate_certs.size()); - - // Import Intermediate CA cert and trust it. - EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, - CertDatabase::TRUSTED_SSL, &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, certs.size()); - - // Import server cert with default trust. - EXPECT_TRUE(cert_db_.ImportServerCert( - certs, CertDatabase::TRUST_DEFAULT, &failed)); - EXPECT_EQ(0U, failed.size()); - EXPECT_EQ(CertDatabase::TRUST_DEFAULT, - cert_db_.GetCertTrust(certs[0], SERVER_CERT)); - - // Server cert should verify. - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + verify_result.Reset(); + error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, NULL, &verify_result); EXPECT_EQ(OK, error); EXPECT_EQ(0U, verify_result.cert_status); - - // Without explicit trust of the intermediate, verification should fail. - EXPECT_TRUE(cert_db_.SetCertTrust( - intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); - - // Server cert should fail to verify. - CertVerifyResult verify_result2; - error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result2); - EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); - EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); -} - -TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { - CertDatabase::ImportCertFailureList failed; - - CertificateList ca_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-root.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_certs.size()); - - // Import Root CA cert and default trust it. - EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT, - &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList intermediate_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, intermediate_certs.size()); - - // Import Intermediate CA cert and trust it. - EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, - CertDatabase::TRUSTED_SSL, &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, certs.size()); - - // Import server cert with default trust. - EXPECT_TRUE(cert_db_.ImportServerCert( - certs, CertDatabase::TRUST_DEFAULT, &failed)); - EXPECT_EQ(0U, failed.size()); - EXPECT_EQ(CertDatabase::TRUST_DEFAULT, - cert_db_.GetCertTrust(certs[0], SERVER_CERT)); - - // Server cert should verify. - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result); - EXPECT_EQ(OK, error); - EXPECT_EQ(0U, verify_result.cert_status); - - // Without explicit trust of the intermediate, verification should fail. - EXPECT_TRUE(cert_db_.SetCertTrust( - intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); - - // Server cert should fail to verify. - CertVerifyResult verify_result2; - error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result2); - EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); - EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); -} - -TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { - // Explicit distrust only works starting in NSS 3.13. - if (!NSS_VersionCheck("3.13")) { - LOG(INFO) << "test skipped on NSS < 3.13"; - return; - } - - CertDatabase::ImportCertFailureList failed; - - CertificateList ca_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-root.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_certs.size()); - - // Import Root CA cert and trust it. - EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, - &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList intermediate_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, intermediate_certs.size()); - - // Import Intermediate CA cert and distrust it. - EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, - CertDatabase::DISTRUSTED_SSL, &failed)); - EXPECT_EQ(0U, failed.size()); - - CertificateList certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, certs.size()); - - // Import server cert with default trust. - EXPECT_TRUE(cert_db_.ImportServerCert( - certs, CertDatabase::TRUST_DEFAULT, &failed)); - EXPECT_EQ(0U, failed.size()); - EXPECT_EQ(CertDatabase::TRUST_DEFAULT, - cert_db_.GetCertTrust(certs[0], SERVER_CERT)); - - // Server cert should not verify. - scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); - int flags = 0; - CertVerifyResult verify_result; - int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result); - EXPECT_EQ(ERR_CERT_REVOKED, error); - EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); - - // Without explicit distrust of the intermediate, verification should succeed. - EXPECT_TRUE(cert_db_.SetCertTrust( - intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); - - // Server cert should verify. - CertVerifyResult verify_result2; - error = verify_proc->Verify(certs[0], "127.0.0.1", flags, - NULL, &verify_result2); - EXPECT_EQ(OK, error); - EXPECT_EQ(0U, verify_result2.cert_status); } } // namespace net diff --git a/net/base/cert_database_openssl.cc b/net/base/cert_database_openssl.cc index c5f86d4..82f7fd8 100644 --- a/net/base/cert_database_openssl.cc +++ b/net/base/cert_database_openssl.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -36,4 +36,66 @@ int CertDatabase::AddUserCert(X509Certificate* cert) { return ERR_NOT_IMPLEMENTED; } +void CertDatabase::ListCerts(CertificateList* certs) { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); +} + +CryptoModule* CertDatabase::GetPublicModule() const { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return NULL; +} + +CryptoModule* CertDatabase::GetPrivateModule() const { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return NULL; +} + +void CertDatabase::ListModules(CryptoModuleList* modules, bool need_rw) const { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + modules->clear(); +} + +int CertDatabase::ImportFromPKCS12(CryptoModule* module, + const std::string& data, + const string16& password, + bool is_extractable, + CertificateList* imported_certs) { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return ERR_NOT_IMPLEMENTED; +} + +int CertDatabase::ExportToPKCS12(const CertificateList& certs, + const string16& password, + std::string* output) const { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return 0; +} + +bool CertDatabase::DeleteCertAndKey(const X509Certificate* cert) { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return false; +} + +CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, + CertType type) const { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return 0; +} + +bool CertDatabase::SetCertTrust(const X509Certificate* cert, + CertType type, + TrustBits trust_bits) { + // TODO(bulach): implement me. + NOTIMPLEMENTED(); + return false; +} + } // namespace net diff --git a/net/net.gyp b/net/net.gyp index 4d5463f..904fb4f 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -697,6 +697,8 @@ 'spdy/spdy_websocket_stream.h', 'third_party/mozilla_security_manager/nsKeygenHandler.cpp', 'third_party/mozilla_security_manager/nsKeygenHandler.h', + 'third_party/mozilla_security_manager/nsNSSCertTrust.cpp', + 'third_party/mozilla_security_manager/nsNSSCertTrust.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', 'third_party/mozilla_security_manager/nsNSSCertificateDB.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', @@ -860,6 +862,8 @@ 'third_party/mozilla_security_manager/nsKeygenHandler.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', 'third_party/mozilla_security_manager/nsNSSCertificateDB.h', + 'third_party/mozilla_security_manager/nsNSSCertTrust.cpp', + 'third_party/mozilla_security_manager/nsNSSCertTrust.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', 'third_party/mozilla_security_manager/nsPKCS12Blob.h', ], @@ -932,6 +936,8 @@ 'third_party/mozilla_security_manager/nsKeygenHandler.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', 'third_party/mozilla_security_manager/nsNSSCertificateDB.h', + 'third_party/mozilla_security_manager/nsNSSCertTrust.cpp', + 'third_party/mozilla_security_manager/nsNSSCertTrust.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', 'third_party/mozilla_security_manager/nsPKCS12Blob.h', ], diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp b/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp new file mode 100644 index 0000000..408e55d --- /dev/null +++ b/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp @@ -0,0 +1,378 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Ian McGreer <mcgreer@netscape.com> + * Javier Delgadillo <javi@netscape.com> + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" + +#if !defined(CERTDB_TERMINAL_RECORD) +/* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD + * and marks CERTDB_VALID_PEER as deprecated. + * If we're using an older version, rename it ourselves. + */ +#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER +#endif + +namespace mozilla_security_manager { + +void +nsNSSCertTrust::AddCATrust(PRBool ssl, PRBool email, PRBool objSign) +{ + if (ssl) { + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA); + } + if (email) { + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); + } + if (objSign) { + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA); + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA); + } +} + +void +nsNSSCertTrust::AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign) +{ + if (ssl) + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); + if (email) + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); + if (objSign) + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED); +} + +nsNSSCertTrust::nsNSSCertTrust() +{ + memset(&mTrust, 0, sizeof(CERTCertTrust)); +} + +nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, + unsigned int email, + unsigned int objsign) +{ + memset(&mTrust, 0, sizeof(CERTCertTrust)); + addTrust(&mTrust.sslFlags, ssl); + addTrust(&mTrust.emailFlags, email); + addTrust(&mTrust.objectSigningFlags, objsign); +} + +nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t) +{ + if (t) + memcpy(&mTrust, t, sizeof(CERTCertTrust)); + else + memset(&mTrust, 0, sizeof(CERTCertTrust)); +} + +nsNSSCertTrust::~nsNSSCertTrust() +{ +} + +void +nsNSSCertTrust::SetSSLTrust(PRBool peer, PRBool tPeer, + PRBool ca, PRBool tCA, PRBool tClientCA, + PRBool user, PRBool warn) +{ + mTrust.sslFlags = 0; + if (peer || tPeer) + addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD); + if (tPeer) + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); + if (ca || tCA) + addTrust(&mTrust.sslFlags, CERTDB_VALID_CA); + if (tClientCA) + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA); + if (tCA) + addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); + if (user) + addTrust(&mTrust.sslFlags, CERTDB_USER); + if (warn) + addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN); +} + +void +nsNSSCertTrust::SetEmailTrust(PRBool peer, PRBool tPeer, + PRBool ca, PRBool tCA, PRBool tClientCA, + PRBool user, PRBool warn) +{ + mTrust.emailFlags = 0; + if (peer || tPeer) + addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD); + if (tPeer) + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); + if (ca || tCA) + addTrust(&mTrust.emailFlags, CERTDB_VALID_CA); + if (tClientCA) + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); + if (tCA) + addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); + if (user) + addTrust(&mTrust.emailFlags, CERTDB_USER); + if (warn) + addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN); +} + +void +nsNSSCertTrust::SetObjSignTrust(PRBool peer, PRBool tPeer, + PRBool ca, PRBool tCA, PRBool tClientCA, + PRBool user, PRBool warn) +{ + mTrust.objectSigningFlags = 0; + if (peer || tPeer) + addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD); + if (tPeer) + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED); + if (ca || tCA) + addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA); + if (tClientCA) + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA); + if (tCA) + addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA); + if (user) + addTrust(&mTrust.objectSigningFlags, CERTDB_USER); + if (warn) + addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN); +} + +void +nsNSSCertTrust::SetValidCA() +{ + SetSSLTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetEmailTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetObjSignTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); +} + +void +nsNSSCertTrust::SetTrustedServerCA() +{ + SetSSLTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetEmailTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetObjSignTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE); +} + +void +nsNSSCertTrust::SetTrustedCA() +{ + SetSSLTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE); + SetEmailTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE); + SetObjSignTrust(PR_FALSE, PR_FALSE, + PR_TRUE, PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE); +} + +void +nsNSSCertTrust::SetValidPeer() +{ + SetSSLTrust(PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetEmailTrust(PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetObjSignTrust(PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); +} + +void +nsNSSCertTrust::SetValidServerPeer() +{ + SetSSLTrust(PR_TRUE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetEmailTrust(PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetObjSignTrust(PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); +} + +void +nsNSSCertTrust::SetTrustedPeer() +{ + SetSSLTrust(PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetEmailTrust(PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); + SetObjSignTrust(PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE); +} + +void +nsNSSCertTrust::SetUser() +{ + SetSSLTrust(PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE); + SetEmailTrust(PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE); + SetObjSignTrust(PR_FALSE, PR_FALSE, + PR_FALSE, PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE); +} + +PRBool +nsNSSCertTrust::HasAnyCA() +{ + if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) || + hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) || + hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA)) + return PR_TRUE; + return PR_FALSE; +} + +PRBool +nsNSSCertTrust::HasCA(PRBool checkSSL, + PRBool checkEmail, + PRBool checkObjSign) +{ + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA)) + return PR_FALSE; + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA)) + return PR_FALSE; + if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA)) + return PR_FALSE; + return PR_TRUE; +} + +PRBool +nsNSSCertTrust::HasPeer(PRBool checkSSL, + PRBool checkEmail, + PRBool checkObjSign) +{ + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD)) + return PR_FALSE; + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD)) + return PR_FALSE; + if (checkObjSign && + !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD)) + return PR_FALSE; + return PR_TRUE; +} + +PRBool +nsNSSCertTrust::HasAnyUser() +{ + if (hasTrust(mTrust.sslFlags, CERTDB_USER) || + hasTrust(mTrust.emailFlags, CERTDB_USER) || + hasTrust(mTrust.objectSigningFlags, CERTDB_USER)) + return PR_TRUE; + return PR_FALSE; +} + +PRBool +nsNSSCertTrust::HasUser(PRBool checkSSL, + PRBool checkEmail, + PRBool checkObjSign) +{ + if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER)) + return PR_FALSE; + if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER)) + return PR_FALSE; + if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER)) + return PR_FALSE; + return PR_TRUE; +} + +PRBool +nsNSSCertTrust::HasTrustedCA(PRBool checkSSL, + PRBool checkEmail, + PRBool checkObjSign) +{ + if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) || + hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA))) + return PR_FALSE; + if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) || + hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA))) + return PR_FALSE; + if (checkObjSign && + !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) || + hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA))) + return PR_FALSE; + return PR_TRUE; +} + +PRBool +nsNSSCertTrust::HasTrustedPeer(PRBool checkSSL, + PRBool checkEmail, + PRBool checkObjSign) +{ + if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED))) + return PR_FALSE; + if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED))) + return PR_FALSE; + if (checkObjSign && + !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED))) + return PR_FALSE; + return PR_TRUE; +} + +void +nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v) +{ + *t |= v; +} + +PRBool +nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v) +{ + return !!(t & v); +} + +} // namespace mozilla_security_manager diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.h b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h new file mode 100644 index 0000000..bc42fd0 --- /dev/null +++ b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h @@ -0,0 +1,128 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Ian McGreer <mcgreer@netscape.com> + * Javier Delgadillo <javi@netscape.com> + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_ +#define NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_ + +#include <certt.h> +#include <certdb.h> + +#include "net/base/net_export.h" + +namespace mozilla_security_manager { + +/* + * nsNSSCertTrust + * + * Class for maintaining trust flags for an NSS certificate. + */ +class NET_EXPORT nsNSSCertTrust +{ +public: + nsNSSCertTrust(); + nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign); + nsNSSCertTrust(CERTCertTrust *t); + virtual ~nsNSSCertTrust(); + + /* query */ + PRBool HasAnyCA(); + PRBool HasAnyUser(); + PRBool HasCA(PRBool checkSSL = PR_TRUE, + PRBool checkEmail = PR_TRUE, + PRBool checkObjSign = PR_TRUE); + PRBool HasPeer(PRBool checkSSL = PR_TRUE, + PRBool checkEmail = PR_TRUE, + PRBool checkObjSign = PR_TRUE); + PRBool HasUser(PRBool checkSSL = PR_TRUE, + PRBool checkEmail = PR_TRUE, + PRBool checkObjSign = PR_TRUE); + PRBool HasTrustedCA(PRBool checkSSL = PR_TRUE, + PRBool checkEmail = PR_TRUE, + PRBool checkObjSign = PR_TRUE); + PRBool HasTrustedPeer(PRBool checkSSL = PR_TRUE, + PRBool checkEmail = PR_TRUE, + PRBool checkObjSign = PR_TRUE); + + /* common defaults */ + /* equivalent to "c,c,c" */ + void SetValidCA(); + /* equivalent to "C,C,C" */ + void SetTrustedServerCA(); + /* equivalent to "CT,CT,CT" */ + void SetTrustedCA(); + /* equivalent to "p,," */ + void SetValidServerPeer(); + /* equivalent to "p,p,p" */ + void SetValidPeer(); + /* equivalent to "P,P,P" */ + void SetTrustedPeer(); + /* equivalent to "u,u,u" */ + void SetUser(); + + /* general setters */ + /* read: "p, P, c, C, T, u, w" */ + void SetSSLTrust(PRBool peer, PRBool tPeer, + PRBool ca, PRBool tCA, PRBool tClientCA, + PRBool user, PRBool warn); + + void SetEmailTrust(PRBool peer, PRBool tPeer, + PRBool ca, PRBool tCA, PRBool tClientCA, + PRBool user, PRBool warn); + + void SetObjSignTrust(PRBool peer, PRBool tPeer, + PRBool ca, PRBool tCA, PRBool tClientCA, + PRBool user, PRBool warn); + + /* set c <--> CT */ + void AddCATrust(PRBool ssl, PRBool email, PRBool objSign); + /* set p <--> P */ + void AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign); + + /* get it (const?) (shallow?) */ + CERTCertTrust * GetTrust() { return &mTrust; } + +private: + void addTrust(unsigned int *t, unsigned int v); + void removeTrust(unsigned int *t, unsigned int v); + PRBool hasTrust(unsigned int t, unsigned int v); + CERTCertTrust mTrust; +}; + +} // namespace mozilla_security_manager + +#endif // NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_ diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp index 234c065..0cf430d 100644 --- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp +++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp @@ -39,7 +39,6 @@ #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" #include <cert.h> -#include <certdb.h> #include <pk11pub.h> #include <secerr.h> @@ -48,14 +47,7 @@ #include "crypto/scoped_nss_types.h" #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" - -#if !defined(CERTDB_TERMINAL_RECORD) -/* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD - * and marks CERTDB_VALID_PEER as deprecated. - * If we're using an older version, rename it ourselves. - */ -#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER -#endif +#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" namespace mozilla_security_manager { @@ -64,9 +56,6 @@ bool ImportCACerts(const net::CertificateList& certificates, net::X509Certificate* root, net::CertDatabase::TrustBits trustBits, net::CertDatabase::ImportCertFailureList* not_imported) { - if (certificates.empty() || !root) - return false; - crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot()); if (!slot.get()) { LOG(ERROR) << "Couldn't get internal key slot!"; @@ -169,11 +158,7 @@ bool ImportCACerts(const net::CertificateList& certificates, // Based on nsNSSCertificateDB::ImportServerCertificate. bool ImportServerCert(const net::CertificateList& certificates, - net::CertDatabase::TrustBits trustBits, net::CertDatabase::ImportCertFailureList* not_imported) { - if (certificates.empty()) - return false; - crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot()); if (!slot.get()) { LOG(ERROR) << "Couldn't get internal key slot!"; @@ -199,7 +184,9 @@ bool ImportServerCert(const net::CertificateList& certificates, } } - SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits); + // Set as valid peer, but without any extra trust. + SetCertTrust(certificates[0].get(), net::SERVER_CERT, + net::CertDatabase::UNTRUSTED); // TODO(mattm): Report SetCertTrust result? Putting in not_imported // wouldn't quite match up since it was imported... @@ -213,57 +200,25 @@ SetCertTrust(const net::X509Certificate* cert, net::CertType type, net::CertDatabase::TrustBits trustBits) { - const unsigned kSSLTrustBits = net::CertDatabase::TRUSTED_SSL | - net::CertDatabase::DISTRUSTED_SSL; - const unsigned kEmailTrustBits = net::CertDatabase::TRUSTED_EMAIL | - net::CertDatabase::DISTRUSTED_EMAIL; - const unsigned kObjSignTrustBits = net::CertDatabase::TRUSTED_OBJ_SIGN | - net::CertDatabase::DISTRUSTED_OBJ_SIGN; - if ((trustBits & kSSLTrustBits) == kSSLTrustBits || - (trustBits & kEmailTrustBits) == kEmailTrustBits || - (trustBits & kObjSignTrustBits) == kObjSignTrustBits) { - LOG(ERROR) << "SetCertTrust called with conflicting trust bits " - << trustBits; - NOTREACHED(); - return false; - } - SECStatus srv; + nsNSSCertTrust trust; CERTCertificate *nsscert = cert->os_cert_handle(); if (type == net::CA_CERT) { - // Note that we start with CERTDB_VALID_CA for default trust and explicit - // trust, but explicitly distrusted usages will be set to - // CERTDB_TERMINAL_RECORD only. - CERTCertTrust trust = {CERTDB_VALID_CA, CERTDB_VALID_CA, CERTDB_VALID_CA}; - - if (trustBits & net::CertDatabase::DISTRUSTED_SSL) - trust.sslFlags = CERTDB_TERMINAL_RECORD; - else if (trustBits & net::CertDatabase::TRUSTED_SSL) - trust.sslFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; - - if (trustBits & net::CertDatabase::DISTRUSTED_EMAIL) - trust.emailFlags = CERTDB_TERMINAL_RECORD; - else if (trustBits & net::CertDatabase::TRUSTED_EMAIL) - trust.emailFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; - - if (trustBits & net::CertDatabase::DISTRUSTED_OBJ_SIGN) - trust.objectSigningFlags = CERTDB_TERMINAL_RECORD; - else if (trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN) - trust.objectSigningFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; - - srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust); + // always start with untrusted and move up + trust.SetValidCA(); + trust.AddCATrust(trustBits & net::CertDatabase::TRUSTED_SSL, + trustBits & net::CertDatabase::TRUSTED_EMAIL, + trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN); + srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), + nsscert, + trust.GetTrust()); } else if (type == net::SERVER_CERT) { - CERTCertTrust trust = {0}; - // We only modify the sslFlags, so copy the other flags. - CERT_GetCertTrust(nsscert, &trust); - trust.sslFlags = 0; - - if (trustBits & net::CertDatabase::DISTRUSTED_SSL) - trust.sslFlags |= CERTDB_TERMINAL_RECORD; - else if (trustBits & net::CertDatabase::TRUSTED_SSL) - trust.sslFlags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; - - srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust); + // always start with untrusted and move up + trust.SetValidPeer(); + trust.AddPeerTrust(trustBits & net::CertDatabase::TRUSTED_SSL, 0, 0); + srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), + nsscert, + trust.GetTrust()); } else { // ignore user and email/unknown certs return true; diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h index e7a5a103..29acaf9 100644 --- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h +++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h @@ -58,7 +58,6 @@ bool ImportCACerts(const net::CertificateList& certificates, net::CertDatabase::ImportCertFailureList* not_imported); bool ImportServerCert(const net::CertificateList& certificates, - net::CertDatabase::TrustBits trustBits, net::CertDatabase::ImportCertFailureList* not_imported); bool SetCertTrust(const net::X509Certificate* cert, |