author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-01 05:59:56 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-01 05:59:56 +0000 |
commit | ad40b2190329c77463db06fb6982a0e26dc6ae05 (patch) | |
tree | 8db6d516f6b789d0c4e1bc7dcaf2f4c909490ac6 /net | |
parent | 2d7b82c64aba940073da269f302403110f2f1574 (diff) | |
download | chromium_src-ad40b2190329c77463db06fb6982a0e26dc6ae05.zip chromium_src-ad40b2190329c77463db06fb6982a0e26dc6ae05.tar.gz chromium_src-ad40b2190329c77463db06fb6982a0e26dc6ae05.tar.bz2 |
Reland: Fix imported server certs being distrusted in NSS 3.13.
Add support for intentionally distrusting certs. (Not exposed in the UI yet.)
BUG=116411
TEST=CertDatabaseNSSTest
TBR=stevenjb@chromium.org,jhawkins@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10458069
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@139979 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/cert_database.h | 20 | ||||
-rw-r--r-- | net/base/cert_database_nss.cc | 51 | ||||
-rw-r--r-- | net/base/cert_database_nss_unittest.cc | 429 | ||||
-rw-r--r-- | net/base/cert_database_openssl.cc | 64 | ||||
-rw-r--r-- | net/net.gyp | 6 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp | 378 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertTrust.h | 128 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp | 83 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsNSSCertificateDB.h | 1 |
9 files changed, 512 insertions, 648 deletions
diff --git a/net/base/cert_database.h b/net/base/cert_database.h index 2e95624..8a2803e 100644 --- a/net/base/cert_database.h +++ b/net/base/cert_database.h @@ -80,14 +80,21 @@ class NET_EXPORT CertDatabase { // trusted as a server. // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is // trusted for email. + // DISTRUSTED_* specifies that the cert should not be trusted for the given + // usage, regardless of whether it would otherwise inherit trust from the + // issuer chain. + // Use TRUST_DEFAULT to inherit trust as normal. // NOTE: The actual constants are defined using an enum instead of static // consts due to compilation/linkage constraints with template functions. typedef uint32 TrustBits; enum { - UNTRUSTED = 0, - TRUSTED_SSL = 1 << 0, - TRUSTED_EMAIL = 1 << 1, - TRUSTED_OBJ_SIGN = 1 << 2, + TRUST_DEFAULT = 0, + TRUSTED_SSL = 1 << 0, + TRUSTED_EMAIL = 1 << 1, + TRUSTED_OBJ_SIGN = 1 << 2, + DISTRUSTED_SSL = 1 << 3, + DISTRUSTED_EMAIL = 1 << 4, + DISTRUSTED_OBJ_SIGN = 1 << 5, }; CertDatabase(); @@ -101,7 +108,7 @@ class NET_EXPORT CertDatabase { // the platform cert database, or possibly other network error codes. int AddUserCert(X509Certificate* cert); -#if defined(USE_NSS) || defined(USE_OPENSSL) +#if defined(USE_NSS) // Get a list of unique certificates in the certificate database (one // instance of all certificates). void ListCerts(CertificateList* certs); 
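Review bot: The new DISTRUSTED_* bits are documented only as the opposite of TRUSTED_*, but nothing in the header says what happens if a caller passes both TRUSTED_SSL and DISTRUSTED_SSL for the same usage, and the bit layout (bits 0-2 and 3-5) allows it. The resolution lives in psm::ImportServerCert / nsNSSCertificateDB.cpp, which is not shown in this chunk, so I can't tell whether a conflicting pair is rejected, ignored or silently resolved; whichever it is should be stated next to the enum, e.g. `// TRUSTED_* and DISTRUSTED_* for the same usage are mutually exclusive; pass` `// at most one of each pair (see ImportCACerts/ImportServerCert/SetCertTrust).` The same sentence belongs on the |trust_bits| paragraph added to ImportServerCert in the next hunk of this file. Class CertDatabase continues outside the hunk.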
@@ -158,10 +165,13 @@ class NET_EXPORT CertDatabase { // not given any trust. // Any certificates that could not be imported will be listed in // |not_imported|. + // |trust_bits| can be set to explicitly trust or distrust the certificate, or + // use TRUST_DEFAULT to inherit trust as normal. // Returns false if there is an internal error, otherwise true is returned and // |not_imported| should be checked for any certificates that were not // imported. bool ImportServerCert(const CertificateList& certificates, + TrustBits trust_bits, ImportCertFailureList* not_imported); // Get trust bits for certificate. diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc index 4dde4fc..be7ea74 100644 --- a/net/base/cert_database_nss.cc +++ b/net/base/cert_database_nss.cc @@ -18,7 +18,6 @@ #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" -#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use 
@@ -199,30 +198,54 @@ bool CertDatabase::ImportCACerts(const CertificateList& certificates, } bool CertDatabase::ImportServerCert(const CertificateList& certificates, + TrustBits trust_bits, ImportCertFailureList* not_imported) { - return psm::ImportServerCert(certificates, not_imported); + return psm::ImportServerCert(certificates, trust_bits, not_imported); } CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, CertType type) const { - CERTCertTrust nsstrust; - SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); + CERTCertTrust trust; + SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust); if (srv != SECSuccess) { LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); - return UNTRUSTED; + return TRUST_DEFAULT; } - psm::nsNSSCertTrust trust(&nsstrust); + // We define our own more "friendly" TrustBits, which means we aren't able to + // round-trip all possible NSS trust flag combinations. We try to map them in + // a sensible way. 
switch (type) { - case CA_CERT: - return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + - trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + - trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; + case CA_CERT: { + const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; + const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD; + + TrustBits trust_bits = TRUST_DEFAULT; + if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) + trust_bits |= DISTRUSTED_SSL; + else if (trust.sslFlags & kTrustedCA) + trust_bits |= TRUSTED_SSL; + + if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) + trust_bits |= DISTRUSTED_EMAIL; + else if (trust.emailFlags & kTrustedCA) + trust_bits |= TRUSTED_EMAIL; + + if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) + trust_bits |= DISTRUSTED_OBJ_SIGN; + else if (trust.objectSigningFlags & kTrustedCA) + trust_bits |= TRUSTED_OBJ_SIGN; + + return trust_bits; + } case SERVER_CERT: - return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + - trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + - trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; + if (trust.sslFlags & CERTDB_TERMINAL_RECORD) { + if (trust.sslFlags & CERTDB_TRUSTED) + return TRUSTED_SSL; + return DISTRUSTED_SSL; + } + return TRUST_DEFAULT; default: - return UNTRUSTED; + return TRUST_DEFAULT; } } diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc index 75ea641..7000aa0 100644 --- a/net/base/cert_database_nss_unittest.cc +++ b/net/base/cert_database_nss_unittest.cc @@ -3,6 +3,7 @@ // found in the LICENSE file. #include <cert.h> +#include <certdb.h> #include <pk11pub.h> #include <algorithm> 
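Review bot: In GetCertTrust the CERT_GetCertTrust failure path now returns TRUST_DEFAULT, which after this renaming reads as "inherit trust as normal" rather than the old UNTRUSTED, so a caller can no longer distinguish an NSS lookup failure from a cert that simply has no explicit trust record. The numeric value is unchanged (both are 0), so this is a contract gap rather than a behavior change, but the header comment on GetCertTrust (outside this hunk) should say so, e.g. `// Returns TRUST_DEFAULT both for certs with no explicit trust and when NSS` `// cannot read the trust record (an error is logged).` Separately, the three ssl/email/objectSigning blocks in the CA_CERT case are identical apart from the flag word and the two result bits; a small file-local helper keeps the kCAFlags test in one place and makes the SERVER_CERT branch the only hand-written mapping.
```cpp
namespace {

// Maps one CERTCertTrust flag word (ssl/email/objectSigning) of a CA cert to
// TrustBits: a terminal record with neither CA trust bit set is explicit
// distrust; either CA trust bit means trusted; anything else is the default.
CertDatabase::TrustBits CATrustBitsFromFlags(unsigned flags,
                                             CertDatabase::TrustBits trusted,
                                             CertDatabase::TrustBits distrusted) {
  const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
  const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
  if ((flags & kCAFlags) == CERTDB_TERMINAL_RECORD)
    return distrusted;
  if (flags & kTrustedCA)
    return trusted;
  return CertDatabase::TRUST_DEFAULT;
}

}  // namespace

// … unchanged: ImportServerCert, CERT_GetCertTrust call and its error path …
    case CA_CERT:
      return CATrustBitsFromFlags(trust.sslFlags, TRUSTED_SSL, DISTRUSTED_SSL) |
             CATrustBitsFromFlags(trust.emailFlags, TRUSTED_EMAIL,
                                  DISTRUSTED_EMAIL) |
             CATrustBitsFromFlags(trust.objectSigningFlags, TRUSTED_OBJ_SIGN,
                                  DISTRUSTED_OBJ_SIGN);
// … unchanged: SERVER_CERT and default cases …
```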
@@ -26,11 +27,14 @@ #include "net/base/crypto_module.h" #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" -#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" #include "testing/gtest/include/gtest/gtest.h" -namespace psm = mozilla_security_manager; +// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use +// the new name of the macro. +#if !defined(CERTDB_TERMINAL_RECORD) +#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER +#endif namespace net { @@ -111,7 +115,15 @@ class CertDatabaseNSSTest : public testing::Test { CertDatabase cert_db; bool ok = true; CertificateList certs = ListCertsInSlot(slot); + CERTCertTrust default_trust = {0}; for (size_t i = 0; i < certs.size(); ++i) { + // Reset cert trust values to defaults before deleting. Otherwise NSS + // somehow seems to remember the trust which can break following tests. + SECStatus srv = CERT_ChangeCertTrust( + CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); + if (srv != SECSuccess) + ok = false; + if (!cert_db.DeleteCertAndKey(certs[i])) ok = false; } 
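Review bot: The CERTDB_TERMINAL_RECORD compatibility #define added at the top of this hunk duplicates the three lines cert_database_nss.cc already carries (visible as context in that file's first hunk), and the deleted nsNSSCertTrust.cpp had a third copy; the next NSS caller will paste it again, so a single shared NSS-compat header would keep the rename in one place. In the cleanup loop, the comment "NSS somehow seems to remember the trust" records a workaround without saying what was observed; if the cause is that the trust record is persisted in the cert DB rather than on the handle being deleted, a comment such as `// Trust records persist in the NSS cert DB independently of this handle;` `// reset them or a later test that re-imports the same cert inherits them.` would explain it — but that is my guess, please confirm before rewording. Also note that a CERT_ChangeCertTrust failure only flips |ok| and the delete still proceeds, which seems intended but is worth a word in the comment.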
@@ -275,12 +287,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { EXPECT_EQ(CertDatabase::TRUSTED_SSL, cert_db_.GetCertTrust(cert.get(), CA_CERT)); - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); - EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE)); - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | + CERTDB_TRUSTED_CLIENT_CA), + cert->os_cert_handle()->trust->sslFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + cert->os_cert_handle()->trust->emailFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + cert->os_cert_handle()->trust->objectSigningFlags); } TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { @@ -305,11 +318,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, cert_db_.GetCertTrust(cert.get(), CA_CERT)); - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); - EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + cert->os_cert_handle()->trust->sslFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | + CERTDB_TRUSTED_CLIENT_CA), + cert->os_cert_handle()->trust->emailFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + cert->os_cert_handle()->trust->objectSigningFlags); } TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { 
@@ -334,11 +349,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, cert_db_.GetCertTrust(cert.get(), CA_CERT)); - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); - EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + cert->os_cert_handle()->trust->sslFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + cert->os_cert_handle()->trust->emailFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | + CERTDB_TRUSTED_CLIENT_CA), + cert->os_cert_handle()->trust->objectSigningFlags); } TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { @@ -432,7 +449,8 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { // Import it. CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed)); + EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT, + &failed)); ASSERT_EQ(1U, failed.size()); EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); @@ -510,7 +528,8 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { ASSERT_EQ(2U, certs.size()); CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, + &failed)); EXPECT_EQ(0U, failed.size()); 
@@ -521,16 +540,16 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { EXPECT_EQ("www.google.com", goog_cert->subject().common_name); EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); - EXPECT_EQ(CertDatabase::UNTRUSTED, + EXPECT_EQ(CertDatabase::TRUST_DEFAULT, cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); - psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); - EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); + + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); int flags = 0; CertVerifyResult verify_result; int error = verify_proc->Verify(goog_cert, "www.google.com", flags, - NULL, &verify_result); + NULL, &verify_result); EXPECT_EQ(OK, error); EXPECT_EQ(0U, verify_result.cert_status); } @@ -540,7 +559,8 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); CertDatabase::ImportCertFailureList failed; - EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, + &failed)); EXPECT_EQ(0U, failed.size()); 
@@ -548,30 +568,369 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> puny_cert(cert_list[0]); - EXPECT_EQ(CertDatabase::UNTRUSTED, + EXPECT_EQ(CertDatabase::TRUST_DEFAULT, cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); - psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); - EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); int flags = 0; CertVerifyResult verify_result; int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, - NULL, &verify_result); + NULL, &verify_result); EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); +} + +TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { + // When using CERT_PKIXVerifyCert (which we do), server trust only works from + // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. 
+ if (!NSS_VersionCheck("3.13.4")) { + LOG(INFO) << "test skipped on NSS < 3.13.4"; + return; + } + + CertificateList certs; + ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); + + CertDatabase::ImportCertFailureList failed; + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, + &failed)); + + EXPECT_EQ(0U, failed.size()); + + CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + ASSERT_EQ(1U, cert_list.size()); + scoped_refptr<X509Certificate> puny_cert(cert_list[0]); + + EXPECT_EQ(CertDatabase::TRUSTED_SSL, + cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); + EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), + puny_cert->os_cert_handle()->trust->sslFlags); + + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, + NULL, &verify_result); + EXPECT_EQ(OK, error); + EXPECT_EQ(0U, verify_result.cert_status); +} + +TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { + CertificateList ca_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "root_ca_cert.crt", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, ca_certs.size()); + + // Import CA cert and trust it. + CertDatabase::ImportCertFailureList failed; + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, + &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "ok_cert.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, certs.size()); + + // Import server cert with default trust. + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, + &failed)); + EXPECT_EQ(0U, failed.size()); - // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not - // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 + // Server cert should verify. 
+ scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result); + EXPECT_EQ(OK, error); + EXPECT_EQ(0U, verify_result.cert_status); +} + +TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { + // Explicit distrust only works starting in NSS 3.13. + if (!NSS_VersionCheck("3.13")) { + LOG(INFO) << "test skipped on NSS < 3.13"; + return; + } + + CertificateList ca_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "root_ca_cert.crt", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, ca_certs.size()); + + // Import CA cert and trust it. + CertDatabase::ImportCertFailureList failed; + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, + &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "ok_cert.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, certs.size()); + + // Import server cert without inheriting trust from issuer (explicit + // distrust). + EXPECT_TRUE(cert_db_.ImportServerCert( + certs, CertDatabase::DISTRUSTED_SSL, &failed)); + EXPECT_EQ(0U, failed.size()); + EXPECT_EQ(CertDatabase::DISTRUSTED_SSL, + cert_db_.GetCertTrust(certs[0], SERVER_CERT)); + + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), + certs[0]->os_cert_handle()->trust->sslFlags); + + // Server cert should fail to verify. 
+ scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result); + EXPECT_EQ(ERR_CERT_REVOKED, error); + EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); +} + +TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { + CertificateList ca_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-root.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, ca_certs.size()); + + // Import Root CA cert and distrust it. + CertDatabase::ImportCertFailureList failed; + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL, + &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList intermediate_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, intermediate_certs.size()); + + // Import Intermediate CA cert and trust it. + EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, + CertDatabase::TRUSTED_SSL, &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, certs.size()); + + // Import server cert with default trust. + EXPECT_TRUE(cert_db_.ImportServerCert( + certs, CertDatabase::TRUST_DEFAULT, &failed)); + EXPECT_EQ(0U, failed.size()); + EXPECT_EQ(CertDatabase::TRUST_DEFAULT, + cert_db_.GetCertTrust(certs[0], SERVER_CERT)); + + // Server cert should verify. + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result); + EXPECT_EQ(OK, error); + EXPECT_EQ(0U, verify_result.cert_status); + + // Explicit distrust only works starting in NSS 3.13. 
+ if (!NSS_VersionCheck("3.13")) { + LOG(INFO) << "test partially skipped on NSS < 3.13"; + return; + } + + // Trust the root cert and distrust the intermediate. + EXPECT_TRUE(cert_db_.SetCertTrust( + ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL)); EXPECT_TRUE(cert_db_.SetCertTrust( - puny_cert.get(), CA_CERT, - CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); + intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL)); + EXPECT_EQ( + unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), + ca_certs[0]->os_cert_handle()->trust->sslFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + ca_certs[0]->os_cert_handle()->trust->emailFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), + intermediate_certs[0]->os_cert_handle()->trust->sslFlags); + EXPECT_EQ(unsigned(CERTDB_VALID_CA), + intermediate_certs[0]->os_cert_handle()->trust->emailFlags); + EXPECT_EQ( + unsigned(CERTDB_VALID_CA), + intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); + + // Server cert should fail to verify. + CertVerifyResult verify_result2; + error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result2); + EXPECT_EQ(ERR_CERT_REVOKED, error); + EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); +} - verify_result.Reset(); - error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, +TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { + CertDatabase::ImportCertFailureList failed; + + CertificateList intermediate_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, intermediate_certs.size()); + + // Import Intermediate CA cert and trust it. 
+ EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, + CertDatabase::TRUSTED_SSL, &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, certs.size()); + + // Import server cert with default trust. + EXPECT_TRUE(cert_db_.ImportServerCert( + certs, CertDatabase::TRUST_DEFAULT, &failed)); + EXPECT_EQ(0U, failed.size()); + EXPECT_EQ(CertDatabase::TRUST_DEFAULT, + cert_db_.GetCertTrust(certs[0], SERVER_CERT)); + + // Server cert should verify. + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, NULL, &verify_result); EXPECT_EQ(OK, error); EXPECT_EQ(0U, verify_result.cert_status); + + // Without explicit trust of the intermediate, verification should fail. + EXPECT_TRUE(cert_db_.SetCertTrust( + intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); + + // Server cert should fail to verify. + CertVerifyResult verify_result2; + error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result2); + EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); + EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); +} + +TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { + CertDatabase::ImportCertFailureList failed; + + CertificateList ca_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-root.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, ca_certs.size()); + + // Import Root CA cert and default trust it. 
+ EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT, + &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList intermediate_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, intermediate_certs.size()); + + // Import Intermediate CA cert and trust it. + EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, + CertDatabase::TRUSTED_SSL, &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, certs.size()); + + // Import server cert with default trust. + EXPECT_TRUE(cert_db_.ImportServerCert( + certs, CertDatabase::TRUST_DEFAULT, &failed)); + EXPECT_EQ(0U, failed.size()); + EXPECT_EQ(CertDatabase::TRUST_DEFAULT, + cert_db_.GetCertTrust(certs[0], SERVER_CERT)); + + // Server cert should verify. + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result); + EXPECT_EQ(OK, error); + EXPECT_EQ(0U, verify_result.cert_status); + + // Without explicit trust of the intermediate, verification should fail. + EXPECT_TRUE(cert_db_.SetCertTrust( + intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); + + // Server cert should fail to verify. + CertVerifyResult verify_result2; + error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result2); + EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); + EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); +} + +TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { + // Explicit distrust only works starting in NSS 3.13. 
+ if (!NSS_VersionCheck("3.13")) { + LOG(INFO) << "test skipped on NSS < 3.13"; + return; + } + + CertDatabase::ImportCertFailureList failed; + + CertificateList ca_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-root.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, ca_certs.size()); + + // Import Root CA cert and trust it. + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, + &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList intermediate_certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, intermediate_certs.size()); + + // Import Intermediate CA cert and distrust it. + EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, + CertDatabase::DISTRUSTED_SSL, &failed)); + EXPECT_EQ(0U, failed.size()); + + CertificateList certs = CreateCertificateListFromFile( + GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(1U, certs.size()); + + // Import server cert with default trust. + EXPECT_TRUE(cert_db_.ImportServerCert( + certs, CertDatabase::TRUST_DEFAULT, &failed)); + EXPECT_EQ(0U, failed.size()); + EXPECT_EQ(CertDatabase::TRUST_DEFAULT, + cert_db_.GetCertTrust(certs[0], SERVER_CERT)); + + // Server cert should not verify. + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int flags = 0; + CertVerifyResult verify_result; + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result); + EXPECT_EQ(ERR_CERT_REVOKED, error); + EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); + + // Without explicit distrust of the intermediate, verification should succeed. + EXPECT_TRUE(cert_db_.SetCertTrust( + intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); + + // Server cert should verify. 
+ CertVerifyResult verify_result2; + error = verify_proc->Verify(certs[0], "127.0.0.1", flags, + NULL, &verify_result2); + EXPECT_EQ(OK, error); + EXPECT_EQ(0U, verify_result2.cert_status); } } // namespace net diff --git a/net/base/cert_database_openssl.cc b/net/base/cert_database_openssl.cc index 82f7fd8..c5f86d4 100644 --- a/net/base/cert_database_openssl.cc +++ b/net/base/cert_database_openssl.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
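Review bot: ImportCaAndServerCert_DistrustServer, TrustIntermediateCa and TrustIntermediateCa4 pin explicit distrust to ERR_CERT_REVOKED / CERT_STATUS_REVOKED without saying why a distrust record shows up as a revocation; presumably this is the verifier's error mapping rather than any CRL/OCSP lookup, and when that mapping changes these tests will fail with no hint of what they meant to check. A one-line comment at each of those expectations would make that explicit, e.g. `// Explicit distrust currently surfaces from the verifier as a revocation` `// error; this pins that mapping, not a revocation-check result.` The four TrustIntermediateCa* tests also repeat the same CreateCertificateListFromFile / ASSERT_EQ(1U, ...) / ImportCACerts / EXPECT_EQ(0U, failed.size()) sequence for root, intermediate and end-entity (roughly fifteen lines per cert); a fixture helper taking the filename and trust bits and returning the CertificateList (using EXPECT_* rather than ASSERT_*, since gtest fatal assertions need a void function) would reduce each test to its distinctive SetCertTrust step and second Verify. The new test bodies close within the hunk, which ends at `}  // namespace net`.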
@@ -36,66 +36,4 @@ int CertDatabase::AddUserCert(X509Certificate* cert) { return ERR_NOT_IMPLEMENTED; } -void CertDatabase::ListCerts(CertificateList* certs) { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); -} - -CryptoModule* CertDatabase::GetPublicModule() const { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return NULL; -} - -CryptoModule* CertDatabase::GetPrivateModule() const { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return NULL; -} - -void CertDatabase::ListModules(CryptoModuleList* modules, bool need_rw) const { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - modules->clear(); -} - -int CertDatabase::ImportFromPKCS12(CryptoModule* module, - const std::string& data, - const string16& password, - bool is_extractable, - CertificateList* imported_certs) { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return ERR_NOT_IMPLEMENTED; -} - -int CertDatabase::ExportToPKCS12(const CertificateList& certs, - const string16& password, - std::string* output) const { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return 0; -} - -bool CertDatabase::DeleteCertAndKey(const X509Certificate* cert) { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return false; -} - -CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert, - CertType type) const { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return 0; -} - -bool CertDatabase::SetCertTrust(const X509Certificate* cert, - CertType type, - TrustBits trust_bits) { - // TODO(bulach): implement me. - NOTIMPLEMENTED(); - return false; -} - } // namespace net diff --git a/net/net.gyp b/net/net.gyp index 313e11d..d1a3b46 100644 --- a/net/net.gyp +++ b/net/net.gyp 
@@ -696,8 +696,6 @@ 'spdy/spdy_websocket_stream.h', 'third_party/mozilla_security_manager/nsKeygenHandler.cpp', 'third_party/mozilla_security_manager/nsKeygenHandler.h', - 'third_party/mozilla_security_manager/nsNSSCertTrust.cpp', - 'third_party/mozilla_security_manager/nsNSSCertTrust.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', 'third_party/mozilla_security_manager/nsNSSCertificateDB.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', @@ -861,8 +859,6 @@ 'third_party/mozilla_security_manager/nsKeygenHandler.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', 'third_party/mozilla_security_manager/nsNSSCertificateDB.h', - 'third_party/mozilla_security_manager/nsNSSCertTrust.cpp', - 'third_party/mozilla_security_manager/nsNSSCertTrust.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', 'third_party/mozilla_security_manager/nsPKCS12Blob.h', ], @@ -935,8 +931,6 @@ 'third_party/mozilla_security_manager/nsKeygenHandler.h', 'third_party/mozilla_security_manager/nsNSSCertificateDB.cpp', 'third_party/mozilla_security_manager/nsNSSCertificateDB.h', - 'third_party/mozilla_security_manager/nsNSSCertTrust.cpp', - 'third_party/mozilla_security_manager/nsNSSCertTrust.h', 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', 'third_party/mozilla_security_manager/nsPKCS12Blob.h', ], diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp b/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp deleted file mode 100644 index 408e55d..0000000 --- a/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp +++ /dev/null 
@@ -1,378 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Ian McGreer <mcgreer@netscape.com> - * Javier Delgadillo <javi@netscape.com> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" - -#if !defined(CERTDB_TERMINAL_RECORD) -/* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD - * and marks CERTDB_VALID_PEER as deprecated. - * If we're using an older version, rename it ourselves. - */ -#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER -#endif - -namespace mozilla_security_manager { - -void -nsNSSCertTrust::AddCATrust(PRBool ssl, PRBool email, PRBool objSign) -{ - if (ssl) { - addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); - addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA); - } - if (email) { - addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); - addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); - } - if (objSign) { - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA); - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA); - } -} - -void -nsNSSCertTrust::AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign) -{ - if (ssl) - addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); - if (email) - addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); - if (objSign) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED); -} - -nsNSSCertTrust::nsNSSCertTrust() -{ - memset(&mTrust, 0, sizeof(CERTCertTrust)); -} - -nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, - unsigned int email, - unsigned int objsign) -{ - memset(&mTrust, 0, sizeof(CERTCertTrust)); - addTrust(&mTrust.sslFlags, ssl); - addTrust(&mTrust.emailFlags, email); - addTrust(&mTrust.objectSigningFlags, objsign); -} - -nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t) -{ - if (t) - memcpy(&mTrust, t, sizeof(CERTCertTrust)); - else - memset(&mTrust, 0, sizeof(CERTCertTrust)); -} - -nsNSSCertTrust::~nsNSSCertTrust() -{ -} - -void -nsNSSCertTrust::SetSSLTrust(PRBool peer, PRBool tPeer, - PRBool ca, PRBool tCA, PRBool tClientCA, - PRBool user, PRBool warn) -{ - mTrust.sslFlags = 0; - if (peer || tPeer) - addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD); - if (tPeer) - 
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); - if (ca || tCA) - addTrust(&mTrust.sslFlags, CERTDB_VALID_CA); - if (tClientCA) - addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA); - if (tCA) - addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); - if (user) - addTrust(&mTrust.sslFlags, CERTDB_USER); - if (warn) - addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN); -} - -void -nsNSSCertTrust::SetEmailTrust(PRBool peer, PRBool tPeer, - PRBool ca, PRBool tCA, PRBool tClientCA, - PRBool user, PRBool warn) -{ - mTrust.emailFlags = 0; - if (peer || tPeer) - addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD); - if (tPeer) - addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); - if (ca || tCA) - addTrust(&mTrust.emailFlags, CERTDB_VALID_CA); - if (tClientCA) - addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); - if (tCA) - addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); - if (user) - addTrust(&mTrust.emailFlags, CERTDB_USER); - if (warn) - addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN); -} - -void -nsNSSCertTrust::SetObjSignTrust(PRBool peer, PRBool tPeer, - PRBool ca, PRBool tCA, PRBool tClientCA, - PRBool user, PRBool warn) -{ - mTrust.objectSigningFlags = 0; - if (peer || tPeer) - addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD); - if (tPeer) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED); - if (ca || tCA) - addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA); - if (tClientCA) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA); - if (tCA) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA); - if (user) - addTrust(&mTrust.objectSigningFlags, CERTDB_USER); - if (warn) - addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN); -} - -void -nsNSSCertTrust::SetValidCA() -{ - SetSSLTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetEmailTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetObjSignTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); -} - 
-void -nsNSSCertTrust::SetTrustedServerCA() -{ - SetSSLTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetEmailTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetObjSignTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE); -} - -void -nsNSSCertTrust::SetTrustedCA() -{ - SetSSLTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_TRUE, PR_TRUE, - PR_FALSE, PR_FALSE); - SetEmailTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_TRUE, PR_TRUE, - PR_FALSE, PR_FALSE); - SetObjSignTrust(PR_FALSE, PR_FALSE, - PR_TRUE, PR_TRUE, PR_TRUE, - PR_FALSE, PR_FALSE); -} - -void -nsNSSCertTrust::SetValidPeer() -{ - SetSSLTrust(PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetEmailTrust(PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetObjSignTrust(PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); -} - -void -nsNSSCertTrust::SetValidServerPeer() -{ - SetSSLTrust(PR_TRUE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetEmailTrust(PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetObjSignTrust(PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); -} - -void -nsNSSCertTrust::SetTrustedPeer() -{ - SetSSLTrust(PR_TRUE, PR_TRUE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetEmailTrust(PR_TRUE, PR_TRUE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); - SetObjSignTrust(PR_TRUE, PR_TRUE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE); -} - -void -nsNSSCertTrust::SetUser() -{ - SetSSLTrust(PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE); - SetEmailTrust(PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE); - SetObjSignTrust(PR_FALSE, PR_FALSE, - PR_FALSE, PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE); -} - -PRBool -nsNSSCertTrust::HasAnyCA() -{ - if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) || - 
hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) || - hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA)) - return PR_TRUE; - return PR_FALSE; -} - -PRBool -nsNSSCertTrust::HasCA(PRBool checkSSL, - PRBool checkEmail, - PRBool checkObjSign) -{ - if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA)) - return PR_FALSE; - if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA)) - return PR_FALSE; - if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA)) - return PR_FALSE; - return PR_TRUE; -} - -PRBool -nsNSSCertTrust::HasPeer(PRBool checkSSL, - PRBool checkEmail, - PRBool checkObjSign) -{ - if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD)) - return PR_FALSE; - if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD)) - return PR_FALSE; - if (checkObjSign && - !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD)) - return PR_FALSE; - return PR_TRUE; -} - -PRBool -nsNSSCertTrust::HasAnyUser() -{ - if (hasTrust(mTrust.sslFlags, CERTDB_USER) || - hasTrust(mTrust.emailFlags, CERTDB_USER) || - hasTrust(mTrust.objectSigningFlags, CERTDB_USER)) - return PR_TRUE; - return PR_FALSE; -} - -PRBool -nsNSSCertTrust::HasUser(PRBool checkSSL, - PRBool checkEmail, - PRBool checkObjSign) -{ - if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER)) - return PR_FALSE; - if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER)) - return PR_FALSE; - if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER)) - return PR_FALSE; - return PR_TRUE; -} - -PRBool -nsNSSCertTrust::HasTrustedCA(PRBool checkSSL, - PRBool checkEmail, - PRBool checkObjSign) -{ - if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) || - hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA))) - return PR_FALSE; - if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) || - hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA))) - return PR_FALSE; - if (checkObjSign && - !(hasTrust(mTrust.objectSigningFlags, 
CERTDB_TRUSTED_CA) || - hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA))) - return PR_FALSE; - return PR_TRUE; -} - -PRBool -nsNSSCertTrust::HasTrustedPeer(PRBool checkSSL, - PRBool checkEmail, - PRBool checkObjSign) -{ - if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED))) - return PR_FALSE; - if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED))) - return PR_FALSE; - if (checkObjSign && - !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED))) - return PR_FALSE; - return PR_TRUE; -} - -void -nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v) -{ - *t |= v; -} - -PRBool -nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v) -{ - return !!(t & v); -} - -} // namespace mozilla_security_manager diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.h b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h deleted file mode 100644 index bc42fd0..0000000 --- a/net/third_party/mozilla_security_manager/nsNSSCertTrust.h +++ /dev/null 
@@ -1,128 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Ian McGreer <mcgreer@netscape.com> - * Javier Delgadillo <javi@netscape.com> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#ifndef NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_ -#define NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_ - -#include <certt.h> -#include <certdb.h> - -#include "net/base/net_export.h" - -namespace mozilla_security_manager { - -/* - * nsNSSCertTrust - * - * Class for maintaining trust flags for an NSS certificate. - */ -class NET_EXPORT nsNSSCertTrust -{ -public: - nsNSSCertTrust(); - nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign); - nsNSSCertTrust(CERTCertTrust *t); - virtual ~nsNSSCertTrust(); - - /* query */ - PRBool HasAnyCA(); - PRBool HasAnyUser(); - PRBool HasCA(PRBool checkSSL = PR_TRUE, - PRBool checkEmail = PR_TRUE, - PRBool checkObjSign = PR_TRUE); - PRBool HasPeer(PRBool checkSSL = PR_TRUE, - PRBool checkEmail = PR_TRUE, - PRBool checkObjSign = PR_TRUE); - PRBool HasUser(PRBool checkSSL = PR_TRUE, - PRBool checkEmail = PR_TRUE, - PRBool checkObjSign = PR_TRUE); - PRBool HasTrustedCA(PRBool checkSSL = PR_TRUE, - PRBool checkEmail = PR_TRUE, - PRBool checkObjSign = PR_TRUE); - PRBool HasTrustedPeer(PRBool checkSSL = PR_TRUE, - PRBool checkEmail = PR_TRUE, - PRBool checkObjSign = PR_TRUE); - - /* common defaults */ - /* equivalent to "c,c,c" */ - void SetValidCA(); - /* equivalent to "C,C,C" */ - void SetTrustedServerCA(); - /* equivalent to "CT,CT,CT" */ - void SetTrustedCA(); - /* equivalent to "p,," */ - void SetValidServerPeer(); - /* equivalent to "p,p,p" */ - void SetValidPeer(); - /* equivalent to "P,P,P" */ - void SetTrustedPeer(); - /* equivalent to "u,u,u" */ - void SetUser(); - - /* general setters */ - /* read: "p, P, c, C, T, u, w" */ - void SetSSLTrust(PRBool peer, PRBool tPeer, - PRBool ca, PRBool tCA, PRBool tClientCA, - PRBool user, PRBool warn); - - void SetEmailTrust(PRBool peer, PRBool tPeer, - PRBool ca, PRBool tCA, PRBool tClientCA, - PRBool user, PRBool warn); - - void SetObjSignTrust(PRBool peer, PRBool tPeer, - PRBool ca, PRBool 
tCA, PRBool tClientCA, - PRBool user, PRBool warn); - - /* set c <--> CT */ - void AddCATrust(PRBool ssl, PRBool email, PRBool objSign); - /* set p <--> P */ - void AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign); - - /* get it (const?) (shallow?) */ - CERTCertTrust * GetTrust() { return &mTrust; } - -private: - void addTrust(unsigned int *t, unsigned int v); - void removeTrust(unsigned int *t, unsigned int v); - PRBool hasTrust(unsigned int t, unsigned int v); - CERTCertTrust mTrust; -}; - -} // namespace mozilla_security_manager - -#endif // NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_ diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp index 0cf430d..234c065 100644 --- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp +++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp @@ -39,6 +39,7 @@ #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" #include <cert.h> +#include <certdb.h> #include <pk11pub.h> #include <secerr.h> @@ -47,7 +48,14 @@ #include "crypto/scoped_nss_types.h" #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" -#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" + +#if !defined(CERTDB_TERMINAL_RECORD) +/* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD + * and marks CERTDB_VALID_PEER as deprecated. + * If we're using an older version, rename it ourselves. + */ +#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER +#endif namespace mozilla_security_manager { @@ -56,6 +64,9 @@ bool ImportCACerts(const net::CertificateList& certificates, net::X509Certificate* root, net::CertDatabase::TrustBits trustBits, net::CertDatabase::ImportCertFailureList* not_imported) { + if (certificates.empty() || !root) + return false; + crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot()); if (!slot.get()) { LOG(ERROR) << "Couldn't get internal key slot!"; 
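Review bot: The `#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER` fallback in the nsNSSCertificateDB.cpp include hunk keeps older NSS compiling, but the comment only explains the rename and not what it means for the distrust support this commit adds: SetCertTrust uses a terminal record without CERTDB_TRUSTED to express "explicitly distrusted", and on an NSS old enough to still call the flag CERTDB_VALID_PEER that reading presumably does not apply, so DISTRUSTED_* bits would be written but not enforced there. Suggest extending the comment with `/* NOTE: pre-3.13 NSS does not treat this flag as a distrust marker, so DISTRUSTED_* is only effective on NSS >= 3.13. */` once that has been confirmed against the NSS versions Chromium actually builds against.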
@@ -158,7 +169,11 @@ bool ImportCACerts(const net::CertificateList& certificates,
 // Based on nsNSSCertificateDB::ImportServerCertificate.
 bool ImportServerCert(const net::CertificateList& certificates,
+ net::CertDatabase::TrustBits trustBits,
 net::CertDatabase::ImportCertFailureList* not_imported) {
+ if (certificates.empty())
+ return false;
+
 crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
 if (!slot.get()) {
 LOG(ERROR) << "Couldn't get internal key slot!";
@@ -184,9 +199,7 @@ bool ImportServerCert(const net::CertificateList& certificates,
 }
 }
- // Set as valid peer, but without any extra trust.
- SetCertTrust(certificates[0].get(), net::SERVER_CERT,
- net::CertDatabase::UNTRUSTED);
+ SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits);
 // TODO(mattm): Report SetCertTrust result?  Putting in not_imported
 // wouldn't quite match up since it was imported...
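Review bot: The replaced call now feeds caller-supplied `trustBits` into `SetCertTrust` but its return value is still dropped, and that matters more than before because `SetCertTrust` refuses a conflicting TRUSTED_*/DISTRUSTED_* combination and returns false; by then the chain has already been imported, so the certificate appears to stay in the database with whatever trust the import gave it while ImportServerCert presumably still reports success. Validating `trustBits` before the import, or at least propagating the failure, closes that gap, e.g. `if (!SetCertTrust(certificates[0].get(), net::SERVER_CERT, trustBits)) return false;`, with the existing TODO reworded to say why not_imported is not used for this case. ImportServerCert's body extends beyond the hunk, so the actual return path is not visible here.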
@@ -200,25 +213,57 @@ SetCertTrust(const net::X509Certificate* cert, net::CertType type, net::CertDatabase::TrustBits trustBits) { + const unsigned kSSLTrustBits = net::CertDatabase::TRUSTED_SSL | + net::CertDatabase::DISTRUSTED_SSL; + const unsigned kEmailTrustBits = net::CertDatabase::TRUSTED_EMAIL | + net::CertDatabase::DISTRUSTED_EMAIL; + const unsigned kObjSignTrustBits = net::CertDatabase::TRUSTED_OBJ_SIGN | + net::CertDatabase::DISTRUSTED_OBJ_SIGN; + if ((trustBits & kSSLTrustBits) == kSSLTrustBits || + (trustBits & kEmailTrustBits) == kEmailTrustBits || + (trustBits & kObjSignTrustBits) == kObjSignTrustBits) { + LOG(ERROR) << "SetCertTrust called with conflicting trust bits " + << trustBits; + NOTREACHED(); + return false; + } + SECStatus srv; - nsNSSCertTrust trust; CERTCertificate *nsscert = cert->os_cert_handle(); if (type == net::CA_CERT) { - // always start with untrusted and move up - trust.SetValidCA(); - trust.AddCATrust(trustBits & net::CertDatabase::TRUSTED_SSL, - trustBits & net::CertDatabase::TRUSTED_EMAIL, - trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN); - srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), - nsscert, - trust.GetTrust()); + // Note that we start with CERTDB_VALID_CA for default trust and explicit + // trust, but explicitly distrusted usages will be set to + // CERTDB_TERMINAL_RECORD only. 
+ CERTCertTrust trust = {CERTDB_VALID_CA, CERTDB_VALID_CA, CERTDB_VALID_CA};
+
+ if (trustBits & net::CertDatabase::DISTRUSTED_SSL)
+ trust.sslFlags = CERTDB_TERMINAL_RECORD;
+ else if (trustBits & net::CertDatabase::TRUSTED_SSL)
+ trust.sslFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+
+ if (trustBits & net::CertDatabase::DISTRUSTED_EMAIL)
+ trust.emailFlags = CERTDB_TERMINAL_RECORD;
+ else if (trustBits & net::CertDatabase::TRUSTED_EMAIL)
+ trust.emailFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+
+ if (trustBits & net::CertDatabase::DISTRUSTED_OBJ_SIGN)
+ trust.objectSigningFlags = CERTDB_TERMINAL_RECORD;
+ else if (trustBits & net::CertDatabase::TRUSTED_OBJ_SIGN)
+ trust.objectSigningFlags |= CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+
+ srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
 } else if (type == net::SERVER_CERT) {
- // always start with untrusted and move up
- trust.SetValidPeer();
- trust.AddPeerTrust(trustBits & net::CertDatabase::TRUSTED_SSL, 0, 0);
- srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(),
- nsscert,
- trust.GetTrust());
+ CERTCertTrust trust = {0};
+ // We only modify the sslFlags, so copy the other flags.
+ CERT_GetCertTrust(nsscert, &trust);
+ trust.sslFlags = 0;
+
+ if (trustBits & net::CertDatabase::DISTRUSTED_SSL)
+ trust.sslFlags |= CERTDB_TERMINAL_RECORD;
+ else if (trustBits & net::CertDatabase::TRUSTED_SSL)
+ trust.sslFlags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
+
+ srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, &trust);
 } else {
 // ignore user and email/unknown certs
 return true;
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h
index 29acaf9..e7a5a103 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.h
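Review bot: In the SERVER_CERT branch the status returned by `CERT_GetCertTrust(nsscert, &trust)` is ignored, so a failed lookup leaves `trust` zeroed and the email and object-signing flags are written back as zero by the following `CERT_ChangeCertTrust` rather than preserved as the comment promises; checking it makes the reset explicit: `if (CERT_GetCertTrust(nsscert, &trust) != SECSuccess) LOG(WARNING) << "CERT_GetCertTrust failed; non-SSL trust flags will be reset";`. The CA_CERT branch does the opposite and rebuilds all three usages from `CERTDB_VALID_CA` without consulting the stored record, so any other flags already on the CA (CERTDB_USER, for instance) are dropped; if that is intentional a one-line comment saying so would stop the two branches from looking inconsistent. Callers should also be told that DISTRUSTED_EMAIL and DISTRUSTED_OBJ_SIGN are accepted but silently ignored for SERVER_CERT. SetCertTrust continues past the end of the hunk.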
@@ -58,6 +58,7 @@ bool ImportCACerts(const net::CertificateList& certificates, net::CertDatabase::ImportCertFailureList* not_imported); bool ImportServerCert(const net::CertificateList& certificates, + net::CertDatabase::TrustBits trustBits, net::CertDatabase::ImportCertFailureList* not_imported); bool SetCertTrust(const net::X509Certificate* cert, |