authormattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-13 02:53:22 +0000
committermattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-13 02:53:22 +0000
commit35f05d23297b66e2098ae05f7f27d4832562bc48 (patch)
tree853ac3c035717356684c69fe268c41967ee0a0c9 /net
parent50264918ffe6571a692525f06d976d6005e6dd78 (diff)
Linux Cert manager: improve PKCS #12 import error messages.
BUG=76275 TEST=try to import a corrupt or unsupported PKCS #12 file. Review URL: http://codereview.chromium.org/7338011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@92306 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/cert_database_nss_unittest.cc31
-rw-r--r--net/base/net_error_list.h9
-rw-r--r--net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp31
3 files changed, 64 insertions, 7 deletions
diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc
index 70d4224..e6cf147 100644
--- a/net/base/cert_database_nss_unittest.cc
+++ b/net/base/cert_database_nss_unittest.cc
@@ -185,6 +185,24 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
// TODO(mattm): further verification of exported data?
}
+TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
+ std::string pkcs12_data = ReadTestFile("client.p12");
+
+ EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
+ pkcs12_data,
+ ASCIIToUTF16("12345"),
+ true)); // is_extractable
+ EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
+
+ // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
+ // it's ever used. This test verifies that.
+ EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
+ pkcs12_data,
+ ASCIIToUTF16("12345"),
+ true)); // is_extractable
+ EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
+}
+
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
std::string pkcs12_data = ReadTestFile("client.p12");
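Review bot: The comment in ImportFromPKCS12Twice records that NSS never seems to return SEC_ERROR_PKCS12_DUPLICATE_DATA, but it does not say what a caller would see if that changes. The switch this commit adds in nsPKCS12Blob.cpp has no case for that code, so it would reach `default` and surface as ERR_PKCS12_IMPORT_FAILED. I would extend the comment with something like `// If NSS starts returning it, the import maps to ERR_PKCS12_IMPORT_FAILED and this test fails.` The two import calls are repeated verbatim; holding `ASCIIToUTF16("12345")` in a local would make it obvious that both imports use identical inputs.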
@@ -205,6 +223,19 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
&exported_data));
}
+TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
+ std::string pkcs12_data = "Foobarbaz";
+
+ EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
+ cert_db_.ImportFromPKCS12(slot_,
+ pkcs12_data,
+ ASCIIToUTF16(""),
+ true)); // is_extractable
+
+ // Test db should still be empty.
+ EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+}
+
TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
std::string cert_data = ReadTestFile("root_ca_cert.crt");
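Review bot: Only the invalid-file result is covered by the tests added in this file. ERR_PKCS12_IMPORT_INVALID_MAC, ERR_PKCS12_IMPORT_UNSUPPORTED and the widened bad-password case have no test in the hunks shown. Unless a wrong-password test already exists elsewhere in the file, I would add one that imports `client.p12` with a password other than `"12345"`, asserts the returned code and checks that the slot is still empty. That would also pin down whether NSS reports that case as a bad password or as an invalid MAC. `"Foobarbaz"` is not DER at all, so it probably exercises only one of the three NSS codes mapped to ERR_PKCS12_IMPORT_INVALID_FILE; a truncated copy of the real file would be a useful second input.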
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index cfde9d8..80d770f 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -555,6 +555,15 @@ NET_ERROR(IMPORT_CA_CERT_FAILED, -705)
// Server certificate import failed due to some internal error.
NET_ERROR(IMPORT_SERVER_CERT_FAILED, -706)
+// PKCS #12 import failed due to invalid MAC.
+NET_ERROR(PKCS12_IMPORT_INVALID_MAC, -707)
+
+// PKCS #12 import failed due to invalid/corrupt file.
+NET_ERROR(PKCS12_IMPORT_INVALID_FILE, -708)
+
+// PKCS #12 import failed due to unsupported features.
+NET_ERROR(PKCS12_IMPORT_UNSUPPORTED, -709)
+
// DNS error codes.
// DNS resolver received a malformed response.
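Review bot: The comment on PKCS12_IMPORT_INVALID_MAC (-707) says only "invalid MAC", which gives UI authors too little to build a user-facing message from. In PKCS #12 the MAC key is derived from the password, so a MAC failure means the integrity check did not pass: the file was modified or corrupted, or the password does not match. I would expand it to `// PKCS #12 import failed because the integrity check (MAC) did not verify; the file may be corrupt or modified, or the password may be wrong.` Whether NSS ever reports a wrong password this way, rather than as SEC_ERROR_BAD_PASSWORD, is not visible here and is worth confirming.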
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
index e314660..d659900 100644
--- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
+++ b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
@@ -228,13 +228,30 @@ finish:
// We should use that error code instead of inventing a new one
// for every error possible.
if (srv != SECSuccess) {
- if (SEC_ERROR_BAD_PASSWORD == PORT_GetError()) {
- import_result = net::ERR_PKCS12_IMPORT_BAD_PASSWORD;
- }
- else
- {
- LOG(ERROR) << "PKCS#12 import failed with error " << PORT_GetError();
- import_result = net::ERR_PKCS12_IMPORT_FAILED;
+ int error = PORT_GetError();
+ LOG(ERROR) << "PKCS#12 import failed with error " << error;
+ switch (error) {
+ case SEC_ERROR_BAD_PASSWORD:
+ case SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT:
+ import_result = net::ERR_PKCS12_IMPORT_BAD_PASSWORD;
+ break;
+ case SEC_ERROR_PKCS12_INVALID_MAC:
+ import_result = net::ERR_PKCS12_IMPORT_INVALID_MAC;
+ break;
+ case SEC_ERROR_BAD_DER:
+ case SEC_ERROR_PKCS12_DECODING_PFX:
+ case SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE:
+ import_result = net::ERR_PKCS12_IMPORT_INVALID_FILE;
+ break;
+ case SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM:
+ case SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE:
+ case SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM:
+ case SEC_ERROR_PKCS12_UNSUPPORTED_VERSION:
+ import_result = net::ERR_PKCS12_IMPORT_UNSUPPORTED;
+ break;
+ default:
+ import_result = net::ERR_PKCS12_IMPORT_FAILED;
+ break;
}
}
// Finish the decoder
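Review bot: `LOG(ERROR)` now runs before the `switch`, so every failure is logged at error level, including a mistyped password (SEC_ERROR_BAD_PASSWORD), which the old code did not log. If that is not intended, move the log into the default branch, `default: LOG(ERROR) << "PKCS#12 import failed with error " << error;`, so that expected user mistakes stay out of the error log while unmapped NSS codes are still recorded. If logging everything is deliberate for diagnosing BUG=76275, a one-line comment saying so would help. The enclosing function begins before this hunk and continues after it.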