Move nsNSSCertTrust from chrome/third_party to net/third_party.

BUG=19991
TEST=builds

Review URL: http://codereview.chromium.org/3104022

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56799 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 499 insertions, 0 deletions

diff --git a/net/net.gyp b/net/net.gyp
index c370020..f661b17 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -185,6 +185,8 @@
         'base/x509_cert_types_mac.cc',
         'third_party/mozilla_security_manager/nsKeygenHandler.cpp',
         'third_party/mozilla_security_manager/nsKeygenHandler.h',
+        'third_party/mozilla_security_manager/nsNSSCertTrust.cpp',
+        'third_party/mozilla_security_manager/nsNSSCertTrust.h',
         'third_party/mozilla_security_manager/nsPKCS12Blob.cpp',
         'third_party/mozilla_security_manager/nsPKCS12Blob.h',
       ],
@@ -207,6 +209,8 @@
               'base/x509_certificate_nss.cc',
               'third_party/mozilla_security_manager/nsKeygenHandler.cpp',
               'third_party/mozilla_security_manager/nsKeygenHandler.h',
+              'third_party/mozilla_security_manager/nsNSSCertTrust.cpp',
+              'third_party/mozilla_security_manager/nsNSSCertTrust.h',
               'third_party/mozilla_security_manager/nsPKCS12Blob.cpp',
               'third_party/mozilla_security_manager/nsPKCS12Blob.h',
             ],
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp b/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp
new file mode 100644
index 0000000..75fa04f
--- /dev/null
+++ b/net/third_party/mozilla_security_manager/nsNSSCertTrust.cpp
@@ -0,0 +1,369 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Ian McGreer <mcgreer@netscape.com>
+ *   Javier Delgadillo <javi@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
+
+namespace mozilla_security_manager {
+
+void
+nsNSSCertTrust::AddCATrust(PRBool ssl, PRBool email, PRBool objSign)
+{
+  if (ssl) {
+    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
+    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
+  }
+  if (email) {
+    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
+    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
+  }
+  if (objSign) {
+    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
+    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
+  }
+}
+
+void
+nsNSSCertTrust::AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign)
+{
+  if (ssl)
+    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
+  if (email)
+    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
+  if (objSign)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
+}
+
+nsNSSCertTrust::nsNSSCertTrust()
+{
+  memset(&mTrust, 0, sizeof(CERTCertTrust));
+}
+
+nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, 
+                               unsigned int email, 
+                               unsigned int objsign)
+{
+  memset(&mTrust, 0, sizeof(CERTCertTrust));
+  addTrust(&mTrust.sslFlags, ssl);
+  addTrust(&mTrust.emailFlags, email);
+  addTrust(&mTrust.objectSigningFlags, objsign);
+}
+
+nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
+{
+  if (t)
+    memcpy(&mTrust, t, sizeof(CERTCertTrust));
+  else
+    memset(&mTrust, 0, sizeof(CERTCertTrust)); 
+}
+
+nsNSSCertTrust::~nsNSSCertTrust()
+{
+}
+
+void
+nsNSSCertTrust::SetSSLTrust(PRBool peer, PRBool tPeer,
+                            PRBool ca,   PRBool tCA, PRBool tClientCA,
+                            PRBool user, PRBool warn)
+{
+  mTrust.sslFlags = 0;
+  if (peer || tPeer)
+    addTrust(&mTrust.sslFlags, CERTDB_VALID_PEER);
+  if (tPeer)
+    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
+  if (ca || tCA)
+    addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
+  if (tClientCA)
+    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
+  if (tCA)
+    addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
+  if (user)
+    addTrust(&mTrust.sslFlags, CERTDB_USER);
+  if (warn)
+    addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
+}
+
+void
+nsNSSCertTrust::SetEmailTrust(PRBool peer, PRBool tPeer,
+                              PRBool ca,   PRBool tCA, PRBool tClientCA,
+                              PRBool user, PRBool warn)
+{
+  mTrust.emailFlags = 0;
+  if (peer || tPeer)
+    addTrust(&mTrust.emailFlags, CERTDB_VALID_PEER);
+  if (tPeer)
+    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
+  if (ca || tCA)
+    addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
+  if (tClientCA)
+    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
+  if (tCA)
+    addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
+  if (user)
+    addTrust(&mTrust.emailFlags, CERTDB_USER);
+  if (warn)
+    addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
+}
+
+void
+nsNSSCertTrust::SetObjSignTrust(PRBool peer, PRBool tPeer,
+                                PRBool ca,   PRBool tCA, PRBool tClientCA,
+                                PRBool user, PRBool warn)
+{
+  mTrust.objectSigningFlags = 0;
+  if (peer || tPeer)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_PEER);
+  if (tPeer)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
+  if (ca || tCA)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
+  if (tClientCA)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
+  if (tCA)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
+  if (user)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
+  if (warn)
+    addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
+}
+
+void
+nsNSSCertTrust::SetValidCA()
+{
+  SetSSLTrust(PR_FALSE, PR_FALSE,
+              PR_TRUE, PR_FALSE, PR_FALSE,
+              PR_FALSE, PR_FALSE);
+  SetEmailTrust(PR_FALSE, PR_FALSE,
+                PR_TRUE, PR_FALSE, PR_FALSE,
+                PR_FALSE, PR_FALSE);
+  SetObjSignTrust(PR_FALSE, PR_FALSE,
+                  PR_TRUE, PR_FALSE, PR_FALSE,
+                  PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetTrustedServerCA()
+{
+  SetSSLTrust(PR_FALSE, PR_FALSE,
+              PR_TRUE, PR_TRUE, PR_FALSE,
+              PR_FALSE, PR_FALSE);
+  SetEmailTrust(PR_FALSE, PR_FALSE,
+                PR_TRUE, PR_TRUE, PR_FALSE,
+                PR_FALSE, PR_FALSE);
+  SetObjSignTrust(PR_FALSE, PR_FALSE,
+                  PR_TRUE, PR_TRUE, PR_FALSE,
+                  PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetTrustedCA()
+{
+  SetSSLTrust(PR_FALSE, PR_FALSE,
+              PR_TRUE, PR_TRUE, PR_TRUE,
+              PR_FALSE, PR_FALSE);
+  SetEmailTrust(PR_FALSE, PR_FALSE,
+                PR_TRUE, PR_TRUE, PR_TRUE,
+                PR_FALSE, PR_FALSE);
+  SetObjSignTrust(PR_FALSE, PR_FALSE,
+                  PR_TRUE, PR_TRUE, PR_TRUE,
+                  PR_FALSE, PR_FALSE);
+}
+
+void 
+nsNSSCertTrust::SetValidPeer()
+{
+  SetSSLTrust(PR_TRUE, PR_FALSE,
+              PR_FALSE, PR_FALSE, PR_FALSE,
+              PR_FALSE, PR_FALSE);
+  SetEmailTrust(PR_TRUE, PR_FALSE,
+                PR_FALSE, PR_FALSE, PR_FALSE,
+                PR_FALSE, PR_FALSE);
+  SetObjSignTrust(PR_TRUE, PR_FALSE,
+                  PR_FALSE, PR_FALSE, PR_FALSE,
+                  PR_FALSE, PR_FALSE);
+}
+
+void 
+nsNSSCertTrust::SetValidServerPeer()
+{
+  SetSSLTrust(PR_TRUE, PR_FALSE,
+              PR_FALSE, PR_FALSE, PR_FALSE,
+              PR_FALSE, PR_FALSE);
+  SetEmailTrust(PR_FALSE, PR_FALSE,
+                PR_FALSE, PR_FALSE, PR_FALSE,
+                PR_FALSE, PR_FALSE);
+  SetObjSignTrust(PR_FALSE, PR_FALSE,
+                  PR_FALSE, PR_FALSE, PR_FALSE,
+                  PR_FALSE, PR_FALSE);
+}
+
+void 
+nsNSSCertTrust::SetTrustedPeer()
+{
+  SetSSLTrust(PR_TRUE, PR_TRUE,
+              PR_FALSE, PR_FALSE, PR_FALSE,
+              PR_FALSE, PR_FALSE);
+  SetEmailTrust(PR_TRUE, PR_TRUE,
+                PR_FALSE, PR_FALSE, PR_FALSE,
+                PR_FALSE, PR_FALSE);
+  SetObjSignTrust(PR_TRUE, PR_TRUE,
+                  PR_FALSE, PR_FALSE, PR_FALSE,
+                  PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetUser()
+{
+  SetSSLTrust(PR_FALSE, PR_FALSE,
+              PR_FALSE, PR_FALSE, PR_FALSE,
+              PR_TRUE, PR_FALSE);
+  SetEmailTrust(PR_FALSE, PR_FALSE,
+                PR_FALSE, PR_FALSE, PR_FALSE,
+                PR_TRUE, PR_FALSE);
+  SetObjSignTrust(PR_FALSE, PR_FALSE,
+                  PR_FALSE, PR_FALSE, PR_FALSE,
+                  PR_TRUE, PR_FALSE);
+}
+
+PRBool
+nsNSSCertTrust::HasAnyCA()
+{
+  if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
+      hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
+      hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
+    return PR_TRUE;
+  return PR_FALSE;
+}
+
+PRBool
+nsNSSCertTrust::HasCA(PRBool checkSSL, 
+                      PRBool checkEmail,  
+                      PRBool checkObjSign)
+{
+  if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
+    return PR_FALSE;
+  if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
+    return PR_FALSE;
+  if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
+    return PR_FALSE;
+  return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasPeer(PRBool checkSSL, 
+                        PRBool checkEmail,  
+                        PRBool checkObjSign)
+{
+  if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_PEER))
+    return PR_FALSE;
+  if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_PEER))
+    return PR_FALSE;
+  if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_PEER))
+    return PR_FALSE;
+  return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasAnyUser()
+{
+  if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
+      hasTrust(mTrust.emailFlags, CERTDB_USER) ||
+      hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
+    return PR_TRUE;
+  return PR_FALSE;
+}
+
+PRBool
+nsNSSCertTrust::HasUser(PRBool checkSSL, 
+                        PRBool checkEmail,  
+                        PRBool checkObjSign)
+{
+  if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
+    return PR_FALSE;
+  if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
+    return PR_FALSE;
+  if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
+    return PR_FALSE;
+  return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasTrustedCA(PRBool checkSSL, 
+                             PRBool checkEmail,  
+                             PRBool checkObjSign)
+{
+  if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
+                    hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
+    return PR_FALSE;
+  if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
+                      hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
+    return PR_FALSE;
+  if (checkObjSign && 
+       !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
+         hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
+    return PR_FALSE;
+  return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasTrustedPeer(PRBool checkSSL, 
+                               PRBool checkEmail,  
+                               PRBool checkObjSign)
+{
+  if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
+    return PR_FALSE;
+  if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
+    return PR_FALSE;
+  if (checkObjSign && 
+       !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
+    return PR_FALSE;
+  return PR_TRUE;
+}
+
+void
+nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
+{
+  *t |= v;
+}
+
+PRBool
+nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
+{
+  return !!(t & v);
+}
+
+}  // namespace mozilla_security_manager
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertTrust.h b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h
new file mode 100644
index 0000000..d858c84
--- /dev/null
+++ b/net/third_party/mozilla_security_manager/nsNSSCertTrust.h
@@ -0,0 +1,126 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Ian McGreer <mcgreer@netscape.com>
+ *   Javier Delgadillo <javi@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_
+#define NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_
+
+#include <certt.h>
+#include <certdb.h>
+
+namespace mozilla_security_manager {
+
+/*
+ * nsNSSCertTrust
+ * 
+ * Class for maintaining trust flags for an NSS certificate.
+ */
+class nsNSSCertTrust
+{
+public:
+  nsNSSCertTrust();
+  nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign);
+  nsNSSCertTrust(CERTCertTrust *t);
+  virtual ~nsNSSCertTrust();
+
+  /* query */
+  PRBool HasAnyCA();
+  PRBool HasAnyUser();
+  PRBool HasCA(PRBool checkSSL = PR_TRUE, 
+               PRBool checkEmail = PR_TRUE,  
+               PRBool checkObjSign = PR_TRUE);
+  PRBool HasPeer(PRBool checkSSL = PR_TRUE, 
+                 PRBool checkEmail = PR_TRUE,  
+                 PRBool checkObjSign = PR_TRUE);
+  PRBool HasUser(PRBool checkSSL = PR_TRUE, 
+                 PRBool checkEmail = PR_TRUE,  
+                 PRBool checkObjSign = PR_TRUE);
+  PRBool HasTrustedCA(PRBool checkSSL = PR_TRUE, 
+                      PRBool checkEmail = PR_TRUE,  
+                      PRBool checkObjSign = PR_TRUE);
+  PRBool HasTrustedPeer(PRBool checkSSL = PR_TRUE, 
+                        PRBool checkEmail = PR_TRUE,  
+                        PRBool checkObjSign = PR_TRUE);
+
+  /* common defaults */
+  /* equivalent to "c,c,c" */
+  void SetValidCA();
+  /* equivalent to "C,C,C" */
+  void SetTrustedServerCA();
+  /* equivalent to "CT,CT,CT" */
+  void SetTrustedCA();
+  /* equivalent to "p,," */
+  void SetValidServerPeer();
+  /* equivalent to "p,p,p" */
+  void SetValidPeer();
+  /* equivalent to "P,P,P" */
+  void SetTrustedPeer();
+  /* equivalent to "u,u,u" */
+  void SetUser();
+
+  /* general setters */
+  /* read: "p, P, c, C, T, u, w" */
+  void SetSSLTrust(PRBool peer, PRBool tPeer,
+                   PRBool ca,   PRBool tCA, PRBool tClientCA,
+                   PRBool user, PRBool warn); 
+
+  void SetEmailTrust(PRBool peer, PRBool tPeer,
+                     PRBool ca,   PRBool tCA, PRBool tClientCA,
+                     PRBool user, PRBool warn);
+
+  void SetObjSignTrust(PRBool peer, PRBool tPeer,
+                       PRBool ca,   PRBool tCA, PRBool tClientCA,
+                       PRBool user, PRBool warn);
+
+  /* set c <--> CT */
+  void AddCATrust(PRBool ssl, PRBool email, PRBool objSign);
+  /* set p <--> P */
+  void AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign);
+
+  /* get it (const?) (shallow?) */
+  CERTCertTrust * GetTrust() { return &mTrust; }
+
+private:
+  void addTrust(unsigned int *t, unsigned int v);
+  void removeTrust(unsigned int *t, unsigned int v);
+  PRBool hasTrust(unsigned int t, unsigned int v);
+  CERTCertTrust mTrust;
+};
+
+}  // namespace mozilla_security_manager
+
+#endif  // NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_