-rw-r--r-- | base/nss_util.cc | 48 | ||||
-rw-r--r-- | base/nss_util.h | 7 | ||||
-rw-r--r-- | net/base/cert_database.h | 19 | ||||
-rw-r--r-- | net/base/cert_database_nss.cc | 19 | ||||
-rw-r--r-- | net/base/cert_database_nss_unittest.cc | 116 | ||||
-rw-r--r-- | net/base/net_error_list.h | 7 | ||||
-rw-r--r-- | net/net.gyp | 10 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp | 397 | ||||
-rw-r--r-- | net/third_party/mozilla_security_manager/nsPKCS12Blob.h | 73 | ||||
-rw-r--r-- | tools/valgrind/memcheck/suppressions.txt | 67 |
10 files changed, 8 insertions, 755 deletions
diff --git a/base/nss_util.cc b/base/nss_util.cc index d4ace40..cd44fed 100644 --- a/base/nss_util.cc +++ b/base/nss_util.cc @@ -127,7 +127,6 @@ class NSSInitSingleton { public: NSSInitSingleton() : real_db_slot_(NULL), - test_db_slot_(NULL), root_(NULL), chromeos_user_logged_in_(false) { base::EnsureNSPRInit(); @@ -219,7 +218,6 @@ class NSSInitSingleton { PK11_FreeSlot(real_db_slot_); real_db_slot_ = NULL; } - CloseTestNSSDB(); if (root_) { SECMOD_UnloadUserModule(root_); SECMOD_DestroyModule(root_); @@ -239,33 +237,23 @@ class NSSInitSingleton { void OpenPersistentNSSDB() { if (!chromeos_user_logged_in_) { chromeos_user_logged_in_ = true; - real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(), - "Real NSS database"); + const std::string modspec = + StringPrintf("configDir='%s' tokenDescription='Real NSS database'", + GetDefaultConfigDirectory().value().c_str()); + real_db_slot_ = SECMOD_OpenUserDB(modspec.c_str()); if (real_db_slot_ == NULL) { LOG(ERROR) << "Error opening persistent database (" << modspec << "): NSS error code " << PR_GetError(); + } else { + if (PK11_NeedUserInit(real_db_slot_)) + PK11_InitPin(real_db_slot_, NULL, NULL); } } } #endif // defined(OS_CHROMEOS) - bool OpenTestNSSDB(const FilePath& path, const char* description) { - test_db_slot_ = OpenUserDB(path, description); - return !!test_db_slot_; - } - - void CloseTestNSSDB() { - if (test_db_slot_) { - SECMOD_CloseUserDB(test_db_slot_); - PK11_FreeSlot(test_db_slot_); - test_db_slot_ = NULL; - } - } - PK11SlotInfo* GetDefaultKeySlot() { - if (test_db_slot_) - return PK11_ReferenceSlot(test_db_slot_); if (real_db_slot_) return PK11_ReferenceSlot(real_db_slot_); return PK11_GetInternalKeySlot(); 
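Review bot: The result of `PK11_InitPin(real_db_slot_, NULL, NULL)` in the new `else` branch of OpenPersistentNSSDB() is discarded, so a failed token initialization leaves `real_db_slot_` set and GetDefaultKeySlot() keeps returning a slot that may not be usable for key storage. The status should be checked and logged, for example `if (PK11_NeedUserInit(real_db_slot_) && PK11_InitPin(real_db_slot_, NULL, NULL) != SECSuccess) LOG(ERROR) << "PK11_InitPin failed: " << PR_GetError();`. Passing a NULL PIN also initializes the persistent database with an empty password, so a comment such as `// Empty PIN is intentional: the user DB is not password protected.` would record that this is a deliberate choice. Separately, the directory is formatted into `configDir='%s'` without any quoting of the path, and the `sql:` prefix used by the removed OpenUserDB() helper is gone, so the database format now follows the NSS default. Both are worth confirming against how the rest of NSSInitSingleton, which lies outside this hunk, opens its databases.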
@@ -278,21 +266,7 @@ class NSSInitSingleton { #endif // defined(USE_NSS) private: - static PK11SlotInfo* OpenUserDB(const FilePath& path, - const char* description) { - const std::string modspec = - StringPrintf("configDir='sql:%s' tokenDescription='%s'", - path.value().c_str(), description); - PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str()); - if (db_slot) { - if (PK11_NeedUserInit(db_slot)) - PK11_InitPin(db_slot, NULL, NULL); - } - return db_slot; - } - PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL. - PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_ SECMODModule *root_; bool chromeos_user_logged_in_; #if defined(USE_NSS) @@ -313,14 +287,6 @@ void EnsureNSSInit() { } #if defined(USE_NSS) -bool OpenTestNSSDB(const FilePath& path, const char* description) { - return Singleton<NSSInitSingleton>::get()->OpenTestNSSDB(path, description); -} - -void CloseTestNSSDB() { - Singleton<NSSInitSingleton>::get()->CloseTestNSSDB(); -} - Lock* GetNSSWriteLock() { return Singleton<NSSInitSingleton>::get()->write_lock(); } diff --git a/base/nss_util.h b/base/nss_util.h index 15b624c..b869e46 100644 --- a/base/nss_util.h +++ b/base/nss_util.h @@ -9,7 +9,6 @@ #include "base/basictypes.h" #if defined(USE_NSS) -class FilePath; class Lock; #endif // defined(USE_NSS) @@ -40,12 +39,6 @@ void OpenPersistentNSSDB(); Time PRTimeToBaseTime(int64 prtime); #if defined(USE_NSS) -// Exposed for unittests only. |path| should be an existing directory under -// which the DB files will be placed. |description| is a user-visible name for -// the DB, as a utf8 string, which will be truncated at 32 bytes. -bool OpenTestNSSDB(const FilePath& path, const char* description); -void CloseTestNSSDB(); - // NSS has a bug which can cause a deadlock or stall in some cases when writing // to the certDB and keyDB. It also has a bug which causes concurrent key pair // generations to scribble over each other. To work around this, we synchronize 
diff --git a/net/base/cert_database.h b/net/base/cert_database.h index a264f19..9621e45 100644 --- a/net/base/cert_database.h +++ b/net/base/cert_database.h @@ -6,17 +6,11 @@ #define NET_BASE_CERT_DATABASE_H_ #pragma once -#include <string> -#include <vector> - #include "base/basictypes.h" -#include "base/string16.h" -#include "base/ref_counted.h" namespace net { class X509Certificate; -typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; // This class provides functions to manipulate the local // certificate store. @@ -38,19 +32,6 @@ class CertDatabase { // the platform cert database, or possibly other network error codes. int AddUserCert(X509Certificate* cert); -#if defined(USE_NSS) - // Import certificates and private keys from PKCS #12 blob. - // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD - // or ERR_PKCS12_IMPORT_ERROR. - int ImportFromPKCS12(const std::string& data, const string16& password); - - // Export the given certificates and private keys into a PKCS #12 blob, - // storing into |output|. - // Returns the number of certificates successfully exported. - int ExportToPKCS12(const CertificateList& certs, const string16& password, - std::string* output); -#endif - private: DISALLOW_COPY_AND_ASSIGN(CertDatabase); }; diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc index e314afa..98930ff 100644 --- a/net/base/cert_database_nss.cc +++ b/net/base/cert_database_nss.cc 
@@ -13,20 +13,15 @@ #include <keyhi.h> // SECKEY_CreateSubjectPublicKeyInfo() #include "base/logging.h" -#include "base/nss_util.h" #include "base/scoped_ptr.h" +#include "base/nss_util.h" #include "net/base/net_errors.h" #include "net/base/x509_certificate.h" -#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" - -// PSM = Mozilla's Personal Security Manager. -namespace psm = mozilla_security_manager; namespace net { CertDatabase::CertDatabase() { base::EnsureNSSInit(); - psm::EnsurePKCS12Init(); } int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { @@ -90,16 +85,4 @@ int CertDatabase::AddUserCert(X509Certificate* cert_obj) { return OK; } -int CertDatabase::ImportFromPKCS12( - const std::string& data, const string16& password) { - return psm::nsPKCS12Blob_Import(data.data(), data.size(), password); -} - -int CertDatabase::ExportToPKCS12( - const CertificateList& certs, - const string16& password, - std::string* output) { - return psm::nsPKCS12Blob_Export(output, certs, password); -} - } // namespace net diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc deleted file mode 100644 index f25b043..0000000 --- a/net/base/cert_database_nss_unittest.cc +++ /dev/null 
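Review bot: Moving `#include "base/nss_util.h"` below `#include "base/scoped_ptr.h"` in the first hunk of cert_database_nss.cc leaves the `base/` includes out of alphabetical order. The removal of the nsPKCS12Blob.h include does not need this reordering, so the sequence `"base/logging.h"`, `"base/nss_util.h"`, `"base/scoped_ptr.h"` can stay as it was.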
@@ -1,116 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include <cert.h> -#include <pk11pub.h> - -#include "base/file_path.h" -#include "base/file_util.h" -#include "base/nss_util.h" -#include "base/nss_util_internal.h" -#include "base/path_service.h" -#include "base/scoped_temp_dir.h" -#include "base/string_util.h" -#include "net/base/cert_database.h" -#include "net/base/net_errors.h" -#include "net/base/x509_certificate.h" -#include "testing/gtest/include/gtest/gtest.h" - -namespace net { - -namespace { - -// Returns a FilePath object representing the src/net/data/ssl/certificates -// directory in the source tree. -FilePath GetTestCertsDirectory() { - FilePath certs_dir; - PathService::Get(base::DIR_SOURCE_ROOT, &certs_dir); - certs_dir = certs_dir.AppendASCII("net"); - certs_dir = certs_dir.AppendASCII("data"); - certs_dir = certs_dir.AppendASCII("ssl"); - certs_dir = certs_dir.AppendASCII("certificates"); - return certs_dir; -} - -} // namespace - - -class CertDatabaseNSSTest : public testing::Test { - public: - virtual void SetUp() { - ASSERT_TRUE(temp_db_dir_.CreateUniqueTempDir()); - ASSERT_TRUE( - base::OpenTestNSSDB(temp_db_dir_.path(), "CertDatabaseNSSTest db")); - } - virtual void TearDown() { - base::CloseTestNSSDB(); - } - private: - ScopedTempDir temp_db_dir_; -}; - -TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { - PK11SlotInfo* slot = base::GetDefaultNSSKeySlot(); - CertDatabase cert_db; - - CERTCertList* cert_list = PK11_ListCertsInSlot(slot); - // Test db should be empty at start of test. 
- EXPECT_TRUE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list)); - CERT_DestroyCertList(cert_list); - - FilePath cert_path = GetTestCertsDirectory().AppendASCII("client.p12"); - std::string cert_data; - ASSERT_TRUE(file_util::ReadFileToString(cert_path, &cert_data)); - EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, - cert_db.ImportFromPKCS12(cert_data, ASCIIToUTF16(""))); - - - cert_list = PK11_ListCertsInSlot(slot); - // Test db should still be empty. - EXPECT_TRUE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list)); - CERT_DestroyCertList(cert_list); - - PK11_FreeSlot(slot); -} - -TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AndExportAgain) { - PK11SlotInfo* slot = base::GetDefaultNSSKeySlot(); - CertDatabase cert_db; - - CERTCertList* cert_list = PK11_ListCertsInSlot(slot); - // Test db should be empty at start of test. - EXPECT_TRUE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list)); - CERT_DestroyCertList(cert_list); - - FilePath cert_path = GetTestCertsDirectory().AppendASCII("client.p12"); - std::string cert_data; - ASSERT_TRUE(file_util::ReadFileToString(cert_path, &cert_data)); - EXPECT_EQ(OK, cert_db.ImportFromPKCS12(cert_data, ASCIIToUTF16("12345"))); - - cert_list = PK11_ListCertsInSlot(slot); - // Test db should be empty at start of test. - ASSERT_FALSE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list)); - scoped_refptr<X509Certificate> cert( - X509Certificate::CreateFromHandle( - CERT_LIST_HEAD(cert_list)->cert, - X509Certificate::SOURCE_LONE_CERT_IMPORT, - X509Certificate::OSCertHandles())); - CERT_DestroyCertList(cert_list); - - EXPECT_EQ("testusercert", - cert->subject().common_name); - - // TODO(mattm): move export test to seperate test case? - CertificateList certs; - certs.push_back(cert); - std::string exported_data; - EXPECT_EQ(1, cert_db.ExportToPKCS12(certs, ASCIIToUTF16("exportpw"), - &exported_data)); - ASSERT_LT(0U, exported_data.size()); - // TODO(mattm): further verification of exported data? 
- - PK11_FreeSlot(slot); -} - -} // namespace net diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h index 1a0e242..53849631 100644 --- a/net/base/net_error_list.h +++ b/net/base/net_error_list.h @@ -16,7 +16,6 @@ // 400-499 Cache errors // 500-599 ? // 600-699 FTP errors -// 700-799 Certificate manager errors // // An asynchronous IO operation is not yet complete. This usually does not @@ -421,9 +420,3 @@ NET_ERROR(FTP_COMMAND_NOT_SUPPORTED, -606) // order. // FTP response code 503. NET_ERROR(FTP_BAD_COMMAND_SEQUENCE, -607) - -// PKCS #12 import failed due to incorrect password. -NET_ERROR(PKCS12_IMPORT_BAD_PASSWORD, -701) - -// PKCS #12 import failed due to other error. -NET_ERROR(PKCS12_IMPORT_FAILED, -702) diff --git a/net/net.gyp b/net/net.gyp index 7102e34..d69240f 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -185,8 +185,6 @@ 'base/x509_cert_types_mac.cc', 'third_party/mozilla_security_manager/nsKeygenHandler.cpp', 'third_party/mozilla_security_manager/nsKeygenHandler.h', - 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', - 'third_party/mozilla_security_manager/nsPKCS12Blob.h', ], 'export_dependent_settings': [ '../base/base.gyp:base', @@ -207,8 +205,6 @@ 'base/x509_certificate_nss.cc', 'third_party/mozilla_security_manager/nsKeygenHandler.cpp', 'third_party/mozilla_security_manager/nsKeygenHandler.h', - 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp', - 'third_party/mozilla_security_manager/nsPKCS12Blob.h', ], }, ], @@ -669,7 +665,6 @@ 'msvs_guid': 'E99DA267-BE90-4F45-88A1-6919DB2C7567', 'sources': [ 'base/address_list_unittest.cc', - 'base/cert_database_nss_unittest.cc', 'base/cookie_monster_unittest.cc', 'base/data_url_unittest.cc', 'base/directory_lister_unittest.cc', @@ -818,11 +813,6 @@ 'base/sdch_filter_unittest.cc', ], }, - { # else: OS is not in the above list - 'sources!': [ - 'base/cert_database_nss_unittest.cc', - ], - } ], ['OS == "linux"', { 'conditions': [ 
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp deleted file mode 100644 index ab20b22..0000000 --- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp +++ /dev/null 
@@ -1,397 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Ian McGreer <mcgreer@netscape.com> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" - -#include <pk11pub.h> -#include <pkcs12.h> -#include <p12plcy.h> -#include <secerr.h> - -#include "base/logging.h" -#include "base/nss_util_internal.h" -#include "base/string_util.h" -#include "net/base/net_errors.h" -#include "net/base/x509_certificate.h" - -namespace mozilla_security_manager { - -namespace { - -// unicodeToItem -// -// For the NSS PKCS#12 library, must convert PRUnichars (shorts) to -// a buffer of octets. Must handle byte order correctly. -// TODO: Is there a mozilla way to do this? In the string lib? -void unicodeToItem(const PRUnichar *uni, SECItem *item) -{ - int len = 0; - while (uni[len++] != 0); - SECITEM_AllocItem(NULL, item, sizeof(PRUnichar) * len); -#ifdef IS_LITTLE_ENDIAN - int i = 0; - for (i=0; i<len; i++) { - item->data[2*i ] = (unsigned char )(uni[i] << 8); - item->data[2*i+1] = (unsigned char )(uni[i]); - } -#else - memcpy(item->data, uni, item->len); -#endif -} - -// write_export_data -// write bytes to the exported PKCS#12 data buffer -void write_export_data(void* arg, const char* buf, unsigned long len) { - std::string* dest = reinterpret_cast<std::string*>(arg); - dest->append(buf, len); -} - -// nickname_collision -// what to do when the nickname collides with one already in the db. -// Based on P12U_NicknameCollisionCallback from nss/cmd/pk12util/pk12util.c -SECItem* PR_CALLBACK -nickname_collision(SECItem *old_nick, PRBool *cancel, void *wincx) -{ - char *nick = NULL; - SECItem *ret_nick = NULL; - CERTCertificate* cert = (CERTCertificate*)wincx; - - if (!cancel || !cert) { - // pk12util calls this error user cancelled? 
- return NULL; - } - - if (!old_nick) - LOG(INFO) << "no nickname for cert in PKCS12 file."; - - nick = CERT_MakeCANickname(cert); - if (!nick) { - return NULL; - } - - if(old_nick && old_nick->data && old_nick->len && - PORT_Strlen(nick) == old_nick->len && - !PORT_Strncmp((char *)old_nick->data, nick, old_nick->len)) { - PORT_Free(nick); - PORT_SetError(SEC_ERROR_IO); - return NULL; - } - - LOG(INFO) << "using nickname " << nick; - ret_nick = PORT_ZNew(SECItem); - if(ret_nick == NULL) { - PORT_Free(nick); - return NULL; - } - - ret_nick->data = (unsigned char *)nick; - ret_nick->len = PORT_Strlen(nick); - - return ret_nick; -} - -// pip_ucs2_ascii_conversion_fn -// required to be set by NSS (to do PKCS#12), but since we've already got -// unicode make this a no-op. -PRBool -pip_ucs2_ascii_conversion_fn(PRBool toUnicode, - unsigned char *inBuf, - unsigned int inBufLen, - unsigned char *outBuf, - unsigned int maxOutBufLen, - unsigned int *outBufLen, - PRBool swapBytes) -{ - CHECK_GE(maxOutBufLen, inBufLen); - // do a no-op, since I've already got unicode. Hah! - *outBufLen = inBufLen; - memcpy(outBuf, inBuf, inBufLen); - return PR_TRUE; -} - -// Based on nsPKCS12Blob::ImportFromFileHelper. -int -nsPKCS12Blob_ImportHelper(const char* pkcs12_data, - size_t pkcs12_len, - const string16& password, - bool try_zero_length_secitem, - PK11SlotInfo *slot) -{ - DCHECK(pkcs12_data); - DCHECK(slot); - int import_result = net::ERR_PKCS12_IMPORT_FAILED; - SECStatus srv = SECSuccess; - SEC_PKCS12DecoderContext *dcx = NULL; - SECItem unicodePw; - unicodePw.type = siBuffer; - unicodePw.len = 0; - unicodePw.data = NULL; - if (!try_zero_length_secitem) { - unicodeToItem(password.c_str(), &unicodePw); - } - - // initialize the decoder - dcx = SEC_PKCS12DecoderStart(&unicodePw, slot, - // wincx - NULL, - // dOpen, dClose, dRead, dWrite, dArg: NULL - // specifies default impl using memory buffer. 
- NULL, NULL, NULL, NULL, NULL); - if (!dcx) { - srv = SECFailure; - goto finish; - } - // feed input to the decoder - srv = SEC_PKCS12DecoderUpdate(dcx, - (unsigned char*)pkcs12_data, - pkcs12_len); - if (srv) goto finish; - // verify the blob - srv = SEC_PKCS12DecoderVerify(dcx); - if (srv) goto finish; - // validate bags - srv = SEC_PKCS12DecoderValidateBags(dcx, nickname_collision); - if (srv) goto finish; - // import cert and key - srv = SEC_PKCS12DecoderImportBags(dcx); - if (srv) goto finish; - import_result = net::OK; -finish: - // If srv != SECSuccess, NSS probably set a specific error code. - // We should use that error code instead of inventing a new one - // for every error possible. - if (srv != SECSuccess) { - if (SEC_ERROR_BAD_PASSWORD == PORT_GetError()) { - import_result = net::ERR_PKCS12_IMPORT_BAD_PASSWORD; - } - else - { - LOG(ERROR) << "PKCS#12 import failed with error " << PORT_GetError(); - import_result = net::ERR_PKCS12_IMPORT_FAILED; - } - } - // finish the decoder - if (dcx) - SEC_PKCS12DecoderFinish(dcx); - SECITEM_ZfreeItem(&unicodePw, PR_FALSE); - return import_result; -} - -PRBool -isExtractable(SECKEYPrivateKey *privKey) -{ - SECItem value; - PRBool isExtractable = PR_FALSE; - SECStatus rv; - - rv=PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_EXTRACTABLE, &value); - if (rv != SECSuccess) { - return PR_FALSE; - } - if ((value.len == 1) && (value.data != NULL)) { - isExtractable = !!(*(CK_BBOOL*)value.data); - } - SECITEM_FreeItem(&value, PR_FALSE); - return isExtractable; -} - -class PKCS12InitSingleton { - public: - // From the PKCS#12 section of nsNSSComponent::InitializeNSS in - // nsNSSComponent.cpp. 
- PKCS12InitSingleton() { - // Enable ciphers for PKCS#12 - SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); - SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); - SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); - SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); - SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); - - // Set no-op ascii-ucs2 conversion function to work around weird NSS - // interface. Thankfully, PKCS12 appears to be the only thing in NSS that - // uses PORT_UCS2_ASCIIConversion, so this doesn't break anything else. - PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn); - } -}; - -} // namespace - -void EnsurePKCS12Init() { - Singleton<PKCS12InitSingleton>::get(); -} - -// Based on nsPKCS12Blob::ImportFromFile. -int nsPKCS12Blob_Import(const char* pkcs12_data, - size_t pkcs12_len, - const string16& password) { - PK11SlotInfo *slot = base::GetDefaultNSSKeySlot(); - if (!slot) { - LOG(ERROR) << "Couldn't get Internal key slot!"; - return net::ERR_PKCS12_IMPORT_FAILED; - } - - int rv = nsPKCS12Blob_ImportHelper(pkcs12_data, pkcs12_len, password, false, - slot); - - // When the user entered a zero length password: - // An empty password should be represented as an empty - // string (a SECItem that contains a single terminating - // NULL UTF16 character), but some applications use a - // zero length SECItem. - // We try both variations, zero length item and empty string, - // without giving a user prompt when trying the different empty password flavors. - if (rv == net::ERR_PKCS12_IMPORT_BAD_PASSWORD && password.size() == 0) { - rv = nsPKCS12Blob_ImportHelper(pkcs12_data, pkcs12_len, password, true, - slot); - } - - PK11_FreeSlot(slot); - return rv; -} - -// Based on nsPKCS12Blob::ExportToFile -// -// Having already loaded the certs, form them into a blob (loading the keys -// also), encode the blob, and stuff it into the file. 
-// -// TODO: handle slots correctly -// mirror "slotToUse" behavior from PSM 1.x -// verify the cert array to start off with? -// set appropriate error codes -int -nsPKCS12Blob_Export(std::string* output, - const net::CertificateList& certs, - const string16& password) -{ - int return_count = 0; - SECStatus srv = SECSuccess; - SEC_PKCS12ExportContext *ecx = NULL; - SEC_PKCS12SafeInfo *certSafe = NULL, *keySafe = NULL; - SECItem unicodePw; - unicodePw.type = siBuffer; - unicodePw.len = 0; - unicodePw.data = NULL; - - int numCertsExported = 0; - - // get file password (unicode) - unicodeToItem(password.c_str(), &unicodePw); - - // what about slotToUse in psm 1.x ??? - // create export context - ecx = SEC_PKCS12CreateExportContext(NULL, NULL, NULL /*slot*/, NULL); - if (!ecx) { - srv = SECFailure; - goto finish; - } - // add password integrity - srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1); - if (srv) goto finish; - - for (size_t i=0; i<certs.size(); i++) { - DCHECK(certs[i]); - CERTCertificate* nssCert = certs[i]->os_cert_handle(); - DCHECK(nssCert); - - // We can only successfully export certs that are on - // internal token. Most, if not all, smart card vendors - // won't let you extract the private key (in any way - // shape or form) from the card. So let's punt if - // the cert is not in the internal db. - if (nssCert->slot && !PK11_IsInternal(nssCert->slot)) { - // we aren't the internal token, see if the key is extractable. - SECKEYPrivateKey *privKey=PK11_FindKeyByDERCert(nssCert->slot, - nssCert, - NULL /* wincx */); - - if (privKey) { - PRBool privKeyIsExtractable = isExtractable(privKey); - - SECKEY_DestroyPrivateKey(privKey); - - if (!privKeyIsExtractable) { - LOG(ERROR) << "private key not extractable"; - // TODO(mattm): firefox has a notification dialog about trying to - // export from a smartcard. I don't think we support smartcards, so - // we can ignore that for now. 
- continue; - } - } - } - - // XXX this is why, to verify the slot is the same - // PK11_FindObjectForCert(nssCert, NULL, slot); - // create the cert and key safes - keySafe = SEC_PKCS12CreateUnencryptedSafe(ecx); - if (!SEC_PKCS12IsEncryptionAllowed() || PK11_IsFIPS()) { - certSafe = keySafe; - } else { - certSafe = SEC_PKCS12CreatePasswordPrivSafe(ecx, &unicodePw, - SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC); - } - if (!certSafe || !keySafe) { - LOG(ERROR) << "!certSafe || !keySafe " << certSafe << " " << keySafe; - srv = SECFailure; - goto finish; - } - // add the cert and key to the blob - srv = SEC_PKCS12AddCertAndKey(ecx, certSafe, NULL, nssCert, - CERT_GetDefaultCertDB(), - keySafe, NULL, PR_TRUE, &unicodePw, - SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC); - if (srv) goto finish; - ++numCertsExported; - } - - if (!numCertsExported) goto finish; - - // encode and write - srv = SEC_PKCS12Encode(ecx, write_export_data, output); - if (srv) goto finish; - return_count = numCertsExported; -finish: - if (srv) - LOG(ERROR) << "PKCS#12 export failed with error " << PORT_GetError(); - if (ecx) - SEC_PKCS12DestroyExportContext(ecx); - SECITEM_ZfreeItem(&unicodePw, PR_FALSE); - return return_count; -} - -} // namespace mozilla_security_manager diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.h b/net/third_party/mozilla_security_manager/nsPKCS12Blob.h deleted file mode 100644 index 95b8d46..0000000 --- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.h +++ /dev/null 
@@ -1,73 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Ian McGreer <mcgreer@netscape.com> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#ifndef NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSPKCS12BLOB_H_ -#define NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSPKCS12BLOB_H_ - -#include <string> -#include <vector> - -#include "base/string16.h" -#include "base/ref_counted.h" - -typedef struct CERTCertificateStr CERTCertificate; -namespace net { -class X509Certificate; -typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; -} // namespace net - -namespace mozilla_security_manager { - -// Initialize NSS PKCS#12 libs. -void EnsurePKCS12Init(); - -// Import certificate from PKCS#12 blob. -// Returns a net error code. -int nsPKCS12Blob_Import(const char* pkcs12_data, - size_t pkcs12_len, - const string16& password); - -// Export the given certificates into a PKCS#12 blob, storing into output. -// Returns the number of certificates exported. -// TODO(mattm): provide better error return status? -int nsPKCS12Blob_Export(std::string* output, - const net::CertificateList& certs, - const string16& password); - -} // namespace mozilla_security_manager - -#endif // NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSPKCS12BLOB_H_ diff --git a/tools/valgrind/memcheck/suppressions.txt b/tools/valgrind/memcheck/suppressions.txt index 20fbb3a..2fbf79c 100644 --- a/tools/valgrind/memcheck/suppressions.txt +++ b/tools/valgrind/memcheck/suppressions.txt 
@@ -566,72 +566,6 @@ fun:signal_emit_unlocked_R fun:g_signal_emit_valist } -{ - bug_51327 - Memcheck:Cond - fun:DecodeItem - ... - fun:SEC_QuickDERDecodeItem_Util - ... - fun:lg_PutMetaData - fun:sftkdb_ChangePassword - fun:NSC_InitPIN - fun:PK11_InitPin -} -{ - bug_51332a - Memcheck:Leak - ... - fun:PORT_NewArena_Util - fun:sec_pkcs7_create_content_info - fun:SEC_PKCS7CreateData - fun:sec_pkcs12_encoder_start_context - fun:SEC_PKCS12Encode -} -{ - bug_51332b - Memcheck:Leak - ... - fun:PORT_ArenaZAlloc_Util - fun:sec_pkcs7_create_content_info - fun:SEC_PKCS7CreateData - fun:sec_pkcs12_encoder_start_context - fun:SEC_PKCS12Encode -} -{ - bug_51330 - Memcheck:Leak - ... - fun:p12u_DigestOpen - ... - fun:SEC_PKCS12DecoderUpdate -} -{ - bug_51328a - Memcheck:Leak - ... - fun:sec_pkcs12_decoder_asafes_notify - fun:sec_asn1d_notify_before - fun:SEC_ASN1DecoderUpdate_Util - fun:sec_pkcs12_decoder_asafes_callback - fun:sec_pkcs7_decoder_work_data - fun:SEC_ASN1DecoderUpdate_Util - fun:SEC_PKCS7DecoderUpdate - fun:sec_pkcs12_decode_asafes_cinfo_update - fun:SEC_ASN1DecoderUpdate_Util - fun:SEC_PKCS12DecoderUpdate -} -{ - bug_51328b - Memcheck:Leak - ... - fun:PORT_NewArena_Util - fun:SEC_PKCS7DecoderStart - fun:sec_pkcs12_decoder_pfx_notify_proc - fun:sec_asn1d_notify_before - fun:SEC_ASN1DecoderUpdate_Util - fun:SEC_PKCS12DecoderUpdate -} #----------------------------------------------------------------------- # 2. intentional unit test errors, or stuff that is somehow a false positive # in our own code, or stuff that is so trivial it's not worth fixing @@ -2536,7 +2470,6 @@ { bug_32624_c Memcheck:Leak - ... fun:malloc fun:PR_Malloc fun:PORT_Alloc_Util |