summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--base/nss_util.cc48
-rw-r--r--base/nss_util.h7
-rw-r--r--net/base/cert_database.h19
-rw-r--r--net/base/cert_database_nss.cc19
-rw-r--r--net/base/cert_database_nss_unittest.cc116
-rw-r--r--net/base/net_error_list.h7
-rw-r--r--net/net.gyp10
-rw-r--r--net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp397
-rw-r--r--net/third_party/mozilla_security_manager/nsPKCS12Blob.h73
-rw-r--r--tools/valgrind/memcheck/suppressions.txt67
10 files changed, 8 insertions, 755 deletions
diff --git a/base/nss_util.cc b/base/nss_util.cc
index d4ace40..cd44fed 100644
--- a/base/nss_util.cc
+++ b/base/nss_util.cc
@@ -127,7 +127,6 @@ class NSSInitSingleton {
public:
NSSInitSingleton()
: real_db_slot_(NULL),
- test_db_slot_(NULL),
root_(NULL),
chromeos_user_logged_in_(false) {
base::EnsureNSPRInit();
@@ -219,7 +218,6 @@ class NSSInitSingleton {
PK11_FreeSlot(real_db_slot_);
real_db_slot_ = NULL;
}
- CloseTestNSSDB();
if (root_) {
SECMOD_UnloadUserModule(root_);
SECMOD_DestroyModule(root_);
@@ -239,33 +237,23 @@ class NSSInitSingleton {
void OpenPersistentNSSDB() {
if (!chromeos_user_logged_in_) {
chromeos_user_logged_in_ = true;
- real_db_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
- "Real NSS database");
+ const std::string modspec =
+ StringPrintf("configDir='%s' tokenDescription='Real NSS database'",
+ GetDefaultConfigDirectory().value().c_str());
+ real_db_slot_ = SECMOD_OpenUserDB(modspec.c_str());
if (real_db_slot_ == NULL) {
LOG(ERROR) << "Error opening persistent database (" << modspec
<< "): NSS error code " << PR_GetError();
+ } else {
+ if (PK11_NeedUserInit(real_db_slot_))
+ PK11_InitPin(real_db_slot_, NULL, NULL);
}
}
}
#endif // defined(OS_CHROMEOS)
- bool OpenTestNSSDB(const FilePath& path, const char* description) {
- test_db_slot_ = OpenUserDB(path, description);
- return !!test_db_slot_;
- }
-
- void CloseTestNSSDB() {
- if (test_db_slot_) {
- SECMOD_CloseUserDB(test_db_slot_);
- PK11_FreeSlot(test_db_slot_);
- test_db_slot_ = NULL;
- }
- }
-
PK11SlotInfo* GetDefaultKeySlot() {
- if (test_db_slot_)
- return PK11_ReferenceSlot(test_db_slot_);
if (real_db_slot_)
return PK11_ReferenceSlot(real_db_slot_);
return PK11_GetInternalKeySlot();
@@ -278,21 +266,7 @@ class NSSInitSingleton {
#endif // defined(USE_NSS)
private:
- static PK11SlotInfo* OpenUserDB(const FilePath& path,
- const char* description) {
- const std::string modspec =
- StringPrintf("configDir='sql:%s' tokenDescription='%s'",
- path.value().c_str(), description);
- PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
- if (db_slot) {
- if (PK11_NeedUserInit(db_slot))
- PK11_InitPin(db_slot, NULL, NULL);
- }
- return db_slot;
- }
-
PK11SlotInfo* real_db_slot_; // Overrides internal key slot if non-NULL.
- PK11SlotInfo* test_db_slot_; // Overrides internal key slot and real_db_slot_
SECMODModule *root_;
bool chromeos_user_logged_in_;
#if defined(USE_NSS)
@@ -313,14 +287,6 @@ void EnsureNSSInit() {
}
#if defined(USE_NSS)
-bool OpenTestNSSDB(const FilePath& path, const char* description) {
- return Singleton<NSSInitSingleton>::get()->OpenTestNSSDB(path, description);
-}
-
-void CloseTestNSSDB() {
- Singleton<NSSInitSingleton>::get()->CloseTestNSSDB();
-}
-
Lock* GetNSSWriteLock() {
return Singleton<NSSInitSingleton>::get()->write_lock();
}
diff --git a/base/nss_util.h b/base/nss_util.h
index 15b624c..b869e46 100644
--- a/base/nss_util.h
+++ b/base/nss_util.h
@@ -9,7 +9,6 @@
#include "base/basictypes.h"
#if defined(USE_NSS)
-class FilePath;
class Lock;
#endif // defined(USE_NSS)
@@ -40,12 +39,6 @@ void OpenPersistentNSSDB();
Time PRTimeToBaseTime(int64 prtime);
#if defined(USE_NSS)
-// Exposed for unittests only. |path| should be an existing directory under
-// which the DB files will be placed. |description| is a user-visible name for
-// the DB, as a utf8 string, which will be truncated at 32 bytes.
-bool OpenTestNSSDB(const FilePath& path, const char* description);
-void CloseTestNSSDB();
-
// NSS has a bug which can cause a deadlock or stall in some cases when writing
// to the certDB and keyDB. It also has a bug which causes concurrent key pair
// generations to scribble over each other. To work around this, we synchronize
diff --git a/net/base/cert_database.h b/net/base/cert_database.h
index a264f19..9621e45 100644
--- a/net/base/cert_database.h
+++ b/net/base/cert_database.h
@@ -6,17 +6,11 @@
#define NET_BASE_CERT_DATABASE_H_
#pragma once
-#include <string>
-#include <vector>
-
#include "base/basictypes.h"
-#include "base/string16.h"
-#include "base/ref_counted.h"
namespace net {
class X509Certificate;
-typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
// This class provides functions to manipulate the local
// certificate store.
@@ -38,19 +32,6 @@ class CertDatabase {
// the platform cert database, or possibly other network error codes.
int AddUserCert(X509Certificate* cert);
-#if defined(USE_NSS)
- // Import certificates and private keys from PKCS #12 blob.
- // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD
- // or ERR_PKCS12_IMPORT_ERROR.
- int ImportFromPKCS12(const std::string& data, const string16& password);
-
- // Export the given certificates and private keys into a PKCS #12 blob,
- // storing into |output|.
- // Returns the number of certificates successfully exported.
- int ExportToPKCS12(const CertificateList& certs, const string16& password,
- std::string* output);
-#endif
-
private:
DISALLOW_COPY_AND_ASSIGN(CertDatabase);
};
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index e314afa..98930ff 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -13,20 +13,15 @@
#include <keyhi.h> // SECKEY_CreateSubjectPublicKeyInfo()
#include "base/logging.h"
-#include "base/nss_util.h"
#include "base/scoped_ptr.h"
+#include "base/nss_util.h"
#include "net/base/net_errors.h"
#include "net/base/x509_certificate.h"
-#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
-
-// PSM = Mozilla's Personal Security Manager.
-namespace psm = mozilla_security_manager;
namespace net {
CertDatabase::CertDatabase() {
base::EnsureNSSInit();
- psm::EnsurePKCS12Init();
}
int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
@@ -90,16 +85,4 @@ int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
return OK;
}
-int CertDatabase::ImportFromPKCS12(
- const std::string& data, const string16& password) {
- return psm::nsPKCS12Blob_Import(data.data(), data.size(), password);
-}
-
-int CertDatabase::ExportToPKCS12(
- const CertificateList& certs,
- const string16& password,
- std::string* output) {
- return psm::nsPKCS12Blob_Export(output, certs, password);
-}
-
} // namespace net
diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc
deleted file mode 100644
index f25b043..0000000
--- a/net/base/cert_database_nss_unittest.cc
+++ /dev/null
@@ -1,116 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <cert.h>
-#include <pk11pub.h>
-
-#include "base/file_path.h"
-#include "base/file_util.h"
-#include "base/nss_util.h"
-#include "base/nss_util_internal.h"
-#include "base/path_service.h"
-#include "base/scoped_temp_dir.h"
-#include "base/string_util.h"
-#include "net/base/cert_database.h"
-#include "net/base/net_errors.h"
-#include "net/base/x509_certificate.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace net {
-
-namespace {
-
-// Returns a FilePath object representing the src/net/data/ssl/certificates
-// directory in the source tree.
-FilePath GetTestCertsDirectory() {
- FilePath certs_dir;
- PathService::Get(base::DIR_SOURCE_ROOT, &certs_dir);
- certs_dir = certs_dir.AppendASCII("net");
- certs_dir = certs_dir.AppendASCII("data");
- certs_dir = certs_dir.AppendASCII("ssl");
- certs_dir = certs_dir.AppendASCII("certificates");
- return certs_dir;
-}
-
-} // namespace
-
-
-class CertDatabaseNSSTest : public testing::Test {
- public:
- virtual void SetUp() {
- ASSERT_TRUE(temp_db_dir_.CreateUniqueTempDir());
- ASSERT_TRUE(
- base::OpenTestNSSDB(temp_db_dir_.path(), "CertDatabaseNSSTest db"));
- }
- virtual void TearDown() {
- base::CloseTestNSSDB();
- }
- private:
- ScopedTempDir temp_db_dir_;
-};
-
-TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
- PK11SlotInfo* slot = base::GetDefaultNSSKeySlot();
- CertDatabase cert_db;
-
- CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
- // Test db should be empty at start of test.
- EXPECT_TRUE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list));
- CERT_DestroyCertList(cert_list);
-
- FilePath cert_path = GetTestCertsDirectory().AppendASCII("client.p12");
- std::string cert_data;
- ASSERT_TRUE(file_util::ReadFileToString(cert_path, &cert_data));
- EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
- cert_db.ImportFromPKCS12(cert_data, ASCIIToUTF16("")));
-
-
- cert_list = PK11_ListCertsInSlot(slot);
- // Test db should still be empty.
- EXPECT_TRUE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list));
- CERT_DestroyCertList(cert_list);
-
- PK11_FreeSlot(slot);
-}
-
-TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AndExportAgain) {
- PK11SlotInfo* slot = base::GetDefaultNSSKeySlot();
- CertDatabase cert_db;
-
- CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
- // Test db should be empty at start of test.
- EXPECT_TRUE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list));
- CERT_DestroyCertList(cert_list);
-
- FilePath cert_path = GetTestCertsDirectory().AppendASCII("client.p12");
- std::string cert_data;
- ASSERT_TRUE(file_util::ReadFileToString(cert_path, &cert_data));
- EXPECT_EQ(OK, cert_db.ImportFromPKCS12(cert_data, ASCIIToUTF16("12345")));
-
- cert_list = PK11_ListCertsInSlot(slot);
- // Test db should be empty at start of test.
- ASSERT_FALSE(CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list));
- scoped_refptr<X509Certificate> cert(
- X509Certificate::CreateFromHandle(
- CERT_LIST_HEAD(cert_list)->cert,
- X509Certificate::SOURCE_LONE_CERT_IMPORT,
- X509Certificate::OSCertHandles()));
- CERT_DestroyCertList(cert_list);
-
- EXPECT_EQ("testusercert",
- cert->subject().common_name);
-
- // TODO(mattm): move export test to seperate test case?
- CertificateList certs;
- certs.push_back(cert);
- std::string exported_data;
- EXPECT_EQ(1, cert_db.ExportToPKCS12(certs, ASCIIToUTF16("exportpw"),
- &exported_data));
- ASSERT_LT(0U, exported_data.size());
- // TODO(mattm): further verification of exported data?
-
- PK11_FreeSlot(slot);
-}
-
-} // namespace net
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index 1a0e242..53849631 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -16,7 +16,6 @@
// 400-499 Cache errors
// 500-599 ?
// 600-699 FTP errors
-// 700-799 Certificate manager errors
//
// An asynchronous IO operation is not yet complete. This usually does not
@@ -421,9 +420,3 @@ NET_ERROR(FTP_COMMAND_NOT_SUPPORTED, -606)
// order.
// FTP response code 503.
NET_ERROR(FTP_BAD_COMMAND_SEQUENCE, -607)
-
-// PKCS #12 import failed due to incorrect password.
-NET_ERROR(PKCS12_IMPORT_BAD_PASSWORD, -701)
-
-// PKCS #12 import failed due to other error.
-NET_ERROR(PKCS12_IMPORT_FAILED, -702)
diff --git a/net/net.gyp b/net/net.gyp
index 7102e34..d69240f 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -185,8 +185,6 @@
'base/x509_cert_types_mac.cc',
'third_party/mozilla_security_manager/nsKeygenHandler.cpp',
'third_party/mozilla_security_manager/nsKeygenHandler.h',
- 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp',
- 'third_party/mozilla_security_manager/nsPKCS12Blob.h',
],
'export_dependent_settings': [
'../base/base.gyp:base',
@@ -207,8 +205,6 @@
'base/x509_certificate_nss.cc',
'third_party/mozilla_security_manager/nsKeygenHandler.cpp',
'third_party/mozilla_security_manager/nsKeygenHandler.h',
- 'third_party/mozilla_security_manager/nsPKCS12Blob.cpp',
- 'third_party/mozilla_security_manager/nsPKCS12Blob.h',
],
},
],
@@ -669,7 +665,6 @@
'msvs_guid': 'E99DA267-BE90-4F45-88A1-6919DB2C7567',
'sources': [
'base/address_list_unittest.cc',
- 'base/cert_database_nss_unittest.cc',
'base/cookie_monster_unittest.cc',
'base/data_url_unittest.cc',
'base/directory_lister_unittest.cc',
@@ -818,11 +813,6 @@
'base/sdch_filter_unittest.cc',
],
},
- { # else: OS is not in the above list
- 'sources!': [
- 'base/cert_database_nss_unittest.cc',
- ],
- }
],
['OS == "linux"', {
'conditions': [
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
deleted file mode 100644
index ab20b22..0000000
--- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
+++ /dev/null
@@ -1,397 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- * Ian McGreer <mcgreer@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
-
-#include <pk11pub.h>
-#include <pkcs12.h>
-#include <p12plcy.h>
-#include <secerr.h>
-
-#include "base/logging.h"
-#include "base/nss_util_internal.h"
-#include "base/string_util.h"
-#include "net/base/net_errors.h"
-#include "net/base/x509_certificate.h"
-
-namespace mozilla_security_manager {
-
-namespace {
-
-// unicodeToItem
-//
-// For the NSS PKCS#12 library, must convert PRUnichars (shorts) to
-// a buffer of octets. Must handle byte order correctly.
-// TODO: Is there a mozilla way to do this? In the string lib?
-void unicodeToItem(const PRUnichar *uni, SECItem *item)
-{
- int len = 0;
- while (uni[len++] != 0);
- SECITEM_AllocItem(NULL, item, sizeof(PRUnichar) * len);
-#ifdef IS_LITTLE_ENDIAN
- int i = 0;
- for (i=0; i<len; i++) {
- item->data[2*i ] = (unsigned char )(uni[i] << 8);
- item->data[2*i+1] = (unsigned char )(uni[i]);
- }
-#else
- memcpy(item->data, uni, item->len);
-#endif
-}
-
-// write_export_data
-// write bytes to the exported PKCS#12 data buffer
-void write_export_data(void* arg, const char* buf, unsigned long len) {
- std::string* dest = reinterpret_cast<std::string*>(arg);
- dest->append(buf, len);
-}
-
-// nickname_collision
-// what to do when the nickname collides with one already in the db.
-// Based on P12U_NicknameCollisionCallback from nss/cmd/pk12util/pk12util.c
-SECItem* PR_CALLBACK
-nickname_collision(SECItem *old_nick, PRBool *cancel, void *wincx)
-{
- char *nick = NULL;
- SECItem *ret_nick = NULL;
- CERTCertificate* cert = (CERTCertificate*)wincx;
-
- if (!cancel || !cert) {
- // pk12util calls this error user cancelled?
- return NULL;
- }
-
- if (!old_nick)
- LOG(INFO) << "no nickname for cert in PKCS12 file.";
-
- nick = CERT_MakeCANickname(cert);
- if (!nick) {
- return NULL;
- }
-
- if(old_nick && old_nick->data && old_nick->len &&
- PORT_Strlen(nick) == old_nick->len &&
- !PORT_Strncmp((char *)old_nick->data, nick, old_nick->len)) {
- PORT_Free(nick);
- PORT_SetError(SEC_ERROR_IO);
- return NULL;
- }
-
- LOG(INFO) << "using nickname " << nick;
- ret_nick = PORT_ZNew(SECItem);
- if(ret_nick == NULL) {
- PORT_Free(nick);
- return NULL;
- }
-
- ret_nick->data = (unsigned char *)nick;
- ret_nick->len = PORT_Strlen(nick);
-
- return ret_nick;
-}
-
-// pip_ucs2_ascii_conversion_fn
-// required to be set by NSS (to do PKCS#12), but since we've already got
-// unicode make this a no-op.
-PRBool
-pip_ucs2_ascii_conversion_fn(PRBool toUnicode,
- unsigned char *inBuf,
- unsigned int inBufLen,
- unsigned char *outBuf,
- unsigned int maxOutBufLen,
- unsigned int *outBufLen,
- PRBool swapBytes)
-{
- CHECK_GE(maxOutBufLen, inBufLen);
- // do a no-op, since I've already got unicode. Hah!
- *outBufLen = inBufLen;
- memcpy(outBuf, inBuf, inBufLen);
- return PR_TRUE;
-}
-
-// Based on nsPKCS12Blob::ImportFromFileHelper.
-int
-nsPKCS12Blob_ImportHelper(const char* pkcs12_data,
- size_t pkcs12_len,
- const string16& password,
- bool try_zero_length_secitem,
- PK11SlotInfo *slot)
-{
- DCHECK(pkcs12_data);
- DCHECK(slot);
- int import_result = net::ERR_PKCS12_IMPORT_FAILED;
- SECStatus srv = SECSuccess;
- SEC_PKCS12DecoderContext *dcx = NULL;
- SECItem unicodePw;
- unicodePw.type = siBuffer;
- unicodePw.len = 0;
- unicodePw.data = NULL;
- if (!try_zero_length_secitem) {
- unicodeToItem(password.c_str(), &unicodePw);
- }
-
- // initialize the decoder
- dcx = SEC_PKCS12DecoderStart(&unicodePw, slot,
- // wincx
- NULL,
- // dOpen, dClose, dRead, dWrite, dArg: NULL
- // specifies default impl using memory buffer.
- NULL, NULL, NULL, NULL, NULL);
- if (!dcx) {
- srv = SECFailure;
- goto finish;
- }
- // feed input to the decoder
- srv = SEC_PKCS12DecoderUpdate(dcx,
- (unsigned char*)pkcs12_data,
- pkcs12_len);
- if (srv) goto finish;
- // verify the blob
- srv = SEC_PKCS12DecoderVerify(dcx);
- if (srv) goto finish;
- // validate bags
- srv = SEC_PKCS12DecoderValidateBags(dcx, nickname_collision);
- if (srv) goto finish;
- // import cert and key
- srv = SEC_PKCS12DecoderImportBags(dcx);
- if (srv) goto finish;
- import_result = net::OK;
-finish:
- // If srv != SECSuccess, NSS probably set a specific error code.
- // We should use that error code instead of inventing a new one
- // for every error possible.
- if (srv != SECSuccess) {
- if (SEC_ERROR_BAD_PASSWORD == PORT_GetError()) {
- import_result = net::ERR_PKCS12_IMPORT_BAD_PASSWORD;
- }
- else
- {
- LOG(ERROR) << "PKCS#12 import failed with error " << PORT_GetError();
- import_result = net::ERR_PKCS12_IMPORT_FAILED;
- }
- }
- // finish the decoder
- if (dcx)
- SEC_PKCS12DecoderFinish(dcx);
- SECITEM_ZfreeItem(&unicodePw, PR_FALSE);
- return import_result;
-}
-
-PRBool
-isExtractable(SECKEYPrivateKey *privKey)
-{
- SECItem value;
- PRBool isExtractable = PR_FALSE;
- SECStatus rv;
-
- rv=PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_EXTRACTABLE, &value);
- if (rv != SECSuccess) {
- return PR_FALSE;
- }
- if ((value.len == 1) && (value.data != NULL)) {
- isExtractable = !!(*(CK_BBOOL*)value.data);
- }
- SECITEM_FreeItem(&value, PR_FALSE);
- return isExtractable;
-}
-
-class PKCS12InitSingleton {
- public:
- // From the PKCS#12 section of nsNSSComponent::InitializeNSS in
- // nsNSSComponent.cpp.
- PKCS12InitSingleton() {
- // Enable ciphers for PKCS#12
- SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
- SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
- SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
- SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
- SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
- SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
- SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
-
- // Set no-op ascii-ucs2 conversion function to work around weird NSS
- // interface. Thankfully, PKCS12 appears to be the only thing in NSS that
- // uses PORT_UCS2_ASCIIConversion, so this doesn't break anything else.
- PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
- }
-};
-
-} // namespace
-
-void EnsurePKCS12Init() {
- Singleton<PKCS12InitSingleton>::get();
-}
-
-// Based on nsPKCS12Blob::ImportFromFile.
-int nsPKCS12Blob_Import(const char* pkcs12_data,
- size_t pkcs12_len,
- const string16& password) {
- PK11SlotInfo *slot = base::GetDefaultNSSKeySlot();
- if (!slot) {
- LOG(ERROR) << "Couldn't get Internal key slot!";
- return net::ERR_PKCS12_IMPORT_FAILED;
- }
-
- int rv = nsPKCS12Blob_ImportHelper(pkcs12_data, pkcs12_len, password, false,
- slot);
-
- // When the user entered a zero length password:
- // An empty password should be represented as an empty
- // string (a SECItem that contains a single terminating
- // NULL UTF16 character), but some applications use a
- // zero length SECItem.
- // We try both variations, zero length item and empty string,
- // without giving a user prompt when trying the different empty password flavors.
- if (rv == net::ERR_PKCS12_IMPORT_BAD_PASSWORD && password.size() == 0) {
- rv = nsPKCS12Blob_ImportHelper(pkcs12_data, pkcs12_len, password, true,
- slot);
- }
-
- PK11_FreeSlot(slot);
- return rv;
-}
-
-// Based on nsPKCS12Blob::ExportToFile
-//
-// Having already loaded the certs, form them into a blob (loading the keys
-// also), encode the blob, and stuff it into the file.
-//
-// TODO: handle slots correctly
-// mirror "slotToUse" behavior from PSM 1.x
-// verify the cert array to start off with?
-// set appropriate error codes
-int
-nsPKCS12Blob_Export(std::string* output,
- const net::CertificateList& certs,
- const string16& password)
-{
- int return_count = 0;
- SECStatus srv = SECSuccess;
- SEC_PKCS12ExportContext *ecx = NULL;
- SEC_PKCS12SafeInfo *certSafe = NULL, *keySafe = NULL;
- SECItem unicodePw;
- unicodePw.type = siBuffer;
- unicodePw.len = 0;
- unicodePw.data = NULL;
-
- int numCertsExported = 0;
-
- // get file password (unicode)
- unicodeToItem(password.c_str(), &unicodePw);
-
- // what about slotToUse in psm 1.x ???
- // create export context
- ecx = SEC_PKCS12CreateExportContext(NULL, NULL, NULL /*slot*/, NULL);
- if (!ecx) {
- srv = SECFailure;
- goto finish;
- }
- // add password integrity
- srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1);
- if (srv) goto finish;
-
- for (size_t i=0; i<certs.size(); i++) {
- DCHECK(certs[i]);
- CERTCertificate* nssCert = certs[i]->os_cert_handle();
- DCHECK(nssCert);
-
- // We can only successfully export certs that are on
- // internal token. Most, if not all, smart card vendors
- // won't let you extract the private key (in any way
- // shape or form) from the card. So let's punt if
- // the cert is not in the internal db.
- if (nssCert->slot && !PK11_IsInternal(nssCert->slot)) {
- // we aren't the internal token, see if the key is extractable.
- SECKEYPrivateKey *privKey=PK11_FindKeyByDERCert(nssCert->slot,
- nssCert,
- NULL /* wincx */);
-
- if (privKey) {
- PRBool privKeyIsExtractable = isExtractable(privKey);
-
- SECKEY_DestroyPrivateKey(privKey);
-
- if (!privKeyIsExtractable) {
- LOG(ERROR) << "private key not extractable";
- // TODO(mattm): firefox has a notification dialog about trying to
- // export from a smartcard. I don't think we support smartcards, so
- // we can ignore that for now.
- continue;
- }
- }
- }
-
- // XXX this is why, to verify the slot is the same
- // PK11_FindObjectForCert(nssCert, NULL, slot);
- // create the cert and key safes
- keySafe = SEC_PKCS12CreateUnencryptedSafe(ecx);
- if (!SEC_PKCS12IsEncryptionAllowed() || PK11_IsFIPS()) {
- certSafe = keySafe;
- } else {
- certSafe = SEC_PKCS12CreatePasswordPrivSafe(ecx, &unicodePw,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC);
- }
- if (!certSafe || !keySafe) {
- LOG(ERROR) << "!certSafe || !keySafe " << certSafe << " " << keySafe;
- srv = SECFailure;
- goto finish;
- }
- // add the cert and key to the blob
- srv = SEC_PKCS12AddCertAndKey(ecx, certSafe, NULL, nssCert,
- CERT_GetDefaultCertDB(),
- keySafe, NULL, PR_TRUE, &unicodePw,
- SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC);
- if (srv) goto finish;
- ++numCertsExported;
- }
-
- if (!numCertsExported) goto finish;
-
- // encode and write
- srv = SEC_PKCS12Encode(ecx, write_export_data, output);
- if (srv) goto finish;
- return_count = numCertsExported;
-finish:
- if (srv)
- LOG(ERROR) << "PKCS#12 export failed with error " << PORT_GetError();
- if (ecx)
- SEC_PKCS12DestroyExportContext(ecx);
- SECITEM_ZfreeItem(&unicodePw, PR_FALSE);
- return return_count;
-}
-
-} // namespace mozilla_security_manager
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.h b/net/third_party/mozilla_security_manager/nsPKCS12Blob.h
deleted file mode 100644
index 95b8d46..0000000
--- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- * Ian McGreer <mcgreer@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSPKCS12BLOB_H_
-#define NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSPKCS12BLOB_H_
-
-#include <string>
-#include <vector>
-
-#include "base/string16.h"
-#include "base/ref_counted.h"
-
-typedef struct CERTCertificateStr CERTCertificate;
-namespace net {
-class X509Certificate;
-typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
-} // namespace net
-
-namespace mozilla_security_manager {
-
-// Initialize NSS PKCS#12 libs.
-void EnsurePKCS12Init();
-
-// Import certificate from PKCS#12 blob.
-// Returns a net error code.
-int nsPKCS12Blob_Import(const char* pkcs12_data,
- size_t pkcs12_len,
- const string16& password);
-
-// Export the given certificates into a PKCS#12 blob, storing into output.
-// Returns the number of certificates exported.
-// TODO(mattm): provide better error return status?
-int nsPKCS12Blob_Export(std::string* output,
- const net::CertificateList& certs,
- const string16& password);
-
-} // namespace mozilla_security_manager
-
-#endif // NET_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSPKCS12BLOB_H_
diff --git a/tools/valgrind/memcheck/suppressions.txt b/tools/valgrind/memcheck/suppressions.txt
index 20fbb3a..2fbf79c 100644
--- a/tools/valgrind/memcheck/suppressions.txt
+++ b/tools/valgrind/memcheck/suppressions.txt
@@ -566,72 +566,6 @@
fun:signal_emit_unlocked_R
fun:g_signal_emit_valist
}
-{
- bug_51327
- Memcheck:Cond
- fun:DecodeItem
- ...
- fun:SEC_QuickDERDecodeItem_Util
- ...
- fun:lg_PutMetaData
- fun:sftkdb_ChangePassword
- fun:NSC_InitPIN
- fun:PK11_InitPin
-}
-{
- bug_51332a
- Memcheck:Leak
- ...
- fun:PORT_NewArena_Util
- fun:sec_pkcs7_create_content_info
- fun:SEC_PKCS7CreateData
- fun:sec_pkcs12_encoder_start_context
- fun:SEC_PKCS12Encode
-}
-{
- bug_51332b
- Memcheck:Leak
- ...
- fun:PORT_ArenaZAlloc_Util
- fun:sec_pkcs7_create_content_info
- fun:SEC_PKCS7CreateData
- fun:sec_pkcs12_encoder_start_context
- fun:SEC_PKCS12Encode
-}
-{
- bug_51330
- Memcheck:Leak
- ...
- fun:p12u_DigestOpen
- ...
- fun:SEC_PKCS12DecoderUpdate
-}
-{
- bug_51328a
- Memcheck:Leak
- ...
- fun:sec_pkcs12_decoder_asafes_notify
- fun:sec_asn1d_notify_before
- fun:SEC_ASN1DecoderUpdate_Util
- fun:sec_pkcs12_decoder_asafes_callback
- fun:sec_pkcs7_decoder_work_data
- fun:SEC_ASN1DecoderUpdate_Util
- fun:SEC_PKCS7DecoderUpdate
- fun:sec_pkcs12_decode_asafes_cinfo_update
- fun:SEC_ASN1DecoderUpdate_Util
- fun:SEC_PKCS12DecoderUpdate
-}
-{
- bug_51328b
- Memcheck:Leak
- ...
- fun:PORT_NewArena_Util
- fun:SEC_PKCS7DecoderStart
- fun:sec_pkcs12_decoder_pfx_notify_proc
- fun:sec_asn1d_notify_before
- fun:SEC_ASN1DecoderUpdate_Util
- fun:SEC_PKCS12DecoderUpdate
-}
#-----------------------------------------------------------------------
# 2. intentional unit test errors, or stuff that is somehow a false positive
# in our own code, or stuff that is so trivial it's not worth fixing
@@ -2536,7 +2470,6 @@
{
bug_32624_c
Memcheck:Leak
- ...
fun:malloc
fun:PR_Malloc
fun:PORT_Alloc_Util