Diffstat (limited to 'net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp')
-rw-r--r--net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp36
1 files changed, 36 insertions, 0 deletions
diff --git a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
index b32458d..e0876f77 100644
--- a/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -160,6 +160,42 @@ bool ImportCACerts(const net::CertificateList& certificates,
return true;
}
+// Based on nsNSSCertificateDB::ImportServerCertificate.
+bool ImportServerCert(const net::CertificateList& certificates,
+ net::CertDatabase::ImportCertFailureList* not_imported) {
+ base::ScopedPK11Slot slot(base::GetDefaultNSSKeySlot());
+ if (!slot.get()) {
+ LOG(ERROR) << "Couldn't get internal key slot!";
+ return false;
+ }
+
+ for (size_t i = 0; i < certificates.size(); ++i) {
+ const scoped_refptr<net::X509Certificate>& cert = certificates[i];
+
+ // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg. We use
+ // PK11_ImportCert instead.
+ SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
+ CK_INVALID_HANDLE,
+ cert->subject().GetDisplayName().c_str(),
+ PR_FALSE /* includeTrust (unused) */);
+ if (srv != SECSuccess) {
+ LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
+ not_imported->push_back(net::CertDatabase::ImportCertFailure(
+ cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
+ continue;
+ }
+ }
+
+ // Set as valid peer, but without any extra trust.
+ SetCertTrust(certificates[0].get(), net::SERVER_CERT,
+ net::CertDatabase::UNTRUSTED);
+ // TODO(mattm): Report SetCertTrust result? Putting in not_imported
+ // wouldn't quite match up since it was imported...
+
+ // Any errors importing individual certs will be in listed in |not_imported|.
+ return true;
+}
+
// Based on nsNSSCertificateDB::SetCertTrust.
bool
SetCertTrust(const net::X509Certificate* cert,
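Review bot: `certificates[0]` is passed to `SetCertTrust` after the loop without any check that the list is non-empty, and without regard to whether that first certificate was actually imported. If a caller can pass an empty list (callers are not visible in this hunk), this indexes past the end; an early guard such as `if (certificates.empty()) return false;` at the top of `ImportServerCert` would close that. When `PK11_ImportCert` fails for index 0, the failure is recorded in `not_imported`, yet the trust settings are still applied to that certificate and the function returns true; consider skipping `SetCertTrust` in that case so a peer-trust record is never written for a certificate that was not stored. The `continue;` in the failure branch is redundant, since it is the last statement of the loop body.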