From a274ebafe75525e6656aeeaffc86db3698a6b311 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Sat, 1 Mar 2014 19:01:23 -0800 Subject: [PATCH] Bug 978120: Make nsIX509Cert.setCerttrust, and nsIX509CertDB.addCert, and nsIX509CertDB2.addCertFromBase64 work on Android and B2G, r=keeler --HG-- extra : rebase_source : 5582716fe0c650366e3cf5e85a30748a7d22b156 --- security/manager/ssl/src/moz.build | 2 + .../manager/ssl/src/nsNSSCertificateDB.cpp | 41 +++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/security/manager/ssl/src/moz.build b/security/manager/ssl/src/moz.build index db276af18d99..e26a604db61e 100644 --- a/security/manager/ssl/src/moz.build +++ b/security/manager/ssl/src/moz.build @@ -98,6 +98,8 @@ LOCAL_INCLUDES += [ '../../../insanity/include', ] +if CONFIG['NSS_DISABLE_DBM']: + DEFINES['NSS_DISABLE_DBM'] = '1' DEFINES['NSS_ENABLE_ECC'] = 'True' for var in ('DLL_PREFIX', 'DLL_SUFFIX'): diff --git a/security/manager/ssl/src/nsNSSCertificateDB.cpp b/security/manager/ssl/src/nsNSSCertificateDB.cpp index 6d66f3c22f6d..28694a641962 100644 --- a/security/manager/ssl/src/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp 
@@ -58,6 +58,31 @@ using mozilla::psm::SharedSSLState; extern PRLogModuleInfo* gPIPNSSLog; #endif +static nsresult +attemptToLogInWithDefaultPassword() +{ +#ifdef NSS_DISABLE_DBM + // The SQL NSS DB requires the user to be authenticated to set certificate + // trust settings, even if the user's password is empty. To maintain + // compatibility with the DBM-based database, try to log in with the + // default empty password. This will allow, at least, tests that need to + // change certificate trust to pass on all platforms. TODO(bug 978120): Do + // proper testing and/or implement a better solution so that we are confident + // that this does the correct thing outside of xpcshell tests too. + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + return MapSECStatus(SECFailure); + } + if (PK11_NeedUserInit(slot)) { + // Ignore the return value. Presumably PK11_InitPin will fail if the user + // has a non-default password. + (void) PK11_InitPin(slot, nullptr, nullptr); + } +#endif + + return NS_OK; +} + NS_IMPL_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2) nsNSSCertificateDB::nsNSSCertificateDB() @@ -978,6 +1003,11 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert, } insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert()); + rv = attemptToLogInWithDefaultPassword(); + if (NS_WARN_IF(rv != NS_OK)) { + return rv; + } + SECStatus srv; if (type == nsIX509Cert::CA_CERT) { // always start with untrusted and move up @@ -1614,6 +1644,11 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get())); + rv = attemptToLogInWithDefaultPassword(); + if (NS_WARN_IF(rv != NS_OK)) { + return rv; + } + SECStatus srv = __CERT_AddTempCertToPerm(tmpCert.get(), const_cast(nickname.get()), trust.GetTrust()); 
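Review bot: In `attemptToLogInWithDefaultPassword`, the comment above the `PK11_InitPin` call does not match its guard. The call is reached only when `PK11_NeedUserInit(slot)` is true, which as far as I know means no user PIN has been set on the internal key slot, so a non-default password is not the failure case on this path. What the branch does is initialize the key database with an empty password, a persistent change to token state made as a side effect of a trust-changing call; the function calls no authentication routine, despite its name. I would reword the comment to say so, e.g. `// No user PIN is set yet: initialize it to the empty password so the SQL DB permits trust changes. This persistently changes the token state.` Since the `PK11_InitPin` result is discarded, it would also help to note that a failure there only shows up later as a failed trust change.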
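Review bot: The check added in SetCertTrust, `if (NS_WARN_IF(rv != NS_OK))`, compares against a single success code instead of testing for failure. The helper currently returns only `NS_OK` or a mapped failure, so this is a style point, but `if (NS_WARN_IF(NS_FAILED(rv)))` is the usual form and stays correct if the helper ever returns another success code. The same lines are added in AddCertFromBase64 (hunk at -1614) and SetCertTrustFromString (hunk at -1643). A one-line comment at each call, such as `// On NSS_DISABLE_DBM builds this may set an empty password on the internal key slot.`, would make the side effect visible where trust is being changed. All three enclosing functions start and end outside their hunks.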
@@ -1643,6 +1678,12 @@ nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert3* cert, return MapSECStatus(SECFailure); } insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert()); + + nsresult rv = attemptToLogInWithDefaultPassword(); + if (NS_WARN_IF(rv != NS_OK)) { + return rv; + } + srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nssCert.get(), &trust); return MapSECStatus(srv); }