fix 221329 add ability to add root certs from autoconfig js, r=misterSSL@aol.com, sr=sspitzer

git-svn-id: svn://10.0.0.236/trunk@148152 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/manager/ssl/public/Makefile.in

@@ -49,6 +49,7 @@ XPIDLSRCS = \
     nsICertSelect.idl \
     nsIX509Cert.idl \
     nsIX509CertDB.idl \
+    nsIX509CertDB2.idl \
     nsIPKCS11Slot.idl \
     nsIPK11TokenDB.idl \
     nsICertificateDialogs.idl \

mozilla/security/manager/ssl/public/nsIX509CertDB2.idl

@@ -0,0 +1,53 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * Contributor(s):
+ *   David Bienvenu <bienvenu@nventure.com>
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nsISupports.idl"
+
+/**
+ * This represents a service to access and manipulate 
+ * X.509 certificates stored in a database through methods
+ * not in nsIX509CertDB, which is frozen
+ *
+ */
+[scriptable, uuid(dedec2ca-f941-4638-a9c0-32e02ff83d5b)]
+interface nsIX509CertDB2 : nsISupports {
+
+  /* 
+   * Add a cert to a cert DB from a base64 encoded string.
+   *
+   * @param base64 The raw representation of a certificate,
+   *                encoded as Base 64.
+   * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
+   *                indicating SSL, Email, and Obj signing trust
+   * @param aName name of the cert for display purposes.
+   */
+  void addCertFromBase64(in string base64, in string aTrust, in string aName);
+};
+

mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp

@@ -77,7 +77,7 @@ NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
 
-NS_IMPL_ISUPPORTS1(nsNSSCertificateDB, nsIX509CertDB)
+NS_IMPL_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2)
 
 nsNSSCertificateDB::nsNSSCertificateDB()
 {
@@ -1381,3 +1381,60 @@ done:
     PR_FREEIF(tmp);
     return(nickname);
 }
+
+NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const char *aTrust, const char *aName)
+{
+  NS_ENSURE_ARG_POINTER(aBase64);
+  nsCOMPtr <nsIX509Cert> newCert;
+
+  nsNSSCertTrust trust;
+
+  // need to calculate the trust bits from the aTrust string.
+  nsresult rv = CERT_DecodeTrustString(trust.GetTrust(), /* this is const, but not declared that way */(char *) aTrust);
+  NS_ENSURE_SUCCESS(rv, rv); // if bad trust passed in, return error.
+  trust.SetValidCA();
+  trust.AddCATrust(trust.GetTrust()->sslFlags,
+                   trust.GetTrust()->emailFlags,
+                   trust.GetTrust()->objectSigningFlags);
+
+
+  rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  SECItem der;
+  rv = newCert->GetRawDER(&der.len, (PRUint8 **)&der.data);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
+  CERTCertificate *tmpCert;
+  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
+  tmpCert = CERT_FindCertByDERCert(certdb, &der);
+  if (!tmpCert) 
+    tmpCert = CERT_NewTempCertificate(certdb, &der,
+                                      nsnull, PR_FALSE, PR_TRUE);
+
+  if (!tmpCert) {
+    NS_ASSERTION(0,"Couldn't create cert from DER blob\n");
+    return NS_ERROR_FAILURE;
+  }
+
+  if (tmpCert->isperm) {
+    CERT_DestroyCertificate(tmpCert);
+    return NS_OK;
+  }
+
+  CERTCertificateCleaner tmpCertCleaner(tmpCert);
+
+  nsXPIDLCString nickname;
+  nickname.Adopt(CERT_MakeCANickname(tmpCert));
+
+  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));
+
+  SECStatus srv = CERT_AddTempCertToPerm(tmpCert, 
+                                         NS_CONST_CAST(char*,nickname.get()), 
+                                         trust.GetTrust()); 
+
+  CERT_DestroyCertificate(tmpCert);
+
+  return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
+}

mozilla/security/manager/ssl/src/nsNSSCertificateDB.h

@@ -38,15 +38,17 @@
 #define __NSNSSCERTIFICATEDB_H__
 
 #include "nsIX509CertDB.h"
+#include "nsIX509CertDB2.h"
 #include "nsNSSCertHeader.h"
 
 class nsIArray;
 
-class nsNSSCertificateDB : public nsIX509CertDB
+class nsNSSCertificateDB : public nsIX509CertDB, public nsIX509CertDB2
 {
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIX509CERTDB
+  NS_DECL_NSIX509CERTDB2
 
   nsNSSCertificateDB(); 
   virtual ~nsNSSCertificateDB();