Parse an application/x-x509-user-cert response with

net/base/cert_database_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_database.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <keyhi.h>
 #include <pk11pub.h>
@@ skipping 20 matching lines @@
 namespace psm = mozilla_security_manager;
 
 namespace net {
 
 CertDatabase::CertDatabase() {
   crypto::EnsureNSSInit();
   psm::EnsurePKCS12Init();
 }
 
 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
+  // TODO(wtc) a null cert_obj means we could not decode the
+  // application/x-x509-user-cert response.  Should we check that
+  // here or in the caller?

[Ryan Sleevi, 2012/04/27 00:55:48]

Presuming a CertificateList, I would assume it's the caller's responsibility.
This would still need to be a single cert.

   if (!cert_obj)
     return ERR_CERT_INVALID;
   if (cert_obj->HasExpired())
     return ERR_CERT_DATE_INVALID;
 
   // Check if the private key corresponding to the certificate exist
   // We shouldn't accept any random client certificate sent by a CA.
 
   // Note: The NSS source documentation wrongly suggests that this
   // also imports the certificate if the private key exists. This
@@ skipping 18 matching lines @@
     slot = PK11_ImportCertForKey(
         cert,
         cert_obj->GetDefaultNickname(net::USER_CERT).c_str(),
         NULL);
   }
 
   if (!slot) {
     LOG(ERROR) << "Couldn't import user certificate.";
     return ERR_ADD_USER_CERT_FAILED;
   }
+  const X509Certificate::OSCertHandles& intermediate_certs =
+      cert_obj->GetIntermediateCertificates();
+  for (size_t i = 0; i < intermediate_certs.size(); ++i) {
+    CERTCertificate* intermediate_cert = intermediate_certs[i];
+    // TODO(wtc): skip intermediate_cert if it is a self-signed root cert?
+    // It is not useful to import a root cert without trust settings.
+    char* nickname = CERT_MakeCANickname(intermediate_cert);
+    PK11_ImportCert(slot, intermediate_cert, CK_INVALID_HANDLE, nickname,

[Ryan Sleevi, 2012/04/27 00:55:48]

This is quite dangerous for Linux, in that non-libpkix applications (such as
Firefox) can become confused by cross-signed roots and fail to successfully
build chains.

This is why Firefox ensures a chain can be built for each certificate, before
importing.

[wtc, 2012/04/27 21:16:50]

We can copy Firefox's behavior.  This means if client certs
are issued by a private CA that is not in the browser's
trusted root CA list, that private CA has to issue the client
certs directly and can't issue them from an intermediate CA
(because the browser won't import the intermediate CA cert).

[Ryan Sleevi, 2012/04/27 21:24:21]

What Firefox does is described in my previous comment. It effectively
accomplishes the same thing, in that no intermediates will be imported that do
not chain to a (previously trusted/imported/built-in) root.

That's were my comment about UI behaviour comes in, since there are typically
one or two (such as non-cross-signed root certs) in these bundles.

+                    PR_FALSE);
+    PORT_Free(nickname);
+  }
   PK11_FreeSlot(slot);
   CertDatabase::NotifyObserversOfUserCertAdded(cert_obj);
   return OK;
 }
 
 void CertDatabase::ListCerts(CertificateList* certs) {
   certs->clear();
 
   CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
   CERTCertListNode* node;
@@ skipping 224 matching lines @@
 
   return true;
 }
 
 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {
   PK11SlotInfo* slot = cert->os_cert_handle()->slot;
   return slot && PK11_IsReadOnly(slot);
 }
 
 }  // namespace net