Index: net/base/cert_database_nss.cc |
=================================================================== |
--- net/base/cert_database_nss.cc (revision 133822) |
+++ net/base/cert_database_nss.cc (working copy) |
@@ -38,6 +38,9 @@ |
} |
int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { |
+ // TODO(wtc) a null cert_obj means we could not decode the |
+ // application/x-x509-user-cert response. Should we check that |
+ // here or in the caller? |
Ryan Sleevi
2012/04/27 00:55:48
Presuming a CertificateList, I would assume it's t
|
if (!cert_obj) |
return ERR_CERT_INVALID; |
if (cert_obj->HasExpired()) |
@@ -76,6 +79,17 @@ |
LOG(ERROR) << "Couldn't import user certificate."; |
return ERR_ADD_USER_CERT_FAILED; |
} |
+ const X509Certificate::OSCertHandles& intermediate_certs = |
+ cert_obj->GetIntermediateCertificates(); |
+ for (size_t i = 0; i < intermediate_certs.size(); ++i) { |
+ CERTCertificate* intermediate_cert = intermediate_certs[i]; |
+ // TODO(wtc): skip intermediate_cert if it is a self-signed root cert? |
+ // It is not useful to import a root cert without trust settings. |
+ char* nickname = CERT_MakeCANickname(intermediate_cert); |
+ PK11_ImportCert(slot, intermediate_cert, CK_INVALID_HANDLE, nickname, |
Ryan Sleevi
2012/04/27 00:55:48
This is quite dangerous for Linux, in that non-lib
wtc
2012/04/27 21:16:50
We can copy Firefox's behavior. This means if cli
Ryan Sleevi
2012/04/27 21:24:21
What Firefox does is described in my previous comm
|
+ PR_FALSE); |
+ PORT_Free(nickname); |
+ } |
PK11_FreeSlot(slot); |
CertDatabase::NotifyObserversOfUserCertAdded(cert_obj); |
return OK; |