Reland: Fix imported server certs being distrusted in NSS 3.13.

chrome/browser/certificate_manager_model.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
 #define CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
 
 #include <map>
 #include <string>
 
@@ skipping 49 matching lines @@
   // |data|, using the given |password|. If |is_extractable| is false,
   // mark the private key as unextractable from the module.
   // Returns a net error code on failure.
   int ImportFromPKCS12(net::CryptoModule* module, const std::string& data,
                        const string16& password, bool is_extractable);
 
   // Import CA certificates.
   // Tries to import all the certificates given.  The root will be trusted
   // according to |trust_bits|.  Any certificates that could not be imported
   // will be listed in |not_imported|.
-  // |trust_bits| should be a bit field of TRUST_* values from CertDatabase, or
-  // UNTRUSTED.
+  // |trust_bits| should be a bit field of TRUST* values from CertDatabase.
   // Returns false if there is an internal error, otherwise true is returned and
   // |not_imported| should be checked for any certificates that were not
   // imported.
   bool ImportCACerts(const net::CertificateList& certificates,
                      net::CertDatabase::TrustBits trust_bits,
                      net::CertDatabase::ImportCertFailureList* not_imported);
 
   // Import server certificate.  The first cert should be the server cert.  Any
   // additional certs should be intermediate/CA certs and will be imported but
   // not given any trust.
   // Any certificates that could not be imported will be listed in
   // |not_imported|.
+  // |trust_bits| can be set to explicitly trust or distrust the certificate, or
+  // use TRUST_DEFAULT to inherit trust as normal.
   // Returns false if there is an internal error, otherwise true is returned and
   // |not_imported| should be checked for any certificates that were not
   // imported.
   bool ImportServerCert(
       const net::CertificateList& certificates,
+      net::CertDatabase::TrustBits trust_bits,
       net::CertDatabase::ImportCertFailureList* not_imported);
 
   // Set trust values for certificate.
-  // |trust_bits| should be a bit field of TRUST_* values from CertDatabase, or
-  // UNTRUSTED.
+  // |trust_bits| should be a bit field of TRUST* values from CertDatabase.
   // Returns true on success or false on failure.
   bool SetCertTrust(const net::X509Certificate* cert,
                     net::CertType type,
                     net::CertDatabase::TrustBits trust_bits);
 
   // Delete the cert.  Returns true on success.  |cert| is still valid when this
   // function returns.
   bool Delete(net::X509Certificate* cert);
 
   // IsHardwareBacked returns true if |cert| is hardware backed.
   // This function is only implemented for Chrome OS and always returns false
   // for other platforms.
   bool IsHardwareBacked(const net::X509Certificate* cert) const;
 
  private:
   // Callback used by Refresh() for when the cert slots have been unlocked.
   // This method does the actual refreshing.
   void RefreshSlotsUnlocked();
 
   net::CertDatabase cert_db_;
   net::CertificateList cert_list_;
 
   // The observer to notify when certificate list is refreshed.
   Observer* observer_;
 
   DISALLOW_COPY_AND_ASSIGN(CertificateManagerModel);
 };
 
 #endif  // CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_