Index: net/base/x509_certificate_nss.cc |
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc |
index d71381ac7bf1547958775979bb8b890eebd73115..928883511467ca50a23b8d71ca460bad92b7c3e6 100644 |
--- a/net/base/x509_certificate_nss.cc |
+++ b/net/base/x509_certificate_nss.cc |
@@ -203,6 +203,18 @@ void GetCertChainInfo(CERTCertList* cert_list, |
} |
} |
+// IsKnownRoot returns true if the given certificate is one that we believe is |
+// a standard (as opposed to user-installed) root. |
+static bool IsKnownRoot(CERTCertificate* root) { |
wtc
2011/04/06 04:28:38
Remove 'static', because this is in the unnamed na
agl
2011/04/06 19:02:02
Done.
|
+ if (!root->slot) |
+ return false; |
+ |
+ // This magic name is taken from |
+ // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79 |
+ return 0 == strcmp(PK11_GetSlotName(root->slot), |
+ "NSS Builtin Objects"); |
+} |
+ |
typedef char* (*CERTGetNameFunc)(CERTName* name); |
void ParsePrincipal(CERTName* name, |
@@ -774,6 +786,10 @@ int X509Certificate::Verify(const std::string& hostname, |
cvout[cvout_index].value.pointer.chain = NULL; |
int cvout_cert_list_index = cvout_index; |
cvout_index++; |
+ cvout[cvout_index].type = cert_po_trustAnchor; |
+ cvout[cvout_index].value.pointer.cert = NULL; |
+ int cvout_trust_anchor_index = cvout_index; |
+ cvout_index++; |
cvout[cvout_index].type = cert_po_end; |
ScopedCERTValOutParam scoped_cvout(cvout); |
@@ -808,6 +824,9 @@ int X509Certificate::Verify(const std::string& hostname, |
if (IsCertStatusError(verify_result->cert_status)) |
return MapCertStatusToNetError(verify_result->cert_status); |
+ verify_result->is_probably_mitm_cert = |
+ !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); |
+ |
if ((flags & VERIFY_EV_CERT) && VerifyEV()) |
verify_result->cert_status |= CERT_STATUS_IS_EV; |
return OK; |