
Unified Diff: net/base/x509_certificate_win.cc

Issue 6874039: Return the constructed certificate chain in X509Certificate::Verify() (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Ensure the EE cert is marked as a TLS server cert, not a CA cert Created 9 years, 8 months ago
Index: net/base/x509_certificate_win.cc
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 26926b4d81ffe395324fa73805bc28edcc83e9c3..c25d6aa64b5dd9e7cea714eff73e3a7d95a4f5d6 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -295,16 +295,28 @@ bool CertSubjectCommonNameHasNull(PCCERT_CONTEXT cert) {
// this function.
void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
CertVerifyResult* verify_result) {
+ if (chain_context->cChain < 1)
+ return;
wtc 2011/07/26 00:16:35 Why don't you test chain_context->cChain == 0 here
Ryan Sleevi 2011/07/26 00:44:15 No, it's a DWORD, so it's unsigned. Updated to be
+
PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
int num_elements = first_chain->cElement;
PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
+ PCCERT_CONTEXT verified_cert = NULL;
+ std::vector<PCCERT_CONTEXT> verified_chain;
+
// Each chain starts with the end entity certificate (i = 0) and ends with
// the root CA certificate (i = num_elements - 1). Do not inspect the
// signature algorithm of the root CA certificate because the signature on
// the trust anchor is not important.
for (int i = 0; i < num_elements - 1; ++i) {
PCCERT_CONTEXT cert = element[i]->pCertContext;
+ if (i == 0) {
+ verified_cert = cert;
+ } else {
+ verified_chain.push_back(cert);
+ }
+
const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId;
if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) {
// md5WithRSAEncryption: 1.2.840.113549.1.1.4
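Review bot: When the first simple chain holds a single element (`cElement == 1`, for example a self-signed or unchained leaf), the loop bound `i < num_elements - 1` means the body never runs, so the `i == 0` branch never records `verified_cert` and the later `if (verified_cert)` block is skipped. The result then keeps whatever Verify() seeded, which in this patch is the input certificate with its attached intermediates rather than the chain CryptoAPI built. Recording the leaf outside the signature-algorithm loop removes that coupling: `if (num_elements > 0) verified_cert = element[0]->pCertContext;` before the loop and `if (i > 0) verified_chain.push_back(cert);` inside it. The loop body continues past the end of this hunk.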
@@ -321,6 +333,14 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
verify_result->has_md4 = true;
}
}
+
+ if (verified_cert) {
+ // Add the root certificate, if present, as it was not added above.
+ if (num_elements > 1)
+ verified_chain.push_back(element[num_elements - 1]->pCertContext);
+ verify_result->verified_cert =
+ X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+ }
}
// Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO
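Review bot: The comment `// Add the root certificate, if present` overstates what the last element is: nothing in the visible lines checks that the chain terminated at a trust anchor, so on an incomplete chain `element[num_elements - 1]` is presumably just the last certificate that was found. Suggested wording: `// Add the last chain element, which the loop above skips; it is the root only when the chain is complete.` As far as these lines show, `verified_cert` is also filled in regardless of the trust result, so the function comment should say that callers must check `cert_status` before relying on it. GetCertChainInfo starts outside this hunk.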
@@ -674,8 +694,8 @@ int X509Certificate::Verify(const std::string& hostname,
int flags,
CertVerifyResult* verify_result) const {
verify_result->Reset();
- if (!cert_handle_)
- return ERR_UNEXPECTED;
+ verify_result->verified_cert =
+ CreateFromHandle(cert_handle_, GetIntermediateCertificates());
if (IsBlacklisted()) {
verify_result->cert_status |= CERT_STATUS_REVOKED;
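Review bot: The `!cert_handle_` guard is removed with no replacement in the visible lines, so a NULL handle now flows into `CreateFromHandle` and on into the rest of Verify(); unless CreateFromHandle is known to tolerate NULL, keep `if (!cert_handle_) return ERR_UNEXPECTED;` directly after `verify_result->Reset();`. Separately, seeding `verified_cert` with `GetIntermediateCertificates()` means any early return, such as the `IsBlacklisted()` path below, leaves a field named "verified" holding a chain that was not validated. A comment such as `// Default to the unverified input chain; replaced by GetCertChainInfo once a chain is built.` would make that explicit for consumers. Verify() continues beyond the end of this hunk.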
