net/base/cert_database_nss.cc - Issue 7272014: Mark untrusted certificates as such in Linux UI.

Side by Side Diff: net/base/cert_database_nss.cc

Issue 7272014: Mark untrusted certificates as such in Linux UI. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 9 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/base/cert_database.h"	5 #include "net/base/cert_database.h"

6	6

7 #include <cert.h>	7 #include <cert.h>

8 #include <certdb.h>	8 #include <certdb.h>

9 #include <keyhi.h>	9 #include <keyhi.h>

10 #include <pk11pub.h>	10 #include <pk11pub.h>

(...skipping 218 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
229 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;	229 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;

230 case SERVER_CERT:	230 case SERVER_CERT:

231 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +	231 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +

232 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +	232 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +

233 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;	233 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;

234 default:	234 default:

235 return UNTRUSTED;	235 return UNTRUSTED;

236 }	236 }

237 }	237 }

238	238

	239 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {

	240 CERTCertTrust nsstrust;

	241 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);

	242 if (rv != SECSuccess) {

	243 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();

	244 return false;

	245 }

	246

	247 return nsstrust.sslFlags == 0 &&

	248 nsstrust.emailFlags == 0 &&

	249 nsstrust.objectSigningFlags == 0;
	wtc 2011/06/29 00:30:45 I believe this is correct only for root certs. (N I believe this is correct only for root certs. (Note: the trusts for the IPS roots were removed in https://bugzilla.mozilla.org/show_bug.cgi?id=530853.) For non-root certs, I think we will need code similar to the CERT_CheckLeafTrust function in Bob Relyea's patch https://bug642503.bugzilla.mozilla.org/attachment.cgi?id=527127 in the NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=642503 Specifically, we need to test if the CERTDB_TERMINAL_RECORD bit (formerly named CERTDB_VALID_PEER) is set. nsstrust.sslFlags == 0 for a non-root cert actually means it derives its trust from its CA. Two important test cases for non-root certs are: https://bugzilla.mozilla.org/show_bug.cgi?id=471715 https://bugzilla.mozilla.org/show_bug.cgi?id=642815 I will ask Bob Relyea (an NSS developer) about this. mattm 2011/06/29 01:12:07 Maybe we should only check the sslFlags? If for s Maybe we should only check the sslFlags? If for some reason a cert is untrusted for SSL but still trusted for other things we'd probably still want to display the badge since we only use SSL trust, right?
	250 }

	251

239 bool CertDatabase::SetCertTrust(const X509Certificate* cert,	252 bool CertDatabase::SetCertTrust(const X509Certificate* cert,

240 CertType type,	253 CertType type,

241 unsigned int trusted) {	254 unsigned int trusted) {

242 bool success = psm::SetCertTrust(cert, type, trusted);	255 bool success = psm::SetCertTrust(cert, type, trusted);

243 if (success)	256 if (success)

244 CertDatabase::NotifyObserversOfCertTrustChanged(cert);	257 CertDatabase::NotifyObserversOfCertTrustChanged(cert);

245	258

246 return success;	259 return success;

247 }	260 }

248	261

(...skipping 19 matching lines...) Expand all Loading...
268 }	281 }

269 return true;	282 return true;

270 }	283 }

271	284

272 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {	285 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {

273 PK11SlotInfo* slot = cert->os_cert_handle()->slot;	286 PK11SlotInfo* slot = cert->os_cert_handle()->slot;

274 return slot && PK11_IsReadOnly(slot);	287 return slot && PK11_IsReadOnly(slot);

275 }	288 }

276	289

277 } // namespace net	290 } // namespace net

OLD	NEW

« chrome/browser/ui/webui/options/certificate_manager_handler.cc ('K') | « net/base/cert_database.h ('k') | no next file » | no next file with comments »