Mark untrusted certificates as such in Linux UI.

net/base/cert_database_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_database.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <secmod.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
+
 // PSM = Mozilla's Personal Security Manager.
 namespace psm = mozilla_security_manager;
 
 namespace net {
 
 CertDatabase::CertDatabase() {
   crypto::EnsureNSSInit();
   psm::EnsurePKCS12Init();
 }
 
@@ skipping 195 matching lines @@
           trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
     case SERVER_CERT:
       return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
           trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
           trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
     default:
       return UNTRUSTED;
   }
 }
 
+bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
+  CERTCertTrust nsstrust;
+  SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+  if (rv != SECSuccess) {
+    LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+    return false;
+  }
+
+  // handle explicitly distrusted certificates.

[wtc, 2011/09/21 17:05:33]

Nit: capitalize "handle".

+  unsigned int flags = SEC_GET_TRUST_FLAGS(&nsstrust, trustSSL);
+  static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED;
+  if ((flags & CERTDB_TERMINAL_RECORD) && (flags & kTrusted) == 0) {
+    // In a terminal trust record, three bits may be set: CERTDB_VALID_CA,
+    // CERTDB_TRUSTED_CA, and CERTDB_TRUSTED.  The CERTDB_VALID_CA bit is
+    // irrelevant to distrust, so we don't test that bit.
+    return true;
+  }

[wtc, 2011/09/21 17:05:33]

IMPORTANT: Did you omit the checking of distrust for email and
code signing intentionally?  If so, you should add a comment,
and change the boolean expression on lines 268-270 to match
(which would be just (nsstrust.sslFlags & kTrusted) == 0.

[agl, 2011/09/21 17:53:53]

I did deliberately omit the tests for email and code signing. Just because a
terminal record isn't trusted for email signing doesn't mean that it's
distrusted for SSL, which is what we're interested in here.

But nor do I really want to adjust the code below to match because, in that
case, self-signed certs which are only valid for email will be marked as
untrusted.

Please see if you like the latest revision of this code any better.

+
+  // Self-signed certificates that don't have any trust bits set are untrusted.
+  // Other certificates that don't have any trust bits set may still be trusted
+  // if they chain up to a trust anchor.
+  if (CERT_CompareName(&cert->os_cert_handle()->issuer,
+                       &cert->os_cert_handle()->subject) == SECEqual) {
+    return (nsstrust.sslFlags & kTrusted) == 0 &&
+           (nsstrust.emailFlags & kTrusted) == 0 &&
+           (nsstrust.objectSigningFlags & kTrusted) == 0;
+  }
+
+  return false;
+}
+
 bool CertDatabase::SetCertTrust(const X509Certificate* cert,
                                 CertType type,
                                 unsigned int trusted) {
   bool success = psm::SetCertTrust(cert, type, trusted);
   if (success)
     CertDatabase::NotifyObserversOfCertTrustChanged(cert);
 
   return success;
 }
 
@@ skipping 19 matching lines @@
   }
   return true;
 }
 
 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {
   PK11SlotInfo* slot = cert->os_cert_handle()->slot;
   return slot && PK11_IsReadOnly(slot);
 }
 
 }  // namespace net