Mark untrusted certificates as such in Linux UI.

net/base/cert_database_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_database.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <secmod.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
+
 // PSM = Mozilla's Personal Security Manager.
 namespace psm = mozilla_security_manager;
 
 namespace net {
 
 CertDatabase::CertDatabase() {
   crypto::EnsureNSSInit();
   psm::EnsurePKCS12Init();
 }
 
@@ skipping 195 matching lines @@
           trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
     case SERVER_CERT:
       return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
           trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
           trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
     default:
       return UNTRUSTED;
   }
 }
 
+bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
+  CERTCertTrust nsstrust;
+  SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+  if (rv != SECSuccess) {
+    LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+    return false;
+  }
+
+  // Handle explicitly distrusted certificates.
+  static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED;
+  const bool has_no_trust_flags =
+      (nsstrust.sslFlags & kTrusted) == 0 &&
+      (nsstrust.emailFlags & kTrusted) == 0 &&
+      (nsstrust.objectSigningFlags & kTrusted) == 0;
+
+  unsigned int flags = SEC_GET_TRUST_FLAGS(&nsstrust, trustSSL);
+  if (flags & CERTDB_TERMINAL_RECORD) {

[wtc, 2011/09/21 21:49:21]

Also the CERTDB_TERMINAL_RECORD bit needs to be tested
in nsstrust.sslFlags, nsstrust.emailFlags, and
nsstrust.objectSigningFlags separately.  (There could be
three terminal trust records.)

You can just revert to the CertDatabase::IsUntrusted logic
in Patch Set 3.

+    // In a terminal trust record, three bits may be set: CERTDB_VALID_CA,
+    // CERTDB_TRUSTED_CA, and CERTDB_TRUSTED.  The CERTDB_VALID_CA bit is
+    // irrelevant to distrust, so we don't test that bit.
+    return has_no_trust_flags;

[wtc, 2011/09/21 19:01:13]

The boolean expression has_no_trust_flags is wrong for
explicit distrust.

For explicit distrust, we need to use || instead of &&.
That is, if a cert is only explicitly distrusted for SSL,
we still want to flag it as untrusted, agreed?

+  }
+
+  // Self-signed certificates that don't have any trust bits set are untrusted.
+  // Other certificates that don't have any trust bits set may still be trusted
+  // if they chain up to a trust anchor.
+  if (CERT_CompareName(&cert->os_cert_handle()->issuer,
+                       &cert->os_cert_handle()->subject) == SECEqual) {
+    return has_no_trust_flags;
+  }
+
+  return false;
+}
+
 bool CertDatabase::SetCertTrust(const X509Certificate* cert,
                                 CertType type,
                                 TrustBits trust_bits) {
   bool success = psm::SetCertTrust(cert, type, trust_bits);
   if (success)
     CertDatabase::NotifyObserversOfCertTrustChanged(cert);
 
   return success;
 }
 
@@ skipping 19 matching lines @@
   }
   return true;
 }
 
 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {
   PK11SlotInfo* slot = cert->os_cert_handle()->slot;
   return slot && PK11_IsReadOnly(slot);
 }
 
 }  // namespace net