Mark untrusted certificates as such in Linux UI.

net/base/cert_database_nss.cc

Index: net/base/cert_database_nss.cc
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index 8fb51e06001db72607a13d1d6e57f056baf98e88..004abb02a1a99446ef225bde410f65e6f4120ac1 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -21,6 +21,12 @@
 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
+
 // PSM = Mozilla's Personal Security Manager.
 namespace psm = mozilla_security_manager;
 
@@ -236,6 +242,37 @@ unsigned int CertDatabase::GetCertTrust(
   }
 }
 
+bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
+  CERTCertTrust nsstrust;
+  SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+  if (rv != SECSuccess) {
+    LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+    return false;
+  }
+
+  // handle explicitly distrusted certificates.

[wtc, 2011/09/21 17:05:33]

Nit: capitalize "handle".

+  unsigned int flags = SEC_GET_TRUST_FLAGS(&nsstrust, trustSSL);
+  static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED;
+  if ((flags & CERTDB_TERMINAL_RECORD) && (flags & kTrusted) == 0) {
+    // In a terminal trust record, three bits may be set: CERTDB_VALID_CA,
+    // CERTDB_TRUSTED_CA, and CERTDB_TRUSTED.  The CERTDB_VALID_CA bit is
+    // irrelevant to distrust, so we don't test that bit.
+    return true;
+  }

[wtc, 2011/09/21 17:05:33]

IMPORTANT: Did you omit the checking of distrust for email and
code signing intentionally?  If so, you should add a comment,
and change the boolean expression on lines 268-270 to match
(which would be just (nsstrust.sslFlags & kTrusted) == 0.

[agl, 2011/09/21 17:53:53]

I did deliberately omit the tests for email and code signing. Just because a
terminal record isn't trusted for email signing doesn't mean that it's
distrusted for SSL, which is what we're interested in here.

But nor do I really want to adjust the code below to match because, in that
case, self-signed certs which are only valid for email will be marked as
untrusted.

Please see if you like the latest revision of this code any better.

+
+  // Self-signed certificates that don't have any trust bits set are untrusted.
+  // Other certificates that don't have any trust bits set may still be trusted
+  // if they chain up to a trust anchor.
+  if (CERT_CompareName(&cert->os_cert_handle()->issuer,
+                       &cert->os_cert_handle()->subject) == SECEqual) {
+    return (nsstrust.sslFlags & kTrusted) == 0 &&
+           (nsstrust.emailFlags & kTrusted) == 0 &&
+           (nsstrust.objectSigningFlags & kTrusted) == 0;
+  }
+
+  return false;
+}
+
 bool CertDatabase::SetCertTrust(const X509Certificate* cert,
                                 CertType type,
                                 unsigned int trusted) {