Mark untrusted certificates as such in Linux UI.

net/base/cert_database_nss.cc

Index: net/base/cert_database_nss.cc
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index e198e3504be82298c9b3354b0ae08e81be425a1f..4c112126063ae870bbd0eb1d1287948b4f32ca4f 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -21,6 +21,12 @@
 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
 
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
+
 // PSM = Mozilla's Personal Security Manager.
 namespace psm = mozilla_security_manager;
 
@@ -236,6 +242,42 @@ CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
   }
 }
 
+bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
+  CERTCertTrust nsstrust;

[wtc, 2011/09/21 22:40:43]

The CERTCertTrust structure contains three trust records:
sslFlags, emailFlags, and objectSigningFlags.  The three
trust records are independent of each other.

If the CERTDB_TERMINAL_RECORD bit in a trust record is set,
then that trust record is a terminal record.  A terminal
record is used for explicit trust and distrust of an
end-entity or intermediate CA cert.

In a terminal record, if neither CERTDB_TRUSTED_CA nor
CERTDB_TRUSTED is set, then the terminal record means
explicit distrust.  On the other hand, if the terminal
record has either CERTDB_TRUSTED_CA or CERTDB_TRUSTED bit
set, then the terminal record means explicit trust.

For a root CA, the trust record does not have
the CERTDB_TERMINAL_RECORD bit set.

So the logic I suggested before was:

1. Examine the three trust records of the cert in turn.
If any of them is a terminal record for explicit distrust,
then flag the cert as untrusted.

(A variant of this logic is to examine just the SSL trust
record because Chrome doesn't care about email and code
signing.)

Since the three trust records are independent, the
check of the CERTDB_TERMINAL_RECORD bit and the kTrusted
bits must be done separately for each of the three trust
records.  They cannot be combined as you did below.

2. For a self-signed root cert, flag it as untrusted only
if we do not trust it for any purpose (i.e., if all three
trust records have no trust bits).

+  SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+  if (rv != SECSuccess) {
+    LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+    return false;
+  }
+
+  // Handle explicitly distrusted certificates.
+  static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED;
+  const bool has_no_trust_flags =
+      (nsstrust.sslFlags & kTrusted) == 0 &&
+      (nsstrust.emailFlags & kTrusted) == 0 &&
+      (nsstrust.objectSigningFlags & kTrusted) == 0;
+  const bool is_terminal_record =
+      (nsstrust.sslFlags & CERTDB_TERMINAL_RECORD) ||
+      (nsstrust.emailFlags & CERTDB_TERMINAL_RECORD) ||
+      (nsstrust.objectSigningFlags & CERTDB_TERMINAL_RECORD);
+
+  // In a terminal trust record, three bits may be set: CERTDB_VALID_CA,
+  // CERTDB_TRUSTED_CA, and CERTDB_TRUSTED.  The CERTDB_VALID_CA bit is
+  // irrelevant to distrust, so we don't test that bit.
+  if (is_terminal_record && has_no_trust_flags)
+    return true;
+
+  // Self-signed certificates that don't have any trust bits set are untrusted.
+  // Other certificates that don't have any trust bits set may still be trusted
+  // if they chain up to a trust anchor.
+  if (CERT_CompareName(&cert->os_cert_handle()->issuer,
+                       &cert->os_cert_handle()->subject) == SECEqual) {
+    return has_no_trust_flags;
+  }
+
+  return false;
+}
+
 bool CertDatabase::SetCertTrust(const X509Certificate* cert,
                                 CertType type,
                                 TrustBits trust_bits) {