Chromium Code Reviews
Unified Diff: net/base/x509_certificate_win.cc

Issue 8382026: Consider the signature algorithms of incomplete chains on Windows (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 9 years, 2 months ago
Index: net/base/x509_certificate_win.cc
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 5c53a15bb55e39144d80d3fff9a6995a1a3074fa..de9bcbaad47eb765ed4e089d7edde9c538530746 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -306,11 +306,22 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
PCCERT_CONTEXT verified_cert = NULL;
std::vector<PCCERT_CONTEXT> verified_chain;
+ bool has_root_ca = num_elements > 1 &&
+ !(chain_context.TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_PARTIAL_CHAIN);
+
// Each chain starts with the end entity certificate (i = 0) and ends with
- // the root CA certificate (i = num_elements - 1). Do not inspect the
- // signature algorithm of the root CA certificate because the signature on
- // the trust anchor is not important.
- for (int i = 0; i < num_elements - 1; ++i) {
+ // either the root CA certificate (i = num_elements - 1) or the last
+ // available intermediate. If a root CA certificate is present, do not
wtc 2011/10/25 01:36:46 Move "(i = num_elements - 1)" after "the last avai
+ // inspect the signature algorithm of the root CA certificate because the
+ // signature on the trust anchor is not important
+ if (has_root_ca) {
+ // If a full chain was constructed, regardless of whether it was trusted,
+ // don't inspect the root's signature algorithm.
+ num_elements -= 1;
+ }
+
+ for (int i = 0; i < num_elements; ++i) {
PCCERT_CONTEXT cert = element[i]->pCertContext;
if (i == 0) {
verified_cert = cert;
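Review bot: `chain_context` is declared as `PCCERT_CHAIN_CONTEXT` in the function signature, which is a pointer type (`const CERT_CHAIN_CONTEXT*`), so the new `chain_context.TrustStatus.dwErrorStatus` will not compile; it should be `chain_context->TrustStatus.dwErrorStatus`. Separately, decrementing `num_elements` in place changes what that name means for the rest of the function (every later index computed from it now excludes the root), so a distinct variable such as `const int num_to_inspect = has_root_ca ? num_elements - 1 : num_elements;` for the loop bound would be less fragile. Minor: the rewritten comment lost its trailing period after "is not important".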
@@ -337,7 +348,7 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
if (verified_cert) {
// Add the root certificate, if present, as it was not added above.
- if (num_elements > 1)
+ if (has_root_ca)
verified_chain.push_back(element[num_elements - 1]->pCertContext);
wtc 2011/10/25 01:36:46 BUG: the array index should be num_elements becaus
verify_result->verified_cert =
X509Certificate::CreateFromHandle(verified_cert, verified_chain);
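Review bot: this index is now wrong whenever `has_root_ca` is true, because `num_elements` was decremented by one in the hunk above; `element[num_elements - 1]` therefore points at the last intermediate, which the loop already pushed, and the root is dropped from `verified_chain` while the last intermediate is added twice. Use `element[num_elements]->pCertContext` here, or better, keep `num_elements` unchanged and apply the `- 1` only to the loop bound so this line can stay as it was.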