net/base/x509_certificate_win.cc - Issue 8382026: Consider the signature algorithms of incomplete chains on Windows

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/base/x509_certificate_win.cc

Issue 8382026: Consider the signature algorithms of incomplete chains on Windows (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Enable tests on Windows Created 9 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/base/x509_certificate_win.cc

diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc

index 4f2783627772b81bf7ef5ef6fc65030f9e4a1bf5..4f0d40ccd3077b82a7abb5b9d3787d43ea2dc1e8 100644

--- a/net/base/x509_certificate_win.cc

+++ b/net/base/x509_certificate_win.cc

@@ -330,11 +330,22 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,

PCCERT_CONTEXT verified_cert = NULL;

std::vector<PCCERT_CONTEXT> verified_chain;

+ bool has_root_ca = num_elements > 1 &&

+ !(chain_context->TrustStatus.dwErrorStatus &

+ CERT_TRUST_IS_PARTIAL_CHAIN);

// Each chain starts with the end entity certificate (i = 0) and ends with

- // the root CA certificate (i = num_elements - 1). Do not inspect the

- // signature algorithm of the root CA certificate because the signature on

- // the trust anchor is not important.

- for (int i = 0; i < num_elements - 1; ++i) {

+ // either the root CA certificate or the last available intermediate. If a

+ // root CA certificate is present, do not inspect the signature algorithm of

+ // the root CA certificate because the signature on the trust anchor is not

+ // important.

+ if (has_root_ca) {

+ // If a full chain was constructed, regardless of whether it was trusted,

+ // don't inspect the root's signature algorithm.

+ num_elements -= 1;

+ }

+ for (int i = 0; i < num_elements; ++i) {

PCCERT_CONTEXT cert = element[i]->pCertContext;

if (i == 0) {

verified_cert = cert;

@@ -361,8 +372,8 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,

if (verified_cert) {

// Add the root certificate, if present, as it was not added above.

- if (num_elements > 1)

- verified_chain.push_back(element[num_elements - 1]->pCertContext);

+ if (has_root_ca)

+ verified_chain.push_back(element[num_elements]->pCertContext);

verify_result->verified_cert =

X509Certificate::CreateFromHandle(verified_cert, verified_chain);

}

« no previous file with comments | « net/base/x509_certificate_unittest.cc ('k') | no next file » | no next file with comments »