
Unified Diff: net/base/x509_certificate_nss.cc

Issue 9149010: net: allow CRLSets to block specific SPKIs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 11 months ago
Index: net/base/x509_certificate_nss.cc
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index a338e749caea3a628e7bcc0a29febfcad0c2be49..fdd65fda4f1a3d74cbb9da8885ca925475f2e787 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -23,6 +23,7 @@
#include "crypto/nss_util.h"
#include "crypto/rsa_private_key.h"
#include "crypto/scoped_nss_types.h"
+#include "crypto/sha2.h"
#include "net/base/asn1_util.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_verify_result.h"
@@ -258,14 +259,12 @@ CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
if (root)
certs.push_back(root);
- CERTCertificate* prev = NULL;
- for (std::vector<CERTCertificate*>::iterator i = certs.begin();
- i != certs.end(); ++i) {
+ // We iterate from the root certificate down to the leaf, keeping track of
+ // the issuer's SPKI at each step.
+ std::string issuer_spki_hash;
+ for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
+ i != certs.rend(); ++i) {
CERTCertificate* cert = *i;
- CERTCertificate* child = prev;
- prev = cert;
- if (child == NULL)
- continue;
base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
cert->derCert.len);
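Review bot: The comment added above the loop says the walk starts at the root, but `root` is only appended when it is non-NULL (the `if (root)` just above), so when no root was found the first certificate visited is the topmost intermediate and its own serial is never checked against an issuer (unchanged from the old loop, which also skipped the first certificate via the `child == NULL` test). Suggest wording the comment to match what the code does: `// Walk from the top of the chain (the root, when one was found) down to the leaf, carrying the previous certificate's SPKI hash as the issuer's.` CheckRevocationWithCRLSet begins before this hunk.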
@@ -275,12 +274,18 @@ CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
NOTREACHED();
return kCRLSetError;
}
+ const std::string spki_hash = crypto::SHA256HashString(spki);
+
+ base::StringPiece serial_number = base::StringPiece(
+ reinterpret_cast<char*>(cert->serialNumber.data),
+ cert->serialNumber.len);
+
+ CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
- std::string serial_number(
- reinterpret_cast<char*>(child->serialNumber.data),
- child->serialNumber.len);
+ if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
+ result = crl_set->CheckSerial(serial_number, issuer_spki_hash);
- CRLSet::Result result = crl_set->CheckCertificate(serial_number, spki);
+ issuer_spki_hash = spki_hash;
switch (result) {
case CRLSet::REVOKED:
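Review bot: The serial handed to CheckSerial in the added `base::StringPiece serial_number = ...` lines is whatever byte form NSS left in `cert->serialNumber` after decoding, and nothing in this hunk establishes that this is the byte form the CRLSet's serial entries are written in (DER INTEGER content octets, with or without the leading 0x00 sign byte that a positive serial with its high bit set carries). If the two forms differ, a serial that is in the set simply does not match and the certificate is treated as not revoked, a silent fail-open, so the matching rule should be pinned on one side: normalize in CRLSet::CheckSerial (not visible here) or state the expectation at the call site, e.g. `// NSS's serialNumber holds the decoded INTEGER contents; CRLSet serials must be stored in the same form (see CRLSet::CheckSerial).`, and cover a high-bit serial in the accompanying crl_set_unittest.cc. Separately, a non-REVOKED value from CheckSPKI is discarded in favor of CheckSerial's result at the `if (result != CRLSet::REVOKED ...)` line; that is only right if CheckSPKI's non-REVOKED results are never more significant than the serial check's, which deserves a one-line comment. The `switch` on `result` continues past the end of this hunk.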