
Unified Diff: net/base/cert_database_nss.cc

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 9 months ago
Index: net/base/cert_database_nss.cc
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc
index 4dde4fcda3a06d689e32f119c48223aa575f6c5c..516db6ee195109a508de4fd4d3fa0c827f752a6a 100644
--- a/net/base/cert_database_nss.cc
+++ b/net/base/cert_database_nss.cc
@@ -199,8 +199,9 @@ bool CertDatabase::ImportCACerts(const CertificateList& certificates,
}
bool CertDatabase::ImportServerCert(const CertificateList& certificates,
+ TrustBits trust_bits,
ImportCertFailureList* not_imported) {
- return psm::ImportServerCert(certificates, not_imported);
+ return psm::ImportServerCert(certificates, trust_bits, not_imported);
}
CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
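Review bot: The new `trust_bits` argument of ImportServerCert is forwarded to `psm::ImportServerCert` with no comment on which TrustBits values are meaningful for a server certificate or what passing `UNTRUSTED` does. This parameter presumably decides whether an imported leaf is trusted for SSL, so the contract belongs at the wrapper, for example `// |trust_bits| is the trust to record for the imported server cert; CA-only bits are not expected here.` The second half of that sentence should be confirmed against the psm implementation, which is not visible in this hunk. No default value is visible for the parameter, so every existing caller has to choose a value explicitly, which is the safer outcome for a trust decision.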
@@ -216,11 +217,20 @@ CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
case CA_CERT:
return trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
- trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+ trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN +
+ ((trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE) |
+ trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE) |
+ trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE)) *
+ TRUST_TERMINAL_RECORD);
case SERVER_CERT:
+ // Since we don't define per-type terminal-record bits, we can't precisely
+ // round-trip from NSS trust to TrustBits and back.
return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL +
trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL +
- trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN;
+ trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN +
+ ((trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE) |
+ trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE)) *
+ TRUST_TERMINAL_RECORD);
default:
return UNTRUSTED;
}
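Review bot: In the SERVER_CERT branch the terminal-record test covers only the email and object-signing usages, while the CA_CERT branch above checks all three, so an SSL-only terminal record on a server cert would not set `TRUST_TERMINAL_RECORD`, and nothing in the hunk says whether that is intended. If it is an oversight, add `trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE) |` as the first operand; if it is deliberate, the comment should say why. Because the bit is collapsed across usages, a caller that reads these TrustBits and writes them back could presumably extend a terminal record to usages it was never set for, so the round-trip comment should sit above the `switch` (it applies to CA_CERT too) and name that risk. The arithmetic also relies on every `PRBool` returned being exactly 0 or 1, which `!!` on each operand would make explicit. GetCertTrust starts outside the hunk and its end is not visible.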
