NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles.

net/cert/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_nss.h"
 
 #include <string>
 #include <vector>
 
 #include <cert.h>
@@ skipping 90 matching lines @@
       return ERR_INVALID_ARGUMENT;
     case SSL_ERROR_BAD_CERT_DOMAIN:
       return ERR_CERT_COMMON_NAME_INVALID;
     case SEC_ERROR_INVALID_TIME:
     case SEC_ERROR_EXPIRED_CERTIFICATE:
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
       return ERR_CERT_DATE_INVALID;
     case SEC_ERROR_UNKNOWN_ISSUER:
     case SEC_ERROR_UNTRUSTED_ISSUER:
     case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_APPLICATION_CALLBACK_ERROR:  // Rejected by
+                                                // chain_verify_callback.
       return ERR_CERT_AUTHORITY_INVALID;
     // TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM.
     case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE:
     case SEC_ERROR_OCSP_SERVER_ERROR:
       return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
     case SEC_ERROR_REVOKED_CERTIFICATE:
     case SEC_ERROR_UNTRUSTED_CERT:  // Treat as revoked.
       return ERR_CERT_REVOKED;
     case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
       return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
@@ skipping 221 matching lines @@
 // additional_trust_anchors is an optional list of certificates that can be
 // trusted as anchors when building a certificate chain.
 // Caller must initialize cvout before calling this function.
 SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
                          bool check_revocation,
                          bool hard_fail,
                          bool cert_io_enabled,
                          const SECOidTag* policy_oids,
                          int num_policy_oids,
                          CERTCertList* additional_trust_anchors,
+                         CERTChainVerifyCallback* chain_verify_callback,
                          CERTValOutParam* cvout) {
   bool use_crl = check_revocation;
   bool use_ocsp = check_revocation;
 
   PRUint64 revocation_method_flags =
       CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
       CERT_REV_M_ALLOW_NETWORK_FETCHING |
       CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
       CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
       CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
@@ skipping 69 matching lines @@
     cvin.push_back(in_param);
   }
   if (additional_trust_anchors) {
     in_param.type = cert_pi_trustAnchors;
     in_param.value.pointer.chain = additional_trust_anchors;
     cvin.push_back(in_param);
     in_param.type = cert_pi_useOnlyTrustAnchors;
     in_param.value.scalar.b = PR_FALSE;
     cvin.push_back(in_param);
   }
+  if (chain_verify_callback) {
+    in_param.type = cert_pi_chainVerifyCallback;
+    in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
+    cvin.push_back(in_param);
+  }
   in_param.type = cert_pi_end;
   cvin.push_back(in_param);
 
   SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
                                      &cvin[0], cvout, NULL);
   if (rv != SECSuccess) {
     rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
                                             cert_io_enabled, &cvin, cvout);
   }
   return rv;
@@ skipping 200 matching lines @@
 // the first PKIXVerifyCert call.  We look up the EV policy for the trust
 // anchor.  If the trust anchor has no EV policy, we know the cert isn't EV.
 // Otherwise, we pass just that EV policy (as opposed to all the EV policies)
 // to the second PKIXVerifyCert call.
 bool VerifyEV(CERTCertificate* cert_handle,
               int flags,
               CRLSet* crl_set,
               bool rev_checking_enabled,
               EVRootCAMetadata* metadata,
               SECOidTag ev_policy_oid,
-              CERTCertList* additional_trust_anchors) {
+              CERTCertList* additional_trust_anchors,
+              CERTChainVerifyCallback* chain_verify_callback) {
   CERTValOutParam cvout[3];
   int cvout_index = 0;
   cvout[cvout_index].type = cert_po_certList;
   cvout[cvout_index].value.pointer.chain = NULL;
   int cvout_cert_list_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_trustAnchor;
   cvout[cvout_index].value.pointer.cert = NULL;
   int cvout_trust_anchor_index = cvout_index;
   cvout_index++;
   cvout[cvout_index].type = cert_po_end;
   ScopedCERTValOutParam scoped_cvout(cvout);
 
   SECStatus status = PKIXVerifyCert(
       cert_handle,
       rev_checking_enabled,
       true, /* hard fail is implied in EV. */
       flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
       &ev_policy_oid,
       1,
       additional_trust_anchors,
+      chain_verify_callback,
       cvout);
   if (status != SECSuccess)
     return false;
 
   CERTCertificate* root_ca =
       cvout[cvout_trust_anchor_index].value.pointer.cert;
   if (root_ca == NULL)
     return false;
 
   // This second PKIXVerifyCert call could have found a different certification
@@ skipping 36 matching lines @@
 }  // namespace
 
 CertVerifyProcNSS::CertVerifyProcNSS() {}
 
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
-int CertVerifyProcNSS::VerifyInternal(
+int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
+    CERTChainVerifyCallback* chain_verify_callback,
     CertVerifyResult* verify_result) {
 #if defined(OS_IOS)
   // For iOS, the entire chain must be loaded into NSS's in-memory certificate
   // store.
   x509_util_ios::NSSCertChain scoped_chain(cert);
   CERTCertificate* cert_handle = scoped_chain.cert_handle();
 #else
   CERTCertificate* cert_handle = cert->os_cert_handle();
 #endif  // defined(OS_IOS)
 
@@ skipping 32 matching lines @@
       (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
   if (check_revocation)
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
   ScopedCERTCertList trust_anchors;
   if (!additional_trust_anchors.empty()) {
     trust_anchors.reset(
         CertificateListToCERTCertList(additional_trust_anchors));
   }
 
-  SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false,
-                                    cert_io_enabled, NULL, 0,
-                                    trust_anchors.get(), cvout);
+  SECStatus status = PKIXVerifyCert(cert_handle,
+                                    check_revocation,
+                                    false,
+                                    cert_io_enabled,
+                                    NULL,
+                                    0,
+                                    trust_anchors.get(),
+                                    chain_verify_callback,
+                                    cvout);
 
   if (status == SECSuccess &&
       (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&
       !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) {
     // TODO(rsleevi): Optimize this by supplying the constructed chain to
     // libpkix via cvin. Omitting for now, due to lack of coverage in upstream
     // NSS tests for that feature.
     scoped_cvout.Clear();
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
-    status = PKIXVerifyCert(cert_handle, true, true,
-                            cert_io_enabled, NULL, 0, trust_anchors.get(),
+    status = PKIXVerifyCert(cert_handle,
+                            true,
+                            true,
+                            cert_io_enabled,
+                            NULL,
+                            0,
+                            trust_anchors.get(),
+                            chain_verify_callback,
                             cvout);
   }
 
   if (status == SECSuccess) {
     AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
                           cvout[cvout_trust_anchor_index].value.pointer.cert,
                           &verify_result->public_key_hashes);
 
     verify_result->is_issued_by_known_root =
         IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
@@ skipping 41 matching lines @@
     return MapCertStatusToNetError(verify_result->cert_status);
 
   if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) {
     check_revocation |=
         crl_set_result != kCRLSetOk &&
         cert_io_enabled &&
         (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY);
     if (check_revocation)
       verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
-    if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata,
-                 ev_policy_oid, trust_anchors.get())) {
+    if (VerifyEV(cert_handle,
+                 flags,
+                 crl_set,
+                 check_revocation,
+                 metadata,
+                 ev_policy_oid,
+                 trust_anchors.get(),
+                 chain_verify_callback)) {
       verify_result->cert_status |= CERT_STATUS_IS_EV;
     }
   }
 
   return OK;
 }
 
+int CertVerifyProcNSS::VerifyInternal(
+    X509Certificate* cert,
+    const std::string& hostname,
+    int flags,
+    CRLSet* crl_set,
+    const CertificateList& additional_trust_anchors,
+    CertVerifyResult* verify_result) {
+  return VerifyInternalImpl(cert,
+                            hostname,
+                            flags,
+                            crl_set,
+                            additional_trust_anchors,
+                            NULL,  // chain_verify_callback
+                            verify_result);
+}
+
 }  // namespace net