Chromium Code Reviews Chromium Code Reviews
Issue 137553004:
NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" | |
| 6 | |
| 7 #include "net/cert/test_root_certs.h" | |
| 8 | |
| 9 // NSS doesn't currently define CERT_LIST_TAIL. | |
| 10 // See https://bugzilla.mozilla.org/show_bug.cgi?id=962413 | |
| 11 // Can be removed once chrome requires NSS version 3.16 to build. | |
| 12 #ifndef CERT_LIST_TAIL | |
| 13 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list)) | |
| 14 #endif | |
| 15 | |
| 16 namespace chromeos { | |
| 17 | |
| 18 namespace { | |
| 19 | |
| 20 struct ChainVerifyArgs { | |
| 21 CertVerifyProcChromeOS* cert_verify_proc; | |
| 22 const net::CertificateList& additional_trust_anchors; | |
| 23 }; | |
| 24 | |
| 25 } // namespace | |
| 26 | |
| 27 CertVerifyProcChromeOS::CertVerifyProcChromeOS() {} | |
| 28 | |
| 29 CertVerifyProcChromeOS::CertVerifyProcChromeOS( | |
| 30 crypto::ScopedPK11Slot public_slot) { | |
| 31 profile_filter_.Init(public_slot.Pass(), crypto::ScopedPK11Slot()); | |
| 32 } | |
| 33 | |
| 34 CertVerifyProcChromeOS::~CertVerifyProcChromeOS() {} | |
| 35 | |
| 36 int CertVerifyProcChromeOS::VerifyInternal( | |
| 37 net::X509Certificate* cert, | |
| 38 const std::string& hostname, | |
| 39 int flags, | |
| 40 net::CRLSet* crl_set, | |
| 41 const net::CertificateList& additional_trust_anchors, | |
| 42 net::CertVerifyResult* verify_result) { | |
| 43 ChainVerifyArgs chain_verify_args = {this, additional_trust_anchors}; | |
| 44 | |
| 45 CERTChainVerifyCallback chain_verify_callback; | |
| 46 chain_verify_callback.isChainValid = | |
| 47 &CertVerifyProcChromeOS::IsChainValidFunc; | |
| 48 chain_verify_callback.isChainValidArg = | |
| 49 static_cast<void*>(&chain_verify_args); | |
| 50 | |
| 51 return VerifyInternalNSS(cert, | |
| 52 hostname, | |
| 53 flags, | |
| 54 crl_set, | |
| 55 additional_trust_anchors, | |
| 56 &chain_verify_callback, | |
| 57 verify_result); | |
| 58 } | |
| 59 | |
| 60 // static | |
| 61 SECStatus CertVerifyProcChromeOS::IsChainValidFunc( | |
| 62 void* is_chain_valid_arg, | |
| 63 const CERTCertList* current_chain, | |
| 64 PRBool* chain_ok) { | |
| 65 ChainVerifyArgs* args = static_cast<ChainVerifyArgs*>(is_chain_valid_arg); | |
| 66 CERTCertificate* cert = CERT_LIST_TAIL(current_chain)->cert; | |
| 67 | |
| 68 if (net::TestRootCerts::HasInstance()) { | |
| 69 net::TestRootCerts* root_certs = net::TestRootCerts::GetInstance(); | |
| 70 if (root_certs->Contains(cert)) { | |
|
Ryan Sleevi
2014/01/30 05:27:40
At least here, you can short change with
net::Test
mattm
2014/02/04 05:31:21
Done.
| |
| 71 *chain_ok = PR_TRUE; | |
|
Ryan Sleevi
2014/01/30 05:27:40
Add a comment explaining why this check and short-
mattm
2014/02/04 05:31:21
Done.
| |
| 72 return SECSuccess; | |
| 73 } | |
| 74 } | |
| 75 | |
| 76 for (net::CertificateList::const_iterator i = | |
| 77 args->additional_trust_anchors.begin(); | |
| 78 i != args->additional_trust_anchors.end(); | |
| 79 ++i) { | |
| 80 if (net::X509Certificate::IsSameOSCert(cert, (*i)->os_cert_handle())) { | |
| 81 *chain_ok = PR_TRUE; | |
|
Ryan Sleevi
2014/01/30 05:27:40
Ditto for adding comment explaining why
mattm
2014/02/04 05:31:21
Done.
| |
| 82 return SECSuccess; | |
| 83 } | |
| 84 } | |
| 85 | |
| 86 // TODO(mattm): If crbug.com/334384 is fixed to allow setting trust | |
| 87 // properly when the same cert is in multiple slots, this would also need | |
| 88 // updating to check the per-slot trust values. | |
| 89 *chain_ok = args->cert_verify_proc->profile_filter_.IsCertAllowed(cert) | |
| 90 ? PR_TRUE | |
| 91 : PR_FALSE; | |
| 92 return SECSuccess; | |
| 93 } | |
| 94 | |
| 95 } // namespace chromeos | |
| OLD | NEW |
