Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1151)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_nss.cc

Issue 137553004: NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: . Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/cert_verify_proc_nss.h ('K') | « net/cert/cert_verify_proc_nss.h ('k') | net/cert/nss_cert_database_chromeos_unittest.cc » ('j') | net/cert/nss_profile_filter_chromeos.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_nss.cc
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index e48888218b523da7786d719f724000b30efa0a8c..23d11168d517330557d0a30edf7cc72a937466b8 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -115,6 +115,8 @@ int MapSecurityError(int err) {
return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
case SEC_ERROR_REVOKED_CERTIFICATE:
case SEC_ERROR_UNTRUSTED_CERT: // Treat as revoked.
+ case SEC_ERROR_APPLICATION_CALLBACK_ERROR: // Rejected by
+ // chain_verify_callback.
return ERR_CERT_REVOKED;
case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
@@ -349,6 +351,7 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
const SECOidTag* policy_oids,
int num_policy_oids,
CERTCertList* additional_trust_anchors,
+ CERTChainVerifyCallback* chain_verify_callback,
CERTValOutParam* cvout) {
bool use_crl = check_revocation;
bool use_ocsp = check_revocation;
@@ -438,6 +441,11 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
in_param.value.scalar.b = PR_FALSE;
cvin.push_back(in_param);
}
+ if (chain_verify_callback) {
+ in_param.type = cert_pi_chainVerifyCallback;
+ in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
+ cvin.push_back(in_param);
+ }
in_param.type = cert_pi_end;
cvin.push_back(in_param);
@@ -658,7 +666,8 @@ bool VerifyEV(CERTCertificate* cert_handle,
bool rev_checking_enabled,
EVRootCAMetadata* metadata,
SECOidTag ev_policy_oid,
- CERTCertList* additional_trust_anchors) {
+ CERTCertList* additional_trust_anchors,
+ CERTChainVerifyCallback* chain_verify_callback) {
CERTValOutParam cvout[3];
int cvout_index = 0;
cvout[cvout_index].type = cert_po_certList;
@@ -680,6 +689,7 @@ bool VerifyEV(CERTCertificate* cert_handle,
&ev_policy_oid,
1,
additional_trust_anchors,
+ chain_verify_callback,
cvout);
if (status != SECSuccess)
return false;
@@ -728,7 +738,11 @@ CERTCertList* CertificateListToCERTCertList(const CertificateList& list) {
} // namespace
-CertVerifyProcNSS::CertVerifyProcNSS() {}
+CertVerifyProcNSS::CertVerifyProcNSS() : chain_verify_callback_(NULL) {}
+
+CertVerifyProcNSS::CertVerifyProcNSS(
+ CERTChainVerifyCallback* chain_verify_callback)
+ : chain_verify_callback_(chain_verify_callback) {}
CertVerifyProcNSS::~CertVerifyProcNSS() {}
@@ -794,9 +808,15 @@ int CertVerifyProcNSS::VerifyInternal(
CertificateListToCERTCertList(additional_trust_anchors));
}
- SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false,
- cert_io_enabled, NULL, 0,
- trust_anchors.get(), cvout);
+ SECStatus status = PKIXVerifyCert(cert_handle,
+ check_revocation,
+ false,
+ cert_io_enabled,
+ NULL,
+ 0,
+ trust_anchors.get(),
+ chain_verify_callback_,
+ cvout);
if (status == SECSuccess &&
(flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&
@@ -806,8 +826,14 @@ int CertVerifyProcNSS::VerifyInternal(
// NSS tests for that feature.
scoped_cvout.Clear();
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
- status = PKIXVerifyCert(cert_handle, true, true,
- cert_io_enabled, NULL, 0, trust_anchors.get(),
+ status = PKIXVerifyCert(cert_handle,
+ true,
+ true,
+ cert_io_enabled,
+ NULL,
+ 0,
+ trust_anchors.get(),
+ chain_verify_callback_,
cvout);
}
@@ -870,7 +896,7 @@ int CertVerifyProcNSS::VerifyInternal(
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata,
- ev_policy_oid, trust_anchors.get())) {
+ ev_policy_oid, trust_anchors.get(), chain_verify_callback_)) {
verify_result->cert_status |= CERT_STATUS_IS_EV;
}
}
« net/cert/cert_verify_proc_nss.h ('K') | « net/cert/cert_verify_proc_nss.h ('k') | net/cert/nss_cert_database_chromeos_unittest.cc » ('j') | net/cert/nss_profile_filter_chromeos.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698