Chromium Code Reviews| Index: net/cert/cert_verify_proc_nss.cc |
| diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc |
| index e48888218b523da7786d719f724000b30efa0a8c..23d11168d517330557d0a30edf7cc72a937466b8 100644 |
| --- a/net/cert/cert_verify_proc_nss.cc |
| +++ b/net/cert/cert_verify_proc_nss.cc |
| @@ -115,6 +115,8 @@ int MapSecurityError(int err) { |
| return ERR_CERT_UNABLE_TO_CHECK_REVOCATION; |
| case SEC_ERROR_REVOKED_CERTIFICATE: |
| case SEC_ERROR_UNTRUSTED_CERT: // Treat as revoked. |
| + case SEC_ERROR_APPLICATION_CALLBACK_ERROR: // Rejected by |
| + // chain_verify_callback. |
|
Ryan Sleevi
2014/01/25 01:50:17
wrong mapping
mattm
2014/01/28 04:36:44
Done.
|
| return ERR_CERT_REVOKED; |
| case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: |
| return ERR_CERT_NAME_CONSTRAINT_VIOLATION; |
| @@ -349,6 +351,7 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle, |
| const SECOidTag* policy_oids, |
| int num_policy_oids, |
| CERTCertList* additional_trust_anchors, |
| + CERTChainVerifyCallback* chain_verify_callback, |
| CERTValOutParam* cvout) { |
| bool use_crl = check_revocation; |
| bool use_ocsp = check_revocation; |
| @@ -438,6 +441,11 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle, |
| in_param.value.scalar.b = PR_FALSE; |
| cvin.push_back(in_param); |
| } |
| + if (chain_verify_callback) { |
| + in_param.type = cert_pi_chainVerifyCallback; |
| + in_param.value.pointer.chainVerifyCallback = chain_verify_callback; |
| + cvin.push_back(in_param); |
| + } |
| in_param.type = cert_pi_end; |
| cvin.push_back(in_param); |
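Review bot: The new `if (chain_verify_callback)` guard tests only the struct pointer, so a non-null `CERTChainVerifyCallback` whose `isChainValid` member was never set is still pushed into `cvin`. How NSS handles that case is not visible in this hunk. A debug check inside the block, `DCHECK(chain_verify_callback->isChainValid);`, would surface a misconfigured caller here rather than as an opaque verification failure. The comment describing PKIXVerifyCert's parameters lies outside the hunk; it should also say that a NULL `chain_verify_callback` means no additional chain check is applied.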
| @@ -658,7 +666,8 @@ bool VerifyEV(CERTCertificate* cert_handle, |
| bool rev_checking_enabled, |
| EVRootCAMetadata* metadata, |
| SECOidTag ev_policy_oid, |
| - CERTCertList* additional_trust_anchors) { |
| + CERTCertList* additional_trust_anchors, |
| + CERTChainVerifyCallback* chain_verify_callback) { |
| CERTValOutParam cvout[3]; |
| int cvout_index = 0; |
| cvout[cvout_index].type = cert_po_certList; |
| @@ -680,6 +689,7 @@ bool VerifyEV(CERTCertificate* cert_handle, |
| &ev_policy_oid, |
| 1, |
| additional_trust_anchors, |
| + chain_verify_callback, |
| cvout); |
| if (status != SECSuccess) |
| return false; |
| @@ -728,7 +738,11 @@ CERTCertList* CertificateListToCERTCertList(const CertificateList& list) { |
| } // namespace |
| -CertVerifyProcNSS::CertVerifyProcNSS() {} |
| +CertVerifyProcNSS::CertVerifyProcNSS() : chain_verify_callback_(NULL) {} |
| + |
| +CertVerifyProcNSS::CertVerifyProcNSS( |
| + CERTChainVerifyCallback* chain_verify_callback) |
| + : chain_verify_callback_(chain_verify_callback) {} |
| CertVerifyProcNSS::~CertVerifyProcNSS() {} |
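Review bot: The new constructor stores `chain_verify_callback` as a raw, non-owning pointer, and nothing in this hunk says who keeps the struct, or whatever its `isChainValidArg` refers to, alive. The member is later handed to NSS at the `PKIXVerifyCert` and `VerifyEV` call sites further down, so a callback destroyed before this object would be dereferenced after free during certificate verification. I would state the contract next to the constructor, e.g. `// |chain_verify_callback| is not owned and must outlive this object; may be NULL.` If verification can run on more than one thread, which is not visible here, the callback also needs to be thread-safe. The declaration is in the header, outside this page; if it is not already marked so, the single-argument constructor should be `explicit`.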
| @@ -794,9 +808,15 @@ int CertVerifyProcNSS::VerifyInternal( |
| CertificateListToCERTCertList(additional_trust_anchors)); |
| } |
| - SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false, |
| - cert_io_enabled, NULL, 0, |
| - trust_anchors.get(), cvout); |
| + SECStatus status = PKIXVerifyCert(cert_handle, |
| + check_revocation, |
| + false, |
| + cert_io_enabled, |
| + NULL, |
| + 0, |
| + trust_anchors.get(), |
| + chain_verify_callback_, |
| + cvout); |
| if (status == SECSuccess && |
| (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) && |
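Review bot: `chain_verify_callback_` is passed to this `PKIXVerifyCert` call, to the retry with revocation checking in the next hunk, and to `VerifyEV` in the last hunk, so one `VerifyInternal` call can invoke the callback several times, possibly on different candidate chains. That should be stated where the callback is documented, e.g. `// May be invoked more than once per verification; must be deterministic and free of side effects.` A callback whose answer changes between passes would give an inconsistent result, for example a chain accepted by the main verification but rejected in the EV pass. VerifyInternal's body starts and ends outside this hunk.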
| @@ -806,8 +826,14 @@ int CertVerifyProcNSS::VerifyInternal( |
| // NSS tests for that feature. |
| scoped_cvout.Clear(); |
| verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| - status = PKIXVerifyCert(cert_handle, true, true, |
| - cert_io_enabled, NULL, 0, trust_anchors.get(), |
| + status = PKIXVerifyCert(cert_handle, |
| + true, |
| + true, |
| + cert_io_enabled, |
| + NULL, |
| + 0, |
| + trust_anchors.get(), |
| + chain_verify_callback_, |
| cvout); |
| } |
| @@ -870,7 +896,7 @@ int CertVerifyProcNSS::VerifyInternal( |
| verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata, |
| - ev_policy_oid, trust_anchors.get())) { |
| + ev_policy_oid, trust_anchors.get(), chain_verify_callback_)) { |
| verify_result->cert_status |= CERT_STATUS_IS_EV; |
| } |
| } |