Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(577)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc

Issue 137553004: NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: handle additional trust roots, add TestRootCertsTest.Contains, remove instantiated certtests from c… Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/chromeos/net/cert_verify_proc_chromeos.h ('K') | « chrome/browser/chromeos/net/cert_verify_proc_chromeos.h ('k') | chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc » ('j') | chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc
diff --git a/chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc b/chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc
new file mode 100644
index 0000000000000000000000000000000000000000..25ae8b5d7df212da0ed1dff448b1776bc4ad92d2
--- /dev/null
+++ b/chrome/browser/chromeos/net/cert_verify_proc_chromeos.cc
@@ -0,0 +1,95 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
+
+#include "net/cert/test_root_certs.h"
+
+// NSS doesn't currently define CERT_LIST_TAIL.
+// See https://bugzilla.mozilla.org/show_bug.cgi?id=962413
+// Can be removed once chrome requires NSS version 3.16 to build.
+#ifndef CERT_LIST_TAIL
+#define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list))
+#endif
+
+namespace chromeos {
+
+namespace {
+
+struct ChainVerifyArgs {
+ CertVerifyProcChromeOS* cert_verify_proc;
+ const net::CertificateList& additional_trust_anchors;
+};
+
+} // namespace
+
+CertVerifyProcChromeOS::CertVerifyProcChromeOS() {}
+
+CertVerifyProcChromeOS::CertVerifyProcChromeOS(
+ crypto::ScopedPK11Slot public_slot) {
+ profile_filter_.Init(public_slot.Pass(), crypto::ScopedPK11Slot());
+}
+
+CertVerifyProcChromeOS::~CertVerifyProcChromeOS() {}
+
+int CertVerifyProcChromeOS::VerifyInternal(
+ net::X509Certificate* cert,
+ const std::string& hostname,
+ int flags,
+ net::CRLSet* crl_set,
+ const net::CertificateList& additional_trust_anchors,
+ net::CertVerifyResult* verify_result) {
+ ChainVerifyArgs chain_verify_args = {this, additional_trust_anchors};
+
+ CERTChainVerifyCallback chain_verify_callback;
+ chain_verify_callback.isChainValid =
+ &CertVerifyProcChromeOS::IsChainValidFunc;
+ chain_verify_callback.isChainValidArg =
+ static_cast<void*>(&chain_verify_args);
+
+ return VerifyInternalNSS(cert,
+ hostname,
+ flags,
+ crl_set,
+ additional_trust_anchors,
+ &chain_verify_callback,
+ verify_result);
+}
+
+// static
+SECStatus CertVerifyProcChromeOS::IsChainValidFunc(
+ void* is_chain_valid_arg,
+ const CERTCertList* current_chain,
+ PRBool* chain_ok) {
+ ChainVerifyArgs* args = static_cast<ChainVerifyArgs*>(is_chain_valid_arg);
+ CERTCertificate* cert = CERT_LIST_TAIL(current_chain)->cert;
+
+ if (net::TestRootCerts::HasInstance()) {
+ net::TestRootCerts* root_certs = net::TestRootCerts::GetInstance();
+ if (root_certs->Contains(cert)) {
Ryan Sleevi 2014/01/30 05:27:40 At least here, you can short change with net::Test
mattm 2014/02/04 05:31:21 Done.
+ *chain_ok = PR_TRUE;
Ryan Sleevi 2014/01/30 05:27:40 Add a comment explaining why this check and short-
mattm 2014/02/04 05:31:21 Done.
+ return SECSuccess;
+ }
+ }
+
+ for (net::CertificateList::const_iterator i =
+ args->additional_trust_anchors.begin();
+ i != args->additional_trust_anchors.end();
+ ++i) {
+ if (net::X509Certificate::IsSameOSCert(cert, (*i)->os_cert_handle())) {
+ *chain_ok = PR_TRUE;
Ryan Sleevi 2014/01/30 05:27:40 Ditto for adding comment explaining why
mattm 2014/02/04 05:31:21 Done.
+ return SECSuccess;
+ }
+ }
+
+ // TODO(mattm): If crbug.com/334384 is fixed to allow setting trust
+ // properly when the same cert is in multiple slots, this would also need
+ // updating to check the per-slot trust values.
+ *chain_ok = args->cert_verify_proc->profile_filter_.IsCertAllowed(cert)
+ ? PR_TRUE
+ : PR_FALSE;
+ return SECSuccess;
+}
+
+} // namespace chromeos
« chrome/browser/chromeos/net/cert_verify_proc_chromeos.h ('K') | « chrome/browser/chromeos/net/cert_verify_proc_chromeos.h ('k') | chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc » ('j') | chrome/browser/chromeos/net/cert_verify_proc_chromeos_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698