Chromium Code Reviews

Unified Diff: trunk/src/net/cert/cert_verify_proc_nss.cc

Issue 18414004: Revert 209515 "Reland http://crrev.com/209278" (Closed) Base URL: svn://svn.chromium.org/chrome/
Patch Set: Created 7 years, 6 months ago
Index: trunk/src/net/cert/cert_verify_proc_nss.cc
===================================================================
--- trunk/src/net/cert/cert_verify_proc_nss.cc (revision 209533)
+++ trunk/src/net/cert/cert_verify_proc_nss.cc (working copy)
@@ -158,6 +158,10 @@
void GetCertChainInfo(CERTCertList* cert_list,
CERTCertificate* root_cert,
CertVerifyResult* verify_result) {
+ // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the
+ // NSS version currently in use:
+ // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)
+ // 2. use ident libnss3.so* for the library's version
DCHECK(cert_list);
CERTCertificate* verified_cert = NULL;
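Review bot: the comment added at the top of GetCertChainInfo states that NSS before 3.12.3.1 crashes further down in this function, but nothing in the hunk enforces that minimum version; consider a `DCHECK(NSS_VersionCheck("3.12.3.1"))` at the point the comment describes (or a single minimum-version check at NSS initialization) so the failure surfaces as a readable assertion instead of a crash inside NSS. The manual ldd/ident recipe is useful but belongs in a bug or wiki rather than a code comment that will drift; also "ie." should read "i.e.".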
@@ -342,6 +346,31 @@
bool use_crl = check_revocation;
bool use_ocsp = check_revocation;
+ // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.
+ // 1. NSS may use one key to verify a CRL signed with another key,
+ // incorrectly concluding that the CRL's signature is invalid.
+ // Hopefully this bug will be fixed in NSS 3.12.9.
+ // 2. NSS considers all certificates issued by the CA as revoked when it
+ // receives a CRL with an invalid signature. This overly strict policy
+ // has been relaxed in NSS 3.12.7. See
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=562542.
+ // So we have to turn off CRL checking for these CAs. See
+ // http://crbug.com/55695.
+ static const char* const kMultipleKeyCA[] = {
+ "CN=Microsoft Secure Server Authority,"
+ "DC=redmond,DC=corp,DC=microsoft,DC=com",
+ "CN=Microsoft Secure Server Authority",
+ };
+
+ if (!NSS_VersionCheck("3.12.7")) {
+ for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) {
+ if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) {
+ use_crl = false;
+ break;
+ }
+ }
+ }
+
PRUint64 revocation_method_flags =
CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
CERT_REV_M_ALLOW_NETWORK_FETCHING |
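Review bot: the version gate in this hunk does not match its own comment. The comment says bug 1 (NSS picking the wrong key to verify the CRL) is only hoped to be fixed in 3.12.9, yet the workaround is skipped for any NSS at or above 3.12.7. That is defensible only because bug 2 (treating every certificate from the CA as revoked on a bad CRL signature) was relaxed in 3.12.7, so from that release onward bug 1 degrades to an unusable CRL rather than a false revocation; the comment should state that reasoning explicitly, otherwise the next reader will "fix" the threshold to 3.12.9. Two smaller points: `cert_handle` and `arraysize` are not declared in the visible context, so confirm the relevant declaration and base/basictypes.h are already present in this file; and the `strcmp` is an exact byte match on `issuerName`, so it covers only the two DN spellings listed and silently keeps CRL checking on for any other encoding of the same issuer, which is safe (fail toward checking) but worth a one-line note.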
