net/cert/x509_certificate_ios.cc - Issue 1988993002: Check self-signed certificate names and signatures

Unified Diff: net/cert/x509_certificate_ios.cc

Issue 1988993002: Check self-signed certificate names and signatures (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Formatting nits Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: net/cert/x509_certificate_ios.cc

diff --git a/net/cert/x509_certificate_ios.cc b/net/cert/x509_certificate_ios.cc

index 553c63a4281a43ba93b7a6298579f9a153f0afeb..7551e52eba4f107bd13c9b3dbc254e7f38ba9169 100644

--- a/net/cert/x509_certificate_ios.cc

+++ b/net/cert/x509_certificate_ios.cc

@@ -468,7 +468,10 @@ bool X509Certificate::IsSelfSigned(OSCertHandle os_cert) {

return false;

// NOTE: X509_verify() returns 1 in case of success, 0 or -1 on error.

- return X509_verify(cert.get(), scoped_key.get()) == 1;

+ if (X509_verify(cert.get(), scoped_key.get()) != 1)

+ return false;

+ // NOTE: x509_check_issued returns X509_V_OK in case of success

Ryan Sleevi 2016/05/26 07:57:08 You don't need this NOTE (X509_verify() was the we

estark 2016/05/26 16:26:51 FWIW, I think BoringSSL actually just returns 0/1

Ryan Sleevi 2016/05/26 16:36:41 If that's the case (and the API is fixed), we shou

estark 2016/05/27 00:59:13 I was thinking that we shouldn't remove the commen

dadrian 2016/05/27 01:05:02 Done.

+ return X509_check_issued(cert.get(), cert.get()) == X509_V_OK;

}

} // namespace net

« no previous file with comments | « no previous file | net/cert/x509_certificate_nss.cc » ('j') | net/cert/x509_certificate_nss.cc » ('J')