Index: net/http/http_stream_factory_impl_job.cc |
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc |
index d50d24fe13707a6db60bb9cf4537ce6273b2a6aa..f481c9d0975136928b47e556bf6ba119c846fe64 100644 |
--- a/net/http/http_stream_factory_impl_job.cc |
+++ b/net/http/http_stream_factory_impl_job.cc |
@@ -1528,6 +1528,30 @@ int HttpStreamFactoryImpl::Job::HandleCertificateError(int error) { |
load_flags |= LOAD_IGNORE_ALL_CERT_ERRORS; |
if (ssl_socket->IgnoreCertError(error, load_flags)) |
return OK; |
+ |
+ // Ignore errors for certificates that chain up to switch-whitelisted certs. |
+ if (!session_->params().ignore_certificate_error_spki_list.empty()) { |
+ // TODO(martinkr): Should we also include check the chain constructed by NSS |
+ // in case validation was successful (i.e. ssl_config_.public_key_hashes)? |
Ryan Sleevi
2017/03/16 23:19:14
I'm not sure why we would - but did I miss somethi
martinkr
2017/03/28 23:16:02
I guess it might be possible that the cert validat
|
+ HashValueVector hashes; |
+ hashes.push_back( |
+ HashValue(net::X509Certificate::CalculatePublicKeyHashSHA256( |
+ ssl_info_.unverified_cert->os_cert_handle()))); |
+ for (const net::X509Certificate::OSCertHandle& intermediate : |
+ ssl_info_.unverified_cert->GetIntermediateCertificates()) { |
+ hashes.push_back(HashValue( |
+ // Does this need a non-NSS implementation? |
+ net::X509Certificate::CalculatePublicKeyHashSHA256(intermediate))); |
+ } |
+ for (const HashValue& hash : hashes) { |
+ const std::string spki = hash.ToString().substr(7); // Strip 'sha256/'. |
Ryan Sleevi
2017/03/16 23:19:14
This ends up forcing multiple string allocation/co
martinkr
2017/03/28 23:16:02
I just assumed these sets to be tiny in all cases,
|
+ if (session_->params().ignore_certificate_error_spki_list.find(spki) != |
+ session_->params().ignore_certificate_error_spki_list.end()) { |
+ return OK; |
+ } |
+ } |
+ } |
+ |
return error; |
} |