Index: net/cert/cert_verify_proc_nss.cc |
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc |
index 27558f79d36a4a73e1010cf975d53357b083e47f..47c508be81479bcfc5fa3e61d76fa12d280a7ac4 100644 |
--- a/net/cert/cert_verify_proc_nss.cc |
+++ b/net/cert/cert_verify_proc_nss.cc |
@@ -152,7 +152,7 @@ CertStatus MapCertErrorToCertStatus(int err) { |
// *verify_result. The caller MUST initialize *verify_result before calling |
// this function. |
// Note that cert_list[0] is the end entity certificate. |
-void GetCertChainInfo(CERTCertList* cert_list, |
+bool GetCertChainInfo(CERTCertList* cert_list, |
CERTCertificate* root_cert, |
CertVerifyResult* verify_result) { |
DCHECK(cert_list); |
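Review bot: The header comment above `GetCertChainInfo` still describes only the out-parameter and says nothing about the new `bool` result. In the later hunk, `return false` comes before the assignment to `verify_result->verified_cert`, so that field keeps whatever the caller initialized it with on failure. I would add to the comment: `// Returns false if the chain cannot be converted to an X509Certificate; in that case verify_result->verified_cert is left unchanged.` The function body continues outside this hunk, so whether other fields of `*verify_result` are already written by then cannot be confirmed from here.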
@@ -195,8 +195,13 @@ void GetCertChainInfo(CERTCertList* cert_list, |
if (root_cert) |
verified_chain.push_back(root_cert); |
- verify_result->verified_cert = |
+ |
+ scoped_refptr<X509Certificate> verified_cert_with_chain = |
X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
+ if (!verified_cert_with_chain) |
+ return false; |
+ verify_result->verified_cert = std::move(verified_cert_with_chain); |
+ return true; |
} |
// IsKnownRoot returns true if the given certificate is one that we believe |
@@ -879,9 +884,11 @@ int CertVerifyProcNSS::VerifyInternalImpl( |
trust_anchors.get(), |
cvout[cvout_trust_anchor_index].value.pointer.cert); |
- GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
- cvout[cvout_trust_anchor_index].value.pointer.cert, |
- verify_result); |
+ if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
+ cvout[cvout_trust_anchor_index].value.pointer.cert, |
+ verify_result)) { |
+ verify_result->cert_status |= CERT_STATUS_INVALID; |
+ } |
} |
CRLSetResult crl_set_result = kCRLSetUnknown; |
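Review bot: The failure branch at the `GetCertChainInfo` call only ORs `CERT_STATUS_INVALID` into `verify_result->cert_status`. Whether `VerifyInternalImpl` then fails closed depends on code after this hunk mapping that status to an error return, which is not visible here and should be confirmed. Because `verify_result->verified_cert` is not replaced on this path, a comment in the branch would help later readers, e.g. `// Chain conversion failed: verified_cert is left as initialized and must not be treated as the validated chain.` A unit test that forces `X509Certificate::CreateFromHandle` to fail and asserts the returned error code would pin the intended behaviour. The enclosing block starts before the hunk.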