Index: net/cert/cert_verify_proc_openssl.cc |
diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc |
index 13a19d8e16322329c01a24395f2f30ddf7c2520f..73fa97214d4129cbadeeb1047742b8cfe3e08589 100644 |
--- a/net/cert/cert_verify_proc_openssl.cc |
+++ b/net/cert/cert_verify_proc_openssl.cc |
@@ -109,8 +109,11 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx, |
// Set verify_result->verified_cert and |
// verify_result->is_issued_by_known_root. |
if (verified_cert) { |
- verify_result->verified_cert = |
+ scoped_refptr<X509Certificate> verified_cert_with_chain = |
X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
+ if (!verified_cert_with_chain) |
+ return false; |
+ verify_result->verified_cert = std::move(verified_cert_with_chain); |
// For OpenSSL builds, only certificates used for unit tests are treated |
// as not issued by known roots. The only way to determine whether a |
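Review bot: The new early `return false` leaves `verify_result->verified_cert` unassigned, and nothing visible in this hunk documents that contract for callers. The hunk header still shows the old `void GetCertChainInfo(` signature, so the return-type change and the start of the function body are outside this hunk. A comment above the function would help, for example `// Returns false if the verified chain cannot be converted to an X509Certificate; |verify_result->verified_cert| is not set in that case.` That tells callers to check the result before reading `verified_cert`.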
@@ -129,6 +132,7 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx, |
verify_result->is_issued_by_known_root = false; |
} |
} |
+ return true; |
} |
void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, |
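Review bot: The added `return true` is also reached when the `if (verified_cert)` guard from the first hunk is false, so the function reports success even though `verify_result->verified_cert` was never assigned. Whether the chain can be empty at this point is not visible here. If it can, the caller cannot tell that case from a successful conversion, and `if (!verified_cert) return false;` before the guard would make the result fail closed. If it cannot, a short comment stating that invariant next to the guard would settle the question.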
@@ -212,7 +216,8 @@ int CertVerifyProcOpenSSL::VerifyInternal( |
verify_result->cert_status |= cert_status; |
} |
- GetCertChainInfo(ctx.get(), verify_result); |
+ if (!GetCertChainInfo(ctx.get(), verify_result)) |
+ verify_result->cert_status |= CERT_STATUS_INVALID; |
AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); |
if (IsCertStatusError(verify_result->cert_status)) |
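Review bot: The failure branch sets `CERT_STATUS_INVALID` without saying why that status was chosen, and `AppendPublicKeyHashes` still runs afterwards on a result whose `verified_cert` was not set. Mapping the failure to an error status is the right direction, assuming the `IsCertStatusError` branch (its body is outside this hunk) turns it into a verification error. A comment such as `// A chain that cannot be converted to an X509Certificate is treated as an invalid certificate so verification fails closed.` would record the intent. A unit test that forces `X509Certificate::CreateFromHandle` to fail would pin the behaviour.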