Index: net/cert/cert_verify_proc_ios.cc |
diff --git a/net/cert/cert_verify_proc_ios.cc b/net/cert/cert_verify_proc_ios.cc |
index 84ecd2aea84ba31730c706d83dc16c03ed414667..4706f10dc646ac38e9da56bbad9167bf450d713e 100644 |
--- a/net/cert/cert_verify_proc_ios.cc |
+++ b/net/cert/cert_verify_proc_ios.cc |
@@ -101,7 +101,7 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array, |
return OK; |
} |
-void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) { |
+bool GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) { |
DCHECK_LT(0, CFArrayGetCount(cert_chain)); |
SecCertificateRef verified_cert = nullptr; |
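Review bot: The new bool return on `GetCertChainInfo` at the changed signature line has no comment saying what false means, and nothing forces a caller to look at it. Going by the return sites visible in the later hunks, false means `verify_result->verified_cert` was not populated, so I would add above the signature `// Returns false if |verify_result->verified_cert| could not be built from |cert_chain|; callers must fail verification in that case.` If the macro is available to this file, marking the function `WARN_UNUSED_RESULT` would make a dropped result a compile-time warning rather than a silent fail-open. The function body continues outside this hunk.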
@@ -117,7 +117,7 @@ void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) { |
std::string der_bytes; |
if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes)) |
- return; |
+ return false; |
base::StringPiece spki_bytes; |
if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
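Review bot: The `ExtractSPKIFromDERCert` failure check on the last line of this hunk has its body outside the hunk, so it is not visible whether it was also changed to report failure. If that branch still skips the certificate, the function can return true while the SPKI-derived data for that certificate is missing from `verify_result`, which is inconsistent with treating a `GetDEREncoded` failure two lines earlier as fatal. Either use `return false;` there as well, or add a comment such as `// Skipping is safe here because ...` stating why an unparsable SPKI may be ignored.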
@@ -139,11 +139,12 @@ void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) { |
} |
if (!verified_cert) { |
NOTREACHED(); |
- return; |
+ return false; |
} |
verify_result->verified_cert = |
X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
+ return !!verify_result->verified_cert; |
} |
} // namespace |
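Review bot: The added `return !!verify_result->verified_cert;` is terse and does not say that `X509Certificate::CreateFromHandle` is the call whose failure is being reported. A short comment above it would make the fail-closed intent clear, for example `// CreateFromHandle() can fail; report that so the caller rejects the chain.` An explicit null comparison would also read better than `!!`, assuming the type of `verified_cert` supports one, which is not visible here. In the `!verified_cert` branch, the `return false;` after `NOTREACHED()` is worth keeping even though the branch is marked unreachable, since it is what rejects the chain if the assertion does not stop execution.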
@@ -264,7 +265,8 @@ int CertVerifyProcIOS::VerifyInternal( |
verify_result->cert_status |= GetCertFailureStatusFromTrust(trust_ref); |
} |
- GetCertChainInfo(final_chain, verify_result); |
+ if (!GetCertChainInfo(final_chain, verify_result)) |
+ return ERR_CERT_INVALID; |
eroman
2017/03/22 22:17:52
Is it necessary to set cert_status too?
mattm
2017/03/23 22:59:02
Hm, I guess setting cert_status and letting that p
|
// iOS lacks the ability to distinguish built-in versus non-built-in roots, |
// so opt to 'fail open' of any restrictive policies that apply to built-in |