
Unified Diff: components/cast_certificate/cast_crl.cc

Issue 2832703002: Allow the TrustStore interface to return matching intermediates, and identify distrusted certs. (Closed)
Patch Set: fix cert_verify_tool Created 3 years, 8 months ago
Index: components/cast_certificate/cast_crl.cc
diff --git a/components/cast_certificate/cast_crl.cc b/components/cast_certificate/cast_crl.cc
index 7d866e370884982d920e4c4285217fe5d2f323ed..e8e0595892d7642602efadc9acb979e143f9a376 100644
--- a/components/cast_certificate/cast_crl.cc
+++ b/components/cast_certificate/cast_crl.cc
@@ -70,10 +70,7 @@ class CastCRLTrustStore {
kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer), {}, &errors);
CHECK(cert) << errors.ToDebugString();
// Enforce pathlen constraints and policies defined on the root certificate.
- scoped_refptr<net::TrustAnchor> anchor =
- net::TrustAnchor::CreateFromCertificateWithConstraints(std::move(cert));
- CHECK(anchor);
- store_.AddTrustAnchor(std::move(anchor));
+ store_.AddTrustAnchorWithConstraints(std::move(cert));
}
net::TrustStoreInMemory store_;
@@ -261,7 +258,7 @@ bool CastCRLImpl::CheckRevocation(const net::CertPath& trusted_chain,
if (trusted_chain.IsEmpty())
return false;
- DCHECK(trusted_chain.trust_anchor);
+ DCHECK(trusted_chain.last_cert_trust.IsTrustAnchor());
// Check the validity of the CRL at the specified time.
net::der::GeneralizedTime verification_time;
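Review bot: The trust-anchor precondition on `trusted_chain` is enforced only by `DCHECK(trusted_chain.last_cert_trust.IsTrustAnchor())`, which is normally compiled out of release builds, so a chain whose last certificate is not an anchor would still be evaluated for revocation there. The issue title says the trust store can now also mark certificates as distrusted, so it may be worth failing closed next to the existing `IsEmpty()` guard: `if (!trusted_chain.last_cert_trust.IsTrustAnchor()) return false;`. If every caller only passes chains that came out of successful path building, a short comment stating that contract beside the DCHECK would do instead. CheckRevocation starts and ends outside this hunk, so callers are not visible here.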
@@ -274,17 +271,10 @@ bool CastCRLImpl::CheckRevocation(const net::CertPath& trusted_chain,
return false;
}
- // Check revocation. Note that this loop has "+ 1" in order to also loop
- // over the trust anchor (which is treated specially).
- for (size_t i = 0; i < trusted_chain.certs.size() + 1; ++i) {
- // This loop iterates over both certificates AND then the trust
- // anchor after exhausing the certs.
- net::der::Input spki_tlv;
- if (i == trusted_chain.certs.size()) {
- spki_tlv = trusted_chain.trust_anchor->spki();
- } else {
- spki_tlv = trusted_chain.certs[i]->tbs().spki_tlv;
- }
+ // Check revocation. This loop iterates over both certificates AND then the
+ // trust anchor after exhausting the certs.
+ for (size_t i = 0; i < trusted_chain.certs.size(); ++i) {
+ const net::der::Input& spki_tlv = trusted_chain.certs[i]->tbs().spki_tlv;
// Calculate the public key's hash to check for revocation.
std::string spki_hash = crypto::SHA256HashString(spki_tlv.AsString());
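Review bot: The rewritten comment still says the loop visits the certificates "AND then the trust anchor after exhausting the certs", but the loop now only walks `trusted_chain.certs` and the special case for the anchor is gone. Presumably the anchor is now the last element of `certs` (consistent with `last_cert_trust` in the previous hunk), but that is not visible here, and if it does not hold the root's SPKI would no longer be checked against the CRL. I would state the invariant directly, e.g. `// Check revocation. |certs| includes the trust anchor as its final entry, so the anchor's SPKI hash is checked as well.`, and confirm a test covers a revoked root SPKI. The loop body continues past the end of this hunk.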
