Chromium Code Reviews

Issue 545103: Work around the SEC_ERROR_POLICY_VALIDATION_FAILED error from... (Closed)

Created:
10 years, 11 months ago by wtc
Modified:
9 years, 7 months ago
Reviewers:
eroman, Evan Martin
CC:
chromium-reviews, darin (slow to review)
Visibility:
Public.

Description

Do not use cert_pi_useAIACertFetch by default. Use it only when we are likely to be missing intermediate CA certificates.

Work around the SEC_ERROR_POLICY_VALIDATION_FAILED error from CERT_PKIXVerifyCert by retrying CERT_PKIXVerifyCert with the certificate policy in the certificate.

Map SEC_ERROR_POLICY_VALIDATION_FAILED to ERR_CERT_INVALID if we can't work around the error.

Start the migration away from test_certificate_data.h to the certificate files in the src/net/data/ssl/certificates directory.

R=eroman
BUG=31497, 30891, 37549
TEST=A new unit test. To verify the fix for issue 31497 manually, must install the "DoD Root CA 2" certificate first (see comment 9 of bug 31497).

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=42118

Patch Set 1 #

Patch Set 2 : Polished and ready for review. #

Patch Set 3 : Add a unit test #

Patch Set 4 : Minor fixes. #

Total comments: 3

Patch Set 5 : '' #

Total comments: 2

Patch Set 6 : Use std::vector like a real C++ programmer. More refactoring. Disable new unit test for Mac. #

Patch Set 7 : Use std::vector like a real C++ programmer. More refactoring. Disable new unit test for Mac. #

Patch Set 8 : Better workaround #

Patch Set 9 : New workaround doesn't work in some cases. Revert to Patch Set 7. #

Stats (+207 lines, -163 lines)
M net/base/test_certificate_data.h: 1 chunk, +0 lines, -123 lines, 0 comments
M net/base/x509_certificate_nss.cc: 4 chunks, +141 lines, -35 lines, 0 comments
M net/base/x509_certificate_unittest.cc: 5 chunks, +66 lines, -5 lines, 0 comments

Messages

Total messages: 12 (0 generated)
ukai
LGTM
10 years, 11 months ago (2010-01-19 04:30:43 UTC) #1
Evan Martin
ping
10 years, 10 months ago (2010-02-23 10:00:03 UTC) #2
wtc
Hi Fumitoshi, Could you please review this CL again? Now it is finally ready for ...
10 years, 9 months ago (2010-03-10 03:38:49 UTC) #3
wtc
eroman: please review this CL. Thanks.
10 years, 9 months ago (2010-03-17 00:30:40 UTC) #4
eroman
I got lost in PKIXVerifyCert(), since I am not very familiar with NSS. (I will ...
10 years, 9 months ago (2010-03-17 03:08:42 UTC) #5
wtc
Eric, please review Patch Set 5. 1. The new test certificates were removed from this ...
10 years, 9 months ago (2010-03-18 01:41:23 UTC) #6
eroman
http://codereview.chromium.org/545103/diff/21001/18002 File net/base/x509_certificate_nss.cc (right): http://codereview.chromium.org/545103/diff/21001/18002#newcode327 net/base/x509_certificate_nss.cc:327: std::vector<CERTValInParam>& cvin, int cvin_index, google style doesn't allow for ...
10 years, 9 months ago (2010-03-18 19:09:46 UTC) #7
wtc
Eric, thanks for your review comments. It seems inconvenient to use push_back() in this case. ...
10 years, 9 months ago (2010-03-18 19:23:13 UTC) #8
wtc
Eric: please review Patch Set 7.
10 years, 9 months ago (2010-03-19 01:08:34 UTC) #9
eroman
lgtm, thanks for making those changes.
10 years, 9 months ago (2010-03-19 02:15:05 UTC) #10
wtc
Eric, sorry to make you review a new patch set. I found a better workaround ...
10 years, 9 months ago (2010-03-19 04:20:48 UTC) #11
wtc
10 years, 9 months ago (2010-03-19 18:03:40 UTC) #12
Eric, please ignore my latest review request.  Patch Set 8
doesn't work.
