Check whether or not a certificate is self-signed.

net/cert/x509_certificate_openssl.cc

Index: net/cert/x509_certificate_openssl.cc
diff --git a/net/cert/x509_certificate_openssl.cc b/net/cert/x509_certificate_openssl.cc
index 91501f84ecd8cb2d91354cdf47f38c2c54101b71..6ca32cca8a65cd39b05cb453008c380f210b3ad4 100644
--- a/net/cert/x509_certificate_openssl.cc
+++ b/net/cert/x509_certificate_openssl.cc
@@ -14,6 +14,7 @@
 #include <openssl/x509v3.h>
 
 #include "base/memory/singleton.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/strings/string_number_conversions.h"
@@ -36,6 +37,7 @@ namespace {
 
 typedef crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>::Type
     ScopedGENERAL_NAMES;
+typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
 
 void CreateOSCertHandlesFromPKCS7Bytes(
     const char* data, int length,
@@ -449,4 +451,24 @@ bool X509Certificate::IsIssuedByEncoded(
   return false;
 }
 
+// static
+bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
+  std::string der_cert;
+  if (!GetDEREncoded(cert_handle, &der_cert))
+    return false;
+
+  const unsigned char* cert_data =
+      reinterpret_cast<const unsigned char*>(der_cert.data());
+  int cert_data_len = base::checked_cast<int>(der_cert.size());
+  ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len));
+  crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle));
+  if (!scoped_key)
+    return false;
+  DCHECK(scoped_key.get());
+  EVP_PKEY* key = scoped_key.get();
+
+  // NOTE: X509_verify() returns 1 in case of success, 0 or -1 on error.
+  return X509_verify(cert.get(), key) == 1;
+}
+
 }  // namespace net