net/base/x509_certificate_nss.cc - Issue 6793041: net: add ability to distinguish user-added root CAs.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/base/x509_certificate_nss.cc

Issue 6793041: net: add ability to distinguish user-added root CAs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 9 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/base/x509_certificate_nss.cc

diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc

index d71381ac7bf1547958775979bb8b890eebd73115..928883511467ca50a23b8d71ca460bad92b7c3e6 100644

--- a/net/base/x509_certificate_nss.cc

+++ b/net/base/x509_certificate_nss.cc

@@ -203,6 +203,18 @@ void GetCertChainInfo(CERTCertList* cert_list,

}

+// IsKnownRoot returns true if the given certificate is one that we believe is

+// a standard (as opposed to user-installed) root.

+static bool IsKnownRoot(CERTCertificate* root) {

wtc 2011/04/06 04:28:38 Remove 'static', because this is in the unnamed na

agl 2011/04/06 19:02:02 Done.

+ if (!root->slot)

+ return false;

+ // This magic name is taken from

+ // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79

+ return 0 == strcmp(PK11_GetSlotName(root->slot),

+ "NSS Builtin Objects");

typedef char* (*CERTGetNameFunc)(CERTName* name);

void ParsePrincipal(CERTName* name,

@@ -774,6 +786,10 @@ int X509Certificate::Verify(const std::string& hostname,

cvout[cvout_index].value.pointer.chain = NULL;

int cvout_cert_list_index = cvout_index;

cvout_index++;

+ cvout[cvout_index].type = cert_po_trustAnchor;

+ cvout[cvout_index].value.pointer.cert = NULL;

+ int cvout_trust_anchor_index = cvout_index;

+ cvout_index++;

cvout[cvout_index].type = cert_po_end;

ScopedCERTValOutParam scoped_cvout(cvout);

@@ -808,6 +824,9 @@ int X509Certificate::Verify(const std::string& hostname,

if (IsCertStatusError(verify_result->cert_status))

return MapCertStatusToNetError(verify_result->cert_status);

+ verify_result->is_probably_mitm_cert =

+ !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);

if ((flags & VERIFY_EV_CERT) && VerifyEV())

verify_result->cert_status |= CERT_STATUS_IS_EV;

return OK;

« net/base/x509_certificate_mac.cc ('K') | « net/base/x509_certificate_mac.cc ('k') | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')