
Unified Diff: net/base/x509_certificate_mac.cc

Issue 6793041: net: add ability to distinguish user-added root CAs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 8 months ago
Index: net/base/x509_certificate_mac.cc
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 4cecb50cc211a2969d133621bee2c1858120893f..9f995660a4ab89f3cc38e2993f3858c1227bb564 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -14,15 +14,17 @@
#include "base/crypto/rsa_private_key.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
+#include "base/mac/scoped_cftyperef.h"
#include "base/memory/singleton.h"
#include "base/nss_util.h"
#include "base/pickle.h"
-#include "base/mac/scoped_cftyperef.h"
+#include "base/sha1.h"
#include "base/sys_string_conversions.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_verify_result.h"
#include "net/base/net_errors.h"
#include "net/base/test_root_certs.h"
+#include "net/base/x509_certificate_mac_known_hashes.h"
#include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h"
using base::mac::ScopedCFTypeRef;
@@ -514,6 +516,19 @@ void X509Certificate::Initialize() {
serial_number_ = GetCertSerialNumber(cert_handle_);
}
+// IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
+// that we recognise as a standard root.
+bool X509Certificate::IsIssuedByKnownRoot(CFArrayRef chain) {
+ int n = CFArrayGetCount(chain);
+ if (n < 1)
+ return true;
+ SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
+ const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
+ SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(root_ref);
+ return X509Certificate::IsSHA1HashInSortedArray(
wtc 2011/04/07 05:01:54 Can we omit X509Certificate:: in this method?
agl 2011/04/07 15:02:49 Done.
+ hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
+}
+
// static
X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle,
void** pickle_iter) {
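Review bot: `int n = CFArrayGetCount(chain);` narrows the CFIndex (a signed long) that CFArrayGetCount returns; `CFIndex n = CFArrayGetCount(chain);` keeps the type exact and drops the implicit conversion. The `n < 1` branch classifies an empty chain as issued by a known root, which is presumably the intended fail-closed direction for any check gated on this flag, but it should say so explicitly, e.g. `// An empty chain is treated as known-root so that checks gated on this flag still apply.` The function also assumes the last element of `chain` is the anchor, which holds only for a completed chain, and the header comment could state that precondition. `sizeof(kKnownRootCertSHA1Hashes)` passes a byte count to IsSHA1HashInSortedArray; whether that helper expects bytes or a number of entries is not visible here and is worth confirming against its declaration.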
@@ -789,6 +804,8 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
return NetErrorFromOSStatus(status);
ScopedCFTypeRef<CFArrayRef> scoped_completed_chain(completed_chain);
+ verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
+
// Evaluate the results
OSStatus cssm_result;
bool got_certificate_error = false;
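Review bot: `verify_result->is_issued_by_known_root` is computed from `completed_chain` before the evaluation results below are examined, so the flag is populated even when Verify later reports a certificate error; if callers only consult it on success this is fine, but a comment such as `// Computed on the completed chain regardless of the trust outcome evaluated below.` would make the ordering deliberate. Verify's body starts and ends outside this hunk.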
