Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(205)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/base/x509_certificate_nss.cc

Issue 6793041: net: add ability to distinguish user-added root CAs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/base/x509_certificate_mac.cc ('K') | « net/base/x509_certificate_mac_known_roots.h ('k') | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/x509_certificate_nss.cc
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index d71381ac7bf1547958775979bb8b890eebd73115..aa54d3b3492f2fdbdc3d7da9354d0ae8ce30cf6a 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -203,6 +203,18 @@ void GetCertChainInfo(CERTCertList* cert_list,
}
}
+// IsBuiltinRoot returns true if the given certificate is one that we believe
+// is a standard (as opposed to user-installed) root.
+bool IsBuiltinRoot(CERTCertificate* root) {
wtc 2011/04/07 05:01:54 Please change this back to IsKnownRoot for consist
agl 2011/04/07 15:02:49 Done.
+ if (!root->slot)
+ return true;
wtc 2011/04/07 05:01:54 BUG: this should still return false.
agl 2011/04/07 15:02:49 I'm not sure that it should. In the event of an er
+
+ // This magic name is taken from
+ // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
+ return 0 == strcmp(PK11_GetSlotName(root->slot),
+ "NSS Builtin Objects");
+}
+
typedef char* (*CERTGetNameFunc)(CERTName* name);
void ParsePrincipal(CERTName* name,
@@ -769,11 +781,14 @@ int X509Certificate::Verify(const std::string& hostname,
CERTValOutParam cvout[3];
int cvout_index = 0;
- // We don't need the trust anchor for the first PKIXVerifyCert call.
cvout[cvout_index].type = cert_po_certList;
cvout[cvout_index].value.pointer.chain = NULL;
int cvout_cert_list_index = cvout_index;
cvout_index++;
+ cvout[cvout_index].type = cert_po_trustAnchor;
+ cvout[cvout_index].value.pointer.cert = NULL;
+ int cvout_trust_anchor_index = cvout_index;
+ cvout_index++;
cvout[cvout_index].type = cert_po_end;
ScopedCERTValOutParam scoped_cvout(cvout);
@@ -808,6 +823,9 @@ int X509Certificate::Verify(const std::string& hostname,
if (IsCertStatusError(verify_result->cert_status))
return MapCertStatusToNetError(verify_result->cert_status);
+ verify_result->is_issued_by_known_root =
+ IsBuiltinRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
+
if ((flags & VERIFY_EV_CERT) && VerifyEV())
verify_result->cert_status |= CERT_STATUS_IS_EV;
return OK;
« net/base/x509_certificate_mac.cc ('K') | « net/base/x509_certificate_mac_known_roots.h ('k') | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698