Mark DigiNotar as untrusted

net/base/x509_certificate.cc

Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index c4a7f5113322d3ba41a1f8fb2b669b5869238b2e..615c5ea792f5c6ce80e15d1b4a45222eff949dc2 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -591,7 +591,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
 
   int rv = VerifyInternal(hostname, flags, verify_result);
 
-  // If needed, do any post-validation here.
+  if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
+    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+    rv = ERR_CERT_AUTHORITY_INVALID;

[wtc, 2011/08/30 00:02:44]

This line should say:
    rv = MapCertStatusToNetError(verify_result->cert_status);

MapCertStatusToNetError picks the most serious error from
the error bits in verify_result->cert_status.

This way we won't lose the ERR_CERT_REVOKED error if it's
reported by the VerifyInternal() call.

You should add a comment to explain why you are calling
IsPublicKeyBlacklisted after VerifyInternal, in contrast
to the IsBlacklisted call above.  I believe you want Chrome
to hit the CA's OCSP responder.

[agl, 2011/08/30 00:13:48]

Done.

+  }
+
   return rv;
 }
 
@@ -689,6 +693,28 @@ bool X509Certificate::IsBlacklisted() const {
 }
 
 // static
+bool X509Certificate::IsPublicKeyBlacklisted(
+    const std::vector<SHA1Fingerprint>& public_key_hashes) {
+  static const unsigned kNumHashes = 1;
+  static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
+    // CN=DigiNotar Root CA/emailAddress=info@diginotar.nl

[wtc, 2011/08/30 00:02:44]

Nit: you can probably omit the emailAddress component of the
subject name.  Chrome displays the subject name as follows:

E = info@diginotar.nl
CN = DigiNotar Root CA
O = DigiNotar
C = NL

So the complete subject name also has O= and C= components.

[agl, 2011/08/30 00:13:48]

Done.

+    {0x41,0x0f,0x36,0x36,0x32,0x58,0xf3,0x0b,0x34,0x7d,
+     0x12,0xce,0x48,0x63,0xe4,0x33,0x43,0x78,0x06,0xa8},

[wtc, 2011/08/30 00:02:44]

Nit: add a space between the bytes (unless they make the line
longer than 80 characters).

[agl, 2011/08/30 00:13:48]

Done.

+  };
+
+  for (unsigned i = 0; i < kNumHashes; i++) {
+    for (std::vector<SHA1Fingerprint>::const_iterator
+         j = public_key_hashes.begin(); j != public_key_hashes.end(); j++) {

[wtc, 2011/08/30 00:02:44]

Nit: j++ => ++j

Nit: omit the curly braces on line 708 and line 710, around
the one-line if statement.

[agl, 2011/08/30 00:13:48]

Done.

+      if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
+// static
 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
                                               const uint8* array,
                                               size_t array_byte_len) {