Index: net/base/x509_certificate.cc |
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc |
index c4a7f5113322d3ba41a1f8fb2b669b5869238b2e..615c5ea792f5c6ce80e15d1b4a45222eff949dc2 100644 |
--- a/net/base/x509_certificate.cc |
+++ b/net/base/x509_certificate.cc |
@@ -591,7 +591,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags, |
int rv = VerifyInternal(hostname, flags, verify_result); |
- // If needed, do any post-validation here. |
+ if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
+ verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
+ rv = ERR_CERT_AUTHORITY_INVALID; |
wtc
2011/08/30 00:02:44
This line should say:
rv = MapCertStatusToNetE
agl
2011/08/30 00:13:48
Done.
|
+ } |
+ |
return rv; |
} |
@@ -689,6 +693,28 @@ bool X509Certificate::IsBlacklisted() const { |
} |
// static |
+bool X509Certificate::IsPublicKeyBlacklisted( |
+ const std::vector<SHA1Fingerprint>& public_key_hashes) { |
+ static const unsigned kNumHashes = 1; |
+ static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = { |
+ // CN=DigiNotar Root CA/emailAddress=info@diginotar.nl |
wtc
2011/08/30 00:02:44
Nit: you can probably omit the emailAddress compon
agl
2011/08/30 00:13:48
Done.
|
+ {0x41,0x0f,0x36,0x36,0x32,0x58,0xf3,0x0b,0x34,0x7d, |
+ 0x12,0xce,0x48,0x63,0xe4,0x33,0x43,0x78,0x06,0xa8}, |
wtc
2011/08/30 00:02:44
Nit: add a space between the bytes (unless they ma
agl
2011/08/30 00:13:48
Done.
|
+ }; |
+ |
+ for (unsigned i = 0; i < kNumHashes; i++) { |
+ for (std::vector<SHA1Fingerprint>::const_iterator |
+ j = public_key_hashes.begin(); j != public_key_hashes.end(); j++) { |
wtc
2011/08/30 00:02:44
Nit: j++ => ++j
Nit: omit the curly braces on lin
agl
2011/08/30 00:13:48
Done.
|
+ if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0) { |
+ return true; |
+ } |
+ } |
+ } |
+ |
+ return false; |
+} |
+ |
+// static |
bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
const uint8* array, |
size_t array_byte_len) { |