Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1207)

Unified Diff: net/base/x509_certificate.cc

Issue 7795014: Mark DigiNotar as untrusted (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 9 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/base/x509_certificate.h ('K') | « net/base/x509_certificate.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index c4a7f5113322d3ba41a1f8fb2b669b5869238b2e..615c5ea792f5c6ce80e15d1b4a45222eff949dc2 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -591,7 +591,11 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
int rv = VerifyInternal(hostname, flags, verify_result);
- // If needed, do any post-validation here.
+ if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
+ verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+ rv = ERR_CERT_AUTHORITY_INVALID;
wtc 2011/08/30 00:02:44 This line should say: rv = MapCertStatusToNetE
agl 2011/08/30 00:13:48 Done.
+ }
+
return rv;
}
@@ -689,6 +693,28 @@ bool X509Certificate::IsBlacklisted() const {
}
// static
+bool X509Certificate::IsPublicKeyBlacklisted(
+ const std::vector<SHA1Fingerprint>& public_key_hashes) {
+ static const unsigned kNumHashes = 1;
+ static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
+ // CN=DigiNotar Root CA/emailAddress=info@diginotar.nl
wtc 2011/08/30 00:02:44 Nit: you can probably omit the emailAddress compon
agl 2011/08/30 00:13:48 Done.
+ {0x41,0x0f,0x36,0x36,0x32,0x58,0xf3,0x0b,0x34,0x7d,
+ 0x12,0xce,0x48,0x63,0xe4,0x33,0x43,0x78,0x06,0xa8},
wtc 2011/08/30 00:02:44 Nit: add a space between the bytes (unless they ma
agl 2011/08/30 00:13:48 Done.
+ };
+
+ for (unsigned i = 0; i < kNumHashes; i++) {
+ for (std::vector<SHA1Fingerprint>::const_iterator
+ j = public_key_hashes.begin(); j != public_key_hashes.end(); j++) {
wtc 2011/08/30 00:02:44 Nit: j++ => ++j Nit: omit the curly braces on lin
agl 2011/08/30 00:13:48 Done.
+ if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+// static
bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
const uint8* array,
size_t array_byte_len) {
« net/base/x509_certificate.h ('K') | « net/base/x509_certificate.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698