Mark DigiNotar as untrusted

net/base/x509_certificate.cc

Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index c4a7f5113322d3ba41a1f8fb2b669b5869238b2e..b38081686c95a63d114aedafd3ae56418df4088c 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -591,7 +591,13 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
 
   int rv = VerifyInternal(hostname, flags, verify_result);
 
-  // If needed, do any post-validation here.
+  // This check is done after VerifyInternal so that VerifyInternal can fill in
+  // the list of public key hashes.
+  if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
+    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+    rv = MapCertStatusToNetError(verify_result->cert_status);
+  }
+
   return rv;
 }
 
@@ -689,6 +695,27 @@ bool X509Certificate::IsBlacklisted() const {
 }
 
 // static
+bool X509Certificate::IsPublicKeyBlacklisted(
+    const std::vector<SHA1Fingerprint>& public_key_hashes) {
+  static const unsigned kNumHashes = 1;
+  static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
+    // CN=DigiNotar Root CA
+    {0x41, 0x0f, 0x36, 0x36, 0x32, 0x58, 0xf3, 0x0b, 0x34, 0x7d,
+     0x12, 0xce, 0x48, 0x63, 0xe4, 0x33, 0x43, 0x78, 0x06, 0xa8},
+  };
+
+  for (unsigned i = 0; i < kNumHashes; i++) {
+    for (std::vector<SHA1Fingerprint>::const_iterator
+         j = public_key_hashes.begin(); j != public_key_hashes.end(); ++j) {
+      if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0)
+        return true;
+    }
+  }
+
+  return false;
+}
+
+// static
 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
                                               const uint8* array,
                                               size_t array_byte_len) {