authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-01 09:10:08 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-11-01 09:10:08 +0000
commit355217914277da1e0370031fa5ebabe1ce4cf500 (patch)
treea880df1aaeaf0d404d3bdd7eca1c2b4c6035e722 /net/base
parent0c9b0f527a876fd385e396442b6ca87f19b68aca (diff)
Consider the signature algorithms of incomplete chains on Windows
R=wtc@chromium.org BUG=101123 Review URL: http://codereview.chromium.org/8382026 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108082 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r--net/base/x509_certificate_unittest.cc4
-rw-r--r--net/base/x509_certificate_win.cc23
2 files changed, 18 insertions, 9 deletions
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 52a6980..4d8b719 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1641,11 +1641,9 @@ const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
{ NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
false, false, true, false, true },
};
-// Disabled on Windows - http://crbug.com/101123. The Windows implementation
-// does not report the status of the last intermediate for incomplete chains.
// Disabled on NSS - libpkix does not return constructed chains on error,
// preventing us from detecting/inspecting the verified chain.
-#if defined(OS_WIN) || defined(USE_NSS)
+#if defined(USE_NSS)
#define MAYBE_VerifyIncompleteIntermediate \
DISABLED_VerifyIncompleteIntermediate
#else
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 4f27836..4f0d40c 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -330,11 +330,22 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
PCCERT_CONTEXT verified_cert = NULL;
std::vector<PCCERT_CONTEXT> verified_chain;
+ bool has_root_ca = num_elements > 1 &&
+ !(chain_context->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_PARTIAL_CHAIN);
+
// Each chain starts with the end entity certificate (i = 0) and ends with
- // the root CA certificate (i = num_elements - 1). Do not inspect the
- // signature algorithm of the root CA certificate because the signature on
- // the trust anchor is not important.
- for (int i = 0; i < num_elements - 1; ++i) {
+ // either the root CA certificate or the last available intermediate. If a
+ // root CA certificate is present, do not inspect the signature algorithm of
+ // the root CA certificate because the signature on the trust anchor is not
+ // important.
+ if (has_root_ca) {
+ // If a full chain was constructed, regardless of whether it was trusted,
+ // don't inspect the root's signature algorithm.
+ num_elements -= 1;
+ }
+
+ for (int i = 0; i < num_elements; ++i) {
PCCERT_CONTEXT cert = element[i]->pCertContext;
if (i == 0) {
verified_cert = cert;
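Review bot: The `num_elements > 1` term in `has_root_ca` changes behaviour for a complete chain whose single element is itself the trust anchor: `has_root_ca` is false, so the loop now runs for i == 0 and inspects the self-signature of the anchor (and sets `verified_cert`), whereas the old `i < num_elements - 1` loop skipped it — the opposite of what the new comment says about not inspecting a trust anchor's signature. If that is intended (e.g. so `verified_cert` is populated for a directly trusted self-signed certificate), the guard deserves a comment such as `// A one-element, non-partial chain is the anchor itself; it is still inspected so verified_cert gets populated.`; if not, `has_root_ca` could be computed from `CERT_TRUST_IS_PARTIAL_CHAIN` alone, which restores the old skip for that case. Whether a one-element non-partial chain can actually reach this code depends on the caller, which is outside the hunk. GetCertChainInfo's body starts before and continues after this hunk.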
@@ -361,8 +372,8 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
if (verified_cert) {
// Add the root certificate, if present, as it was not added above.
- if (num_elements > 1)
- verified_chain.push_back(element[num_elements - 1]->pCertContext);
+ if (has_root_ca)
+ verified_chain.push_back(element[num_elements]->pCertContext);
verify_result->verified_cert =
X509Certificate::CreateFromHandle(verified_cert, verified_chain);
}
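Review bot: `element[num_elements]` only indexes the root because the earlier hunk decremented `num_elements` under the same `has_root_ca` condition; nothing at this site says so, and a future edit to either half silently breaks the other. A short comment here would pin the invariant, e.g. `// num_elements was reduced by one above when has_root_ca is set, so element[num_elements] is the root that the loop skipped.` Alternatively, keeping `num_elements` unmodified and introducing a separate `last_inspected` bound for the loop would remove the coupling entirely. The enclosing function continues past the end of this hunk.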