diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-09-25 16:48:27 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-09-25 16:48:27 +0000 |
| commit | f3713446e406bc6ae34a2d872909dbfdf1ff2f02 (patch) | |
| tree | 1029eb4ebe5197fd7d12e81fa7593d16f3ce5eb1 /net/base | |
| parent | 4fb2f11929213712d0059d74ba008c1964fc0932 (diff) | |
| download | chromium_src-f3713446e406bc6ae34a2d872909dbfdf1ff2f02.zip chromium_src-f3713446e406bc6ae34a2d872909dbfdf1ff2f02.tar.gz chromium_src-f3713446e406bc6ae34a2d872909dbfdf1ff2f02.tar.bz2 | |
Turn off CRL checking for CAs that have multiple keys to work around
bugs in CRL handling in NSS 3.12.6 and older.
R=agl
BUG=53334
TEST=On a Linux computer with NSS 3.12.6, such as Ubuntu 10.04 Lucid,
visit https://outlook.com and then visit https://msdn.microsoft.com.
Chrome should not report the "certificate is revoked" error.
Review URL: http://codereview.chromium.org/3391024
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60581 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
| -rw-r--r-- | net/base/x509_certificate_nss.cc | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc index e7c168f..00880022 100644 --- a/net/base/x509_certificate_nss.cc +++ b/net/base/x509_certificate_nss.cc @@ -310,6 +310,31 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, bool use_crl = check_revocation; bool use_ocsp = check_revocation; + // These CAs have multiple keys, which trigger two bugs in NSS's CRL code. + // 1. NSS may use one key to verify a CRL signed with another key, + // incorrectly concluding that the CRL's signature is invalid. + // Hopefully this bug will be fixed in NSS 3.12.9. + // 2. NSS considers all certificates issued by the CA as revoked when it + // receives a CRL with an invalid signature. This overly strict policy + // has been relaxed in NSS 3.12.7. See + // https://bugzilla.mozilla.org/show_bug.cgi?id=562542. + // So we have to turn off CRL checking for these CAs. See + // http://crbug.com/55695. + static const char* const kMultipleKeyCA[] = { + "CN=Microsoft Secure Server Authority," + "DC=redmond,DC=corp,DC=microsoft,DC=com", + "CN=Microsoft Secure Server Authority", + }; + + if (!NSS_VersionCheck("3.12.7")) { + for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) { + if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) { + use_crl = false; + break; + } + } + } + PRUint64 revocation_method_flags = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | CERT_REV_M_ALLOW_NETWORK_FETCHING | |