diff options
| author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-01 23:23:37 +0000 |
|---|---|---|
| committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-07-01 23:23:37 +0000 |
| commit | ec27c0de4e9c1054f2d7faed2dae910ef5b88f17 (patch) | |
| tree | de709d2f1141ca53a4429017bbd6151813882b79 /net/cert/cert_verify_proc_nss.cc | |
| parent | 5b6838b421fe7e4d4bcd027035f049164901591d (diff) | |
| download | chromium_src-ec27c0de4e9c1054f2d7faed2dae910ef5b88f17.zip chromium_src-ec27c0de4e9c1054f2d7faed2dae910ef5b88f17.tar.gz chromium_src-ec27c0de4e9c1054f2d7faed2dae910ef5b88f17.tar.bz2 | |
Revert 209515 "Reland http://crrev.com/209278"
> Reland http://crrev.com/209278
>
> Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2
>
> Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still
> ships 4.9.2 on stable, so this is the lower bound.
>
> 3.14.3 contains a number of important security fixes, and support for
> older systems is no longer desirable.
>
> BUG=245370
> TBR=thestig@chromium.org, wtc@chromium.org
>
> Review URL: https://chromiumcodereview.appspot.com/18332012
TBR=rsleevi@chromium.org
Review URL: https://codereview.chromium.org/18414004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209534 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/cert_verify_proc_nss.cc')
| -rw-r--r-- | net/cert/cert_verify_proc_nss.cc | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc index c3b3ae8..2a944e6 100644 --- a/net/cert/cert_verify_proc_nss.cc +++ b/net/cert/cert_verify_proc_nss.cc @@ -158,6 +158,10 @@ CertStatus MapCertErrorToCertStatus(int err) { void GetCertChainInfo(CERTCertList* cert_list, CERTCertificate* root_cert, CertVerifyResult* verify_result) { + // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the + // NSS version currently in use: + // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*) + // 2. use ident libnss3.so* for the library's version DCHECK(cert_list); CERTCertificate* verified_cert = NULL; @@ -342,6 +346,31 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle, bool use_crl = check_revocation; bool use_ocsp = check_revocation; + // These CAs have multiple keys, which trigger two bugs in NSS's CRL code. + // 1. NSS may use one key to verify a CRL signed with another key, + // incorrectly concluding that the CRL's signature is invalid. + // Hopefully this bug will be fixed in NSS 3.12.9. + // 2. NSS considers all certificates issued by the CA as revoked when it + // receives a CRL with an invalid signature. This overly strict policy + // has been relaxed in NSS 3.12.7. See + // https://bugzilla.mozilla.org/show_bug.cgi?id=562542. + // So we have to turn off CRL checking for these CAs. See + // http://crbug.com/55695. + static const char* const kMultipleKeyCA[] = { + "CN=Microsoft Secure Server Authority," + "DC=redmond,DC=corp,DC=microsoft,DC=com", + "CN=Microsoft Secure Server Authority", + }; + + if (!NSS_VersionCheck("3.12.7")) { + for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) { + if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) { + use_crl = false; + break; + } + } + } + PRUint64 revocation_method_flags = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | CERT_REV_M_ALLOW_NETWORK_FETCHING | |