author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-09-16 19:24:45 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-09-16 19:24:45 +0000 |
commit | 43025b7aae5cc78c35317d46eb2192ac23943a2b (patch) | |
tree | b9df83dbb092bf94843278435e72459ce69c4b7e /net/socket | |
parent | 1c636142456e6bdf09684a09a4bb843af4499833 (diff) | |
Show "DNS" as the authority for DNSSEC validated certificates.
At the moment, if we validate a certificate using DNSSEC the Page Info
dialog will show whatever Issuer the site chose as the issuing
authority. That's confusing because the site could choose a string
like 'US Dept of Homeland Security' (for example) which is misleading.
This patch forces the authority string to always be "DNSSEC" in the
case that we used DNSSEC to validate the certificate.
(The string "DNSSEC" isn't translated as it's an acronym.)
BUG=none
TEST=none
http://codereview.chromium.org/3304016/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59686 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 035007f..9b706ce 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -69,6 +69,7 @@
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "net/base/address_list.h"
+#include "net/base/cert_status_flags.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/dnsrr_resolver.h"
 #include "net/base/dnssec_chain_verifier.h"
@@ -1708,6 +1709,7 @@ int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
 if (ssl_config_.dnssec_enabled) {
 DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_);
 if (r == DNSVR_SUCCESS) {
+ server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
 GotoState(STATE_VERIFY_CERT_COMPLETE);
 return OK;
 }
@@ -1746,18 +1748,19 @@ int SSLClientSocketNSS::DoVerifyDNSSECComplete(int result) {
 if (!ssl_config_.dnssec_enabled) {
 // If DNSSEC is not enabled we don't take any action based on the result,
 // except to record the latency, above.
- GotoState(STATE_VERIFY_CERT);
 return OK;
 }
 switch (r) {
 case DNSVR_FAILURE:
 GotoState(STATE_VERIFY_CERT_COMPLETE);
+ server_cert_verify_result_.cert_status |= CERT_STATUS_NOT_IN_DNS;
 return ERR_CERT_NOT_IN_DNS;
 case DNSVR_CONTINUE:
 GotoState(STATE_VERIFY_CERT);
 break;
 case DNSVR_SUCCESS:
+ server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
 GotoState(STATE_VERIFY_CERT_COMPLETE);
 break;
 default: |
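Review bot: The added `server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;` in DoVerifyDNSSEC ORs the flag into whatever the result already holds, and this path jumps straight to STATE_VERIFY_CERT_COMPLETE, so nothing visible here shows `server_cert_verify_result_` being filled or cleared by the regular verifier first. If verification can run more than once on a socket, status bits from an earlier pass would survive alongside the flag that Page Info now relies on for the authority string; the DNSVR_SUCCESS case in DoVerifyDNSSECComplete follows the same pattern. Consider assigning on these success paths, `server_cert_verify_result_.cert_status = CERT_STATUS_IS_DNSSEC;`, or add a comment naming where the result is reset. The function continues outside the hunk, so such a reset may already exist there.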
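Review bot: The `!ssl_config_.dnssec_enabled` branch of DoVerifyDNSSECComplete now returns OK without `GotoState(STATE_VERIFY_CERT);`, and the commit description does not mention this removal. It is only safe if the state was already set to STATE_VERIFY_CERT earlier in the function, which starts above the hunk and is not visible; otherwise the handshake would leave this step with no certificate verification queued. Please confirm that and record it at the branch, e.g. `// State is already STATE_VERIFY_CERT (set above), so normal verification still runs.` Since the commit lists TEST=none, a unit test covering the DNSSEC-disabled path would keep this from regressing.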