summaryrefslogtreecommitdiffstats
path: root/net/cert/cert_verify_proc_nss.cc
diff options
context:
space:
mode:
Diffstat (limited to 'net/cert/cert_verify_proc_nss.cc')
-rw-r--r--net/cert/cert_verify_proc_nss.cc29
1 files changed, 29 insertions, 0 deletions
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index c3b3ae8..2a944e6 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -158,6 +158,10 @@ CertStatus MapCertErrorToCertStatus(int err) {
void GetCertChainInfo(CERTCertList* cert_list,
CERTCertificate* root_cert,
CertVerifyResult* verify_result) {
+ // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the
+ // NSS version currently in use:
+ // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)
+ // 2. use ident libnss3.so* for the library's version
DCHECK(cert_list);
CERTCertificate* verified_cert = NULL;
@@ -342,6 +346,31 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
bool use_crl = check_revocation;
bool use_ocsp = check_revocation;
+ // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.
+ // 1. NSS may use one key to verify a CRL signed with another key,
+ // incorrectly concluding that the CRL's signature is invalid.
+ // Hopefully this bug will be fixed in NSS 3.12.9.
+ // 2. NSS considers all certificates issued by the CA as revoked when it
+ // receives a CRL with an invalid signature. This overly strict policy
+ // has been relaxed in NSS 3.12.7. See
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=562542.
+ // So we have to turn off CRL checking for these CAs. See
+ // http://crbug.com/55695.
+ static const char* const kMultipleKeyCA[] = {
+ "CN=Microsoft Secure Server Authority,"
+ "DC=redmond,DC=corp,DC=microsoft,DC=com",
+ "CN=Microsoft Secure Server Authority",
+ };
+
+ if (!NSS_VersionCheck("3.12.7")) {
+ for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) {
+ if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) {
+ use_crl = false;
+ break;
+ }
+ }
+ }
+
PRUint64 revocation_method_flags =
CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
CERT_REV_M_ALLOW_NETWORK_FETCHING |
generated by cgit v1.1 at 2025-01-07 22:38:40 +0000