diff options
| author | Kristian Monsen <kristianm@google.com> | 2011-09-01 03:19:57 +0100 |
|---|---|---|
| committer | Kristian Monsen <kristianm@google.com> | 2011-09-01 23:13:55 +0100 |
| commit | 94ea77830f08742eaf1760a8ccc858530cb1c36e (patch) | |
| tree | effe18073eca11ce00a03b21b1c0c934364186cb /net/base/x509_certificate_openssl.cc | |
| parent | 9eb037c1f79223822fda1b86c181948ff72fdd99 (diff) | |
| download | external_chromium-94ea77830f08742eaf1760a8ccc858530cb1c36e.zip external_chromium-94ea77830f08742eaf1760a8ccc858530cb1c36e.tar.gz external_chromium-94ea77830f08742eaf1760a8ccc858530cb1c36e.tar.bz2 | |
Fix for bug 5232736 Remove "DigiNotar Root CA"
Chery pick of:
http://src.chromium.org/viewvc/chrome?view=rev&revision=98750
http://codereview.chromium.org/7791032/diff/6001/net/base/x509_certificate.cc
This should be it for master.
Change-Id: I077b2efb328bda349232cd6e3e3f69e1c5460367
Diffstat (limited to 'net/base/x509_certificate_openssl.cc')
| -rw-r--r-- | net/base/x509_certificate_openssl.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc index 18d021f..aecf75d 100644 --- a/net/base/x509_certificate_openssl.cc +++ b/net/base/x509_certificate_openssl.cc @@ -477,6 +477,11 @@ int X509Certificate::Verify(const std::string& hostname, verify_result->public_key_hashes.push_back(hash); } + if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { + verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; + return MapCertStatusToNetError(verify_result->cert_status); + } + // Currently we only ues OpenSSL's default root CA paths, so treat all // correctly verified certs as being from a known root. TODO(joth): if the // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778 |