net/cert/cert_verify_proc_nss.cc - Issue 18332012: Reland r209278

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/cert/cert_verify_proc_nss.cc

Issue 18332012: Reland r209278 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/cert_verify_proc_nss.cc

diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc

index 2a944e6f1bd6278909af5f2b9ff296e1b5cf37de..c3b3ae8d6c9982107e53809bec6e909e3fc2fa54 100644

--- a/net/cert/cert_verify_proc_nss.cc

+++ b/net/cert/cert_verify_proc_nss.cc

@@ -158,10 +158,6 @@ CertStatus MapCertErrorToCertStatus(int err) {

void GetCertChainInfo(CERTCertList* cert_list,

CERTCertificate* root_cert,

CertVerifyResult* verify_result) {

- // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the

- // NSS version currently in use:

- // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)

- // 2. use ident libnss3.so* for the library's version

DCHECK(cert_list);

CERTCertificate* verified_cert = NULL;

@@ -346,31 +342,6 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,

bool use_crl = check_revocation;

bool use_ocsp = check_revocation;

- // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.

- // 1. NSS may use one key to verify a CRL signed with another key,

- // incorrectly concluding that the CRL's signature is invalid.

- // Hopefully this bug will be fixed in NSS 3.12.9.

- // 2. NSS considers all certificates issued by the CA as revoked when it

- // receives a CRL with an invalid signature. This overly strict policy

- // has been relaxed in NSS 3.12.7. See

- // https://bugzilla.mozilla.org/show_bug.cgi?id=562542.

- // So we have to turn off CRL checking for these CAs. See

- // http://crbug.com/55695.

- static const char* const kMultipleKeyCA[] = {

- "CN=Microsoft Secure Server Authority,"

- "DC=redmond,DC=corp,DC=microsoft,DC=com",

- "CN=Microsoft Secure Server Authority",

- };

- if (!NSS_VersionCheck("3.12.7")) {

- for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) {

- if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) {

- use_crl = false;

- break;

- }

PRUint64 revocation_method_flags =

CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |

CERT_REV_M_ALLOW_NETWORK_FETCHING |

« no previous file with comments | « crypto/signature_creator_nss.cc ('k') | net/socket/ssl_client_socket_nss.cc » ('j') | no next file with comments »