• Align cross-platform behaviors for CRLSets · 3d4414f3
    Ryan Sleevi authored
    On Windows and macOS, when a CRLSet is used to revoke a
    certificate, the chain originally constructed by the OS
    verifier is made available, as well as having the hashes
    for that chain computed in
    CertVerifyResult.public_key_hashes.
    
    For Linux/ChromeOS, due to a bug in NSS's libpkix's
    memoization of certificate paths during the chain building
    process, combined with how Chromium implemented CRLSets
    using an application-verifier callback, the constructed
    chain was forgotten and not placed into the
    CertVerifyResult.
    
    Align the platforms to ensure that the CertVerifyResult
    is populated with the (revoked) chain information. This
    can be used with the ssl_error_assistant in //chrome to
    provide additional error messaging for entries in CRLSets.
    
    Bug: 989220
    Change-Id: If4bf73d3548b0dec60980070ea7fa4c28edb0f08
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1727446
    Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
    Reviewed-by: Matt Mueller <mattm@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#682584}
cert_verify_proc_nss.cc 40.6 KB