Consider the signature algorithms of incomplete chains on Windows

R=wtc@chromium.org BUG=101123 Review URL: http://codereview.chromium.org/8382026 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108082 0039d316-1c4b-4281-b951-d872f2087c98

Consider the signature algorithms of incomplete chains on Windows
R=wtc@chromium.org BUG=101123 Review URL: http://codereview.chromium.org/8382026 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108082 0039d316-1c4b-4281-b951-d872f2087c98
35521791 · rsleevi@chromium.org · 0c9b0f52 · 35521791 · 35521791
Commit 35521791 authored Nov 01, 2011 by rsleevi@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 9 deletions

net/base/x509_certificate_unittest.cc net/base/x509_certificate_unittest.cc +1 -3

net/base/x509_certificate_win.cc net/base/x509_certificate_win.cc +17 -6

No files found.
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1641,11 +1641,9 @@ const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
  { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
    false, false, true, false, true },
 };
-// Disabled on Windows - http://crbug.com/101123. The Windows implementation
-// does not report the status of the last intermediate for incomplete chains.
 // Disabled on NSS - libpkix does not return constructed chains on error,
 // preventing us from detecting/inspecting the verified chain.
-#if defined(OS_WIN) || defined(USE_NSS)
+#if defined(USE_NSS)
 #define MAYBE_VerifyIncompleteIntermediate \
    DISABLED_VerifyIncompleteIntermediate
 #else

--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -330,11 +330,22 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
  PCCERT_CONTEXT verified_cert = NULL;
  std::vector<PCCERT_CONTEXT> verified_chain;

+  bool has_root_ca = num_elements > 1 &&
+      !(chain_context->TrustStatus.dwErrorStatus &
+          CERT_TRUST_IS_PARTIAL_CHAIN);
+
  // Each chain starts with the end entity certificate (i = 0) and ends with
-  // the root CA certificate (i = num_elements - 1).  Do not inspect the
-  // signature algorithm of the root CA certificate because the signature on
-  // the trust anchor is not important.
-  for (int i = 0; i < num_elements - 1; ++i) {
+  // either the root CA certificate or the last available intermediate. If a
+  // root CA certificate is present, do not inspect the signature algorithm of
+  // the root CA certificate because the signature on the trust anchor is not
+  // important.
+  if (has_root_ca) {
+    // If a full chain was constructed, regardless of whether it was trusted,
+    // don't inspect the root's signature algorithm.
+    num_elements -= 1;
+  }
+
+  for (int i = 0; i < num_elements; ++i) {
    PCCERT_CONTEXT cert = element[i]->pCertContext;
    if (i == 0) {
      verified_cert = cert;
@@ -361,8 +372,8 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,

  if (verified_cert) {
    // Add the root certificate, if present, as it was not added above.
-    if (num_elements > 1)
-      verified_chain.push_back(element[num_elements - 1]->pCertContext);
+    if (has_root_ca)
+      verified_chain.push_back(element[num_elements]->pCertContext);
    verify_result->verified_cert =
          X509Certificate::CreateFromHandle(verified_cert, verified_chain);
  }