Bug 790809 - Add callback for in libpkix for extra app checks (in usage sslserver). r=dkeeler

security/certverifier/CertVerifier.cpp

@@ -93,6 +93,24 @@ insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
 }
 #endif
 
+SECStatus chainValidationCallback(void* state, const CERTCertList* certList,
+                                  PRBool* chainOK)
+{
+  *chainOK = PR_FALSE;
+
+  PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("verifycert: Inside the Callback \n"));
+
+  // On sanity failure we fail closed.
+  if (!certList) {
+    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("verifycert: Short circuit, callback, "
+                                            "sanity check failed \n"));
+    PR_SetError(PR_INVALID_STATE_ERROR, 0);
+    return SECFailure;
+  }
+  *chainOK = PR_TRUE;
+  return SECSuccess;
+}
+
 static SECStatus
 ClassicVerifyCert(CERTCertificate* cert,
                   const SECCertificateUsage usage,
@@ -300,7 +318,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert,
   rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
 
   const bool localOnly = flags & FLAG_LOCAL_ONLY;
-  CERTValInParam cvin[6];
+  CERTValInParam cvin[7];
 
   // Parameters for both EV and DV validation
   cvin[0].type = cert_pi_useAIACertFetch;
@@ -310,6 +328,16 @@ CertVerifier::VerifyCert(CERTCertificate* cert,
   cvin[2].type = cert_pi_date;
   cvin[2].value.scalar.time = time;
   i = 3;
+
+  CERTChainVerifyCallback callbackContainer;
+  if (usage == certificateUsageSSLServer) {
+    callbackContainer.isChainValid = chainValidationCallback;
+    callbackContainer.isChainValidArg = nullptr;
+    cvin[i].type = cert_pi_chainVerifyCallback;
+    cvin[i].value.pointer.chainVerifyCallback = &callbackContainer;
+    ++i;
+  }
+
   const size_t evParamLocation = i;
 
   if (evPolicy != SEC_OID_UNKNOWN) {