Double-check signatures on verified chains

CryptoAPI allows third parties to override a variety of functions,
potentially returning invalid chains. Add an extra signature check
to make sure the chain is reasonably sensible. This isn't perfect,
but is enough of a safety check until we switch to our verifier or
tighten down the blocking of 3P modules, even for CAPI.

(cherry picked from commit bd3442a4957d0a185bdeaf65649d15926f412add)

Bug: 1040772
Change-Id: I75ded0932e32b1abf23969d6c6bd9744b72f1a3d
Commit-Queue: Ryan Sleevi <>
Reviewed-by: Adam Langley <>
Reviewed-by: Ryan Sleevi <>
Cr-Original-Commit-Position: refs/heads/master@{#730368}
Cr-Commit-Position: refs/branch-heads/3945@{#1045}
Cr-Branched-From: e4635fff7defbae0f9c29e798349f6fc0cce4b1b-refs/heads/master@{#706915}
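
The kind of extra check the commit message describes, as an added Go example; it is not Chromium's code and is not part of the original commit. It re-verifies every signature link in a chain handed back by a chain builder that is not fully trusted. The names `VerifyChainSignatures` and `issue`, the fixed key seeds and the certificate names are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyChainSignatures re-checks that each cert is signed by the next one (leaf first), whatever built the chain.
func VerifyChainSignatures(chain ...*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("cert %d not signed by cert %d: %w", i, i+1, err)
		}
	}
	return nil
}

// issue builds a constructed test cert from a fixed seed (test only); a nil parent means a self-signed CA.
func issue(seed [32]byte, cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	key := ed25519.NewKeyFromSeed(seed[:])
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pk)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	root, rootKey := issue([32]byte{1}, "Constructed Root", nil, nil)
	other, _ := issue([32]byte{2}, "Constructed Root", nil, nil) // same name, different key
	leaf, _ := issue([32]byte{3}, "leaf.example", root, rootKey)
	fmt.Println("genuine:", VerifyChainSignatures(leaf, root), "| swapped issuer:", VerifyChainSignatures(leaf, other))
}
```

The last certificate's own signature is not checked here; it is assumed to be matched against a trust anchor separately.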
