| Index: net/base/cert_database_win.cc
|
| ===================================================================
|
| --- net/base/cert_database_win.cc (revision 49024)
|
| +++ net/base/cert_database_win.cc (working copy)
|
| @@ -9,7 +9,10 @@
|
| #pragma comment(lib, "crypt32.lib")
|
|
|
| #include "base/logging.h"
|
| +#include "base/scoped_ptr.h"
|
| #include "base/string_util.h"
|
| +#include "base/time.h"
|
| +#include "base/crypto/scoped_capi_types.h"
|
| #include "net/base/keygen_handler.h"
|
| #include "net/base/net_errors.h"
|
| #include "net/base/x509_certificate.h"
|
| @@ -18,60 +21,133 @@
|
|
|
| namespace {
|
|
|
| -// Returns an encoded version of SubjectPublicKeyInfo from |cert| that is
|
| -// compatible with KeygenHandler::Cache. If the cert cannot be converted, an
|
| -// empty string is returned.
|
| -std::string GetSubjectPublicKeyInfo(const X509Certificate* cert) {
|
| - DCHECK(cert);
|
| +typedef base::ScopedCAPIHandle<PCCERT_CHAIN_CONTEXT,
|
| + base::CAPIDestroyerVOID<PCCERT_CHAIN_CONTEXT,
|
| + CertFreeCertificateChain> >
|
| + ScopedPCCERT_CHAIN_CONTEXT;
|
| +typedef base::ScopedCAPIHandle<HCERTSTORE,
|
| + base::CAPIDestroyerWithFlags<HCERTSTORE, CertCloseStore, 0> >
|
| + ScopedHCERTSTORE;
|
|
|
| - std::string result;
|
| - if (!cert->os_cert_handle() || !cert->os_cert_handle()->pCertInfo)
|
| - return result;
|
| +// From an arbitrary, unordered list of certificate, attempt to import every
|
| +// certificate that:
|
| +// 1) Is a CA
|
| +// 2) Results in a valid certificate chain
|
| +void ImportValidIntermediates(
|
| + const X509Certificate::OSCertHandles& intermediates) {
|
|
|
| - BOOL ok;
|
| - DWORD size = 0;
|
| - PCERT_PUBLIC_KEY_INFO key_info =
|
| - &(cert->os_cert_handle()->pCertInfo->SubjectPublicKeyInfo);
|
| - ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info,
|
| - NULL, &size);
|
| - if (!ok)
|
| - return result;
|
| + // First, create a local in memory store. The handles in intermediates may
|
| + // be from one or more stores, or not even be in a formal store (eg: when
|
| + // decoded from a byte sequence by X509Certificate), and thus may not be
|
| + // picked up by the default HCERTCHAINENGINE when it's attempting to build
|
| + ScopedHCERTSTORE temp_store(
|
| + CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL,
|
| + CERT_STORE_CREATE_NEW_FLAG, NULL));
|
| + if (temp_store == NULL)
|
| + return;
|
|
|
| - ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info,
|
| - reinterpret_cast<BYTE*>(WriteInto(&result, size + 1)),
|
| - &size);
|
| - if (!ok) {
|
| - result.clear();
|
| - return result;
|
| + // Add links to all of the existing contexts into the temp store, so
|
| + // that they will be available to chain building.
|
| + for (X509Certificate::OSCertHandles::const_iterator it =
|
| + intermediates.begin(); it != intermediates.end(); ++it) {
|
| + BOOL added = CertAddCertificateLinkToStore(
|
| + temp_store, *it, CERT_STORE_ADD_USE_EXISTING, NULL);
|
| }
|
|
|
| - // Per MSDN, the resultant structure may be smaller than the original size
|
| - // supplied, so shrink to the actual size output.
|
| - result.resize(size);
|
| + std::vector<PCCERT_CONTEXT> to_add;
|
| + FILETIME now = base::Time::Now().ToFileTime();
|
| + CERT_CHAIN_PARA chain_params;
|
| + memset(&chain_params, 0, sizeof(chain_params));
|
| + chain_params.cbSize = sizeof(chain_params);
|
|
|
| - return result;
|
| -}
|
| + // For every certificate, attempt to build a chain to an existing trust
|
| + // root, where each certificate is minimally valid to be used as a CA
|
| + // certificate (measured by adherance to basicConstraints restrictions,
|
| + // if any, not by key usage)
|
| + size_t offset = 0;
|
| + for (X509Certificate::OSCertHandles::const_iterator it =
|
| + intermediates.begin(); it != intermediates.end(); ++it, ++offset) {
|
| + ScopedPCCERT_CHAIN_CONTEXT chain_context;
|
| + if (!CertGetCertificateChain(NULL, *it, &now, temp_store, &chain_params,
|
| + CERT_CHAIN_CACHE_END_CERT |
|
| + CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE,
|
| + NULL, chain_context.receive())) {
|
| + DPLOG(WARNING) << "Unable to get the certificate chain for "
|
| + << "intermediate " << offset << ". Skipping import of "
|
| + << "this certificate.";
|
| + continue;
|
| + }
|
|
|
| -// Returns true if |cert| was successfully modified to reference |location| to
|
| -// obtain the associated private key.
|
| -bool LinkCertToPrivateKey(X509Certificate* cert,
|
| - KeygenHandler::KeyLocation location) {
|
| - DCHECK(cert);
|
| + CERT_CHAIN_POLICY_PARA chain_policy_params;
|
| + memset(&chain_policy_params, 0, sizeof(chain_policy_params));
|
| + chain_policy_params.cbSize = sizeof(chain_policy_params);
|
| + chain_policy_params.dwFlags =
|
| + BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG;
|
|
|
| - CRYPT_KEY_PROV_INFO prov_info = { 0 };
|
| - prov_info.pwszContainerName =
|
| - const_cast<LPWSTR>(location.container_name.c_str());
|
| - prov_info.pwszProvName =
|
| - const_cast<LPWSTR>(location.provider_name.c_str());
|
| + CERT_CHAIN_POLICY_STATUS chain_policy_status;
|
| + memset(&chain_policy_status, 0, sizeof(chain_policy_status));
|
| + chain_policy_status.cbSize = sizeof(chain_policy_status);
|
|
|
| - // Implicit by it being from KeygenHandler, which only supports RSA keys.
|
| - prov_info.dwProvType = PROV_RSA_FULL;
|
| - prov_info.dwKeySpec = AT_KEYEXCHANGE;
|
| + // TODO(rsleevi): In the event of bridge/federated chains, where
|
| + // chain_context contains more than one SIMPLE_CHAINS, check what
|
| + // the result will be if the chain context is:
|
| + // cChain = 2
|
| + // rgpChain[0] = Valid chain
|
| + // rgpChain[1] = Invalid chain
|
| + if (!CertVerifyCertificateChainPolicy(
|
| + CERT_CHAIN_POLICY_BASIC_CONSTRAINTS, chain_context,
|
| + &chain_policy_params, &chain_policy_status)) {
|
| + DPLOG(WARNING) << "Unable to get validate the certificate chain for "
|
| + << "intermediate " << offset << ". Skipping import of "
|
| + << "this certificate.";
|
| + continue;
|
| + }
|
|
|
| - BOOL ok = CertSetCertificateContextProperty(cert->os_cert_handle(),
|
| - CERT_KEY_PROV_INFO_PROP_ID, 0,
|
| - &prov_info);
|
| - return ok != FALSE;
|
| + if (chain_policy_status.dwError != 0) {
|
| + DLOG(WARNING) << "Chain for intermediate " << offset << " returned: "
|
| + << std::endl << " Error: " << chain_policy_status.dwError
|
| + << std::endl << " Chain Index: "
|
| + << chain_policy_status.lChainIndex
|
| + << std::endl << " Element Index: "
|
| + << chain_policy_status.lElementIndex;
|
| + continue;
|
| + }
|
| +
|
| + // With CryptoAPI, there may be multiple chains for a given certificate,
|
| + // such as the case with bridged CAs. For each chain, iterate through the
|
| + // certificates that make up the chain. If the certificate was one of the
|
| + // supplied intermediates, then it is appropriate to add to the
|
| + // intermediate list.
|
| + for (DWORD i = 0; i < chain_context.get()->cChain; ++i) {
|
| + for (DWORD j = 0; j < chain_context.get()->rgpChain[i]->cElement; ++j) {
|
| + PCCERT_CONTEXT cert_in_temp_store = CertFindCertificateInStore(
|
| + temp_store.get(), X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
|
| + CERT_FIND_EXISTING,
|
| + chain_context.get()->rgpChain[i]->rgpElement[j], NULL);
|
| + if (cert_in_temp_store != NULL)
|
| + to_add.push_back(cert_in_temp_store);
|
| + }
|
| + }
|
| + }
|
| +
|
| + // After sifting through all of |intermediates|, add any certificates that
|
| + // passed the checks.
|
| + if (!to_add.empty()) {
|
| + ScopedHCERTSTORE intermediate_db(CertOpenSystemStore(NULL, L"CA"));
|
| + if (intermediate_db) {
|
| + for (std::vector<PCCERT_CONTEXT>::iterator it = to_add.begin();
|
| + it != to_add.end(); ++it) {
|
| + CertAddCertificateContextToStore(intermediate_db, *it,
|
| + CERT_STORE_ADD_USE_EXISTING, NULL);
|
| + }
|
| + }
|
| + }
|
| +
|
| + for (std::vector<PCCERT_CONTEXT>::iterator it = to_add.begin();
|
| + it != to_add.end(); ++it) {
|
| + BOOL freed = CertFreeCertificateContext(*it);
|
| + DCHECK(freed);
|
| + }
|
| }
|
|
|
| } // namespace
|
| @@ -85,12 +161,9 @@
|
| if (cert->HasExpired())
|
| return ERR_CERT_DATE_INVALID;
|
|
|
| - std::string encoded_info = GetSubjectPublicKeyInfo(cert);
|
| - KeygenHandler::Cache* cache = KeygenHandler::Cache::GetInstance();
|
| - KeygenHandler::KeyLocation location;
|
| -
|
| - if (encoded_info.empty() || !cache->Find(encoded_info, &location) ||
|
| - !LinkCertToPrivateKey(cert, location))
|
| + BOOL found = CryptFindCertificateKeyProvInfo(cert->os_cert_handle(),
|
| + 0, NULL);
|
| + if (!found)
|
| return ERR_NO_PRIVATE_KEY_FOR_CERT;
|
|
|
| return OK;
|
| @@ -102,7 +175,7 @@
|
| // NSS, and Store Type / Path) here? For now, certs will be stashed into the
|
| // user's personal store, which will not automatically mark them as trusted,
|
| // but will allow them to be used for client auth.
|
| - HCERTSTORE cert_db = CertOpenSystemStore(NULL, L"MY");
|
| + ScopedHCERTSTORE cert_db(CertOpenSystemStore(NULL, L"MY"));
|
| if (!cert_db)
|
| return ERR_ADD_USER_CERT_FAILED;
|
|
|
| @@ -111,7 +184,7 @@
|
| CERT_STORE_ADD_USE_EXISTING,
|
| NULL);
|
|
|
| - CertCloseStore(cert_db, 0);
|
| + ImportValidIntermediates(cert->GetIntermediateCertificates());
|
|
|
| if (!added)
|
| return ERR_ADD_USER_CERT_FAILED;
|
|
|
Chromium Code Reviews
Issue 2668005:
Bring the handling of <keygen> and support for the application/x-x509-user-ce... (Closed)
Base URL: http://src.chromium.org/svn/trunk/src/