OLD | NEW |
| (Empty) |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/x509_certificate.h" | |
6 | |
7 #include <map> | |
8 | |
9 #include "base/histogram.h" | |
10 #include "base/lock.h" | |
11 #include "base/pickle.h" | |
12 #include "base/singleton.h" | |
13 #include "base/string_tokenizer.h" | |
14 #include "base/string_util.h" | |
15 #include "net/base/cert_status_flags.h" | |
16 #include "net/base/ev_root_ca_metadata.h" | |
17 | |
18 #pragma comment(lib, "crypt32.lib") | |
19 | |
20 namespace net { | |
21 | |
22 namespace { | |
23 | |
24 // Returns true if this cert fingerprint is the null (all zero) fingerprint. | |
25 // We use this as a bogus fingerprint value. | |
26 bool IsNullFingerprint(const X509Certificate::Fingerprint& fingerprint) { | |
27 for (int i = 0; i < arraysize(fingerprint.data); ++i) { | |
28 if (fingerprint.data[i] != 0) | |
29 return false; | |
30 } | |
31 return true; | |
32 } | |
33 | |
34 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty | |
35 // (all zero) fingerprint on failure. | |
36 X509Certificate::Fingerprint CalculateFingerprint(PCCERT_CONTEXT cert) { | |
37 DCHECK(NULL != cert->pbCertEncoded); | |
38 DCHECK(0 != cert->cbCertEncoded); | |
39 | |
40 BOOL rv; | |
41 X509Certificate::Fingerprint sha1; | |
42 DWORD sha1_size = sizeof(sha1.data); | |
43 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | |
44 cert->cbCertEncoded, sha1.data, &sha1_size); | |
45 DCHECK(rv && sha1_size == sizeof(sha1.data)); | |
46 if (!rv) | |
47 memset(sha1.data, 0, sizeof(sha1.data)); | |
48 return sha1; | |
49 } | |
50 | |
51 // Wrappers of malloc and free for CRYPT_DECODE_PARA, which requires the | |
52 // WINAPI calling convention. | |
53 void* WINAPI MyCryptAlloc(size_t size) { | |
54 return malloc(size); | |
55 } | |
56 | |
57 void WINAPI MyCryptFree(void* p) { | |
58 free(p); | |
59 } | |
60 | |
61 // Decodes the cert's subjectAltName extension into a CERT_ALT_NAME_INFO | |
62 // structure and stores it in *output. | |
63 void GetCertSubjectAltName(PCCERT_CONTEXT cert, | |
64 scoped_ptr_malloc<CERT_ALT_NAME_INFO>* output) { | |
65 PCERT_EXTENSION extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2, | |
66 cert->pCertInfo->cExtension, | |
67 cert->pCertInfo->rgExtension); | |
68 if (!extension) | |
69 return; | |
70 | |
71 CRYPT_DECODE_PARA decode_para; | |
72 decode_para.cbSize = sizeof(decode_para); | |
73 decode_para.pfnAlloc = MyCryptAlloc; | |
74 decode_para.pfnFree = MyCryptFree; | |
75 CERT_ALT_NAME_INFO* alt_name_info = NULL; | |
76 DWORD alt_name_info_size = 0; | |
77 BOOL rv; | |
78 rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, | |
79 szOID_SUBJECT_ALT_NAME2, | |
80 extension->Value.pbData, | |
81 extension->Value.cbData, | |
82 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, | |
83 &decode_para, | |
84 &alt_name_info, | |
85 &alt_name_info_size); | |
86 if (rv) | |
87 output->reset(alt_name_info); | |
88 } | |
89 | |
90 /////////////////////////////////////////////////////////////////////////// | |
91 // | |
92 // Functions used by X509Certificate::IsEV | |
93 // | |
94 /////////////////////////////////////////////////////////////////////////// | |
95 | |
96 // Constructs a certificate chain starting from the end certificate | |
97 // 'cert_context', matching any of the certificate policies. | |
98 // | |
99 // Returns the certificate chain context on success, or NULL on failure. | |
100 // The caller is responsible for freeing the certificate chain context with | |
101 // CertFreeCertificateChain. | |
102 PCCERT_CHAIN_CONTEXT ConstructCertChain( | |
103 PCCERT_CONTEXT cert_context, | |
104 const char* const* policies, | |
105 int num_policies) { | |
106 CERT_CHAIN_PARA chain_para; | |
107 memset(&chain_para, 0, sizeof(chain_para)); | |
108 chain_para.cbSize = sizeof(chain_para); | |
109 chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND; | |
110 chain_para.RequestedUsage.Usage.cUsageIdentifier = 0; | |
111 chain_para.RequestedUsage.Usage.rgpszUsageIdentifier = NULL; // LPSTR* | |
112 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_OR; | |
113 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = num_policies; | |
114 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | |
115 const_cast<char**>(policies); | |
116 PCCERT_CHAIN_CONTEXT chain_context; | |
117 if (!CertGetCertificateChain( | |
118 NULL, // default chain engine, HCCE_CURRENT_USER | |
119 cert_context, | |
120 NULL, // current system time | |
121 cert_context->hCertStore, // search this store | |
122 &chain_para, | |
123 CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | | |
124 CERT_CHAIN_CACHE_END_CERT, | |
125 NULL, // reserved | |
126 &chain_context)) { | |
127 return NULL; | |
128 } | |
129 return chain_context; | |
130 } | |
131 | |
132 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO | |
133 // structure and stores it in *output. | |
134 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, | |
135 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { | |
136 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, | |
137 cert->pCertInfo->cExtension, | |
138 cert->pCertInfo->rgExtension); | |
139 if (!extension) | |
140 return; | |
141 | |
142 CRYPT_DECODE_PARA decode_para; | |
143 decode_para.cbSize = sizeof(decode_para); | |
144 decode_para.pfnAlloc = MyCryptAlloc; | |
145 decode_para.pfnFree = MyCryptFree; | |
146 CERT_POLICIES_INFO* policies_info = NULL; | |
147 DWORD policies_info_size = 0; | |
148 BOOL rv; | |
149 rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, | |
150 szOID_CERT_POLICIES, | |
151 extension->Value.pbData, | |
152 extension->Value.cbData, | |
153 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, | |
154 &decode_para, | |
155 &policies_info, | |
156 &policies_info_size); | |
157 if (rv) | |
158 output->reset(policies_info); | |
159 } | |
160 | |
161 // Returns true if the policy is in the array of CERT_POLICY_INFO in | |
162 // the CERT_POLICIES_INFO structure. | |
163 bool ContainsPolicy(const CERT_POLICIES_INFO* policies_info, | |
164 const char* policy) { | |
165 int num_policies = policies_info->cPolicyInfo; | |
166 for (int i = 0; i < num_policies; i++) { | |
167 if (!strcmp(policies_info->rgPolicyInfo[i].pszPolicyIdentifier, policy)) | |
168 return true; | |
169 } | |
170 return false; | |
171 } | |
172 | |
173 // This class wraps the CertFreeCertificateChain function in a class that can | |
174 // be passed as a template argument to scoped_ptr_malloc. | |
175 class ScopedPtrMallocFreeCertChain { | |
176 public: | |
177 void operator()(const CERT_CHAIN_CONTEXT* x) const { | |
178 CertFreeCertificateChain(x); | |
179 } | |
180 }; | |
181 | |
182 typedef scoped_ptr_malloc<const CERT_CHAIN_CONTEXT, | |
183 ScopedPtrMallocFreeCertChain> ScopedCertChainContext; | |
184 | |
185 } // namespace | |
186 | |
187 bool X509Certificate::FingerprintLessThan::operator()( | |
188 const Fingerprint& lhs, | |
189 const Fingerprint& rhs) const { | |
190 for (int i = 0; i < sizeof(lhs.data); ++i) { | |
191 if (lhs.data[i] < rhs.data[i]) | |
192 return true; | |
193 if (lhs.data[i] > rhs.data[i]) | |
194 return false; | |
195 } | |
196 return false; | |
197 } | |
198 | |
199 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, | |
200 X509Certificate* rhs) const { | |
201 if (lhs == rhs) | |
202 return false; | |
203 | |
204 X509Certificate::FingerprintLessThan fingerprint_functor; | |
205 return fingerprint_functor(lhs->fingerprint_, rhs->fingerprint_); | |
206 } | |
207 | |
208 // A thread-safe cache for X509Certificate objects. | |
209 // | |
210 // The cache does not hold a reference to the certificate objects. The objects | |
211 // must |Remove| themselves from the cache upon destruction (or else the cache | |
212 // will be holding dead pointers to the objects). | |
213 class X509Certificate::Cache { | |
214 public: | |
215 // Get the singleton object for the cache. | |
216 static X509Certificate::Cache* GetInstance() { | |
217 return Singleton<X509Certificate::Cache>::get(); | |
218 } | |
219 | |
220 // Insert |cert| into the cache. The cache does NOT AddRef |cert|. The cache | |
221 // must not already contain a certificate with the same fingerprint. | |
222 void Insert(X509Certificate* cert) { | |
223 AutoLock lock(lock_); | |
224 | |
225 DCHECK(!IsNullFingerprint(cert->fingerprint())) << | |
226 "Only insert certs with real fingerprints."; | |
227 DCHECK(cache_.find(cert->fingerprint()) == cache_.end()); | |
228 cache_[cert->fingerprint()] = cert; | |
229 }; | |
230 | |
231 // Remove |cert| from the cache. The cache does not assume that |cert| is | |
232 // already in the cache. | |
233 void Remove(X509Certificate* cert) { | |
234 AutoLock lock(lock_); | |
235 | |
236 CertMap::iterator pos(cache_.find(cert->fingerprint())); | |
237 if (pos == cache_.end()) | |
238 return; // It is not an error to remove a cert that is not in the cache. | |
239 cache_.erase(pos); | |
240 }; | |
241 | |
242 // Find a certificate in the cache with the given fingerprint. If one does | |
243 // not exist, this method returns NULL. | |
244 X509Certificate* Find(const Fingerprint& fingerprint) { | |
245 AutoLock lock(lock_); | |
246 | |
247 CertMap::iterator pos(cache_.find(fingerprint)); | |
248 if (pos == cache_.end()) | |
249 return NULL; | |
250 | |
251 return pos->second; | |
252 }; | |
253 | |
254 private: | |
255 typedef std::map<Fingerprint, X509Certificate*, FingerprintLessThan> CertMap; | |
256 | |
257 // Obtain an instance of X509Certificate::Cache via GetInstance(). | |
258 Cache() { } | |
259 friend DefaultSingletonTraits<X509Certificate::Cache>; | |
260 | |
261 // You must acquire this lock before using any private data of this object. | |
262 // You must not block while holding this lock. | |
263 Lock lock_; | |
264 | |
265 // The certificate cache. You must acquire |lock_| before using |cache_|. | |
266 CertMap cache_; | |
267 | |
268 DISALLOW_EVIL_CONSTRUCTORS(X509Certificate::Cache); | |
269 }; | |
270 | |
271 void X509Certificate::Initialize() { | |
272 std::wstring subject_info; | |
273 std::wstring issuer_info; | |
274 DWORD name_size; | |
275 name_size = CertNameToStr(cert_handle_->dwCertEncodingType, | |
276 &cert_handle_->pCertInfo->Subject, | |
277 CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, | |
278 NULL, 0); | |
279 name_size = CertNameToStr(cert_handle_->dwCertEncodingType, | |
280 &cert_handle_->pCertInfo->Subject, | |
281 CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, | |
282 WriteInto(&subject_info, name_size), name_size); | |
283 name_size = CertNameToStr(cert_handle_->dwCertEncodingType, | |
284 &cert_handle_->pCertInfo->Issuer, | |
285 CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, | |
286 NULL, 0); | |
287 name_size = CertNameToStr(cert_handle_->dwCertEncodingType, | |
288 &cert_handle_->pCertInfo->Issuer, | |
289 CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, | |
290 WriteInto(&issuer_info, name_size), name_size); | |
291 ParsePrincipal(WideToUTF8(subject_info), &subject_); | |
292 ParsePrincipal(WideToUTF8(issuer_info), &issuer_); | |
293 | |
294 valid_start_ = Time::FromFileTime(cert_handle_->pCertInfo->NotBefore); | |
295 valid_expiry_ = Time::FromFileTime(cert_handle_->pCertInfo->NotAfter); | |
296 | |
297 fingerprint_ = CalculateFingerprint(cert_handle_); | |
298 | |
299 // Store the certificate in the cache in case we need it later. | |
300 X509Certificate::Cache::GetInstance()->Insert(this); | |
301 } | |
302 | |
303 // static | |
304 X509Certificate* X509Certificate::CreateFromHandle(OSCertHandle cert_handle) { | |
305 DCHECK(cert_handle); | |
306 | |
307 // Check if we already have this certificate in memory. | |
308 X509Certificate::Cache* cache = X509Certificate::Cache::GetInstance(); | |
309 X509Certificate* cert = cache->Find(CalculateFingerprint(cert_handle)); | |
310 if (cert) { | |
311 // We've found a certificate with the same fingerprint in our cache. We own | |
312 // the |cert_handle|, which makes it our job to free it. | |
313 CertFreeCertificateContext(cert_handle); | |
314 DHISTOGRAM_COUNTS(L"X509CertificateReuseCount", 1); | |
315 return cert; | |
316 } | |
317 // Otherwise, allocate a new object. | |
318 return new X509Certificate(cert_handle); | |
319 } | |
320 | |
321 // static | |
322 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle, | |
323 void** pickle_iter) { | |
324 const char* data; | |
325 int length; | |
326 if (!pickle.ReadData(pickle_iter, &data, &length)) | |
327 return NULL; | |
328 | |
329 OSCertHandle cert_handle = NULL; | |
330 if (!CertAddSerializedElementToStore( | |
331 NULL, // the cert won't be persisted in any cert store | |
332 reinterpret_cast<const BYTE*>(data), length, | |
333 CERT_STORE_ADD_USE_EXISTING, 0, CERT_STORE_CERTIFICATE_CONTEXT_FLAG, | |
334 NULL, reinterpret_cast<const void **>(&cert_handle))) | |
335 return NULL; | |
336 | |
337 return CreateFromHandle(cert_handle); | |
338 } | |
339 | |
340 X509Certificate::X509Certificate(OSCertHandle cert_handle) | |
341 : cert_handle_(cert_handle) { | |
342 Initialize(); | |
343 } | |
344 | |
345 X509Certificate::X509Certificate(std::string subject, std::string issuer, | |
346 Time start_date, Time expiration_date) | |
347 : subject_(subject), | |
348 issuer_(issuer), | |
349 valid_start_(start_date), | |
350 valid_expiry_(expiration_date), | |
351 cert_handle_(NULL) { | |
352 memset(fingerprint_.data, 0, sizeof(fingerprint_.data)); | |
353 } | |
354 | |
355 void X509Certificate::Persist(Pickle* pickle) { | |
356 DWORD length; | |
357 if (!CertSerializeCertificateStoreElement(cert_handle_, 0, | |
358 NULL, &length)) { | |
359 NOTREACHED(); | |
360 return; | |
361 } | |
362 BYTE* data = reinterpret_cast<BYTE*>(pickle->BeginWriteData(length)); | |
363 if (!CertSerializeCertificateStoreElement(cert_handle_, 0, | |
364 data, &length)) { | |
365 NOTREACHED(); | |
366 length = 0; | |
367 } | |
368 pickle->TrimWriteData(length); | |
369 } | |
370 | |
371 X509Certificate::~X509Certificate() { | |
372 // We might not be in the cache, but it is safe to remove ourselves anyway. | |
373 X509Certificate::Cache::GetInstance()->Remove(this); | |
374 if (cert_handle_) | |
375 CertFreeCertificateContext(cert_handle_); | |
376 } | |
377 | |
378 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const { | |
379 dns_names->clear(); | |
380 scoped_ptr_malloc<CERT_ALT_NAME_INFO> alt_name_info; | |
381 GetCertSubjectAltName(cert_handle_, &alt_name_info); | |
382 CERT_ALT_NAME_INFO* alt_name = alt_name_info.get(); | |
383 if (alt_name) { | |
384 int num_entries = alt_name->cAltEntry; | |
385 for (int i = 0; i < num_entries; i++) { | |
386 // dNSName is an ASN.1 IA5String representing a string of ASCII | |
387 // characters, so we can use WideToASCII here. | |
388 if (alt_name->rgAltEntry[i].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME) | |
389 dns_names->push_back(WideToASCII(alt_name->rgAltEntry[i].pwszDNSName)); | |
390 } | |
391 } | |
392 if (dns_names->empty()) | |
393 dns_names->push_back(subject_.common_name); | |
394 } | |
395 | |
396 bool X509Certificate::HasExpired() const { | |
397 return Time::Now() > valid_expiry(); | |
398 } | |
399 | |
400 // Returns true if the certificate is an extended-validation certificate. | |
401 // | |
402 // The certificate has already been verified by the HTTP library. cert_status | |
403 // represents the result of that verification. This function performs | |
404 // additional checks of the certificatePolicies extensions of the certificates | |
405 // in the certificate chain according to Section 7 (pp. 11-12) of the EV | |
406 // Certificate Guidelines Version 1.0 at | |
407 // http://cabforum.org/EV_Certificate_Guidelines.pdf. | |
408 bool X509Certificate::IsEV(int cert_status) const { | |
409 if (net::IsCertStatusError(cert_status) || | |
410 (cert_status & net::CERT_STATUS_REV_CHECKING_ENABLED) == 0) | |
411 return false; | |
412 | |
413 net::EVRootCAMetadata* metadata = net::EVRootCAMetadata::GetInstance(); | |
414 | |
415 PCCERT_CHAIN_CONTEXT chain_context = ConstructCertChain(cert_handle_, | |
416 metadata->GetPolicyOIDs(), metadata->NumPolicyOIDs()); | |
417 if (!chain_context) | |
418 return false; | |
419 ScopedCertChainContext scoped_chain_context(chain_context); | |
420 | |
421 DCHECK(chain_context->cChain != 0); | |
422 // If the cert doesn't match any of the policies, the | |
423 // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in | |
424 // chain_context->TrustStatus.dwErrorStatus is set. | |
425 DWORD error_status = chain_context->TrustStatus.dwErrorStatus; | |
426 DWORD info_status = chain_context->TrustStatus.dwInfoStatus; | |
427 if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR) | |
428 return false; | |
429 | |
430 // Check the end certificate simple chain (chain_context->rgpChain[0]). | |
431 // If the end certificate's certificatePolicies extension contains the | |
432 // EV policy OID of the root CA, return true. | |
433 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement; | |
434 int num_elements = chain_context->rgpChain[0]->cElement; | |
435 if (num_elements < 2) | |
436 return false; | |
437 | |
438 // Look up the EV policy OID of the root CA. | |
439 PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext; | |
440 X509Certificate::Fingerprint fingerprint = CalculateFingerprint(root_cert); | |
441 std::string ev_policy_oid; | |
442 if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid)) | |
443 return false; | |
444 DCHECK(!ev_policy_oid.empty()); | |
445 | |
446 // Get the certificatePolicies extension of the end certificate. | |
447 PCCERT_CONTEXT end_cert = element[0]->pCertContext; | |
448 scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info; | |
449 GetCertPoliciesInfo(end_cert, &policies_info); | |
450 if (!policies_info.get()) | |
451 return false; | |
452 | |
453 return ContainsPolicy(policies_info.get(), ev_policy_oid.c_str()); | |
454 } | |
455 | |
456 // static | |
457 void X509Certificate::ParsePrincipal(const std::string& description, | |
458 Principal* principal) { | |
459 // The description of the principal is a string with each LDAP value on | |
460 // a separate line. | |
461 const std::string kDelimiters("\r\n"); | |
462 | |
463 std::vector<std::string> common_names, locality_names, state_names, | |
464 country_names, street_addresses; | |
465 | |
466 // TODO(jcampan): add business_category and serial_number. | |
467 const std::string kPrefixes[8] = { std::string("CN="), | |
468 std::string("L="), | |
469 std::string("S="), | |
470 std::string("C="), | |
471 std::string("STREET="), | |
472 std::string("O="), | |
473 std::string("OU="), | |
474 std::string("DC=") }; | |
475 | |
476 std::vector<std::string>* values[8] = { | |
477 &common_names, &locality_names, | |
478 &state_names, &country_names, | |
479 &(principal->street_addresses), | |
480 &(principal->organization_names), | |
481 &(principal->organization_unit_names), | |
482 &(principal->domain_components) }; | |
483 DCHECK(arraysize(kPrefixes) == arraysize(values)); | |
484 | |
485 StringTokenizer str_tok(description, kDelimiters); | |
486 while (str_tok.GetNext()) { | |
487 std::string entry = str_tok.token(); | |
488 for (int i = 0; i < arraysize(kPrefixes); i++) { | |
489 if (!entry.compare(0, kPrefixes[i].length(), kPrefixes[i])) { | |
490 std::string value = entry.substr(kPrefixes[i].length()); | |
491 // Remove enclosing double-quotes if any. | |
492 if (value.size() >= 2 && | |
493 value[0] == '"' && value[value.size() - 1] == '"') | |
494 value = value.substr(1, value.size() - 2); | |
495 values[i]->push_back(value); | |
496 break; | |
497 } | |
498 } | |
499 } | |
500 | |
501 // We don't expect to have more than one CN, L, S, and C. | |
502 std::vector<std::string>* single_value_lists[4] = { | |
503 &common_names, &locality_names, &state_names, &country_names }; | |
504 std::string* single_values[4] = { | |
505 &principal->common_name, &principal->locality_name, | |
506 &principal->state_or_province_name, &principal->country_name }; | |
507 for (int i = 0; i < arraysize(single_value_lists); ++i) { | |
508 int length = static_cast<int>(single_value_lists[i]->size()); | |
509 DCHECK(single_value_lists[i]->size() <= 1); | |
510 if (single_value_lists[i]->size() > 0) | |
511 *(single_values[i]) = (*(single_value_lists[i]))[0]; | |
512 } | |
513 } | |
514 | |
515 X509Certificate::Policy::Judgment X509Certificate::Policy::Check( | |
516 X509Certificate* cert) const { | |
517 // It shouldn't matter which set we check first, but we check denied first | |
518 // in case something strange has happened. | |
519 | |
520 if (denied_.find(cert->fingerprint()) != denied_.end()) { | |
521 // DCHECK that the order didn't matter. | |
522 DCHECK(allowed_.find(cert->fingerprint()) == allowed_.end()); | |
523 return DENIED; | |
524 } | |
525 | |
526 if (allowed_.find(cert->fingerprint()) != allowed_.end()) { | |
527 // DCHECK that the order didn't matter. | |
528 DCHECK(denied_.find(cert->fingerprint()) == denied_.end()); | |
529 return ALLOWED; | |
530 } | |
531 | |
532 // We don't have a policy for this cert. | |
533 return UNKNOWN; | |
534 } | |
535 | |
536 void X509Certificate::Policy::Allow(X509Certificate* cert) { | |
537 // Put the cert in the allowed set and (maybe) remove it from the denied set. | |
538 denied_.erase(cert->fingerprint()); | |
539 allowed_.insert(cert->fingerprint()); | |
540 } | |
541 | |
542 void X509Certificate::Policy::Deny(X509Certificate* cert) { | |
543 // Put the cert in the denied set and (maybe) remove it from the allowed set. | |
544 allowed_.erase(cert->fingerprint()); | |
545 denied_.insert(cert->fingerprint()); | |
546 } | |
547 | |
548 } // namespace net | |
549 | |
OLD | NEW |