net/base/x509_chain_win.cc - Issue 3112013: Move chain building/verification out of X509Certificate

Unified Diff: net/base/x509_chain_win.cc

Issue 3112013: Move chain building/verification out of X509Certificate (Closed)

Patch Set: Rebase to trunk - Without OpenSSL fixes Created 10 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: net/base/x509_chain_win.cc

diff --git a/net/base/x509_chain_win.cc b/net/base/x509_chain_win.cc

new file mode 100644

index 0000000000000000000000000000000000000000..49ddc3f6908e4976986ca125c533bb707ac00061

--- /dev/null

+++ b/net/base/x509_chain_win.cc

@@ -0,0 +1,599 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#include "net/base/x509_chain.h"

+#include "base/logging.h"

+#include "base/utf_string_conversions.h"

+#include "net/base/cert_status_flags.h"

+#include "net/base/cert_verify_result.h"

+#include "net/base/ev_root_ca_metadata.h"

+#include "net/base/net_errors.h"

+#include "net/base/scoped_cert_chain_context.h"

+#include "net/base/x509_certificate.h"

+#pragma comment(lib, "crypt32.lib")

+namespace net {

+namespace {

+//-----------------------------------------------------------------------------

+// TODO(wtc): This is a copy of the MapSecurityError function in

+// ssl_client_socket_win.cc. Another function that maps Windows error codes

+// to our network error codes is WinInetUtil::OSErrorToNetError. We should

+// eliminate the code duplication.

+int MapSecurityError(SECURITY_STATUS err) {

+ // There are numerous security error codes, but these are the ones we thus

+ // far find interesting.

+ switch (err) {

+ case SEC_E_WRONG_PRINCIPAL: // Schannel

+ case CERT_E_CN_NO_MATCH: // CryptoAPI

+ return ERR_CERT_COMMON_NAME_INVALID;

+ case SEC_E_UNTRUSTED_ROOT: // Schannel

+ case CERT_E_UNTRUSTEDROOT: // CryptoAPI

+ return ERR_CERT_AUTHORITY_INVALID;

+ case SEC_E_CERT_EXPIRED: // Schannel

+ case CERT_E_EXPIRED: // CryptoAPI

+ return ERR_CERT_DATE_INVALID;

+ case CRYPT_E_NO_REVOCATION_CHECK:

+ return ERR_CERT_NO_REVOCATION_MECHANISM;

+ case CRYPT_E_REVOCATION_OFFLINE:

+ return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;

+ case CRYPT_E_REVOKED: // Schannel and CryptoAPI

+ return ERR_CERT_REVOKED;

+ case SEC_E_CERT_UNKNOWN:

+ case CERT_E_ROLE:

+ return ERR_CERT_INVALID;

+ case CERT_E_WRONG_USAGE:

+ // TODO(wtc): Should we add ERR_CERT_WRONG_USAGE?

+ return ERR_CERT_INVALID;

+ // We received an unexpected_message or illegal_parameter alert message

+ // from the server.

+ case SEC_E_ILLEGAL_MESSAGE:

+ return ERR_SSL_PROTOCOL_ERROR;

+ case SEC_E_ALGORITHM_MISMATCH:

+ return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;

+ case SEC_E_INVALID_HANDLE:

+ return ERR_UNEXPECTED;

+ case SEC_E_OK:

+ return OK;

+ default:

+ LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";

+ return ERR_FAILED;

+ }

+// Map the errors in the chain_context->TrustStatus.dwErrorStatus returned by

+// CertGetCertificateChain to our certificate status flags.

+int MapCertChainErrorStatusToCertStatus(DWORD error_status) {

+ int cert_status = 0;

+ // CERT_TRUST_IS_NOT_TIME_NESTED means a subject certificate's time validity

+ // does not nest correctly within its issuer's time validity.

+ const DWORD kDateInvalidErrors = CERT_TRUST_IS_NOT_TIME_VALID |

+ CERT_TRUST_IS_NOT_TIME_NESTED |

+ CERT_TRUST_CTL_IS_NOT_TIME_VALID;

+ if (error_status & kDateInvalidErrors)

+ cert_status |= CERT_STATUS_DATE_INVALID;

+ const DWORD kAuthorityInvalidErrors = CERT_TRUST_IS_UNTRUSTED_ROOT |

+ CERT_TRUST_IS_EXPLICIT_DISTRUST |

+ CERT_TRUST_IS_PARTIAL_CHAIN;

+ if (error_status & kAuthorityInvalidErrors)

+ cert_status |= CERT_STATUS_AUTHORITY_INVALID;

+ if ((error_status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN) &&

+ !(error_status & CERT_TRUST_IS_OFFLINE_REVOCATION))

+ cert_status |= CERT_STATUS_NO_REVOCATION_MECHANISM;

+ if (error_status & CERT_TRUST_IS_OFFLINE_REVOCATION)

+ cert_status |= CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;

+ if (error_status & CERT_TRUST_IS_REVOKED)

+ cert_status |= CERT_STATUS_REVOKED;

+ const DWORD kWrongUsageErrors = CERT_TRUST_IS_NOT_VALID_FOR_USAGE |

+ CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE;

+ if (error_status & kWrongUsageErrors) {

+ // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?

+ cert_status |= CERT_STATUS_INVALID;

+ }

+ // The rest of the errors.

+ const DWORD kCertInvalidErrors =

+ CERT_TRUST_IS_NOT_SIGNATURE_VALID |

+ CERT_TRUST_IS_CYCLIC |

+ CERT_TRUST_INVALID_EXTENSION |

+ CERT_TRUST_INVALID_POLICY_CONSTRAINTS |

+ CERT_TRUST_INVALID_BASIC_CONSTRAINTS |

+ CERT_TRUST_INVALID_NAME_CONSTRAINTS |

+ CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID |

+ CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT |

+ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |

+ CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |

+ CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT |

+ CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY |

+ CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT;

+ if (error_status & kCertInvalidErrors)

+ cert_status |= CERT_STATUS_INVALID;

+ return cert_status;

+//-----------------------------------------------------------------------------

+// Wrappers of malloc and free for CRYPT_DECODE_PARA, which requires the

+// WINAPI calling convention.

+void* WINAPI MyCryptAlloc(size_t size) {

+ return malloc(size);

+void WINAPI MyCryptFree(void* p) {

+ free(p);

+// Decodes the cert's subjectAltName extension into a CERT_ALT_NAME_INFO

+// structure and stores it in *output.

+void GetCertSubjectAltName(PCCERT_CONTEXT cert,

+ scoped_ptr_malloc<CERT_ALT_NAME_INFO>* output) {

+ PCERT_EXTENSION extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,

+ cert->pCertInfo->cExtension,

+ cert->pCertInfo->rgExtension);

+ if (!extension)

+ return;

+ CRYPT_DECODE_PARA decode_para;

+ decode_para.cbSize = sizeof(decode_para);

+ decode_para.pfnAlloc = MyCryptAlloc;

+ decode_para.pfnFree = MyCryptFree;

+ CERT_ALT_NAME_INFO* alt_name_info = NULL;

+ DWORD alt_name_info_size = 0;

+ BOOL rv;

+ rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

+ szOID_SUBJECT_ALT_NAME2,

+ extension->Value.pbData,

+ extension->Value.cbData,

+ CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,

+ &decode_para,

+ &alt_name_info,

+ &alt_name_info_size);

+ if (rv)

+ output->reset(alt_name_info);

+// Returns true if any common name in the certificate's Subject field contains

+// a NULL character.

+bool CertSubjectCommonNameHasNull(PCCERT_CONTEXT cert) {

+ CRYPT_DECODE_PARA decode_para;

+ decode_para.cbSize = sizeof(decode_para);

+ decode_para.pfnAlloc = MyCryptAlloc;

+ decode_para.pfnFree = MyCryptFree;

+ CERT_NAME_INFO* name_info = NULL;

+ DWORD name_info_size = 0;

+ BOOL rv;

+ rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

+ X509_NAME,

+ cert->pCertInfo->Subject.pbData,

+ cert->pCertInfo->Subject.cbData,

+ CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,

+ &decode_para,

+ &name_info,

+ &name_info_size);

+ if (rv) {

+ scoped_ptr_malloc<CERT_NAME_INFO> scoped_name_info(name_info);

+ // The Subject field may have multiple common names. According to the

+ // "PKI Layer Cake" paper, CryptoAPI uses every common name in the

+ // Subject field, so we inspect every common name.

+ //

+ // From RFC 5280:

+ // X520CommonName ::= CHOICE {

+ // teletexString TeletexString (SIZE (1..ub-common-name)),

+ // printableString PrintableString (SIZE (1..ub-common-name)),

+ // universalString UniversalString (SIZE (1..ub-common-name)),

+ // utf8String UTF8String (SIZE (1..ub-common-name)),

+ // bmpString BMPString (SIZE (1..ub-common-name)) }

+ //

+ // We also check IA5String and VisibleString.

+ for (DWORD i = 0; i < name_info->cRDN; ++i) {

+ PCERT_RDN rdn = &name_info->rgRDN[i];

+ for (DWORD j = 0; j < rdn->cRDNAttr; ++j) {

+ PCERT_RDN_ATTR rdn_attr = &rdn->rgRDNAttr[j];

+ if (strcmp(rdn_attr->pszObjId, szOID_COMMON_NAME) == 0) {

+ switch (rdn_attr->dwValueType) {

+ // After the CryptoAPI ASN.1 security vulnerabilities described in

+ // http://www.microsoft.com/technet/security/Bulletin/MS09-056.mspx

+ // were patched, we get CERT_RDN_ENCODED_BLOB for a common name

+ // that contains a NULL character.

+ case CERT_RDN_ENCODED_BLOB:

+ break;

+ // Array of 8-bit characters.

+ case CERT_RDN_PRINTABLE_STRING:

+ case CERT_RDN_TELETEX_STRING:

+ case CERT_RDN_IA5_STRING:

+ case CERT_RDN_VISIBLE_STRING:

+ for (DWORD k = 0; k < rdn_attr->Value.cbData; ++k) {

+ if (rdn_attr->Value.pbData[k] == '\0')

+ return true;

+ }

+ break;

+ // Array of 16-bit characters.

+ case CERT_RDN_BMP_STRING:

+ case CERT_RDN_UTF8_STRING: {

+ DWORD num_wchars = rdn_attr->Value.cbData / 2;

bulach 2010/10/21 10:21:33 nit: const DWORD kNumWChars

+ wchar_t* common_name =

+ reinterpret_cast<wchar_t*>(rdn_attr->Value.pbData);

+ for (DWORD k = 0; k < num_wchars; ++k) {

+ if (common_name[k] == L'\0')

+ return true;

+ }

+ break;

+ }

+ // Array of ints (32-bit).

+ case CERT_RDN_UNIVERSAL_STRING: {

+ DWORD num_ints = rdn_attr->Value.cbData / 4;

bulach 2010/10/21 10:21:33 nit: const DWORD kNumInts

+ int* common_name =

+ reinterpret_cast<int*>(rdn_attr->Value.pbData);

+ for (DWORD k = 0; k < num_ints; ++k) {

+ if (common_name[k] == 0)

+ return true;

+ }

+ break;

+ }

+ default:

+ NOTREACHED();

+ break;

+ }

+ return false;

+// Saves some information about the certificate chain chain_context in

+// *verify_result. The caller MUST initialize *verify_result before calling

+// this function.

+void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,

+ CertVerifyResult* verify_result) {

+ PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];

+ int num_elements = first_chain->cElement;

bulach 2010/10/21 10:21:33 nit: const kNumElements

+ PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;

+ // Each chain starts with the end entity certificate (i = 0) and ends with

+ // the root CA certificate (i = num_elements - 1). Do not inspect the

+ // signature algorithm of the root CA certificate because the signature on

+ // the trust anchor is not important.

+ for (int i = 0; i < num_elements - 1; ++i) {

+ PCCERT_CONTEXT cert = element[i]->pCertContext;

+ const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId;

+ if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) {

+ // md5WithRSAEncryption: 1.2.840.113549.1.1.4

+ verify_result->has_md5 = true;

+ if (i != 0)

+ verify_result->has_md5_ca = true;

+ } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) {

+ // md2WithRSAEncryption: 1.2.840.113549.1.1.2

+ verify_result->has_md2 = true;

+ if (i != 0)

+ verify_result->has_md2_ca = true;

+ } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) {

+ // md4WithRSAEncryption: 1.2.840.113549.1.1.3

+ verify_result->has_md4 = true;

+ }

+///////////////////////////////////////////////////////////////////////////

+//

+// Functions used by X509Certificate::IsEV

+//

+///////////////////////////////////////////////////////////////////////////

+// Constructs a certificate chain starting from the end certificate

+// 'cert_context', matching any of the certificate policies.

+//

+// Returns the certificate chain context on success, or NULL on failure.

+// The caller is responsible for freeing the certificate chain context with

+// CertFreeCertificateChain.

+PCCERT_CHAIN_CONTEXT ConstructCertChain(

+ PCCERT_CONTEXT cert_context,

+ const char* const* policies,

+ int num_policies) {

+ CERT_CHAIN_PARA chain_para;

bulach 2010/10/21 10:21:33 can remove the memset with: CERT_CHAIN_PARA chain

+ memset(&chain_para, 0, sizeof(chain_para));

+ chain_para.cbSize = sizeof(chain_para);

+ chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;

+ chain_para.RequestedUsage.Usage.cUsageIdentifier = 0;

+ chain_para.RequestedUsage.Usage.rgpszUsageIdentifier = NULL; // LPSTR*

+ chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_OR;

+ chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = num_policies;

+ chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =

+ const_cast<char**>(policies);

+ PCCERT_CHAIN_CONTEXT chain_context;

+ if (!CertGetCertificateChain(

+ NULL, // default chain engine, HCCE_CURRENT_USER

+ cert_context,

+ NULL, // current system time

+ cert_context->hCertStore, // search this store

+ &chain_para,

+ CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT |

+ CERT_CHAIN_CACHE_END_CERT,

+ NULL, // reserved

+ &chain_context)) {

+ return NULL;

+ }

+ return chain_context;

+// Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO

+// structure and stores it in *output.

+void GetCertPoliciesInfo(PCCERT_CONTEXT cert,

+ scoped_ptr_malloc<CERT_POLICIES_INFO>* output) {

+ PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES,

+ cert->pCertInfo->cExtension,

+ cert->pCertInfo->rgExtension);

+ if (!extension)

+ return;

+ CRYPT_DECODE_PARA decode_para;

+ decode_para.cbSize = sizeof(decode_para);

+ decode_para.pfnAlloc = MyCryptAlloc;

+ decode_para.pfnFree = MyCryptFree;

+ CERT_POLICIES_INFO* policies_info = NULL;

+ DWORD policies_info_size = 0;

+ BOOL rv;

+ rv = CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

+ szOID_CERT_POLICIES,

+ extension->Value.pbData,

+ extension->Value.cbData,

+ CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,

+ &decode_para,

+ &policies_info,

+ &policies_info_size);

+ if (rv)

+ output->reset(policies_info);

+// Returns true if the policy is in the array of CERT_POLICY_INFO in

+// the CERT_POLICIES_INFO structure.

+bool ContainsPolicy(const CERT_POLICIES_INFO* policies_info,

+ const char* policy) {

+ int num_policies = policies_info->cPolicyInfo;

+ for (int i = 0; i < num_policies; i++) {

bulach 2010/10/21 10:21:33 nit: ++i

+ if (!strcmp(policies_info->rgPolicyInfo[i].pszPolicyIdentifier, policy))

+ return true;

+ }

+ return false;

+// Returns true if the certificate is an extended-validation certificate.

+//

+// This function checks the certificatePolicies extensions of the

+// certificates in the certificate chain according to Section 7 (pp. 11-12)

+// of the EV Certificate Guidelines Version 1.0 at

+// http://cabforum.org/EV_Certificate_Guidelines.pdf.

+bool VerifyEV(X509Certificate* certificate) {

+ DCHECK(certificate);

+ net::EVRootCAMetadata* metadata = net::EVRootCAMetadata::GetInstance();

+ X509Certificate::OSCertListHandle cert_list =

+ certificate->CreateOSCertListHandle();

+ PCCERT_CHAIN_CONTEXT chain_context = ConstructCertChain(cert_list,

+ metadata->GetPolicyOIDs(), metadata->NumPolicyOIDs());

+ X509Certificate::FreeOSCertListHandle(cert_list);

+ if (!chain_context)

+ return false;

+ ScopedCertChainContext scoped_chain_context(chain_context);

+ DCHECK(chain_context->cChain != 0);

+ // If the cert doesn't match any of the policies, the

+ // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in

+ // chain_context->TrustStatus.dwErrorStatus is set.

+ DWORD error_status = chain_context->TrustStatus.dwErrorStatus;

+ DWORD info_status = chain_context->TrustStatus.dwInfoStatus;

+ if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR)

+ return false;

+ // Check the end certificate simple chain (chain_context->rgpChain[0]).

+ // If the end certificate's certificatePolicies extension contains the

+ // EV policy OID of the root CA, return true.

+ PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;

+ int num_elements = chain_context->rgpChain[0]->cElement;

+ if (num_elements < 2)

+ return false;

+ // Look up the EV policy OID of the root CA.

+ PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;

+ SHA1Fingerprint fingerprint =

+ X509Certificate::CalculateFingerprint(root_cert);

+ const char* ev_policy_oid = NULL;

+ if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid))

+ return false;

+ DCHECK(ev_policy_oid);

+ // Get the certificatePolicies extension of the end certificate.

+ PCCERT_CONTEXT end_cert = element[0]->pCertContext;

+ scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;

+ GetCertPoliciesInfo(end_cert, &policies_info);

+ if (!policies_info.get())

+ return false;

+ return ContainsPolicy(policies_info.get(), ev_policy_oid);

+} // namespace

+namespace x509_chain {

+int VerifySSLServer(X509Certificate* certificate, const std::string& hostname,

+ int flags, CertVerifyResult* verify_result) {

+ verify_result->Reset();

+ if (!certificate || !certificate->os_cert_handle())

+ return ERR_UNEXPECTED;

+ // Build and validate certificate chain.

+ CERT_CHAIN_PARA chain_para;

+ memset(&chain_para, 0, sizeof(chain_para));

bulach 2010/10/21 10:21:33 ditto, = {0};

+ chain_para.cbSize = sizeof(chain_para);

+ // ExtendedKeyUsage.

+ // We still need to request szOID_SERVER_GATED_CRYPTO and szOID_SGC_NETSCAPE

+ // today because some certificate chains need them. IE also requests these

+ // two usages.

+ static const LPSTR usage[] = {

+ szOID_PKIX_KP_SERVER_AUTH,

+ szOID_SERVER_GATED_CRYPTO,

+ szOID_SGC_NETSCAPE

+ };

+ chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;

+ chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);

+ chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =

+ const_cast<LPSTR*>(usage);

+ // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.

+ DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT;

+ if (flags & VERIFY_REV_CHECKING_ENABLED) {

+ verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;

+ chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;

+ } else {

+ chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;

+ // EV requires revocation checking.

+ flags &= ~VERIFY_EV_CERT;

+ }

+ X509Certificate::OSCertListHandle cert_list =

+ certificate->CreateOSCertListHandle();

bulach 2010/10/21 10:21:33 there's a bunch of places that CreateOSCertListHan

+ PCCERT_CHAIN_CONTEXT chain_context;

+ // IE passes a non-NULL pTime argument that specifies the current system

+ // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the

+ // chain_flags argument.

+ if (!CertGetCertificateChain(

+ NULL, // default chain engine, HCCE_CURRENT_USER

+ cert_list,

+ NULL, // current system time

+ cert_list->hCertStore, // search this store

+ &chain_para,

+ chain_flags,

+ NULL, // reserved

+ &chain_context)) {

+ X509Certificate::FreeOSCertListHandle(cert_list);

+ return MapSecurityError(GetLastError());

+ }

+ X509Certificate::FreeOSCertListHandle(cert_list);

+ ScopedCertChainContext scoped_chain_context(chain_context);

+ GetCertChainInfo(chain_context, verify_result);

+ verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(

+ chain_context->TrustStatus.dwErrorStatus);

+ // Treat certificates signed using broken signature algorithms as invalid.

+ if (verify_result->has_md4)

+ verify_result->cert_status |= CERT_STATUS_INVALID;

+ // Flag certificates signed using weak signature algorithms.

+ if (verify_result->has_md2)

+ verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;

+ // Flag certificates that have a Subject common name with a NULL character.

+ if (CertSubjectCommonNameHasNull(cert_list))

+ verify_result->cert_status |= CERT_STATUS_INVALID;

+ std::wstring wstr_hostname = ASCIIToWide(hostname);

+ SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para;

+ memset(&extra_policy_para, 0, sizeof(extra_policy_para));

+ extra_policy_para.cbSize = sizeof(extra_policy_para);

+ extra_policy_para.dwAuthType = AUTHTYPE_SERVER;

+ extra_policy_para.fdwChecks = 0;

+ extra_policy_para.pwszServerName =

+ const_cast<wchar_t*>(wstr_hostname.c_str());

+ CERT_CHAIN_POLICY_PARA policy_para;

+ memset(&policy_para, 0, sizeof(policy_para));

+ policy_para.cbSize = sizeof(policy_para);

+ policy_para.dwFlags = 0;

+ policy_para.pvExtraPolicyPara = &extra_policy_para;

+ CERT_CHAIN_POLICY_STATUS policy_status;

+ memset(&policy_status, 0, sizeof(policy_status));

+ policy_status.cbSize = sizeof(policy_status);

+ if (!CertVerifyCertificateChainPolicy(

+ CERT_CHAIN_POLICY_SSL,

+ chain_context,

+ &policy_para,

+ &policy_status)) {

+ return MapSecurityError(GetLastError());

+ }

+ if (policy_status.dwError) {

+ verify_result->cert_status |= MapNetErrorToCertStatus(

+ MapSecurityError(policy_status.dwError));

+ // CertVerifyCertificateChainPolicy reports only one error (in

+ // policy_status.dwError) if the certificate has multiple errors.

+ // CertGetCertificateChain doesn't report certificate name mismatch, so

+ // CertVerifyCertificateChainPolicy is the only function that can report

+ // certificate name mismatch.

+ //

+ // To prevent a potential certificate name mismatch from being hidden by

+ // some other certificate error, if we get any other certificate error,

+ // we call CertVerifyCertificateChainPolicy again, ignoring all other

+ // certificate errors. Both extra_policy_para.fdwChecks and

+ // policy_para.dwFlags allow us to ignore certificate errors, so we set

+ // them both.

+ if (policy_status.dwError != CERT_E_CN_NO_MATCH) {

+ const DWORD extra_ignore_flags =

+ 0x00000080 | // SECURITY_FLAG_IGNORE_REVOCATION

+ 0x00000100 | // SECURITY_FLAG_IGNORE_UNKNOWN_CA

+ 0x00002000 | // SECURITY_FLAG_IGNORE_CERT_DATE_INVALID

+ 0x00000200; // SECURITY_FLAG_IGNORE_WRONG_USAGE

+ extra_policy_para.fdwChecks = extra_ignore_flags;

+ const DWORD ignore_flags =

+ CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS |

+ CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG |

+ CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |

+ CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG |

+ CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG |

+ CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG |

+ CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS |

+ CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG |

+ CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG |

+ CERT_CHAIN_POLICY_IGNORE_NOT_SUPPORTED_CRITICAL_EXT_FLAG |

+ CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG;

+ policy_para.dwFlags = ignore_flags;

+ if (!CertVerifyCertificateChainPolicy(

+ CERT_CHAIN_POLICY_SSL,

+ chain_context,

+ &policy_para,

+ &policy_status)) {

+ return MapSecurityError(GetLastError());

+ }

+ if (policy_status.dwError) {

+ verify_result->cert_status |= MapNetErrorToCertStatus(

+ MapSecurityError(policy_status.dwError));

+ }

+ // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be

+ // compatible with WinHTTP, which doesn't report this error (bug 3004).

+ verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;

+ if (IsCertStatusError(verify_result->cert_status))

+ return MapCertStatusToNetError(verify_result->cert_status);

+ // TODO(ukai): combine regular cert verification and EV cert verification.

+ if ((flags & VERIFY_EV_CERT) && VerifyEV(certificate))

+ verify_result->cert_status |= CERT_STATUS_IS_EV;

+ return OK;

+} // namespace x509_chain

+} // namespace net

« net/base/x509_chain_nss.cc ('K') | « net/base/x509_chain_nss.cc ('k') | net/net.gyp » ('j') | no next file with comments »