| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_chain.h" | 5 #include "net/base/x509_chain.h" |
| 6 | 6 |
| 7 #include "base/logging.h" | 7 #include "base/logging.h" |
| 8 #include "base/utf_string_conversions.h" | 8 #include "base/utf_string_conversions.h" |
| 9 #include "net/base/cert_status_flags.h" | 9 #include "net/base/cert_status_flags.h" |
| 10 #include "net/base/cert_verify_result.h" | 10 #include "net/base/cert_verify_result.h" |
| (...skipping 239 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 250 } | 250 } |
| 251 } | 251 } |
| 252 } | 252 } |
| 253 } | 253 } |
| 254 return false; | 254 return false; |
| 255 } | 255 } |
| 256 | 256 |
| 257 // Saves some information about the certificate chain chain_context in | 257 // Saves some information about the certificate chain chain_context in |
| 258 // *verify_result. The caller MUST initialize *verify_result before calling | 258 // *verify_result. The caller MUST initialize *verify_result before calling |
| 259 // this function. | 259 // this function. |
| 260 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, | 260 void GetCertChainInfo(int flags, |
| 261 PCCERT_CHAIN_CONTEXT chain_context, |
| 261 CertVerifyResult* verify_result) { | 262 CertVerifyResult* verify_result) { |
| 262 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 263 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
| 263 int num_elements = first_chain->cElement; | 264 int num_elements = first_chain->cElement; |
| 264 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 265 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
| 265 | 266 |
| 266 // Each chain starts with the end entity certificate (i = 0) and ends with | 267 // Each chain starts with the end entity certificate (i = 0) and ends with |
| 267 // the root CA certificate (i = num_elements - 1). Do not inspect the | 268 // the root CA certificate (i = num_elements - 1). Do not inspect the |
| 268 // signature algorithm of the root CA certificate because the signature on | 269 // signature algorithm of the root CA certificate because the signature on |
| 269 // the trust anchor is not important. | 270 // the trust anchor is not important. |
| 270 for (int i = 0; i < num_elements - 1; ++i) { | 271 for (int i = 0; i < num_elements - 1; ++i) { |
| 271 PCCERT_CONTEXT cert = element[i]->pCertContext; | 272 PCCERT_CONTEXT cert = element[i]->pCertContext; |
| 272 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; | 273 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; |
| 273 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { | 274 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { |
| 274 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 | 275 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 |
| 275 verify_result->has_md5 = true; | 276 verify_result->has_md5 = true; |
| 276 if (i != 0) | 277 if (i != 0) |
| 277 verify_result->has_md5_ca = true; | 278 verify_result->has_md5_ca = true; |
| 278 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { | 279 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { |
| 279 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 | 280 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 |
| 280 verify_result->has_md2 = true; | 281 verify_result->has_md2 = true; |
| 281 if (i != 0) | 282 if (i != 0) |
| 282 verify_result->has_md2_ca = true; | 283 verify_result->has_md2_ca = true; |
| 283 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { | 284 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { |
| 284 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 | 285 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 |
| 285 verify_result->has_md4 = true; | 286 verify_result->has_md4 = true; |
| 286 } | 287 } |
| 287 } | 288 } |
| 289 |
| 290 bool return_chain = !!(flags & x509_chain::VERIFY_RETURN_CHAIN); |
| 291 X509Certificate::OSCertHandles intermediates; |
| 292 for (int i = 1; return_chain && i < num_elements; ++i) { |
| 293 PCCERT_CONTEXT cert = element[i]->pCertContext; |
| 294 intermediates.push_back(cert); |
| 295 } |
| 296 |
| 297 if (return_chain && num_elements > 0) { |
| 298 verify_result->certificate = X509Certificate::CreateFromHandle( |
| 299 element[0]->pCertContext, intermediates); |
| 300 } |
| 288 } | 301 } |
| 289 | 302 |
| 290 /////////////////////////////////////////////////////////////////////////// | 303 /////////////////////////////////////////////////////////////////////////// |
| 291 // | 304 // |
| 292 // Functions used by X509Certificate::IsEV | 305 // Functions used by X509Certificate::IsEV |
| 293 // | 306 // |
| 294 /////////////////////////////////////////////////////////////////////////// | 307 /////////////////////////////////////////////////////////////////////////// |
| 295 | 308 |
| 296 // Constructs a certificate chain starting from the end certificate | 309 // Constructs a certificate chain starting from the end certificate |
| 297 // 'cert_context', matching any of the certificate policies. | 310 // 'cert_context', matching any of the certificate policies. |
| (...skipping 181 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 479 &chain_para, | 492 &chain_para, |
| 480 chain_flags, | 493 chain_flags, |
| 481 NULL, // reserved | 494 NULL, // reserved |
| 482 &chain_context)) { | 495 &chain_context)) { |
| 483 X509Certificate::FreeOSCertListHandle(cert_list); | 496 X509Certificate::FreeOSCertListHandle(cert_list); |
| 484 return MapSecurityError(GetLastError()); | 497 return MapSecurityError(GetLastError()); |
| 485 } | 498 } |
| 486 X509Certificate::FreeOSCertListHandle(cert_list); | 499 X509Certificate::FreeOSCertListHandle(cert_list); |
| 487 ScopedCertChainContext scoped_chain_context(chain_context); | 500 ScopedCertChainContext scoped_chain_context(chain_context); |
| 488 | 501 |
| 489 GetCertChainInfo(chain_context, verify_result); | 502 GetCertChainInfo(flags, chain_context, verify_result); |
| 490 | 503 |
| 491 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 504 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
| 492 chain_context->TrustStatus.dwErrorStatus); | 505 chain_context->TrustStatus.dwErrorStatus); |
| 493 | 506 |
| 494 // Treat certificates signed using broken signature algorithms as invalid. | 507 // Treat certificates signed using broken signature algorithms as invalid. |
| 495 if (verify_result->has_md4) | 508 if (verify_result->has_md4) |
| 496 verify_result->cert_status |= CERT_STATUS_INVALID; | 509 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 497 | 510 |
| 498 // Flag certificates signed using weak signature algorithms. | 511 // Flag certificates signed using weak signature algorithms. |
| 499 if (verify_result->has_md2) | 512 if (verify_result->has_md2) |
| (...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 590 | 603 |
| 591 // TODO(ukai): combine regular cert verification and EV cert verification. | 604 // TODO(ukai): combine regular cert verification and EV cert verification. |
| 592 if ((flags & VERIFY_EV_CERT) && VerifyEV(certificate)) | 605 if ((flags & VERIFY_EV_CERT) && VerifyEV(certificate)) |
| 593 verify_result->cert_status |= CERT_STATUS_IS_EV; | 606 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 594 return OK; | 607 return OK; |
| 595 } | 608 } |
| 596 | 609 |
| 597 } // namespace x509_chain | 610 } // namespace x509_chain |
| 598 | 611 |
| 599 } // namespace net | 612 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3146034:
Allow the constructed certificate chain to be returned in CertVerifyResult (Closed)
