| OLD | NEW |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 | 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 |
| 8 // until NSS 3.12.2 comes out and we update to it. | 8 // until NSS 3.12.2 comes out and we update to it. |
| 9 #define Lock FOO_NSS_Lock | 9 #define Lock FOO_NSS_Lock |
| 10 #include <cert.h> | 10 #include <cert.h> |
| (...skipping 102 matching lines...) |
| 113 | 113 |
| 114 private: | 114 private: |
| 115 CERTValOutParam* cvout_; | 115 CERTValOutParam* cvout_; |
| 116 | 116 |
| 117 DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam); | 117 DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam); |
| 118 }; | 118 }; |
| 119 | 119 |
| 120 // Map PORT_GetError() return values to our network error codes. | 120 // Map PORT_GetError() return values to our network error codes. |
| 121 int MapSecurityError(int err) { | 121 int MapSecurityError(int err) { |
| 122 switch (err) { | 122 switch (err) { |
| 123 case SEC_ERROR_INVALID_ARGS: |
| 124 return ERR_INVALID_ARGUMENT; |
| 123 case SEC_ERROR_INVALID_TIME: | 125 case SEC_ERROR_INVALID_TIME: |
| 124 case SEC_ERROR_EXPIRED_CERTIFICATE: | 126 case SEC_ERROR_EXPIRED_CERTIFICATE: |
| 125 return ERR_CERT_DATE_INVALID; | 127 return ERR_CERT_DATE_INVALID; |
| 126 case SEC_ERROR_UNKNOWN_ISSUER: | 128 case SEC_ERROR_UNKNOWN_ISSUER: |
| 127 case SEC_ERROR_UNTRUSTED_ISSUER: | 129 case SEC_ERROR_UNTRUSTED_ISSUER: |
| 128 case SEC_ERROR_CA_CERT_INVALID: | 130 case SEC_ERROR_CA_CERT_INVALID: |
| 129 case SEC_ERROR_UNTRUSTED_CERT: | 131 case SEC_ERROR_UNTRUSTED_CERT: |
| 130 return ERR_CERT_AUTHORITY_INVALID; | 132 return ERR_CERT_AUTHORITY_INVALID; |
| 131 case SEC_ERROR_REVOKED_CERTIFICATE: | 133 case SEC_ERROR_REVOKED_CERTIFICATE: |
| 132 return ERR_CERT_REVOKED; | 134 return ERR_CERT_REVOKED; |
| (...skipping 196 matching lines...) |
| 329 } | 331 } |
| 330 PORT_FreeArena(arena, PR_FALSE); | 332 PORT_FreeArena(arena, PR_FALSE); |
| 331 } | 333 } |
| 332 | 334 |
| 333 // Call CERT_PKIXVerifyCert for the cert_handle. | 335 // Call CERT_PKIXVerifyCert for the cert_handle. |
| 334 // Verification results are stored in an array of CERTValOutParam. | 336 // Verification results are stored in an array of CERTValOutParam. |
| 335 // If policy_oids is not NULL and num_policy_oids is positive, policies | 337 // If policy_oids is not NULL and num_policy_oids is positive, policies |
| 336 // are also checked. | 338 // are also checked. |
| 337 // Caller must initialize cvout before calling this function. | 339 // Caller must initialize cvout before calling this function. |
| 338 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, | 340 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, |
| 341 bool check_revocation, |
| 339 const SECOidTag* policy_oids, | 342 const SECOidTag* policy_oids, |
| 340 int num_policy_oids, | 343 int num_policy_oids, |
| 341 CERTValOutParam* cvout) { | 344 CERTValOutParam* cvout) { |
| 342 bool use_crl = true; | 345 bool use_crl = check_revocation; |
| 343 bool use_ocsp = true; | 346 bool use_ocsp = check_revocation; |
| 344 | 347 |
| 345 PRUint64 revocation_method_flags = | 348 PRUint64 revocation_method_flags = |
| 346 CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | | 349 CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | |
| 347 CERT_REV_M_ALLOW_NETWORK_FETCHING | | 350 CERT_REV_M_ALLOW_NETWORK_FETCHING | |
| 348 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE | | 351 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE | |
| 349 CERT_REV_M_IGNORE_MISSING_FRESH_INFO | | 352 CERT_REV_M_IGNORE_MISSING_FRESH_INFO | |
| 350 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; | 353 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; |
| 351 PRUint64 revocation_method_independent_flags = | 354 PRUint64 revocation_method_independent_flags = |
| 352 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; | 355 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; |
| 353 if (policy_oids && num_policy_oids > 0) { | 356 if (policy_oids && num_policy_oids > 0) { |
| (...skipping 41 matching lines...) |
| 395 | 398 |
| 396 revocation_flags.chainTests.number_of_defined_methods = | 399 revocation_flags.chainTests.number_of_defined_methods = |
| 397 arraysize(method_flags); | 400 arraysize(method_flags); |
| 398 revocation_flags.chainTests.cert_rev_flags_per_method = method_flags; | 401 revocation_flags.chainTests.cert_rev_flags_per_method = method_flags; |
| 399 revocation_flags.chainTests.number_of_preferred_methods = | 402 revocation_flags.chainTests.number_of_preferred_methods = |
| 400 arraysize(preferred_revocation_methods); | 403 arraysize(preferred_revocation_methods); |
| 401 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; | 404 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; |
| 402 revocation_flags.chainTests.cert_rev_method_independent_flags = | 405 revocation_flags.chainTests.cert_rev_method_independent_flags = |
| 403 revocation_method_independent_flags; | 406 revocation_method_independent_flags; |
| 404 | 407 |
| 405 CERTValInParam cvin[3]; | 408 CERTValInParam cvin[4]; |
| 406 int cvin_index = 0; | 409 int cvin_index = 0; |
| 407 // No need to set cert_pi_trustAnchors here. | 410 // No need to set cert_pi_trustAnchors here. |
| 408 // TODO(ukai): use cert_pi_useAIACertFetch (new feature in NSS 3.12.1). | |
| 409 cvin[cvin_index].type = cert_pi_revocationFlags; | 411 cvin[cvin_index].type = cert_pi_revocationFlags; |
| 410 cvin[cvin_index].value.pointer.revocation = &revocation_flags; | 412 cvin[cvin_index].value.pointer.revocation = &revocation_flags; |
| 411 cvin_index++; | 413 cvin_index++; |
| 414 cvin[cvin_index].type = cert_pi_useAIACertFetch; |
| 415 cvin[cvin_index].value.scalar.b = PR_TRUE; |
| 416 cvin_index++; |
| 412 std::vector<SECOidTag> policies; | 417 std::vector<SECOidTag> policies; |
| 413 if (policy_oids && num_policy_oids > 0) { | 418 if (policy_oids && num_policy_oids > 0) { |
| 414 cvin[cvin_index].type = cert_pi_policyOID; | 419 cvin[cvin_index].type = cert_pi_policyOID; |
| 415 cvin[cvin_index].value.arraySize = num_policy_oids; | 420 cvin[cvin_index].value.arraySize = num_policy_oids; |
| 416 cvin[cvin_index].value.array.oids = policy_oids; | 421 cvin[cvin_index].value.array.oids = policy_oids; |
| 417 cvin_index++; | 422 cvin_index++; |
| 418 } | 423 } |
| 419 cvin[cvin_index].type = cert_pi_end; | 424 cvin[cvin_index].type = cert_pi_end; |
| 420 | 425 |
| 421 return CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, | 426 return CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, |
| (...skipping 94 matching lines...) |
| 516 CERTValOutParam cvout[3]; | 521 CERTValOutParam cvout[3]; |
| 517 int cvout_index = 0; | 522 int cvout_index = 0; |
| 518 // We don't need the trust anchor for the first PKIXVerifyCert call. | 523 // We don't need the trust anchor for the first PKIXVerifyCert call. |
| 519 cvout[cvout_index].type = cert_po_certList; | 524 cvout[cvout_index].type = cert_po_certList; |
| 520 cvout[cvout_index].value.pointer.chain = NULL; | 525 cvout[cvout_index].value.pointer.chain = NULL; |
| 521 int cvout_cert_list_index = cvout_index; | 526 int cvout_cert_list_index = cvout_index; |
| 522 cvout_index++; | 527 cvout_index++; |
| 523 cvout[cvout_index].type = cert_po_end; | 528 cvout[cvout_index].type = cert_po_end; |
| 524 ScopedCERTValOutParam scoped_cvout(cvout); | 529 ScopedCERTValOutParam scoped_cvout(cvout); |
| 525 | 530 |
| 526 verify_result->cert_status |= net::CERT_STATUS_REV_CHECKING_ENABLED; | 531 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); |
| 527 status = PKIXVerifyCert(cert_handle_, NULL, 0, cvout); | 532 if (check_revocation) { |
| 533 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 534 } else { |
| 535 // EV requires revocation checking. |
| 536 flags &= ~VERIFY_EV_CERT; |
| 537 } |
| 538 status = PKIXVerifyCert(cert_handle_, check_revocation, NULL, 0, cvout); |
| 528 if (status != SECSuccess) { | 539 if (status != SECSuccess) { |
| 529 int err = PORT_GetError(); | 540 int err = PORT_GetError(); |
| 530 LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname | 541 LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname |
| 531 << " failed err=" << err; | 542 << " failed err=" << err; |
| 532 // CERT_PKIXVerifyCert rerports the wrong error code for | 543 // CERT_PKIXVerifyCert rerports the wrong error code for |
| 533 // expired certificates (NSS bug 491174) | 544 // expired certificates (NSS bug 491174) |
| 534 if (err == SEC_ERROR_CERT_NOT_VALID && | 545 if (err == SEC_ERROR_CERT_NOT_VALID && |
| 535 (verify_result->cert_status & CERT_STATUS_DATE_INVALID) != 0) | 546 (verify_result->cert_status & CERT_STATUS_DATE_INVALID) != 0) |
| 536 err = SEC_ERROR_EXPIRED_CERTIFICATE; | 547 err = SEC_ERROR_EXPIRED_CERTIFICATE; |
| 537 verify_result->cert_status |= MapCertErrorToCertStatus(err); | 548 int cert_status = MapCertErrorToCertStatus(err); |
| 538 return MapCertStatusToNetError(verify_result->cert_status); | 549 if (cert_status) { |
| 550 verify_result->cert_status |= cert_status; |
| 551 return MapCertStatusToNetError(verify_result->cert_status); |
| 552 } |
| 553 // |err| is not a certificate error. |
| 554 return MapSecurityError(err); |
| 539 } | 555 } |
| 540 | 556 |
| 541 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 557 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
| 542 verify_result); | 558 verify_result); |
| 543 if (IsCertStatusError(verify_result->cert_status)) | 559 if (IsCertStatusError(verify_result->cert_status)) |
| 544 return MapCertStatusToNetError(verify_result->cert_status); | 560 return MapCertStatusToNetError(verify_result->cert_status); |
| 545 | 561 |
| 546 if ((flags & VERIFY_EV_CERT) && VerifyEV()) | 562 if ((flags & VERIFY_EV_CERT) && VerifyEV()) |
| 547 verify_result->cert_status |= CERT_STATUS_IS_EV; | 563 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 548 return OK; | 564 return OK; |
| (...skipping 12 matching lines...) |
| 561 CERTValOutParam cvout[3]; | 577 CERTValOutParam cvout[3]; |
| 562 int cvout_index = 0; | 578 int cvout_index = 0; |
| 563 cvout[cvout_index].type = cert_po_trustAnchor; | 579 cvout[cvout_index].type = cert_po_trustAnchor; |
| 564 cvout[cvout_index].value.pointer.cert = NULL; | 580 cvout[cvout_index].value.pointer.cert = NULL; |
| 565 int cvout_trust_anchor_index = cvout_index; | 581 int cvout_trust_anchor_index = cvout_index; |
| 566 cvout_index++; | 582 cvout_index++; |
| 567 cvout[cvout_index].type = cert_po_end; | 583 cvout[cvout_index].type = cert_po_end; |
| 568 ScopedCERTValOutParam scoped_cvout(cvout); | 584 ScopedCERTValOutParam scoped_cvout(cvout); |
| 569 | 585 |
| 570 SECStatus status = PKIXVerifyCert(cert_handle_, | 586 SECStatus status = PKIXVerifyCert(cert_handle_, |
| 587 true, |
| 571 metadata->GetPolicyOIDs(), | 588 metadata->GetPolicyOIDs(), |
| 572 metadata->NumPolicyOIDs(), | 589 metadata->NumPolicyOIDs(), |
| 573 cvout); | 590 cvout); |
| 574 if (status != SECSuccess) | 591 if (status != SECSuccess) |
| 575 return false; | 592 return false; |
| 576 | 593 |
| 577 CERTCertificate* root_ca = | 594 CERTCertificate* root_ca = |
| 578 cvout[cvout_trust_anchor_index].value.pointer.cert; | 595 cvout[cvout_trust_anchor_index].value.pointer.cert; |
| 579 if (root_ca == NULL) | 596 if (root_ca == NULL) |
| 580 return false; | 597 return false; |
| (...skipping 36 matching lines...) |
| 617 DCHECK(0 != cert->derCert.len); | 634 DCHECK(0 != cert->derCert.len); |
| 618 | 635 |
| 619 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, | 636 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, |
| 620 cert->derCert.data, cert->derCert.len); | 637 cert->derCert.data, cert->derCert.len); |
| 621 DCHECK(rv == SECSuccess); | 638 DCHECK(rv == SECSuccess); |
| 622 | 639 |
| 623 return sha1; | 640 return sha1; |
| 624 } | 641 } |
| 625 | 642 |
| 626 } // namespace net | 643 } // namespace net |
| OLD | NEW |
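Review bot: The new `cert_pi_useAIACertFetch` entry in PKIXVerifyCert (new lines 414-416) is set to `PR_TRUE` unconditionally, so chain building may fetch missing issuer certificates over the network, presumably from AIA URLs named in the certificate being verified, and it does so even when the caller passes `check_revocation == false`. If that is intended, record it at the assignment, e.g. `// AIA fetching is independent of check_revocation; the URLs come from the untrusted cert.`; if callers that disable revocation checking also expect no network access during verification, gate it with `cvin[cvin_index].value.scalar.b = check_revocation ? PR_TRUE : PR_FALSE;` or a separate parameter. `cvin[4]` is now exactly full when policy OIDs are supplied (revocation flags, AIA fetch, policy OID, end marker), so `DCHECK(cvin_index < static_cast<int>(arraysize(cvin)));` before the `cert_pi_end` write would catch the next added parameter. In the failure path at new lines 548-554, a non-certificate error now returns `MapSecurityError(err)` with no error bit set in `verify_result->cert_status`, so a comment there should state that callers must act on the return code and not on `cert_status` alone. Parts of both functions are elided on this page, so these points rest on the visible lines only.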