| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
| 8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
| 9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
| 10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
| 11 #include <openssl/pkcs7.h> | 11 #include <openssl/pkcs7.h> |
| (...skipping 360 matching lines...) | |
| 372 | 372 |
| 373 if (dns_names->empty()) | 373 if (dns_names->empty()) |
| 374 dns_names->push_back(subject_.common_name); | 374 dns_names->push_back(subject_.common_name); |
| 375 } | 375 } |
| 376 | 376 |
| 377 int X509Certificate::Verify(const std::string& hostname, | 377 int X509Certificate::Verify(const std::string& hostname, |
| 378 int flags, | 378 int flags, |
| 379 CertVerifyResult* verify_result) const { | 379 CertVerifyResult* verify_result) const { |
| 380 verify_result->Reset(); | 380 verify_result->Reset(); |
| 381 | 381 |
| 382 // TODO(joth): We should fetch the subjectAltNames directly rather than via | |
|
wtc
2010/11/03 00:29:49
Please file a bug report for this work.
joth
2010/11/12 18:55:23
Done.
| |
| 383 // GetDNSNames, so we can apply special handling for IP addresses vs DNS | |
| 384 // names, etc. | |
| 385 std::vector<std::string> cert_names; | |
| 386 GetDNSNames(&cert_names); | |
| 387 if (!x509_openssl_util::VerifyHostname(hostname, cert_names)) | |
| 388 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | |
| 389 | |
| 382 ScopedSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(X509_STORE_CTX_new()); | 390 ScopedSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(X509_STORE_CTX_new()); |
| 383 | 391 |
| 384 ScopedSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(sk_X509_new_null()); | 392 ScopedSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(sk_X509_new_null()); |
| 385 if (!intermediates.get()) | 393 if (!intermediates.get()) |
| 386 return ERR_OUT_OF_MEMORY; | 394 return ERR_OUT_OF_MEMORY; |
| 387 | 395 |
| 388 for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin(); | 396 for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin(); |
| 389 it != intermediate_ca_certs_.end(); ++it) { | 397 it != intermediate_ca_certs_.end(); ++it) { |
| 390 if (!sk_X509_push(intermediates.get(), *it)) | 398 if (!sk_X509_push(intermediates.get(), *it)) |
| 391 return ERR_OUT_OF_MEMORY; | 399 return ERR_OUT_OF_MEMORY; |
| (...skipping 30 matching lines...) | |
| 422 // cache the DER (if not already cached via X509_set_ex_data). | 430 // cache the DER (if not already cached via X509_set_ex_data). |
| 423 DERCache der_cache_a, der_cache_b; | 431 DERCache der_cache_a, der_cache_b; |
| 424 | 432 |
| 425 return GetDERAndCacheIfNeeded(a, &der_cache_a) && | 433 return GetDERAndCacheIfNeeded(a, &der_cache_a) && |
| 426 GetDERAndCacheIfNeeded(b, &der_cache_b) && | 434 GetDERAndCacheIfNeeded(b, &der_cache_b) && |
| 427 der_cache_a.data_length == der_cache_b.data_length && | 435 der_cache_a.data_length == der_cache_b.data_length && |
| 428 memcmp(der_cache_a.data, der_cache_b.data, der_cache_a.data_length) == 0; | 436 memcmp(der_cache_a.data, der_cache_b.data, der_cache_a.data_length) == 0; |
| 429 } | 437 } |
| 430 | 438 |
| 431 } // namespace net | 439 } // namespace net |
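Review bot: In the block added to `X509Certificate::Verify` (the lines numbered 385-388), a hostname mismatch only ORs `CERT_STATUS_COMMON_NAME_INVALID` into `verify_result->cert_status` and execution continues into the chain-building code. The part of the function that turns `cert_status` into the return value is in the skipped lines, so it should be confirmed there that a mismatch can never end in `OK`. The list being matched comes from `GetDNSNames`, and the function tail just above `Verify` (apparently `GetDNSNames`) falls back to `subject_.common_name` whenever no DNS names were collected, so a certificate whose subjectAltName holds only non-DNS entries would presumably still be matched on its CN. The TODO points in that direction, but I would state the limit where it applies, e.g. `// NOTE: cert_names falls back to the subject CN when no DNS names are found, even if a subjectAltName extension is present.` Because `cert_names` holds length-counted `std::string`s, a unit test confirming that `x509_openssl_util::VerifyHostname` rejects a certificate name with an embedded NUL would also be worth adding; that helper is not visible on this page.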