OLD | NEW |
---|---|
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include "base/crypto/scoped_capi_types.h" | |
7 #include "base/logging.h" | 8 #include "base/logging.h" |
8 #include "base/pickle.h" | 9 #include "base/pickle.h" |
9 #include "base/string_tokenizer.h" | 10 #include "base/string_tokenizer.h" |
10 #include "base/string_util.h" | 11 #include "base/string_util.h" |
11 #include "base/utf_string_conversions.h" | 12 #include "base/utf_string_conversions.h" |
12 #include "net/base/cert_status_flags.h" | 13 #include "net/base/cert_status_flags.h" |
13 #include "net/base/cert_verify_result.h" | 14 #include "net/base/cert_verify_result.h" |
14 #include "net/base/ev_root_ca_metadata.h" | 15 #include "net/base/ev_root_ca_metadata.h" |
15 #include "net/base/net_errors.h" | 16 #include "net/base/net_errors.h" |
16 #include "net/base/scoped_cert_chain_context.h" | 17 #include "net/base/scoped_cert_chain_context.h" |
18 #include "net/base/temporary_root_certs.h" | |
17 | 19 |
18 #pragma comment(lib, "crypt32.lib") | 20 #pragma comment(lib, "crypt32.lib") |
19 | 21 |
20 using base::Time; | 22 using base::Time; |
21 | 23 |
22 namespace net { | 24 namespace net { |
23 | 25 |
24 namespace { | 26 namespace { |
25 | 27 |
28 typedef base::ScopedCAPIHandle< | |
29 HCERTSTORE, | |
30 base::CAPIDestroyerWithFlags<HCERTSTORE, | |
31 CertCloseStore, 0> > ScopedHCERTSTORE; | |
32 | |
26 //----------------------------------------------------------------------------- | 33 //----------------------------------------------------------------------------- |
27 | 34 |
28 // TODO(wtc): This is a copy of the MapSecurityError function in | 35 // TODO(wtc): This is a copy of the MapSecurityError function in |
29 // ssl_client_socket_win.cc. Another function that maps Windows error codes | 36 // ssl_client_socket_win.cc. Another function that maps Windows error codes |
30 // to our network error codes is WinInetUtil::OSErrorToNetError. We should | 37 // to our network error codes is WinInetUtil::OSErrorToNetError. We should |
31 // eliminate the code duplication. | 38 // eliminate the code duplication. |
32 int MapSecurityError(SECURITY_STATUS err) { | 39 int MapSecurityError(SECURITY_STATUS err) { |
33 // There are numerous security error codes, but these are the ones we thus | 40 // There are numerous security error codes, but these are the ones we thus |
34 // far find interesting. | 41 // far find interesting. |
35 switch (err) { | 42 switch (err) { |
(...skipping 248 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
284 verify_result->has_md2 = true; | 291 verify_result->has_md2 = true; |
285 if (i != 0) | 292 if (i != 0) |
286 verify_result->has_md2_ca = true; | 293 verify_result->has_md2_ca = true; |
287 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { | 294 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { |
288 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 | 295 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 |
289 verify_result->has_md4 = true; | 296 verify_result->has_md4 = true; |
290 } | 297 } |
291 } | 298 } |
292 } | 299 } |
293 | 300 |
301 void FixTestRootTrust(PCERT_CHAIN_CONTEXT chain_context) { | |
bulach
2010/11/09 16:21:09
same as above, I think this should be exposed some
| |
302 if ((chain_context->TrustStatus.dwErrorStatus & | |
303 CERT_TRUST_IS_UNTRUSTED_ROOT) == 0) | |
304 return; // Trusted certificate - nothing to fix. | |
305 | |
306 TemporaryRootCerts* temporary_roots = TemporaryRootCerts::GetInstance(); | |
307 if (temporary_roots->IsEmpty()) | |
308 return; // No need to scan - no temporary trusted certificates. | |
309 | |
310 // Windows does not support application-level trusts until Win 7, via | |
311 // CERT_CHAIN_ENGINE_CONFIG.hExclusiveRoot. Because of this, a messy, | |
312 // manual, brute-force method is used for unit tests. Look through every | |
313 // chain on |chain_context|, looking for a chain which contains one of the | |
314 // trusted certificates. If a matching certificate is found, unset the | |
315 // three status-bits that Windows sets when an untrusted root is found. | |
316 // Any other failure states are left unmodified, so that situations like | |
317 // name or date mismatches are properly reported. | |
318 for (DWORD chain_index = 0; chain_index < chain_context->cChain; | |
319 ++chain_index) { | |
320 PCERT_SIMPLE_CHAIN chain = chain_context->rgpChain[chain_index]; | |
321 // Scan through all the certificates, rather than just the root, since | |
322 // an RFC 3280/5280 trust anchor may be any certificate in the chain, not | |
323 // just the root certificate. | |
324 for (DWORD element_index = 0; element_index < chain->cElement; | |
325 ++element_index) { | |
326 PCERT_CHAIN_ELEMENT element = chain->rgpElement[element_index]; | |
327 PCCERT_CONTEXT cert = CertFindCertificateInStore( | |
328 temporary_roots->temporary_roots(), | |
329 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_EXISTING, | |
330 element->pCertContext, NULL); | |
331 if (cert != NULL) { | |
332 CertFreeCertificateContext(cert); | |
333 | |
334 // Unset both the element status and the overall chain status, in the | |
335 // event a Windows function drills down into the chain. | |
336 if (element->TrustStatus.dwErrorStatus & | |
337 CERT_TRUST_IS_UNTRUSTED_ROOT) { | |
338 element->TrustStatus.dwErrorStatus &= | |
339 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | | |
340 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | | |
341 CERT_TRUST_IS_OFFLINE_REVOCATION); | |
342 chain_context->TrustStatus.dwErrorStatus &= | |
343 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | | |
344 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | | |
345 CERT_TRUST_IS_OFFLINE_REVOCATION); | |
346 return; | |
347 } | |
348 } | |
349 } | |
350 } | |
351 } | |
352 | |
294 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO | 353 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO |
295 // structure and stores it in *output. | 354 // structure and stores it in *output. |
296 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, | 355 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, |
297 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { | 356 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { |
298 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, | 357 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, |
299 cert->pCertInfo->cExtension, | 358 cert->pCertInfo->cExtension, |
300 cert->pCertInfo->rgExtension); | 359 cert->pCertInfo->rgExtension); |
301 if (!extension) | 360 if (!extension) |
302 return; | 361 return; |
303 | 362 |
(...skipping 294 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
598 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; | 657 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; |
599 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; | 658 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; |
600 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | 659 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = |
601 &ev_policy_oid; | 660 &ev_policy_oid; |
602 break; | 661 break; |
603 } | 662 } |
604 } | 663 } |
605 } | 664 } |
606 } | 665 } |
607 | 666 |
667 // Temporary roots may not exist in any system store, and therefore may not | |
668 // be available for certificate chain building. Create a certificate store | |
669 // collection containing both the certificate chain (the cert_handle's | |
670 // HCERTSTORE) and the temporary root's HCERTSTORE, so that Windows will | |
671 // search both. | |
672 TemporaryRootCerts* temporary_roots = TemporaryRootCerts::GetInstance(); | |
673 HCERTSTORE collection_store = | |
674 temporary_roots->IsEmpty() ? NULL : | |
675 CertOpenStore(CERT_STORE_PROV_COLLECTION, | |
676 0, NULL, 0, NULL); | |
677 if (collection_store) { | |
678 // Add the temporary roots with priority 0, so that certificates from the | |
679 // temporary roots will be of a higher priority for chain building. If | |
680 // they were a lower priority, it's possible a different root certificate | |
681 // than the one in the temporary roots will be used, which would cause | |
682 // the detection logic in FixTestRootTrust() to fail. | |
683 BOOL ok = CertAddStoreToCollection(collection_store, | |
684 temporary_roots->temporary_roots(), | |
685 0, 0); | |
686 if (ok) | |
687 ok = CertAddStoreToCollection(collection_store, | |
688 cert_handle_->hCertStore, 0, 1); | |
689 if (!ok) { | |
690 PLOG(ERROR) << "Unable to create temporary linked certificate store"; | |
691 CertCloseStore(collection_store, 0); | |
692 collection_store = NULL; | |
693 } | |
694 } | |
695 ScopedHCERTSTORE scoped_collection_store(collection_store); | |
696 | |
608 PCCERT_CHAIN_CONTEXT chain_context; | 697 PCCERT_CHAIN_CONTEXT chain_context; |
609 // IE passes a non-NULL pTime argument that specifies the current system | 698 // IE passes a non-NULL pTime argument that specifies the current system |
610 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the | 699 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the |
611 // chain_flags argument. | 700 // chain_flags argument. |
612 if (!CertGetCertificateChain( | 701 if (!CertGetCertificateChain( |
613 NULL, // default chain engine, HCCE_CURRENT_USER | 702 NULL, // default chain engine, HCCE_CURRENT_USER |
614 cert_handle_, | 703 cert_handle_, |
615 NULL, // current system time | 704 NULL, // current system time |
616 cert_handle_->hCertStore, // search this store | 705 scoped_collection_store ? scoped_collection_store : |
wtc
2010/11/16 23:24:01
Nit: use a local variable for this, so that we don
| |
706 cert_handle_->hCertStore, | |
617 &chain_para, | 707 &chain_para, |
618 chain_flags, | 708 chain_flags, |
619 NULL, // reserved | 709 NULL, // reserved |
620 &chain_context)) { | 710 &chain_context)) { |
621 return MapSecurityError(GetLastError()); | 711 return MapSecurityError(GetLastError()); |
622 } | 712 } |
623 if (chain_context->TrustStatus.dwErrorStatus & | 713 if (chain_context->TrustStatus.dwErrorStatus & |
624 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { | 714 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { |
625 ev_policy_oid = NULL; | 715 ev_policy_oid = NULL; |
626 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; | 716 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; |
627 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; | 717 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; |
628 CertFreeCertificateChain(chain_context); | 718 CertFreeCertificateChain(chain_context); |
629 if (!CertGetCertificateChain( | 719 if (!CertGetCertificateChain( |
630 NULL, // default chain engine, HCCE_CURRENT_USER | 720 NULL, // default chain engine, HCCE_CURRENT_USER |
631 cert_handle_, | 721 cert_handle_, |
632 NULL, // current system time | 722 NULL, // current system time |
633 cert_handle_->hCertStore, // search this store | 723 scoped_collection_store ? scoped_collection_store : |
724 cert_handle_->hCertStore, | |
634 &chain_para, | 725 &chain_para, |
635 chain_flags, | 726 chain_flags, |
636 NULL, // reserved | 727 NULL, // reserved |
637 &chain_context)) { | 728 &chain_context)) { |
638 return MapSecurityError(GetLastError()); | 729 return MapSecurityError(GetLastError()); |
639 } | 730 } |
640 } | 731 } |
641 ScopedCertChainContext scoped_chain_context(chain_context); | 732 ScopedCertChainContext scoped_chain_context(chain_context); |
642 | 733 |
643 GetCertChainInfo(chain_context, verify_result); | 734 GetCertChainInfo(chain_context, verify_result); |
644 | 735 |
736 FixTestRootTrust(const_cast<PCERT_CHAIN_CONTEXT>(chain_context)); | |
wtc
2010/11/16 23:24:01
BUG: Move this up, so that we call FixTestRootTrus
| |
737 | |
645 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 738 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
646 chain_context->TrustStatus.dwErrorStatus); | 739 chain_context->TrustStatus.dwErrorStatus); |
647 | 740 |
648 // Treat certificates signed using broken signature algorithms as invalid. | 741 // Treat certificates signed using broken signature algorithms as invalid. |
649 if (verify_result->has_md4) | 742 if (verify_result->has_md4) |
650 verify_result->cert_status |= CERT_STATUS_INVALID; | 743 verify_result->cert_status |= CERT_STATUS_INVALID; |
651 | 744 |
652 // Flag certificates signed using weak signature algorithms. | 745 // Flag certificates signed using weak signature algorithms. |
653 if (verify_result->has_md2) | 746 if (verify_result->has_md2) |
654 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 747 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
856 DWORD sha1_size = sizeof(sha1.data); | 949 DWORD sha1_size = sizeof(sha1.data); |
857 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 950 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
858 cert->cbCertEncoded, sha1.data, &sha1_size); | 951 cert->cbCertEncoded, sha1.data, &sha1_size); |
859 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 952 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
860 if (!rv) | 953 if (!rv) |
861 memset(sha1.data, 0, sizeof(sha1.data)); | 954 memset(sha1.data, 0, sizeof(sha1.data)); |
862 return sha1; | 955 return sha1; |
863 } | 956 } |
864 | 957 |
865 } // namespace net | 958 } // namespace net |
OLD | NEW |