OLD | NEW |
---|---|
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include "base/crypto/scoped_capi_types.h" | |
7 #include "base/logging.h" | 8 #include "base/logging.h" |
8 #include "base/pickle.h" | 9 #include "base/pickle.h" |
9 #include "base/string_tokenizer.h" | 10 #include "base/string_tokenizer.h" |
10 #include "base/string_util.h" | 11 #include "base/string_util.h" |
11 #include "base/utf_string_conversions.h" | 12 #include "base/utf_string_conversions.h" |
12 #include "net/base/cert_status_flags.h" | 13 #include "net/base/cert_status_flags.h" |
13 #include "net/base/cert_verify_result.h" | 14 #include "net/base/cert_verify_result.h" |
14 #include "net/base/ev_root_ca_metadata.h" | 15 #include "net/base/ev_root_ca_metadata.h" |
15 #include "net/base/net_errors.h" | 16 #include "net/base/net_errors.h" |
16 #include "net/base/scoped_cert_chain_context.h" | 17 #include "net/base/scoped_cert_chain_context.h" |
18 #include "net/base/test_root_certs.h" | |
17 | 19 |
18 #pragma comment(lib, "crypt32.lib") | 20 #pragma comment(lib, "crypt32.lib") |
19 | 21 |
20 using base::Time; | 22 using base::Time; |
21 | 23 |
22 namespace net { | 24 namespace net { |
23 | 25 |
24 namespace { | 26 namespace { |
25 | 27 |
28 typedef base::ScopedCAPIHandle< | |
29 HCERTSTORE, | |
30 base::CAPIDestroyerWithFlags<HCERTSTORE, | |
31 CertCloseStore, 0> > ScopedHCERTSTORE; | |
32 | |
26 //----------------------------------------------------------------------------- | 33 //----------------------------------------------------------------------------- |
27 | 34 |
28 // TODO(wtc): This is a copy of the MapSecurityError function in | 35 // TODO(wtc): This is a copy of the MapSecurityError function in |
29 // ssl_client_socket_win.cc. Another function that maps Windows error codes | 36 // ssl_client_socket_win.cc. Another function that maps Windows error codes |
30 // to our network error codes is WinInetUtil::OSErrorToNetError. We should | 37 // to our network error codes is WinInetUtil::OSErrorToNetError. We should |
31 // eliminate the code duplication. | 38 // eliminate the code duplication. |
32 int MapSecurityError(SECURITY_STATUS err) { | 39 int MapSecurityError(SECURITY_STATUS err) { |
33 // There are numerous security error codes, but these are the ones we thus | 40 // There are numerous security error codes, but these are the ones we thus |
34 // far find interesting. | 41 // far find interesting. |
35 switch (err) { | 42 switch (err) { |
(...skipping 562 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
598 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; | 605 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; |
599 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; | 606 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; |
600 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | 607 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = |
601 &ev_policy_oid; | 608 &ev_policy_oid; |
602 break; | 609 break; |
603 } | 610 } |
604 } | 611 } |
605 } | 612 } |
606 } | 613 } |
607 | 614 |
615 // Temporary roots may not exist in any system store, and therefore may not | |
616 // be available for certificate chain building. Create a certificate store | |
617 // collection containing both the certificate chain (the cert_handle's | |
618 // HCERTSTORE) and the temporary root's HCERTSTORE, so that Windows will | |
619 // search both. | |
bulach
2010/11/17 17:17:30
similarly here.
my (ignorable) suggestion both her
| |
620 TestRootCerts* temporary_roots = TestRootCerts::GetInstance(); | |
621 HCERTSTORE collection_store = temporary_roots->IsEmpty() ? | |
622 NULL : CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, NULL, 0, NULL); | |
623 if (collection_store) { | |
624 // Add the temporary roots with priority 0, so that certificates from the | |
625 // temporary roots will be of a higher priority for chain building. If | |
626 // they were a lower priority, it's possible a different root certificate | |
627 // than the one in the temporary roots will be used, which would cause | |
628 // the detection logic in FixTestRootTrust() to fail. | |
629 BOOL ok = CertAddStoreToCollection(collection_store, | |
630 temporary_roots->temporary_roots(), | |
631 0, 0); | |
632 if (ok) | |
633 ok = CertAddStoreToCollection(collection_store, | |
634 cert_handle_->hCertStore, 0, 1); | |
635 if (!ok) { | |
636 PLOG(ERROR) << "Unable to create temporary linked certificate store"; | |
637 CertCloseStore(collection_store, 0); | |
638 collection_store = NULL; | |
639 } | |
640 } | |
641 ScopedHCERTSTORE scoped_collection_store(collection_store); | |
642 HCERTSTORE intermediates_store = collection_store ? | |
643 collection_store : cert_handle_->hCertStore; | |
644 | |
608 PCCERT_CHAIN_CONTEXT chain_context; | 645 PCCERT_CHAIN_CONTEXT chain_context; |
609 // IE passes a non-NULL pTime argument that specifies the current system | 646 // IE passes a non-NULL pTime argument that specifies the current system |
610 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the | 647 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the |
611 // chain_flags argument. | 648 // chain_flags argument. |
612 if (!CertGetCertificateChain( | 649 if (!CertGetCertificateChain( |
613 NULL, // default chain engine, HCCE_CURRENT_USER | 650 NULL, // default chain engine, HCCE_CURRENT_USER |
614 cert_handle_, | 651 cert_handle_, |
615 NULL, // current system time | 652 NULL, // current system time |
616 cert_handle_->hCertStore, // search this store | 653 intermediates_store, |
617 &chain_para, | 654 &chain_para, |
618 chain_flags, | 655 chain_flags, |
619 NULL, // reserved | 656 NULL, // reserved |
620 &chain_context)) { | 657 &chain_context)) { |
621 return MapSecurityError(GetLastError()); | 658 return MapSecurityError(GetLastError()); |
622 } | 659 } |
623 if (chain_context->TrustStatus.dwErrorStatus & | 660 if (chain_context->TrustStatus.dwErrorStatus & |
624 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { | 661 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { |
625 ev_policy_oid = NULL; | 662 ev_policy_oid = NULL; |
626 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; | 663 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; |
627 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; | 664 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; |
628 CertFreeCertificateChain(chain_context); | 665 CertFreeCertificateChain(chain_context); |
629 if (!CertGetCertificateChain( | 666 if (!CertGetCertificateChain( |
630 NULL, // default chain engine, HCCE_CURRENT_USER | 667 NULL, // default chain engine, HCCE_CURRENT_USER |
631 cert_handle_, | 668 cert_handle_, |
632 NULL, // current system time | 669 NULL, // current system time |
633 cert_handle_->hCertStore, // search this store | 670 intermediates_store, |
634 &chain_para, | 671 &chain_para, |
635 chain_flags, | 672 chain_flags, |
636 NULL, // reserved | 673 NULL, // reserved |
637 &chain_context)) { | 674 &chain_context)) { |
638 return MapSecurityError(GetLastError()); | 675 return MapSecurityError(GetLastError()); |
639 } | 676 } |
640 } | 677 } |
641 ScopedCertChainContext scoped_chain_context(chain_context); | 678 ScopedCertChainContext scoped_chain_context(chain_context); |
642 | 679 |
680 TestRootCerts* root_certs = TestRootCerts::GetInstance(); | |
681 root_certs->UpdateChainContext( | |
682 const_cast<PCERT_CHAIN_CONTEXT>(chain_context)); | |
683 | |
643 GetCertChainInfo(chain_context, verify_result); | 684 GetCertChainInfo(chain_context, verify_result); |
644 | |
645 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 685 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
646 chain_context->TrustStatus.dwErrorStatus); | 686 chain_context->TrustStatus.dwErrorStatus); |
647 | 687 |
648 // Treat certificates signed using broken signature algorithms as invalid. | 688 // Treat certificates signed using broken signature algorithms as invalid. |
649 if (verify_result->has_md4) | 689 if (verify_result->has_md4) |
650 verify_result->cert_status |= CERT_STATUS_INVALID; | 690 verify_result->cert_status |= CERT_STATUS_INVALID; |
651 | 691 |
652 // Flag certificates signed using weak signature algorithms. | 692 // Flag certificates signed using weak signature algorithms. |
653 if (verify_result->has_md2) | 693 if (verify_result->has_md2) |
654 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 694 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
856 DWORD sha1_size = sizeof(sha1.data); | 896 DWORD sha1_size = sizeof(sha1.data); |
857 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 897 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
858 cert->cbCertEncoded, sha1.data, &sha1_size); | 898 cert->cbCertEncoded, sha1.data, &sha1_size); |
859 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 899 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
860 if (!rv) | 900 if (!rv) |
861 memset(sha1.data, 0, sizeof(sha1.data)); | 901 memset(sha1.data, 0, sizeof(sha1.data)); |
862 return sha1; | 902 return sha1; |
863 } | 903 } |
864 | 904 |
865 } // namespace net | 905 } // namespace net |
OLD | NEW |