OLD | NEW |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
9 #include <time.h> | 9 #include <time.h> |
10 | 10 |
11 #include "base/logging.h" | 11 #include "base/logging.h" |
12 #include "base/pickle.h" | 12 #include "base/pickle.h" |
13 #include "base/mac/scoped_cftyperef.h" | 13 #include "base/mac/scoped_cftyperef.h" |
14 #include "base/sys_string_conversions.h" | 14 #include "base/sys_string_conversions.h" |
15 #include "net/base/cert_status_flags.h" | 15 #include "net/base/cert_status_flags.h" |
16 #include "net/base/cert_verify_result.h" | 16 #include "net/base/cert_verify_result.h" |
17 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 18 #include "net/base/test_root_certs.h" |
18 | 19 |
19 using base::mac::ScopedCFTypeRef; | 20 using base::mac::ScopedCFTypeRef; |
20 using base::Time; | 21 using base::Time; |
21 | 22 |
22 namespace net { | 23 namespace net { |
23 | 24 |
24 class MacTrustedCertificates { | |
25 public: | |
26 // Sets the trusted root certificate used by tests. Call with |cert| set | |
27 // to NULL to clear the test certificate. | |
28 void SetTestCertificate(X509Certificate* cert) { | |
29 AutoLock lock(lock_); | |
30 test_certificate_ = cert; | |
31 } | |
32 | |
33 // Returns an array containing the trusted certificates for use with | |
34 // SecTrustSetAnchorCertificates(). Returns NULL if the system-supplied | |
35 // list of trust anchors is acceptable (that is, there is not test | |
36 // certificate available). Ownership follows the Create Rule (caller | |
37 // is responsible for calling CFRelease on the non-NULL result). | |
38 CFArrayRef CopyTrustedCertificateArray() { | |
39 AutoLock lock(lock_); | |
40 | |
41 if (!test_certificate_) | |
42 return NULL; | |
43 | |
44 // Failure to copy the anchor certificates or add the test certificate | |
45 // is non-fatal; SecTrustEvaluate() will use the system anchors instead. | |
46 CFArrayRef anchor_array; | |
47 OSStatus status = SecTrustCopyAnchorCertificates(&anchor_array); | |
48 if (status) | |
49 return NULL; | |
50 ScopedCFTypeRef<CFArrayRef> scoped_anchor_array(anchor_array); | |
51 CFMutableArrayRef merged_array = CFArrayCreateMutableCopy( | |
52 kCFAllocatorDefault, 0, anchor_array); | |
53 if (!merged_array) | |
54 return NULL; | |
55 CFArrayAppendValue(merged_array, test_certificate_->os_cert_handle()); | |
56 | |
57 return merged_array; | |
58 } | |
59 private: | |
60 friend struct DefaultSingletonTraits<MacTrustedCertificates>; | |
61 | |
62 // Obtain an instance of MacTrustedCertificates via the singleton | |
63 // interface. | |
64 MacTrustedCertificates() : test_certificate_(NULL) { } | |
65 | |
66 // An X509Certificate object that may be appended to the list of | |
67 // system trusted anchors. | |
68 scoped_refptr<X509Certificate> test_certificate_; | |
69 | |
70 // The trusted cache may be accessed from multiple threads. | |
71 mutable Lock lock_; | |
72 | |
73 DISALLOW_COPY_AND_ASSIGN(MacTrustedCertificates); | |
74 }; | |
75 | |
76 void SetMacTestCertificate(X509Certificate* cert) { | |
77 Singleton<MacTrustedCertificates>::get()->SetTestCertificate(cert); | |
78 } | |
79 | |
80 namespace { | 25 namespace { |
81 | 26 |
82 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef, | 27 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef, |
83 CFDictionaryRef*); | 28 CFDictionaryRef*); |
84 | 29 |
85 int NetErrorFromOSStatus(OSStatus status) { | 30 int NetErrorFromOSStatus(OSStatus status) { |
86 switch (status) { | 31 switch (status) { |
87 case noErr: | 32 case noErr: |
88 return OK; | 33 return OK; |
89 case errSecNotAvailable: | 34 case errSecNotAvailable: |
(...skipping 445 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
535 // Apple's cert code, which we suspect are caused by a thread-safety issue. | 480 // Apple's cert code, which we suspect are caused by a thread-safety issue. |
536 // So as a speculative fix allow only one thread to use SecTrust on this cert. | 481 // So as a speculative fix allow only one thread to use SecTrust on this cert. |
537 AutoLock lock(verification_lock_); | 482 AutoLock lock(verification_lock_); |
538 | 483 |
539 SecTrustRef trust_ref = NULL; | 484 SecTrustRef trust_ref = NULL; |
540 status = SecTrustCreateWithCertificates(cert_array, ssl_policy, &trust_ref); | 485 status = SecTrustCreateWithCertificates(cert_array, ssl_policy, &trust_ref); |
541 if (status) | 486 if (status) |
542 return NetErrorFromOSStatus(status); | 487 return NetErrorFromOSStatus(status); |
543 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref); | 488 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref); |
544 | 489 |
545 // Set the trusted anchor certificates for the SecTrustRef by merging the | 490 if (TestRootCerts::HasInstance()) { |
546 // system trust anchors and the test root certificate. | 491 status = TestRootCerts::GetInstance()->FixupSecTrustRef(trust_ref); |
547 CFArrayRef anchor_array = | |
548 Singleton<MacTrustedCertificates>::get()->CopyTrustedCertificateArray(); | |
549 ScopedCFTypeRef<CFArrayRef> scoped_anchor_array(anchor_array); | |
550 if (anchor_array) { | |
551 status = SecTrustSetAnchorCertificates(trust_ref, anchor_array); | |
552 if (status) | 492 if (status) |
553 return NetErrorFromOSStatus(status); | 493 return NetErrorFromOSStatus(status); |
554 } | 494 } |
555 | 495 |
556 if (flags & VERIFY_REV_CHECKING_ENABLED) { | 496 if (flags & VERIFY_REV_CHECKING_ENABLED) { |
557 // When called with VERIFY_REV_CHECKING_ENABLED, we ask SecTrustEvaluate() | 497 // When called with VERIFY_REV_CHECKING_ENABLED, we ask SecTrustEvaluate() |
558 // to apply OCSP and CRL checking, but we're still subject to the global | 498 // to apply OCSP and CRL checking, but we're still subject to the global |
559 // settings, which are configured in the Keychain Access application (in | 499 // settings, which are configured in the Keychain Access application (in |
560 // the Certificates tab of the Preferences dialog). If the user has | 500 // the Certificates tab of the Preferences dialog). If the user has |
561 // revocation disabled (which is the default), then we will get | 501 // revocation disabled (which is the default), then we will get |
(...skipping 442 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1004 } | 944 } |
1005 CFRelease(cert_chain); | 945 CFRelease(cert_chain); |
1006 } | 946 } |
1007 exit: | 947 exit: |
1008 if (result) | 948 if (result) |
1009 LOG(ERROR) << "CreateIdentityCertificateChain error " << result; | 949 LOG(ERROR) << "CreateIdentityCertificateChain error " << result; |
1010 return chain.release(); | 950 return chain.release(); |
1011 } | 951 } |
1012 | 952 |
1013 } // namespace net | 953 } // namespace net |
OLD | NEW |