OLD | NEW |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
| 7 #include "base/crypto/scoped_capi_types.h" |
7 #include "base/logging.h" | 8 #include "base/logging.h" |
8 #include "base/pickle.h" | 9 #include "base/pickle.h" |
9 #include "base/string_tokenizer.h" | 10 #include "base/string_tokenizer.h" |
10 #include "base/string_util.h" | 11 #include "base/string_util.h" |
11 #include "base/utf_string_conversions.h" | 12 #include "base/utf_string_conversions.h" |
12 #include "net/base/cert_status_flags.h" | 13 #include "net/base/cert_status_flags.h" |
13 #include "net/base/cert_verify_result.h" | 14 #include "net/base/cert_verify_result.h" |
14 #include "net/base/ev_root_ca_metadata.h" | 15 #include "net/base/ev_root_ca_metadata.h" |
15 #include "net/base/net_errors.h" | 16 #include "net/base/net_errors.h" |
16 #include "net/base/scoped_cert_chain_context.h" | 17 #include "net/base/scoped_cert_chain_context.h" |
| 18 #include "net/base/test_root_certs.h" |
17 | 19 |
18 #pragma comment(lib, "crypt32.lib") | 20 #pragma comment(lib, "crypt32.lib") |
19 | 21 |
20 using base::Time; | 22 using base::Time; |
21 | 23 |
22 namespace net { | 24 namespace net { |
23 | 25 |
24 namespace { | 26 namespace { |
25 | 27 |
| 28 typedef base::ScopedCAPIHandle< |
| 29 HCERTSTORE, |
| 30 base::CAPIDestroyerWithFlags<HCERTSTORE, |
| 31 CertCloseStore, 0> > ScopedHCERTSTORE; |
| 32 |
| 33 struct FreeChainEngineFunctor { |
| 34 void operator()(HCERTCHAINENGINE engine) const { |
| 35 if (engine) |
| 36 CertFreeCertificateChainEngine(engine); |
| 37 } |
| 38 }; |
| 39 |
| 40 typedef base::ScopedCAPIHandle<HCERTCHAINENGINE, FreeChainEngineFunctor> |
| 41 ScopedHCERTCHAINENGINE; |
| 42 |
26 //----------------------------------------------------------------------------- | 43 //----------------------------------------------------------------------------- |
27 | 44 |
28 // TODO(wtc): This is a copy of the MapSecurityError function in | 45 // TODO(wtc): This is a copy of the MapSecurityError function in |
29 // ssl_client_socket_win.cc. Another function that maps Windows error codes | 46 // ssl_client_socket_win.cc. Another function that maps Windows error codes |
30 // to our network error codes is WinInetUtil::OSErrorToNetError. We should | 47 // to our network error codes is WinInetUtil::OSErrorToNetError. We should |
31 // eliminate the code duplication. | 48 // eliminate the code duplication. |
32 int MapSecurityError(SECURITY_STATUS err) { | 49 int MapSecurityError(SECURITY_STATUS err) { |
33 // There are numerous security error codes, but these are the ones we thus | 50 // There are numerous security error codes, but these are the ones we thus |
34 // far find interesting. | 51 // far find interesting. |
35 switch (err) { | 52 switch (err) { |
(...skipping 562 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
598 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; | 615 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; |
599 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; | 616 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; |
600 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | 617 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = |
601 &ev_policy_oid; | 618 &ev_policy_oid; |
602 break; | 619 break; |
603 } | 620 } |
604 } | 621 } |
605 } | 622 } |
606 } | 623 } |
607 | 624 |
| 625 // For non-test scenarios, use the default HCERTCHAINENGINE, NULL, which |
| 626 // corresponds to HCCE_CURRENT_USER and is is initialized as needed by |
| 627 // crypt32. However, when testing, it is necessary to create a new |
| 628 // HCERTCHAINENGINE and use that instead. This is because each |
| 629 // HCERTCHAINENGINE maintains a cache of information about certificates |
| 630 // encountered, and each test run may modify the trust status of a |
| 631 // certificate. |
| 632 ScopedHCERTCHAINENGINE chain_engine(NULL); |
| 633 if (TestRootCerts::HasInstance()) |
| 634 chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine()); |
| 635 |
608 PCCERT_CHAIN_CONTEXT chain_context; | 636 PCCERT_CHAIN_CONTEXT chain_context; |
609 // IE passes a non-NULL pTime argument that specifies the current system | 637 // IE passes a non-NULL pTime argument that specifies the current system |
610 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the | 638 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the |
611 // chain_flags argument. | 639 // chain_flags argument. |
612 if (!CertGetCertificateChain( | 640 if (!CertGetCertificateChain( |
613 NULL, // default chain engine, HCCE_CURRENT_USER | 641 chain_engine, |
614 cert_handle_, | 642 cert_handle_, |
615 NULL, // current system time | 643 NULL, // current system time |
616 cert_handle_->hCertStore, // search this store | 644 cert_handle_->hCertStore, |
617 &chain_para, | 645 &chain_para, |
618 chain_flags, | 646 chain_flags, |
619 NULL, // reserved | 647 NULL, // reserved |
620 &chain_context)) { | 648 &chain_context)) { |
621 return MapSecurityError(GetLastError()); | 649 return MapSecurityError(GetLastError()); |
622 } | 650 } |
623 if (chain_context->TrustStatus.dwErrorStatus & | 651 if (chain_context->TrustStatus.dwErrorStatus & |
624 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { | 652 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { |
625 ev_policy_oid = NULL; | 653 ev_policy_oid = NULL; |
626 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; | 654 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; |
627 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; | 655 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; |
628 CertFreeCertificateChain(chain_context); | 656 CertFreeCertificateChain(chain_context); |
629 if (!CertGetCertificateChain( | 657 if (!CertGetCertificateChain( |
630 NULL, // default chain engine, HCCE_CURRENT_USER | 658 chain_engine, |
631 cert_handle_, | 659 cert_handle_, |
632 NULL, // current system time | 660 NULL, // current system time |
633 cert_handle_->hCertStore, // search this store | 661 cert_handle_->hCertStore, |
634 &chain_para, | 662 &chain_para, |
635 chain_flags, | 663 chain_flags, |
636 NULL, // reserved | 664 NULL, // reserved |
637 &chain_context)) { | 665 &chain_context)) { |
638 return MapSecurityError(GetLastError()); | 666 return MapSecurityError(GetLastError()); |
639 } | 667 } |
640 } | 668 } |
641 ScopedCertChainContext scoped_chain_context(chain_context); | 669 ScopedCertChainContext scoped_chain_context(chain_context); |
642 | 670 |
643 GetCertChainInfo(chain_context, verify_result); | 671 GetCertChainInfo(chain_context, verify_result); |
644 | |
645 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 672 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
646 chain_context->TrustStatus.dwErrorStatus); | 673 chain_context->TrustStatus.dwErrorStatus); |
647 | 674 |
648 // Treat certificates signed using broken signature algorithms as invalid. | 675 // Treat certificates signed using broken signature algorithms as invalid. |
649 if (verify_result->has_md4) | 676 if (verify_result->has_md4) |
650 verify_result->cert_status |= CERT_STATUS_INVALID; | 677 verify_result->cert_status |= CERT_STATUS_INVALID; |
651 | 678 |
652 // Flag certificates signed using weak signature algorithms. | 679 // Flag certificates signed using weak signature algorithms. |
653 if (verify_result->has_md2) | 680 if (verify_result->has_md2) |
654 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 681 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
856 DWORD sha1_size = sizeof(sha1.data); | 883 DWORD sha1_size = sizeof(sha1.data); |
857 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 884 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
858 cert->cbCertEncoded, sha1.data, &sha1_size); | 885 cert->cbCertEncoded, sha1.data, &sha1_size); |
859 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 886 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
860 if (!rv) | 887 if (!rv) |
861 memset(sha1.data, 0, sizeof(sha1.data)); | 888 memset(sha1.data, 0, sizeof(sha1.data)); |
862 return sha1; | 889 return sha1; |
863 } | 890 } |
864 | 891 |
865 } // namespace net | 892 } // namespace net |
OLD | NEW |