| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/base/test_root_certs.h" |
| 6 |
| 7 #include "base/logging.h" |
| 8 #include "net/base/x509_certificate.h" |
| 9 |
| 10 namespace net { |
| 11 |
| 12 namespace { |
| 13 |
| 14 // Creates a new temporary memory store. |
| 15 HCERTSTORE CreateMemoryStore() { |
| 16 return CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, |
| 17 CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL); |
| 18 } |
| 19 |
| 20 } // namespace |
| 21 |
| 22 bool TestRootCerts::Add(X509Certificate* certificate) { |
| 23 BOOL ok = CertAddCertificateContextToStore( |
| 24 temporary_roots_, certificate->os_cert_handle(), |
| 25 CERT_STORE_ADD_NEW, NULL); |
| 26 if (!ok) { |
| 27 // If the certificate is already added, return successfully. |
| 28 return GetLastError() == CRYPT_E_EXISTS; |
| 29 } |
| 30 |
| 31 empty_ = false; |
| 32 return true; |
| 33 } |
| 34 |
| 35 void TestRootCerts::Clear() { |
| 36 CertCloseStore(temporary_roots_, 0); |
| 37 temporary_roots_ = CreateMemoryStore(); |
| 38 DCHECK(temporary_roots_); |
| 39 empty_ = true; |
| 40 } |
| 41 |
| 42 bool TestRootCerts::IsEmpty() const { |
| 43 return empty_; |
| 44 } |
| 45 |
| 46 void TestRootCerts::FixupChainContext( |
| 47 PCERT_CHAIN_CONTEXT chain_context) const { |
| 48 if ((chain_context->TrustStatus.dwErrorStatus & |
| 49 CERT_TRUST_IS_UNTRUSTED_ROOT) == 0) |
| 50 return; // Trusted certificate - nothing to fix. |
| 51 |
| 52 if (IsEmpty()) |
| 53 return; // No need to scan - no temporary trusted certificates. |
| 54 |
| 55 // Until Windows 7, it is not possible for an application to mark |
| 56 // certificates as trusted for only that application, via the |
| 57 // CERT_CHAIN_ENGINE_CONFIG.hExclusiveRoot. Because of this deficiency, |
| 58 // a method similar to the one employed by Outlook and EFS is used, as |
| 59 // described at http://technet.microsoft.com/en-us/library/bb457027.aspx |
| 60 // Unlike the behaviour of Outlook, EFS, and the PeerOrChainTrustValidator |
| 61 // of Windows Communication Foundation, an attempt is made to build a full |
| 62 // certificate chain, rather than merely checking for the presence of the |
| 63 // target certificate in an application-trusted store. If the chain |
| 64 // verification fails due to trust issues, then the individual chains and |
| 65 // certificates are compared with |temporary_roots_|. If a matching |
| 66 // certificate can be found, then the trust-related failure status bits |
| 67 // are unset, causing the certificate to appear as trusted, provided there |
| 68 // were no other verification failures. |
| 69 // |
| 70 // Because of how CryptoAPI is implemented, it is not possible to perform |
| 71 // revocation checking via CRLs or OCSP for a certificate that does not |
| 72 // chain to a certificate in "Trusted Roots", so it is not possible to |
| 73 // test revocation checking. More information about this can be found at |
| 74 // http://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx#BKMK_BC |
| 75 for (DWORD chain_index = 0; chain_index < chain_context->cChain; |
| 76 ++chain_index) { |
| 77 PCERT_SIMPLE_CHAIN chain = chain_context->rgpChain[chain_index]; |
| 78 |
| 79 // Scan through all the certificates, rather than just the root, to match |
| 80 // Windows' behaviour of supporting trust anchors anywhere in the chain, |
| 81 // as described in RFCs 3280/5280. |
| 82 for (DWORD element_index = 0; element_index < chain->cElement; |
| 83 ++element_index) { |
| 84 PCERT_CHAIN_ELEMENT element = chain->rgpElement[element_index]; |
| 85 PCCERT_CONTEXT cert = CertFindCertificateInStore( |
| 86 temporary_roots_, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, |
| 87 CERT_FIND_EXISTING, element->pCertContext, NULL); |
| 88 if (cert != NULL) { |
| 89 // Successfully matched a certificate in one of the chains with a |
| 90 // certificate in |temporary_roots_|. |
| 91 CertFreeCertificateContext(cert); |
| 92 |
| 93 // Unset both the element status and the overall chain status. While |
| 94 // X509Certificate only checks the TrustStatus of the chain_context, |
| 95 // the individual chain and element TrustStatuses are also modified |
| 96 // for subsequent CryptoAPI calls. |
| 97 if (element->TrustStatus.dwErrorStatus & |
| 98 CERT_TRUST_IS_UNTRUSTED_ROOT) { |
| 99 element->TrustStatus.dwErrorStatus &= |
| 100 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | |
| 101 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | |
| 102 CERT_TRUST_IS_OFFLINE_REVOCATION); |
| 103 chain->TrustStatus.dwErrorStatus &= |
| 104 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | |
| 105 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | |
| 106 CERT_TRUST_IS_OFFLINE_REVOCATION); |
| 107 chain_context->TrustStatus.dwErrorStatus &= |
| 108 ~(CERT_TRUST_IS_UNTRUSTED_ROOT | |
| 109 CERT_TRUST_REVOCATION_STATUS_UNKNOWN | |
| 110 CERT_TRUST_IS_OFFLINE_REVOCATION); |
| 111 return; |
| 112 } |
| 113 } |
| 114 } |
| 115 } |
| 116 } |
| 117 |
| 118 TestRootCerts::TestRootCerts() |
| 119 : temporary_roots_(CreateMemoryStore()), |
| 120 empty_(true) { |
| 121 DCHECK(temporary_roots_); |
| 122 } |
| 123 |
| 124 TestRootCerts::~TestRootCerts() { |
| 125 CertCloseStore(temporary_roots_, 0); |
| 126 } |
| 127 |
| 128 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 4646001:
Implement LoadTemporaryRoot for Windows (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/net/base