OLD | NEW |
---|---|
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include "base/crypto/scoped_capi_types.h" | |
7 #include "base/logging.h" | 8 #include "base/logging.h" |
8 #include "base/pickle.h" | 9 #include "base/pickle.h" |
9 #include "base/string_tokenizer.h" | 10 #include "base/string_tokenizer.h" |
10 #include "base/string_util.h" | 11 #include "base/string_util.h" |
11 #include "base/utf_string_conversions.h" | 12 #include "base/utf_string_conversions.h" |
12 #include "net/base/cert_status_flags.h" | 13 #include "net/base/cert_status_flags.h" |
13 #include "net/base/cert_verify_result.h" | 14 #include "net/base/cert_verify_result.h" |
14 #include "net/base/ev_root_ca_metadata.h" | 15 #include "net/base/ev_root_ca_metadata.h" |
15 #include "net/base/net_errors.h" | 16 #include "net/base/net_errors.h" |
16 #include "net/base/scoped_cert_chain_context.h" | 17 #include "net/base/scoped_cert_chain_context.h" |
18 #include "net/base/test_root_certs.h" | |
17 | 19 |
18 #pragma comment(lib, "crypt32.lib") | 20 #pragma comment(lib, "crypt32.lib") |
19 | 21 |
20 using base::Time; | 22 using base::Time; |
21 | 23 |
22 namespace net { | 24 namespace net { |
23 | 25 |
24 namespace { | 26 namespace { |
25 | 27 |
28 typedef base::ScopedCAPIHandle< | |
29 HCERTSTORE, | |
30 base::CAPIDestroyerWithFlags<HCERTSTORE, | |
31 CertCloseStore, 0> > ScopedHCERTSTORE; | |
32 | |
26 //----------------------------------------------------------------------------- | 33 //----------------------------------------------------------------------------- |
27 | 34 |
28 // TODO(wtc): This is a copy of the MapSecurityError function in | 35 // TODO(wtc): This is a copy of the MapSecurityError function in |
29 // ssl_client_socket_win.cc. Another function that maps Windows error codes | 36 // ssl_client_socket_win.cc. Another function that maps Windows error codes |
30 // to our network error codes is WinInetUtil::OSErrorToNetError. We should | 37 // to our network error codes is WinInetUtil::OSErrorToNetError. We should |
31 // eliminate the code duplication. | 38 // eliminate the code duplication. |
32 int MapSecurityError(SECURITY_STATUS err) { | 39 int MapSecurityError(SECURITY_STATUS err) { |
33 // There are numerous security error codes, but these are the ones we thus | 40 // There are numerous security error codes, but these are the ones we thus |
34 // far find interesting. | 41 // far find interesting. |
35 switch (err) { | 42 switch (err) { |
(...skipping 385 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
421 &out_store, NULL, NULL) || out_store == NULL) { | 428 &out_store, NULL, NULL) || out_store == NULL) { |
422 return results; | 429 return results; |
423 } | 430 } |
424 | 431 |
425 AddCertsFromStore(out_store, &results); | 432 AddCertsFromStore(out_store, &results); |
426 CertCloseStore(out_store, CERT_CLOSE_STORE_CHECK_FLAG); | 433 CertCloseStore(out_store, CERT_CLOSE_STORE_CHECK_FLAG); |
427 | 434 |
428 return results; | 435 return results; |
429 } | 436 } |
430 | 437 |
438 // Returns a new HCERTSTORE containing both |cert_store| and any temporarily | |
439 // trusted root certificates. If there are no temporarily trusted root | |
440 // certificates, returns NULL. | |
441 HCERTSTORE CreateStoreForTestsIfNeeded(HCERTSTORE cert_store) { | |
442 TestRootCerts* temporary_roots = TestRootCerts::GetInstance(); | |
443 if (temporary_roots->IsEmpty()) | |
444 return NULL; | |
445 if (!cert_store) { | |
446 // If |cert_store| is empty, just return a copy of the temporary store, | |
447 // as no merging is needed. | |
448 return CertDuplicateStore(temporary_roots->temporary_roots()); | |
449 } | |
450 | |
451 HCERTSTORE collection_store = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, | |
452 NULL, 0, NULL); | |
453 if (!collection_store) { | |
454 DPLOG(ERROR) << "Unable to create temporary linked certificate store"; | |
455 return NULL; | |
456 } | |
457 | |
458 // Add the temporary roots with priority 0, so that certificates from the | |
459 // temporary roots will be of a higher priority for chain building. If | |
460 // set to a lower priority, it is possible that the chain building | |
461 // algorithm will prefer a root from |cert_store|, which may be a | |
462 // compatible-but-different certificate than the one in | |
463 // |temporary_roots|. If this happens, FixupChainContext() may fail to | |
464 // override the trust failure. | |
465 BOOL ok = CertAddStoreToCollection(collection_store, | |
466 temporary_roots->temporary_roots(), | |
467 0, 0); | |
468 if (ok) | |
469 ok = CertAddStoreToCollection(collection_store, cert_store, 0, 1); | |
470 if (!ok) { | |
471 DPLOG(ERROR) << "Unable to create temporary linked certificate store"; | |
472 CertCloseStore(collection_store, 0); | |
473 return NULL; | |
474 } | |
475 | |
476 return collection_store; | |
477 } | |
478 | |
431 } // namespace | 479 } // namespace |
432 | 480 |
433 void X509Certificate::Initialize() { | 481 void X509Certificate::Initialize() { |
434 std::wstring subject_info; | 482 std::wstring subject_info; |
435 std::wstring issuer_info; | 483 std::wstring issuer_info; |
436 DWORD name_size; | 484 DWORD name_size; |
437 DCHECK(cert_handle_); | 485 DCHECK(cert_handle_); |
438 name_size = CertNameToStr(cert_handle_->dwCertEncodingType, | 486 name_size = CertNameToStr(cert_handle_->dwCertEncodingType, |
439 &cert_handle_->pCertInfo->Subject, | 487 &cert_handle_->pCertInfo->Subject, |
440 CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, | 488 CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, |
(...skipping 157 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
598 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; | 646 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; |
599 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; | 647 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; |
600 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | 648 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = |
601 &ev_policy_oid; | 649 &ev_policy_oid; |
602 break; | 650 break; |
603 } | 651 } |
604 } | 652 } |
605 } | 653 } |
606 } | 654 } |
607 | 655 |
656 ScopedHCERTSTORE scoped_test_store( | |
657 CreateStoreForTestsIfNeeded(cert_handle_->hCertStore)); | |
658 HCERTSTORE intermediates_store = scoped_test_store ? | |
659 scoped_test_store : cert_handle_->hCertStore; | |
660 | |
608 PCCERT_CHAIN_CONTEXT chain_context; | 661 PCCERT_CHAIN_CONTEXT chain_context; |
609 // IE passes a non-NULL pTime argument that specifies the current system | 662 // IE passes a non-NULL pTime argument that specifies the current system |
610 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the | 663 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the |
611 // chain_flags argument. | 664 // chain_flags argument. |
665 // TODO(rsleevi): Add support for Windows 7's hExclusiveRoot to work around | |
666 // the issues described in TestRootCerts. | |
612 if (!CertGetCertificateChain( | 667 if (!CertGetCertificateChain( |
613 NULL, // default chain engine, HCCE_CURRENT_USER | 668 NULL, // default chain engine, HCCE_CURRENT_USER |
614 cert_handle_, | 669 cert_handle_, |
615 NULL, // current system time | 670 NULL, // current system time |
616 cert_handle_->hCertStore, // search this store | 671 intermediates_store, |
617 &chain_para, | 672 &chain_para, |
618 chain_flags, | 673 chain_flags, |
619 NULL, // reserved | 674 NULL, // reserved |
620 &chain_context)) { | 675 &chain_context)) { |
621 return MapSecurityError(GetLastError()); | 676 return MapSecurityError(GetLastError()); |
622 } | 677 } |
623 if (chain_context->TrustStatus.dwErrorStatus & | 678 if (chain_context->TrustStatus.dwErrorStatus & |
624 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { | 679 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { |
625 ev_policy_oid = NULL; | 680 ev_policy_oid = NULL; |
626 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; | 681 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; |
627 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; | 682 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; |
628 CertFreeCertificateChain(chain_context); | 683 CertFreeCertificateChain(chain_context); |
629 if (!CertGetCertificateChain( | 684 if (!CertGetCertificateChain( |
630 NULL, // default chain engine, HCCE_CURRENT_USER | 685 NULL, // default chain engine, HCCE_CURRENT_USER |
631 cert_handle_, | 686 cert_handle_, |
632 NULL, // current system time | 687 NULL, // current system time |
633 cert_handle_->hCertStore, // search this store | 688 intermediates_store, |
634 &chain_para, | 689 &chain_para, |
635 chain_flags, | 690 chain_flags, |
636 NULL, // reserved | 691 NULL, // reserved |
637 &chain_context)) { | 692 &chain_context)) { |
638 return MapSecurityError(GetLastError()); | 693 return MapSecurityError(GetLastError()); |
639 } | 694 } |
640 } | 695 } |
641 ScopedCertChainContext scoped_chain_context(chain_context); | 696 ScopedCertChainContext scoped_chain_context(chain_context); |
642 | 697 |
698 TestRootCerts* root_certs = TestRootCerts::GetInstance(); | |
bulach
2010/11/18 12:42:12
nit: test_root_certs, and similar comment to the m
| |
699 root_certs->FixupChainContext( | |
700 const_cast<PCERT_CHAIN_CONTEXT>(chain_context)); | |
701 | |
643 GetCertChainInfo(chain_context, verify_result); | 702 GetCertChainInfo(chain_context, verify_result); |
644 | |
645 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 703 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
646 chain_context->TrustStatus.dwErrorStatus); | 704 chain_context->TrustStatus.dwErrorStatus); |
647 | 705 |
648 // Treat certificates signed using broken signature algorithms as invalid. | 706 // Treat certificates signed using broken signature algorithms as invalid. |
649 if (verify_result->has_md4) | 707 if (verify_result->has_md4) |
650 verify_result->cert_status |= CERT_STATUS_INVALID; | 708 verify_result->cert_status |= CERT_STATUS_INVALID; |
651 | 709 |
652 // Flag certificates signed using weak signature algorithms. | 710 // Flag certificates signed using weak signature algorithms. |
653 if (verify_result->has_md2) | 711 if (verify_result->has_md2) |
654 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 712 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
856 DWORD sha1_size = sizeof(sha1.data); | 914 DWORD sha1_size = sizeof(sha1.data); |
857 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 915 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
858 cert->cbCertEncoded, sha1.data, &sha1_size); | 916 cert->cbCertEncoded, sha1.data, &sha1_size); |
859 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 917 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
860 if (!rv) | 918 if (!rv) |
861 memset(sha1.data, 0, sizeof(sha1.data)); | 919 memset(sha1.data, 0, sizeof(sha1.data)); |
862 return sha1; | 920 return sha1; |
863 } | 921 } |
864 | 922 |
865 } // namespace net | 923 } // namespace net |
OLD | NEW |