OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
9 #include <keyhi.h> | 9 #include <keyhi.h> |
10 #include <nss.h> | 10 #include <nss.h> |
(...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
196 break; | 196 break; |
197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: | 197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: |
198 verify_result->has_md4 = true; | 198 verify_result->has_md4 = true; |
199 break; | 199 break; |
200 default: | 200 default: |
201 break; | 201 break; |
202 } | 202 } |
203 } | 203 } |
204 } | 204 } |
205 | 205 |
206 // IsBuiltinRoot returns true if the given certificate is one that we believe | |
207 // is a standard (as opposed to user-installed) root. | |
208 bool IsBuiltinRoot(CERTCertificate* root) { | |
wtc
2011/04/07 05:01:54
Please change this back to IsKnownRoot for consist
agl
2011/04/07 15:02:49
Done.
| |
209 if (!root->slot) | |
210 return true; | |
wtc
2011/04/07 05:01:54
BUG: this should still return false.
agl
2011/04/07 15:02:49
I'm not sure that it should. In the event of an er
| |
211 | |
212 // This magic name is taken from | |
213 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 | |
214 return 0 == strcmp(PK11_GetSlotName(root->slot), | |
215 "NSS Builtin Objects"); | |
216 } | |
217 | |
206 typedef char* (*CERTGetNameFunc)(CERTName* name); | 218 typedef char* (*CERTGetNameFunc)(CERTName* name); |
207 | 219 |
208 void ParsePrincipal(CERTName* name, | 220 void ParsePrincipal(CERTName* name, |
209 CertPrincipal* principal) { | 221 CertPrincipal* principal) { |
210 // TODO(jcampan): add business_category and serial_number. | 222 // TODO(jcampan): add business_category and serial_number. |
211 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and | 223 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
212 // CERT_GetDomainComponentName functions, but they return only the most | 224 // CERT_GetDomainComponentName functions, but they return only the most |
213 // general (the first) RDN. NSS doesn't have a function for the street | 225 // general (the first) RDN. NSS doesn't have a function for the street |
214 // address. | 226 // address. |
215 static const SECOidTag kOIDs[] = { | 227 static const SECOidTag kOIDs[] = { |
(...skipping 546 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
762 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 774 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
763 | 775 |
764 // Make sure that the cert is valid now. | 776 // Make sure that the cert is valid now. |
765 SECCertTimeValidity validity = CERT_CheckCertValidTimes( | 777 SECCertTimeValidity validity = CERT_CheckCertValidTimes( |
766 cert_handle_, PR_Now(), PR_TRUE); | 778 cert_handle_, PR_Now(), PR_TRUE); |
767 if (validity != secCertTimeValid) | 779 if (validity != secCertTimeValid) |
768 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; | 780 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; |
769 | 781 |
770 CERTValOutParam cvout[3]; | 782 CERTValOutParam cvout[3]; |
771 int cvout_index = 0; | 783 int cvout_index = 0; |
772 // We don't need the trust anchor for the first PKIXVerifyCert call. | |
773 cvout[cvout_index].type = cert_po_certList; | 784 cvout[cvout_index].type = cert_po_certList; |
774 cvout[cvout_index].value.pointer.chain = NULL; | 785 cvout[cvout_index].value.pointer.chain = NULL; |
775 int cvout_cert_list_index = cvout_index; | 786 int cvout_cert_list_index = cvout_index; |
776 cvout_index++; | 787 cvout_index++; |
788 cvout[cvout_index].type = cert_po_trustAnchor; | |
789 cvout[cvout_index].value.pointer.cert = NULL; | |
790 int cvout_trust_anchor_index = cvout_index; | |
791 cvout_index++; | |
777 cvout[cvout_index].type = cert_po_end; | 792 cvout[cvout_index].type = cert_po_end; |
778 ScopedCERTValOutParam scoped_cvout(cvout); | 793 ScopedCERTValOutParam scoped_cvout(cvout); |
779 | 794 |
780 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); | 795 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); |
781 if (check_revocation) { | 796 if (check_revocation) { |
782 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 797 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
783 } else { | 798 } else { |
784 // EV requires revocation checking. | 799 // EV requires revocation checking. |
785 flags &= ~VERIFY_EV_CERT; | 800 flags &= ~VERIFY_EV_CERT; |
786 } | 801 } |
(...skipping 14 matching lines...) Expand all Loading... | |
801 } | 816 } |
802 // |err| is not a certificate error. | 817 // |err| is not a certificate error. |
803 return MapSecurityError(err); | 818 return MapSecurityError(err); |
804 } | 819 } |
805 | 820 |
806 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 821 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
807 verify_result); | 822 verify_result); |
808 if (IsCertStatusError(verify_result->cert_status)) | 823 if (IsCertStatusError(verify_result->cert_status)) |
809 return MapCertStatusToNetError(verify_result->cert_status); | 824 return MapCertStatusToNetError(verify_result->cert_status); |
810 | 825 |
826 verify_result->is_issued_by_known_root = | |
827 IsBuiltinRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | |
828 | |
811 if ((flags & VERIFY_EV_CERT) && VerifyEV()) | 829 if ((flags & VERIFY_EV_CERT) && VerifyEV()) |
812 verify_result->cert_status |= CERT_STATUS_IS_EV; | 830 verify_result->cert_status |= CERT_STATUS_IS_EV; |
813 return OK; | 831 return OK; |
814 } | 832 } |
815 | 833 |
816 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 834 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
817 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess; | 835 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess; |
818 } | 836 } |
819 | 837 |
820 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp | 838 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp |
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
958 DCHECK(0 != cert->derCert.len); | 976 DCHECK(0 != cert->derCert.len); |
959 | 977 |
960 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, | 978 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, |
961 cert->derCert.data, cert->derCert.len); | 979 cert->derCert.data, cert->derCert.len); |
962 DCHECK(rv == SECSuccess); | 980 DCHECK(rv == SECSuccess); |
963 | 981 |
964 return sha1; | 982 return sha1; |
965 } | 983 } |
966 | 984 |
967 } // namespace net | 985 } // namespace net |
OLD | NEW |