Chromium Code Reviews Chromium Code Reviews
Issue 6793041:
net: add ability to distinguish user-added root CAs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include "base/crypto/rsa_private_key.h" | 7 #include "base/crypto/rsa_private_key.h" |
| 8 #include "base/crypto/scoped_capi_types.h" | 8 #include "base/crypto/scoped_capi_types.h" |
| 9 #include "base/lazy_instance.h" | 9 #include "base/lazy_instance.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/pickle.h" | 11 #include "base/pickle.h" |
| 12 #include "base/sha1.h" | |
| 12 #include "base/string_tokenizer.h" | 13 #include "base/string_tokenizer.h" |
| 13 #include "base/string_util.h" | 14 #include "base/string_util.h" |
| 14 #include "base/utf_string_conversions.h" | 15 #include "base/utf_string_conversions.h" |
| 15 #include "net/base/cert_status_flags.h" | 16 #include "net/base/cert_status_flags.h" |
| 16 #include "net/base/cert_verify_result.h" | 17 #include "net/base/cert_verify_result.h" |
| 17 #include "net/base/ev_root_ca_metadata.h" | 18 #include "net/base/ev_root_ca_metadata.h" |
| 18 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 19 #include "net/base/scoped_cert_chain_context.h" | 20 #include "net/base/scoped_cert_chain_context.h" |
| 20 #include "net/base/test_root_certs.h" | 21 #include "net/base/test_root_certs.h" |
| 22 #include "net/base/x509_certificate_win_known_hashes.h" | |
|
wtc
2011/04/07 05:01:54
Typo: hashes => roots
Nit: it may be better to na
agl
2011/04/07 15:02:49
Done.
| |
| 21 | 23 |
| 22 #pragma comment(lib, "crypt32.lib") | 24 #pragma comment(lib, "crypt32.lib") |
| 23 | 25 |
| 24 using base::Time; | 26 using base::Time; |
| 25 | 27 |
| 26 namespace net { | 28 namespace net { |
| 27 | 29 |
| 28 namespace { | 30 namespace { |
| 29 | 31 |
| 30 typedef base::ScopedCAPIHandle< | 32 typedef base::ScopedCAPIHandle< |
| (...skipping 466 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 497 scoped_array<uint8> serial_bytes(new uint8[serial->cbData]); | 499 scoped_array<uint8> serial_bytes(new uint8[serial->cbData]); |
| 498 for (unsigned i = 0; i < serial->cbData; i++) | 500 for (unsigned i = 0; i < serial->cbData; i++) |
| 499 serial_bytes[i] = serial->pbData[serial->cbData - i - 1]; | 501 serial_bytes[i] = serial->pbData[serial->cbData - i - 1]; |
| 500 serial_number_ = std::string( | 502 serial_number_ = std::string( |
| 501 reinterpret_cast<char*>(serial_bytes.get()), serial->cbData); | 503 reinterpret_cast<char*>(serial_bytes.get()), serial->cbData); |
| 502 // Remove leading zeros. | 504 // Remove leading zeros. |
| 503 while (serial_number_.size() > 1 && serial_number_[0] == 0) | 505 while (serial_number_.size() > 1 && serial_number_[0] == 0) |
| 504 serial_number_ = serial_number_.substr(1, serial_number_.size() - 1); | 506 serial_number_ = serial_number_.substr(1, serial_number_.size() - 1); |
| 505 } | 507 } |
| 506 | 508 |
| 509 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA | |
| 510 // which we recognise as a standard root. | |
| 511 bool X509Certificate::IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) { | |
| 512 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | |
| 513 int num_elements = first_chain->cElement; | |
| 514 if (num_elements < 1) | |
| 515 return true; | |
| 516 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | |
| 517 PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext; | |
| 518 | |
| 519 SHA1Fingerprint hash = CalculateFingerprint(cert); | |
| 520 return X509Certificate::IsSHA1HashInSortedArray( | |
| 521 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes)); | |
| 522 } | |
| 523 | |
| 507 // static | 524 // static |
| 508 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle, | 525 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle, |
| 509 void** pickle_iter) { | 526 void** pickle_iter) { |
| 510 const char* data; | 527 const char* data; |
| 511 int length; | 528 int length; |
| 512 if (!pickle.ReadData(pickle_iter, &data, &length)) | 529 if (!pickle.ReadData(pickle_iter, &data, &length)) |
| 513 return NULL; | 530 return NULL; |
| 514 | 531 |
| 515 OSCertHandle cert_handle = NULL; | 532 OSCertHandle cert_handle = NULL; |
| 516 if (!CertAddSerializedElementToStore( | 533 if (!CertAddSerializedElementToStore( |
| (...skipping 258 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 775 verify_result->cert_status |= CERT_STATUS_INVALID; | 792 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 776 | 793 |
| 777 // Flag certificates signed using weak signature algorithms. | 794 // Flag certificates signed using weak signature algorithms. |
| 778 if (verify_result->has_md2) | 795 if (verify_result->has_md2) |
| 779 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 796 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
| 780 | 797 |
| 781 // Flag certificates that have a Subject common name with a NULL character. | 798 // Flag certificates that have a Subject common name with a NULL character. |
| 782 if (CertSubjectCommonNameHasNull(cert_handle_)) | 799 if (CertSubjectCommonNameHasNull(cert_handle_)) |
| 783 verify_result->cert_status |= CERT_STATUS_INVALID; | 800 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 784 | 801 |
| 802 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); | |
| 803 | |
| 785 std::wstring wstr_hostname = ASCIIToWide(hostname); | 804 std::wstring wstr_hostname = ASCIIToWide(hostname); |
| 786 | 805 |
| 787 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; | 806 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; |
| 788 memset(&extra_policy_para, 0, sizeof(extra_policy_para)); | 807 memset(&extra_policy_para, 0, sizeof(extra_policy_para)); |
| 789 extra_policy_para.cbSize = sizeof(extra_policy_para); | 808 extra_policy_para.cbSize = sizeof(extra_policy_para); |
| 790 extra_policy_para.dwAuthType = AUTHTYPE_SERVER; | 809 extra_policy_para.dwAuthType = AUTHTYPE_SERVER; |
| 791 extra_policy_para.fdwChecks = 0; | 810 extra_policy_para.fdwChecks = 0; |
| 792 extra_policy_para.pwszServerName = | 811 extra_policy_para.pwszServerName = |
| 793 const_cast<wchar_t*>(wstr_hostname.c_str()); | 812 const_cast<wchar_t*>(wstr_hostname.c_str()); |
| 794 | 813 |
| (...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 990 DWORD sha1_size = sizeof(sha1.data); | 1009 DWORD sha1_size = sizeof(sha1.data); |
| 991 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 1010 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
| 992 cert->cbCertEncoded, sha1.data, &sha1_size); | 1011 cert->cbCertEncoded, sha1.data, &sha1_size); |
| 993 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 1012 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
| 994 if (!rv) | 1013 if (!rv) |
| 995 memset(sha1.data, 0, sizeof(sha1.data)); | 1014 memset(sha1.data, 0, sizeof(sha1.data)); |
| 996 return sha1; | 1015 return sha1; |
| 997 } | 1016 } |
| 998 | 1017 |
| 999 } // namespace net | 1018 } // namespace net |
| OLD | NEW |
