1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
9 #include <keyhi.h> | 9 #include <keyhi.h> |
10 #include <nss.h> | 10 #include <nss.h> |
161 case SEC_ERROR_EXTENSION_VALUE_INVALID: | 161 case SEC_ERROR_EXTENSION_VALUE_INVALID: |
162 return CERT_STATUS_INVALID; | 162 return CERT_STATUS_INVALID; |
163 default: | 163 default: |
164 return 0; | 164 return 0; |
165 } | 165 } |
166 } | 166 } |
167 | 167 |
168 // Saves some information about the certificate chain cert_list in | 168 // Saves some information about the certificate chain cert_list in |
169 // *verify_result. The caller MUST initialize *verify_result before calling | 169 // *verify_result. The caller MUST initialize *verify_result before calling |
170 // this function. | 170 // this function. |
171 // Note that cert_list[0] is the end entity certificate and cert_list doesn't | 171 // Note that cert_list[0] is the end entity certificate. |
172 // contain the root CA certificate. | |
173 void GetCertChainInfo(CERTCertList* cert_list, | 172 void GetCertChainInfo(CERTCertList* cert_list, |
173 CERTCertificate* root_cert, | |
174 CertVerifyResult* verify_result) { | 174 CertVerifyResult* verify_result) { |
175 // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the | 175 // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the |
176 // NSS version currently in use: | 176 // NSS version currently in use: |
177 // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*) | 177 // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*) |
178 // 2. use ident libnss3.so* for the library's version | 178 // 2. use ident libnss3.so* for the library's version |
179 DCHECK(cert_list); | 179 CERTCertificate* verified_cert = NULL; |
wtc
2011/07/26 19:32:29
Can you resurrect this DCHECK?
| |
180 std::vector<CERTCertificate*> verified_chain; | |
180 int i = 0; | 181 int i = 0; |
181 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 182 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
182 !CERT_LIST_END(node, cert_list); | 183 !CERT_LIST_END(node, cert_list); |
183 node = CERT_LIST_NEXT(node), i++) { | 184 node = CERT_LIST_NEXT(node), ++i) { |
185 if (i == 0) { | |
186 verified_cert = node->cert; | |
187 } else { | |
188 verified_chain.push_back(node->cert); | |
189 } | |
184 SECAlgorithmID& signature = node->cert->signature; | 190 SECAlgorithmID& signature = node->cert->signature; |
185 SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm); | 191 SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm); |
186 switch (oid_tag) { | 192 switch (oid_tag) { |
187 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: | 193 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: |
188 verify_result->has_md5 = true; | 194 verify_result->has_md5 = true; |
189 if (i != 0) | 195 if (i != 0) |
190 verify_result->has_md5_ca = true; | 196 verify_result->has_md5_ca = true; |
191 break; | 197 break; |
192 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: | 198 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: |
193 verify_result->has_md2 = true; | 199 verify_result->has_md2 = true; |
194 if (i != 0) | 200 if (i != 0) |
195 verify_result->has_md2_ca = true; | 201 verify_result->has_md2_ca = true; |
196 break; | 202 break; |
197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: | 203 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: |
198 verify_result->has_md4 = true; | 204 verify_result->has_md4 = true; |
199 break; | 205 break; |
200 default: | 206 default: |
201 break; | 207 break; |
202 } | 208 } |
203 } | 209 } |
210 | |
211 if (root_cert) | |
212 verified_chain.push_back(root_cert); | |
213 verify_result->verified_cert = | |
214 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | |
204 } | 215 } |
205 | 216 |
206 // IsKnownRoot returns true if the given certificate is one that we believe | 217 // IsKnownRoot returns true if the given certificate is one that we believe |
207 // is a standard (as opposed to user-installed) root. | 218 // is a standard (as opposed to user-installed) root. |
208 bool IsKnownRoot(CERTCertificate* root) { | 219 bool IsKnownRoot(CERTCertificate* root) { |
209 if (!root->slot) | 220 if (!root->slot) |
210 return false; | 221 return false; |
211 | 222 |
212 // This magic name is taken from | 223 // This magic name is taken from |
213 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 | 224 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 |
804 int cert_status = MapCertErrorToCertStatus(err); | 815 int cert_status = MapCertErrorToCertStatus(err); |
805 if (cert_status) { | 816 if (cert_status) { |
806 verify_result->cert_status |= cert_status; | 817 verify_result->cert_status |= cert_status; |
807 return MapCertStatusToNetError(verify_result->cert_status); | 818 return MapCertStatusToNetError(verify_result->cert_status); |
808 } | 819 } |
809 // |err| is not a certificate error. | 820 // |err| is not a certificate error. |
810 return MapSecurityError(err); | 821 return MapSecurityError(err); |
811 } | 822 } |
812 | 823 |
813 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 824 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
825 cvout[cvout_trust_anchor_index].value.pointer.cert, | |
814 verify_result); | 826 verify_result); |
815 if (IsCertStatusError(verify_result->cert_status)) | 827 if (IsCertStatusError(verify_result->cert_status)) |
816 return MapCertStatusToNetError(verify_result->cert_status); | 828 return MapCertStatusToNetError(verify_result->cert_status); |
817 | 829 |
818 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, | 830 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, |
819 cvout[cvout_trust_anchor_index].value.pointer.cert, | 831 cvout[cvout_trust_anchor_index].value.pointer.cert, |
820 &verify_result->public_key_hashes); | 832 &verify_result->public_key_hashes); |
821 | 833 |
822 verify_result->is_issued_by_known_root = | 834 verify_result->is_issued_by_known_root = |
823 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | 835 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); |
995 | 1007 |
996 // static | 1008 // static |
997 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, | 1009 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, |
998 Pickle* pickle) { | 1010 Pickle* pickle) { |
999 return pickle->WriteData( | 1011 return pickle->WriteData( |
1000 reinterpret_cast<const char*>(cert_handle->derCert.data), | 1012 reinterpret_cast<const char*>(cert_handle->derCert.data), |
1001 cert_handle->derCert.len); | 1013 cert_handle->derCert.len); |
1002 } | 1014 } |
1003 | 1015 |
1004 } // namespace net | 1016 } // namespace net |
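Review bot: In GetCertChainInfo (new lines 179-214) an empty cert_list never enters the loop, so verified_cert is still NULL when it is handed to X509Certificate::CreateFromHandle at line 214, and nothing on this page shows CreateFromHandle tolerating a null handle; either guard the call, `if (verified_cert) verify_result->verified_cert = X509Certificate::CreateFromHandle(verified_cert, verified_chain);`, or reject an empty list up front with `DCHECK(!CERT_LIST_END(CERT_LIST_HEAD(cert_list), cert_list));`. The new root_cert parameter is also undocumented now that the header comment lost its sentence about the root CA; a line such as `// root_cert, if non-NULL, is the trust anchor and is appended to the chain recorded in verify_result->verified_cert.` would keep the contract readable, which matches the only visible caller (lines 824-826) passing cvout[cvout_trust_anchor_index]. The lifetime of the raw CERTCertificate pointers collected in verified_chain is not visible here; presumably CreateFromHandle duplicates or references them before the cvout chain is released, which is worth confirming since verify_result outlives this call.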