| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <nss.h> | 10 #include <nss.h> |
| 161 case SEC_ERROR_EXTENSION_VALUE_INVALID: | 161 case SEC_ERROR_EXTENSION_VALUE_INVALID: |
| 162 return CERT_STATUS_INVALID; | 162 return CERT_STATUS_INVALID; |
| 163 default: | 163 default: |
| 164 return 0; | 164 return 0; |
| 165 } | 165 } |
| 166 } | 166 } |
| 167 | 167 |
| 168 // Saves some information about the certificate chain cert_list in | 168 // Saves some information about the certificate chain cert_list in |
| 169 // *verify_result. The caller MUST initialize *verify_result before calling | 169 // *verify_result. The caller MUST initialize *verify_result before calling |
| 170 // this function. | 170 // this function. |
| 171 // Note that cert_list[0] is the end entity certificate and cert_list doesn't | 171 // Note that cert_list[0] is the end entity certificate. |
| 172 // contain the root CA certificate. | |
| 173 void GetCertChainInfo(CERTCertList* cert_list, | 172 void GetCertChainInfo(CERTCertList* cert_list, |
| 173 CERTCertificate* root_cert, | |
| 174 CertVerifyResult* verify_result) { | 174 CertVerifyResult* verify_result) { |
| 175 // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the | 175 // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the |
| 176 // NSS version currently in use: | 176 // NSS version currently in use: |
| 177 // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*) | 177 // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*) |
| 178 // 2. use ident libnss3.so* for the library's version | 178 // 2. use ident libnss3.so* for the library's version |
| 179 DCHECK(cert_list); | 179 CERTCertificate* verified_cert = NULL; |
|
wtc
2011/07/26 19:32:29
Can you resurrect this DCHECK?
| |
| 180 std::vector<CERTCertificate*> verified_chain; | |
| 180 int i = 0; | 181 int i = 0; |
| 181 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 182 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 182 !CERT_LIST_END(node, cert_list); | 183 !CERT_LIST_END(node, cert_list); |
| 183 node = CERT_LIST_NEXT(node), i++) { | 184 node = CERT_LIST_NEXT(node), ++i) { |
| 185 if (i == 0) { | |
| 186 verified_cert = node->cert; | |
| 187 } else { | |
| 188 verified_chain.push_back(node->cert); | |
| 189 } | |
| 184 SECAlgorithmID& signature = node->cert->signature; | 190 SECAlgorithmID& signature = node->cert->signature; |
| 185 SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm); | 191 SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm); |
| 186 switch (oid_tag) { | 192 switch (oid_tag) { |
| 187 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: | 193 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: |
| 188 verify_result->has_md5 = true; | 194 verify_result->has_md5 = true; |
| 189 if (i != 0) | 195 if (i != 0) |
| 190 verify_result->has_md5_ca = true; | 196 verify_result->has_md5_ca = true; |
| 191 break; | 197 break; |
| 192 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: | 198 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: |
| 193 verify_result->has_md2 = true; | 199 verify_result->has_md2 = true; |
| 194 if (i != 0) | 200 if (i != 0) |
| 195 verify_result->has_md2_ca = true; | 201 verify_result->has_md2_ca = true; |
| 196 break; | 202 break; |
| 197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: | 203 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: |
| 198 verify_result->has_md4 = true; | 204 verify_result->has_md4 = true; |
| 199 break; | 205 break; |
| 200 default: | 206 default: |
| 201 break; | 207 break; |
| 202 } | 208 } |
| 203 } | 209 } |
| 210 | |
| 211 if (root_cert) | |
| 212 verified_chain.push_back(root_cert); | |
| 213 verify_result->verified_cert = | |
| 214 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | |
| 204 } | 215 } |
| 205 | 216 |
| 206 // IsKnownRoot returns true if the given certificate is one that we believe | 217 // IsKnownRoot returns true if the given certificate is one that we believe |
| 207 // is a standard (as opposed to user-installed) root. | 218 // is a standard (as opposed to user-installed) root. |
| 208 bool IsKnownRoot(CERTCertificate* root) { | 219 bool IsKnownRoot(CERTCertificate* root) { |
| 209 if (!root->slot) | 220 if (!root->slot) |
| 210 return false; | 221 return false; |
| 211 | 222 |
| 212 // This magic name is taken from | 223 // This magic name is taken from |
| 213 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 | 224 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 |
| 804 int cert_status = MapCertErrorToCertStatus(err); | 815 int cert_status = MapCertErrorToCertStatus(err); |
| 805 if (cert_status) { | 816 if (cert_status) { |
| 806 verify_result->cert_status |= cert_status; | 817 verify_result->cert_status |= cert_status; |
| 807 return MapCertStatusToNetError(verify_result->cert_status); | 818 return MapCertStatusToNetError(verify_result->cert_status); |
| 808 } | 819 } |
| 809 // |err| is not a certificate error. | 820 // |err| is not a certificate error. |
| 810 return MapSecurityError(err); | 821 return MapSecurityError(err); |
| 811 } | 822 } |
| 812 | 823 |
| 813 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 824 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
| 825 cvout[cvout_trust_anchor_index].value.pointer.cert, | |
| 814 verify_result); | 826 verify_result); |
| 815 if (IsCertStatusError(verify_result->cert_status)) | 827 if (IsCertStatusError(verify_result->cert_status)) |
| 816 return MapCertStatusToNetError(verify_result->cert_status); | 828 return MapCertStatusToNetError(verify_result->cert_status); |
| 817 | 829 |
| 818 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, | 830 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, |
| 819 cvout[cvout_trust_anchor_index].value.pointer.cert, | 831 cvout[cvout_trust_anchor_index].value.pointer.cert, |
| 820 &verify_result->public_key_hashes); | 832 &verify_result->public_key_hashes); |
| 821 | 833 |
| 822 verify_result->is_issued_by_known_root = | 834 verify_result->is_issued_by_known_root = |
| 823 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | 835 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); |
| 995 | 1007 |
| 996 // static | 1008 // static |
| 997 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, | 1009 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, |
| 998 Pickle* pickle) { | 1010 Pickle* pickle) { |
| 999 return pickle->WriteData( | 1011 return pickle->WriteData( |
| 1000 reinterpret_cast<const char*>(cert_handle->derCert.data), | 1012 reinterpret_cast<const char*>(cert_handle->derCert.data), |
| 1001 cert_handle->derCert.len); | 1013 cert_handle->derCert.len); |
| 1002 } | 1014 } |
| 1003 | 1015 |
| 1004 } // namespace net | 1016 } // namespace net |
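Review bot: An empty cert_list leaves verified_cert NULL after the loop in GetCertChainInfo, and new lines 213–214 then pass that NULL handle into X509Certificate::CreateFromHandle unconditionally; a guard such as `if (!verified_cert) return;` ahead of that call (or a DCHECK on verified_cert, if an empty chain cannot occur at this point) would make the precondition explicit. The header comment above GetCertChainInfo was trimmed but still does not describe the new root_cert parameter; I would add `// root_cert, if non-NULL, is the trust anchor and is appended after the intermediates in verify_result->verified_cert.` It is not visible here whether CreateFromHandle duplicates the NSS handles it receives; if it only stores the pointers, the certificates reachable from verify_result->verified_cert would be tied to the lifetime of the cvout chain, which is worth confirming against its definition.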