1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
438 | 438 |
439 // static | 439 // static |
440 X509_STORE* X509Certificate::cert_store() { | 440 X509_STORE* X509Certificate::cert_store() { |
441 return X509InitSingleton::GetInstance()->store(); | 441 return X509InitSingleton::GetInstance()->store(); |
442 } | 442 } |
443 | 443 |
444 int X509Certificate::Verify(const std::string& hostname, | 444 int X509Certificate::Verify(const std::string& hostname, |
445 int flags, | 445 int flags, |
446 CertVerifyResult* verify_result) const { | 446 CertVerifyResult* verify_result) const { |
447 verify_result->Reset(); | 447 verify_result->Reset(); |
| 448 verify_result->verified_cert = |
| 449 CreateFromHandle(cert_handle_, GetIntermediateCertificates()); |
448 | 450 |
449 if (IsBlacklisted()) { | 451 if (IsBlacklisted()) { |
450 verify_result->cert_status |= CERT_STATUS_REVOKED; | 452 verify_result->cert_status |= CERT_STATUS_REVOKED; |
451 return ERR_CERT_REVOKED; | 453 return ERR_CERT_REVOKED; |
452 } | 454 } |
453 | 455 |
454 // TODO(joth): We should fetch the subjectAltNames directly rather than via | 456 // TODO(joth): We should fetch the subjectAltNames directly rather than via |
455 // GetDNSNames, so we can apply special handling for IP addresses vs DNS | 457 // GetDNSNames, so we can apply special handling for IP addresses vs DNS |
456 // names, etc. See http://crbug.com/62973. | 458 // names, etc. See http://crbug.com/62973. |
457 std::vector<std::string> cert_names; | 459 std::vector<std::string> cert_names; |
484 << " : " << x509_error | 486 << " : " << x509_error |
485 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) | 487 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) |
486 << " : " << cert_status; | 488 << " : " << cert_status; |
487 verify_result->cert_status |= cert_status; | 489 verify_result->cert_status |= cert_status; |
488 } | 490 } |
489 | 491 |
490 if (IsCertStatusError(verify_result->cert_status)) | 492 if (IsCertStatusError(verify_result->cert_status)) |
491 return MapCertStatusToNetError(verify_result->cert_status); | 493 return MapCertStatusToNetError(verify_result->cert_status); |
492 | 494 |
493 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get()); | 495 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get()); |
| 496 X509* verified_cert = NULL; |
| 497 std::vector<X509*> verified_chain; |
494 for (int i = 0; i < sk_X509_num(chain); ++i) { | 498 for (int i = 0; i < sk_X509_num(chain); ++i) { |
495 X509* cert = sk_X509_value(chain, i); | 499 X509* cert = sk_X509_value(chain, i); |
| 500 if (i == 0) { |
| 501 verified_cert = cert; |
| 502 } else { |
| 503 verified_chain.push_back(verified_cert); |
| 504 } |
| 505 |
496 DERCache der_cache; | 506 DERCache der_cache; |
497 if (!GetDERAndCacheIfNeeded(cert, &der_cache)) | 507 if (!GetDERAndCacheIfNeeded(cert, &der_cache)) |
498 continue; | 508 continue; |
499 | 509 |
500 base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data), | 510 base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data), |
501 der_cache.data_length); | 511 der_cache.data_length); |
502 base::StringPiece spki_bytes; | 512 base::StringPiece spki_bytes; |
503 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | 513 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
504 continue; | 514 continue; |
505 | 515 |
506 SHA1Fingerprint hash; | 516 SHA1Fingerprint hash; |
507 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 517 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
508 spki_bytes.size(), hash.data); | 518 spki_bytes.size(), hash.data); |
509 verify_result->public_key_hashes.push_back(hash); | 519 verify_result->public_key_hashes.push_back(hash); |
510 } | 520 } |
511 | 521 |
| 522 if (verified_cert) { |
| 523 verify_result->verified_cert = CreateFromHandle(verified_cert, |
| 524 verified_chain); |
| 525 } |
| 526 |
512 // Currently we only ues OpenSSL's default root CA paths, so treat all | 527 // Currently we only ues OpenSSL's default root CA paths, so treat all |
513 // correctly verified certs as being from a known root. TODO(joth): if the | 528 // correctly verified certs as being from a known root. TODO(joth): if the |
514 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&rev
ision=80778 | 529 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&rev
ision=80778 |
515 // become an issue on OpenSSL builds, we will need to embed a hardcoded list | 530 // become an issue on OpenSSL builds, we will need to embed a hardcoded list |
516 // of well known root CAs, as per the _mac and _win versions. | 531 // of well known root CAs, as per the _mac and _win versions. |
517 verify_result->is_issued_by_known_root = true; | 532 verify_result->is_issued_by_known_root = true; |
518 | 533 |
519 return OK; | 534 return OK; |
520 } | 535 } |
521 | 536 |
564 DERCache der_cache; | 579 DERCache der_cache; |
565 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) | 580 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) |
566 return false; | 581 return false; |
567 | 582 |
568 return pickle->WriteData( | 583 return pickle->WriteData( |
569 reinterpret_cast<const char*>(der_cache.data), | 584 reinterpret_cast<const char*>(der_cache.data), |
570 der_cache.data_length); | 585 der_cache.data_length); |
571 } | 586 } |
572 | 587 |
573 } // namespace net | 588 } // namespace net |
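Review bot: The else branch of the chain loop at new lines 500–504 pushes `verified_cert` (the leaf captured at i == 0) rather than the current `cert`, so `verified_chain` ends up holding N-1 copies of the leaf and the real intermediates never reach the `CreateFromHandle` call at new lines 523–524; the fix is `verified_chain.push_back(cert);`. Any consumer that relies on `verify_result->verified_cert` carrying the chain the verifier actually built, as opposed to the server-sent chain that new line 448 installs as the fallback, would be handed a wrong chain. Separately, `chain` is owned by `ctx`, so `CreateFromHandle` has to take its own reference to each `X509*` before `ctx` goes out of scope — presumably it does, since line 448 already routes `cert_handle_` through the same call, but that is worth confirming. Part of Verify's body is collapsed on this page between the first and second hunks.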