OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 #include <time.h> | 10 #include <time.h> |
(...skipping 271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
282 err = SecPolicySetValue(*policy, &options_data); | 282 err = SecPolicySetValue(*policy, &options_data); |
283 if (err) { | 283 if (err) { |
284 CFRelease(*policy); | 284 CFRelease(*policy); |
285 return err; | 285 return err; |
286 } | 286 } |
287 } | 287 } |
288 return noErr; | 288 return noErr; |
289 } | 289 } |
290 | 290 |
291 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to | 291 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to |
292 // validate a certificate for an SSL peer. |hostname| contains the name of | 292 // validate a certificate for an SSL peer. |hostname| contains the name of |
wtc
2011/04/20 23:28:11
Also change the "peer" on this line.
| |
293 // the SSL peer that the certificate should be verified against. |flags| is | 293 // the SSL server that the certificate should be verified against. |flags| is |
294 // a bitwise-OR of VerifyFlags that can further alter how trust is | 294 // a bitwise-OR of VerifyFlags that can further alter how trust is |
295 // validated, such as how revocation is checked. If successful, returns | 295 // validated, such as how revocation is checked. If successful, returns |
296 // noErr, and stores the resultant array of SecPolicyRefs in |policies|. | 296 // noErr, and stores the resultant array of SecPolicyRefs in |policies|. |
297 OSStatus CreateTrustPolicies(const std::string& hostname, int flags, | 297 OSStatus CreateTrustPolicies(const std::string& hostname, int flags, |
298 ScopedCFTypeRef<CFArrayRef>* policies) { | 298 ScopedCFTypeRef<CFArrayRef>* policies) { |
299 // Create an SSL SecPolicyRef, and configure it to perform hostname | 299 // Create an SSL SecPolicyRef, and configure it to perform hostname |
300 // validation. The hostname check does 99% of what we want, with the | 300 // validation. The hostname check does 99% of what we want, with the |
301 // exception of dotted IPv4 addreses, which we handle ourselves below. | 301 // exception of dotted IPv4 addreses, which we handle ourselves below. |
302 CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = { | 302 CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options = { |
303 CSSM_APPLE_TP_SSL_OPTS_VERSION, | 303 CSSM_APPLE_TP_SSL_OPTS_VERSION, |
304 hostname.size(), | 304 hostname.size(), |
305 hostname.data(), | 305 hostname.data(), |
306 0 | 306 0 |
307 }; | 307 }; |
308 SecPolicyRef ssl_policy; | 308 SecPolicyRef ssl_policy; |
309 OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options, | 309 OSStatus status = CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options, |
310 sizeof(tp_ssl_options), &ssl_policy); | 310 sizeof(tp_ssl_options), &ssl_policy); |
311 if (status) | 311 if (status) |
312 return status; | 312 return status; |
313 ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy); | 313 ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy); |
314 | 314 |
315 // Manually add OCSP and CRL policies. If neither an OCSP or CRL policy is | 315 // Manually add OCSP and CRL policies. If neither an OCSP or CRL policy is |
316 // specified, the Apple TP module will add whatever the system settings | 316 // specified, the Apple TP module will add whatever the system settings |
317 // are, which is not desirable here. | 317 // are, which is not desirable here. |
318 // | |
319 // Note that this causes any locally configured OCSP responder URL to be | |
320 // ignored. | |
321 CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options; | 318 CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options; |
322 memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options)); | 319 memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options)); |
323 tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION; | 320 tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION; |
324 | 321 |
325 CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options; | 322 CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options; |
326 memset(&tp_crl_options, 0, sizeof(tp_crl_options)); | 323 memset(&tp_crl_options, 0, sizeof(tp_crl_options)); |
327 tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION; | 324 tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION; |
328 | 325 |
329 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { | 326 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { |
330 // If an OCSP responder is available, use it, and avoid fetching any | 327 // If an OCSP responder is available, use it, and avoid fetching any |
(...skipping 518 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
849 // we'll set our own result to include | 846 // we'll set our own result to include |
850 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are | 847 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are |
851 // present, and a check fails (server unavailable, OCSP retry later, | 848 // present, and a check fails (server unavailable, OCSP retry later, |
852 // signature mismatch), then we'll set our own result to include | 849 // signature mismatch), then we'll set our own result to include |
853 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION. | 850 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION. |
854 tp_action_data.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT; | 851 tp_action_data.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT; |
855 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 852 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
856 } else { | 853 } else { |
857 // EV requires revocation checking. | 854 // EV requires revocation checking. |
858 // Note, under the hood, SecTrustEvaluate() will modify the OCSP options | 855 // Note, under the hood, SecTrustEvaluate() will modify the OCSP options |
859 // so as to attempt OCSP fetching if it believes a certificate may chain | 856 // so as to attempt OCSP checking if it believes a certificate may chain |
860 // to an EV root. However, because network fetches are disabled in | 857 // to an EV root. However, because network fetches are disabled in |
861 // CreateTrustPolicies() when revocation checking is disabled, these | 858 // CreateTrustPolicies() when revocation checking is disabled, these |
862 // will only go against the local cache. | 859 // will only go against the local cache. |
863 flags &= ~VERIFY_EV_CERT; | 860 flags &= ~VERIFY_EV_CERT; |
864 } | 861 } |
865 | 862 |
866 CFDataRef action_data_ref = | 863 CFDataRef action_data_ref = |
867 CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, | 864 CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, |
868 reinterpret_cast<UInt8*>(&tp_action_data), | 865 reinterpret_cast<UInt8*>(&tp_action_data), |
869 sizeof(tp_action_data), kCFAllocatorNull); | 866 sizeof(tp_action_data), kCFAllocatorNull); |
(...skipping 466 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1336 CSSM_DATA cert_data; | 1333 CSSM_DATA cert_data; |
1337 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); | 1334 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); |
1338 if (status) | 1335 if (status) |
1339 return false; | 1336 return false; |
1340 | 1337 |
1341 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), | 1338 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), |
1342 cert_data.Length); | 1339 cert_data.Length); |
1343 } | 1340 } |
1344 | 1341 |
1345 } // namespace net | 1342 } // namespace net |
OLD | NEW |