| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_database.h" | 5 #include "net/base/cert_database.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| 11 #include <secmod.h> | 11 #include <secmod.h> |
| 12 | 12 |
| 13 #include "base/logging.h" | 13 #include "base/logging.h" |
| 14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 15 #include "crypto/nss_util.h" | 15 #include "crypto/nss_util.h" |
| 16 #include "crypto/nss_util_internal.h" | 16 #include "crypto/nss_util_internal.h" |
| 17 #include "net/base/crypto_module.h" | 17 #include "net/base/crypto_module.h" |
| 18 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
| 19 #include "net/base/x509_certificate.h" | 19 #include "net/base/x509_certificate.h" |
| 20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 21 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | 21 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" |
| 22 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" | 22 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" |
| 23 | 23 |
| 24 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 25 // the new name of the macro. |
| 26 #if !defined(CERTDB_TERMINAL_RECORD) |
| 27 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| 28 #endif |
| 29 |
| 24 // PSM = Mozilla's Personal Security Manager. | 30 // PSM = Mozilla's Personal Security Manager. |
| 25 namespace psm = mozilla_security_manager; | 31 namespace psm = mozilla_security_manager; |
| 26 | 32 |
| 27 namespace net { | 33 namespace net { |
| 28 | 34 |
| 29 CertDatabase::CertDatabase() { | 35 CertDatabase::CertDatabase() { |
| 30 crypto::EnsureNSSInit(); | 36 crypto::EnsureNSSInit(); |
| 31 psm::EnsurePKCS12Init(); | 37 psm::EnsurePKCS12Init(); |
| 32 } | 38 } |
| 33 | 39 |
| (...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 229 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; | 235 trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; |
| 230 case SERVER_CERT: | 236 case SERVER_CERT: |
| 231 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + | 237 return trust.HasTrustedPeer(PR_TRUE, PR_FALSE, PR_FALSE) * TRUSTED_SSL + |
| 232 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + | 238 trust.HasTrustedPeer(PR_FALSE, PR_TRUE, PR_FALSE) * TRUSTED_EMAIL + |
| 233 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; | 239 trust.HasTrustedPeer(PR_FALSE, PR_FALSE, PR_TRUE) * TRUSTED_OBJ_SIGN; |
| 234 default: | 240 default: |
| 235 return UNTRUSTED; | 241 return UNTRUSTED; |
| 236 } | 242 } |
| 237 } | 243 } |
| 238 | 244 |
| 245 bool CertDatabase::IsUntrusted(const X509Certificate* cert) const { |
| 246 CERTCertTrust nsstrust; |
| 247 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); |
| 248 if (rv != SECSuccess) { |
| 249 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); |
| 250 return false; |
| 251 } |
| 252 |
| 253 // The CERTCertTrust structure contains three trust records: |
| 254 // sslFlags, emailFlags, and objectSigningFlags. The three |
| 255 // trust records are independent of each other. |
| 256 // |
| 257 // If the CERTDB_TERMINAL_RECORD bit in a trust record is set, |
| 258 // then that trust record is a terminal record. A terminal |
| 259 // record is used for explicit trust and distrust of an |
| 260 // end-entity or intermediate CA cert. |
| 261 // |
| 262 // In a terminal record, if neither CERTDB_TRUSTED_CA nor |
| 263 // CERTDB_TRUSTED is set, then the terminal record means |
| 264 // explicit distrust. On the other hand, if the terminal |
| 265 // record has either CERTDB_TRUSTED_CA or CERTDB_TRUSTED bit |
| 266 // set, then the terminal record means explicit trust. |
| 267 // |
| 268 // For a root CA, the trust record does not have |
| 269 // the CERTDB_TERMINAL_RECORD bit set. |
| 270 |
| 271 static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED; |
| 272 if ((nsstrust.sslFlags & CERTDB_TERMINAL_RECORD) != 0 && |
| 273 (nsstrust.sslFlags & kTrusted) == 0) { |
| 274 return true; |
| 275 } |
| 276 if ((nsstrust.emailFlags & CERTDB_TERMINAL_RECORD) != 0 && |
| 277 (nsstrust.emailFlags & kTrusted) == 0) { |
| 278 return true; |
| 279 } |
| 280 if ((nsstrust.objectSigningFlags & CERTDB_TERMINAL_RECORD) != 0 && |
| 281 (nsstrust.objectSigningFlags & kTrusted) == 0) { |
| 282 return true; |
| 283 } |
| 284 |
| 285 // Self-signed certificates that don't have any trust bits set are untrusted. |
| 286 // Other certificates that don't have any trust bits set may still be trusted |
| 287 // if they chain up to a trust anchor. |
| 288 if (CERT_CompareName(&cert->os_cert_handle()->issuer, |
| 289 &cert->os_cert_handle()->subject) == SECEqual) { |
| 290 return (nsstrust.sslFlags & kTrusted) == 0 && |
| 291 (nsstrust.emailFlags & kTrusted) == 0 && |
| 292 (nsstrust.objectSigningFlags & kTrusted) == 0; |
| 293 } |
| 294 |
| 295 return false; |
| 296 } |
| 297 |
| 239 bool CertDatabase::SetCertTrust(const X509Certificate* cert, | 298 bool CertDatabase::SetCertTrust(const X509Certificate* cert, |
| 240 CertType type, | 299 CertType type, |
| 241 TrustBits trust_bits) { | 300 TrustBits trust_bits) { |
| 242 bool success = psm::SetCertTrust(cert, type, trust_bits); | 301 bool success = psm::SetCertTrust(cert, type, trust_bits); |
| 243 if (success) | 302 if (success) |
| 244 CertDatabase::NotifyObserversOfCertTrustChanged(cert); | 303 CertDatabase::NotifyObserversOfCertTrustChanged(cert); |
| 245 | 304 |
| 246 return success; | 305 return success; |
| 247 } | 306 } |
| 248 | 307 |
| (...skipping 19 matching lines...) Expand all Loading... |
| 268 } | 327 } |
| 269 return true; | 328 return true; |
| 270 } | 329 } |
| 271 | 330 |
| 272 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { | 331 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { |
| 273 PK11SlotInfo* slot = cert->os_cert_handle()->slot; | 332 PK11SlotInfo* slot = cert->os_cert_handle()->slot; |
| 274 return slot && PK11_IsReadOnly(slot); | 333 return slot && PK11_IsReadOnly(slot); |
| 275 } | 334 } |
| 276 | 335 |
| 277 } // namespace net | 336 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7272014:
Mark untrusted certificates as such in Linux UI. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src