Chromium Code Reviews Chromium Code Reviews
Issue 7324039:
Ensure X509Certificate::OSCertHandles are safe to be used on both UI and IO threads on Win (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
| 9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
| 10 #include <time.h> | 10 #include <time.h> |
| (...skipping 737 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 748 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const { | 748 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const { |
| 749 dns_names->clear(); | 749 dns_names->clear(); |
| 750 | 750 |
| 751 GetCertGeneralNamesForOID(cert_handle_, CSSMOID_SubjectAltName, GNT_DNSName, | 751 GetCertGeneralNamesForOID(cert_handle_, CSSMOID_SubjectAltName, GNT_DNSName, |
| 752 dns_names); | 752 dns_names); |
| 753 | 753 |
| 754 if (dns_names->empty()) | 754 if (dns_names->empty()) |
| 755 dns_names->push_back(subject_.common_name); | 755 dns_names->push_back(subject_.common_name); |
| 756 } | 756 } |
| 757 | 757 |
| 758 X509Certificate::OSCertListHandle | |
| 759 X509Certificate::CreateOSCertListHandle() const { | |
| 760 CFMutableArrayRef cert_list = | |
| 761 CFArrayCreateMutable(kCFAllocatorDefault, 0, | |
| 762 &kCFTypeArrayCallBacks); | |
| 763 if (!cert_list) | |
| 764 return NULL; | |
| 765 | |
| 766 CFArrayAppendValue(cert_list, cert_handle_); | |
| 767 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { | |
| 768 CFArrayAppendValue(cert_list, intermediate_ca_certs_[i]); | |
| 769 } | |
|
wtc
2011/10/04 00:26:34
Remove curly braces.
A comment like lines 783-786
| |
| 770 | |
| 771 return cert_list; | |
| 772 } | |
| 773 | |
| 758 int X509Certificate::VerifyInternal(const std::string& hostname, | 774 int X509Certificate::VerifyInternal(const std::string& hostname, |
| 759 int flags, | 775 int flags, |
| 760 CertVerifyResult* verify_result) const { | 776 CertVerifyResult* verify_result) const { |
| 761 ScopedCFTypeRef<CFArrayRef> trust_policies; | 777 ScopedCFTypeRef<CFArrayRef> trust_policies; |
| 762 OSStatus status = CreateTrustPolicies(hostname, flags, &trust_policies); | 778 OSStatus status = CreateTrustPolicies(hostname, flags, &trust_policies); |
| 763 if (status) | 779 if (status) |
| 764 return NetErrorFromOSStatus(status); | 780 return NetErrorFromOSStatus(status); |
| 765 | 781 |
| 766 // Create and configure a SecTrustRef, which takes our certificate(s) | 782 // Create and configure a SecTrustRef, which takes our certificate(s) |
| 767 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an | 783 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an |
| 768 // array of certificates, the first of which is the certificate we're | 784 // array of certificates, the first of which is the certificate we're |
| 769 // verifying, and the subsequent (optional) certificates are used for | 785 // verifying, and the subsequent (optional) certificates are used for |
| 770 // chain building. | 786 // chain building. |
| 771 CFMutableArrayRef cert_array = CFArrayCreateMutable(kCFAllocatorDefault, 0, | 787 ScopedCFTypeRef<CFArrayRef> cert_array(CreateOSCertListHandle()); |
| 772 &kCFTypeArrayCallBacks); | |
| 773 if (!cert_array) | |
| 774 return ERR_OUT_OF_MEMORY; | |
| 775 ScopedCFTypeRef<CFArrayRef> scoped_cert_array(cert_array); | |
| 776 CFArrayAppendValue(cert_array, cert_handle_); | |
| 777 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) | |
| 778 CFArrayAppendValue(cert_array, intermediate_ca_certs_[i]); | |
| 779 | 788 |
| 780 // From here on, only one thread can be active at a time. We have had a number | 789 // From here on, only one thread can be active at a time. We have had a number |
| 781 // of sporadic crashes in the SecTrustEvaluate call below, way down inside | 790 // of sporadic crashes in the SecTrustEvaluate call below, way down inside |
| 782 // Apple's cert code, which we suspect are caused by a thread-safety issue. | 791 // Apple's cert code, which we suspect are caused by a thread-safety issue. |
| 783 // So as a speculative fix allow only one thread to use SecTrust on this cert. | 792 // So as a speculative fix allow only one thread to use SecTrust on this cert. |
| 784 base::AutoLock lock(verification_lock_); | 793 base::AutoLock lock(verification_lock_); |
| 785 | 794 |
| 786 SecTrustRef trust_ref = NULL; | 795 SecTrustRef trust_ref = NULL; |
| 787 status = SecTrustCreateWithCertificates(cert_array, trust_policies, | 796 status = SecTrustCreateWithCertificates(cert_array, trust_policies, |
| 788 &trust_ref); | 797 &trust_ref); |
| (...skipping 278 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1067 return NULL; | 1076 return NULL; |
| 1068 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); | 1077 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); |
| 1069 } | 1078 } |
| 1070 | 1079 |
| 1071 // static | 1080 // static |
| 1072 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { | 1081 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { |
| 1073 CFRelease(cert_handle); | 1082 CFRelease(cert_handle); |
| 1074 } | 1083 } |
| 1075 | 1084 |
| 1076 // static | 1085 // static |
| 1086 void X509Certificate::FreeOSCertListHandle(OSCertListHandle identity) { | |
|
wtc
2011/10/04 00:26:34
identity => cert_list_handle
| |
| 1087 CFRelease(identity); | |
| 1088 } | |
| 1089 | |
| 1090 // static | |
| 1077 SHA1Fingerprint X509Certificate::CalculateFingerprint( | 1091 SHA1Fingerprint X509Certificate::CalculateFingerprint( |
| 1078 OSCertHandle cert) { | 1092 OSCertHandle cert) { |
| 1079 SHA1Fingerprint sha1; | 1093 SHA1Fingerprint sha1; |
| 1080 memset(sha1.data, 0, sizeof(sha1.data)); | 1094 memset(sha1.data, 0, sizeof(sha1.data)); |
| 1081 | 1095 |
| 1082 CSSM_DATA cert_data; | 1096 CSSM_DATA cert_data; |
| 1083 OSStatus status = SecCertificateGetData(cert, &cert_data); | 1097 OSStatus status = SecCertificateGetData(cert, &cert_data); |
| 1084 if (status) | 1098 if (status) |
| 1085 return sha1; | 1099 return sha1; |
| 1086 | 1100 |
| (...skipping 292 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1379 CSSM_DATA cert_data; | 1393 CSSM_DATA cert_data; |
| 1380 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); | 1394 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); |
| 1381 if (status) | 1395 if (status) |
| 1382 return false; | 1396 return false; |
| 1383 | 1397 |
| 1384 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), | 1398 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), |
| 1385 cert_data.Length); | 1399 cert_data.Length); |
| 1386 } | 1400 } |
| 1387 | 1401 |
| 1388 } // namespace net | 1402 } // namespace net |
| OLD | NEW |
