| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
| 8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
| 9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
| 10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
| (...skipping 305 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 316 } | 316 } |
| 317 | 317 |
| 318 // static | 318 // static |
| 319 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { | 319 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { |
| 320 // Decrement the ref-count for the cert and, if all references are gone, | 320 // Decrement the ref-count for the cert and, if all references are gone, |
| 321 // free the memory and any application-specific data associated with the | 321 // free the memory and any application-specific data associated with the |
| 322 // certificate. | 322 // certificate. |
| 323 X509_free(cert_handle); | 323 X509_free(cert_handle); |
| 324 } | 324 } |
| 325 | 325 |
| 326 // static |
| 327 void X509Certificate::FreeOSCertListHandle( |
| 328 OSCertListHandle cert_list_handle) { |
| 329 sk_X509_pop_free(cert_list_handle, X509_free); |
| 330 } |
| 331 |
| 326 void X509Certificate::Initialize() { | 332 void X509Certificate::Initialize() { |
| 327 crypto::EnsureOpenSSLInit(); | 333 crypto::EnsureOpenSSLInit(); |
| 328 fingerprint_ = CalculateFingerprint(cert_handle_); | 334 fingerprint_ = CalculateFingerprint(cert_handle_); |
| 329 | 335 |
| 330 ASN1_INTEGER* num = X509_get_serialNumber(cert_handle_); | 336 ASN1_INTEGER* num = X509_get_serialNumber(cert_handle_); |
| 331 if (num) { | 337 if (num) { |
| 332 serial_number_ = std::string( | 338 serial_number_ = std::string( |
| 333 reinterpret_cast<char*>(num->data), | 339 reinterpret_cast<char*>(num->data), |
| 334 num->length); | 340 num->length); |
| 335 // Remove leading zeros. | 341 // Remove leading zeros. |
| (...skipping 15 matching lines...) Expand all Loading... |
| 351 SHA1Fingerprint X509Certificate::CalculateFingerprint(OSCertHandle cert) { | 357 SHA1Fingerprint X509Certificate::CalculateFingerprint(OSCertHandle cert) { |
| 352 SHA1Fingerprint sha1; | 358 SHA1Fingerprint sha1; |
| 353 unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data)); | 359 unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data)); |
| 354 int ret = X509_digest(cert, EVP_sha1(), sha1.data, &sha1_size); | 360 int ret = X509_digest(cert, EVP_sha1(), sha1.data, &sha1_size); |
| 355 CHECK(ret); | 361 CHECK(ret); |
| 356 CHECK_EQ(sha1_size, sizeof(sha1.data)); | 362 CHECK_EQ(sha1_size, sizeof(sha1.data)); |
| 357 return sha1; | 363 return sha1; |
| 358 } | 364 } |
| 359 | 365 |
| 360 // static | 366 // static |
| 367 X509Certificate::OSCertListHandle |
| 368 X509Certificate::CreateOSCertListHandle() const { |
| 369 STACK_OF(X509)* cert_list_handle = sk_X509_new_null(); |
| 370 if (!cert_list_handle) |
| 371 return NULL; |
| 372 |
| 373 if (!sk_X509_push(cert_list_handle, DupOSCertHandle(cert_handle_))) { |
| 374 FreeOSCertListHandle(cert_list_handle); |
| 375 return NULL; |
| 376 } |
| 377 |
| 378 bool ok = true; |
| 379 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { |
| 380 if (!sk_X509_push(cert_list_handle, |
| 381 DupOSCertHandle(intermediate_ca_certs_[i]))) { |
| 382 ok = false; |
| 383 break; |
| 384 } |
| 385 } |
| 386 if (!ok) { |
| 387 FreeOSCertListHandle(cert_list_handle); |
| 388 return NULL; |
| 389 } |
| 390 |
| 391 return cert_list_handle; |
| 392 } |
| 393 |
| 394 // static |
| 361 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( | 395 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( |
| 362 const char* data, int length) { | 396 const char* data, int length) { |
| 363 if (length < 0) | 397 if (length < 0) |
| 364 return NULL; | 398 return NULL; |
| 365 crypto::EnsureOpenSSLInit(); | 399 crypto::EnsureOpenSSLInit(); |
| 366 const unsigned char* d2i_data = | 400 const unsigned char* d2i_data = |
| 367 reinterpret_cast<const unsigned char*>(data); | 401 reinterpret_cast<const unsigned char*>(data); |
| 368 // Don't cache this data via SetDERCache as this wire format may be not be | 402 // Don't cache this data via SetDERCache as this wire format may be not be |
| 369 // identical from the i2d_X509 roundtrip. | 403 // identical from the i2d_X509 roundtrip. |
| 370 X509* cert = d2i_X509(NULL, &d2i_data, length); | 404 X509* cert = d2i_X509(NULL, &d2i_data, length); |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 441 int X509Certificate::VerifyInternal(const std::string& hostname, | 475 int X509Certificate::VerifyInternal(const std::string& hostname, |
| 442 int flags, | 476 int flags, |
| 443 CertVerifyResult* verify_result) const { | 477 CertVerifyResult* verify_result) const { |
| 444 if (!VerifyNameMatch(hostname)) | 478 if (!VerifyNameMatch(hostname)) |
| 445 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 479 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 446 | 480 |
| 447 crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx( | 481 crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx( |
| 448 X509_STORE_CTX_new()); | 482 X509_STORE_CTX_new()); |
| 449 | 483 |
| 450 crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates( | 484 crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates( |
| 451 sk_X509_new_null()); | 485 CreateOSCertListHandle()); |
| 452 if (!intermediates.get()) | 486 if (!intermediates.get()) |
| 453 return ERR_OUT_OF_MEMORY; | 487 return ERR_OUT_OF_MEMORY; |
| 454 | 488 |
| 455 for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin(); | |
| 456 it != intermediate_ca_certs_.end(); ++it) { | |
| 457 if (!sk_X509_push(intermediates.get(), *it)) | |
| 458 return ERR_OUT_OF_MEMORY; | |
| 459 } | |
| 460 int rv = X509_STORE_CTX_init(ctx.get(), cert_store(), | 489 int rv = X509_STORE_CTX_init(ctx.get(), cert_store(), |
| 461 cert_handle_, intermediates.get()); | 490 cert_handle_, intermediates.get()); |
| 462 CHECK_EQ(1, rv); | 491 CHECK_EQ(1, rv); |
| 463 | 492 |
| 464 if (X509_verify_cert(ctx.get()) != 1) { | 493 if (X509_verify_cert(ctx.get()) != 1) { |
| 465 int x509_error = X509_STORE_CTX_get_error(ctx.get()); | 494 int x509_error = X509_STORE_CTX_get_error(ctx.get()); |
| 466 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); | 495 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); |
| 467 LOG(ERROR) << "X509 Verification error " | 496 LOG(ERROR) << "X509 Verification error " |
| 468 << X509_verify_cert_error_string(x509_error) | 497 << X509_verify_cert_error_string(x509_error) |
| 469 << " : " << x509_error | 498 << " : " << x509_error |
| (...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 564 DERCache der_cache; | 593 DERCache der_cache; |
| 565 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) | 594 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) |
| 566 return false; | 595 return false; |
| 567 | 596 |
| 568 return pickle->WriteData( | 597 return pickle->WriteData( |
| 569 reinterpret_cast<const char*>(der_cache.data), | 598 reinterpret_cast<const char*>(der_cache.data), |
| 570 der_cache.data_length); | 599 der_cache.data_length); |
| 571 } | 600 } |
| 572 | 601 |
| 573 } // namespace net | 602 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7324039:
Ensure X509Certificate::OSCertHandles are safe to be used on both UI and IO threads on Win (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src