OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 #include <time.h> | 10 #include <time.h> |
11 | 11 |
12 #include <vector> | 12 #include <vector> |
13 | 13 |
14 #include "base/lazy_instance.h" | 14 #include "base/lazy_instance.h" |
15 #include "base/logging.h" | 15 #include "base/logging.h" |
16 #include "base/mac/scoped_cftyperef.h" | 16 #include "base/mac/scoped_cftyperef.h" |
17 #include "base/memory/singleton.h" | 17 #include "base/memory/singleton.h" |
18 #include "base/pickle.h" | 18 #include "base/pickle.h" |
19 #include "base/sha1.h" | 19 #include "base/sha1.h" |
20 #include "base/sys_string_conversions.h" | 20 #include "base/sys_string_conversions.h" |
21 #include "crypto/cssm_init.h" | 21 #include "crypto/cssm_init.h" |
22 #include "crypto/nss_util.h" | 22 #include "crypto/nss_util.h" |
23 #include "crypto/rsa_private_key.h" | 23 #include "crypto/rsa_private_key.h" |
24 #include "net/base/asn1_util.h" | 24 #include "net/base/asn1_util.h" |
25 #include "net/base/cert_status_flags.h" | 25 #include "net/base/cert_status_flags.h" |
26 #include "net/base/cert_verify_result.h" | 26 #include "net/base/cert_verify_result.h" |
27 #include "net/base/net_errors.h" | 27 #include "net/base/net_errors.h" |
28 #include "net/base/test_root_certs.h" | 28 #include "net/base/test_root_certs.h" |
29 #include "net/base/x509_certificate_known_roots_mac.h" | 29 #include "net/base/x509_certificate_known_roots_mac.h" |
| 30 #include "net/base/x509_util_mac.h" |
30 #include "third_party/apple_apsl/cssmapplePriv.h" | 31 #include "third_party/apple_apsl/cssmapplePriv.h" |
31 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" | 32 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" |
32 | 33 |
33 using base::mac::ScopedCFTypeRef; | 34 using base::mac::ScopedCFTypeRef; |
34 using base::Time; | 35 using base::Time; |
35 | 36 |
36 namespace net { | 37 namespace net { |
37 | 38 |
38 namespace { | 39 namespace { |
39 | 40 |
(...skipping 721 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
761 ScopedCFTypeRef<CFArrayRef> trust_policies; | 762 ScopedCFTypeRef<CFArrayRef> trust_policies; |
762 OSStatus status = CreateTrustPolicies(hostname, flags, &trust_policies); | 763 OSStatus status = CreateTrustPolicies(hostname, flags, &trust_policies); |
763 if (status) | 764 if (status) |
764 return NetErrorFromOSStatus(status); | 765 return NetErrorFromOSStatus(status); |
765 | 766 |
766 // Create and configure a SecTrustRef, which takes our certificate(s) | 767 // Create and configure a SecTrustRef, which takes our certificate(s) |
767 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an | 768 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an |
768 // array of certificates, the first of which is the certificate we're | 769 // array of certificates, the first of which is the certificate we're |
769 // verifying, and the subsequent (optional) certificates are used for | 770 // verifying, and the subsequent (optional) certificates are used for |
770 // chain building. | 771 // chain building. |
771 CFMutableArrayRef cert_array = CFArrayCreateMutable(kCFAllocatorDefault, 0, | 772 ScopedCFTypeRef<CFArrayRef> cert_array( |
772 &kCFTypeArrayCallBacks); | 773 x509_util::CreateOSCertChainForCert(this)); |
773 if (!cert_array) | |
774 return ERR_OUT_OF_MEMORY; | |
775 ScopedCFTypeRef<CFArrayRef> scoped_cert_array(cert_array); | |
776 CFArrayAppendValue(cert_array, cert_handle_); | |
777 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) | |
778 CFArrayAppendValue(cert_array, intermediate_ca_certs_[i]); | |
779 | 774 |
780 // From here on, only one thread can be active at a time. We have had a number | 775 // From here on, only one thread can be active at a time. We have had a number |
781 // of sporadic crashes in the SecTrustEvaluate call below, way down inside | 776 // of sporadic crashes in the SecTrustEvaluate call below, way down inside |
782 // Apple's cert code, which we suspect are caused by a thread-safety issue. | 777 // Apple's cert code, which we suspect are caused by a thread-safety issue. |
783 // So as a speculative fix allow only one thread to use SecTrust on this cert. | 778 // So as a speculative fix allow only one thread to use SecTrust on this cert. |
784 base::AutoLock lock(verification_lock_); | 779 base::AutoLock lock(verification_lock_); |
785 | 780 |
786 SecTrustRef trust_ref = NULL; | 781 SecTrustRef trust_ref = NULL; |
787 status = SecTrustCreateWithCertificates(cert_array, trust_policies, | 782 status = SecTrustCreateWithCertificates(cert_array, trust_policies, |
788 &trust_ref); | 783 &trust_ref); |
(...skipping 569 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1358 CSSM_DATA cert_data; | 1353 CSSM_DATA cert_data; |
1359 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); | 1354 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); |
1360 if (status) | 1355 if (status) |
1361 return false; | 1356 return false; |
1362 | 1357 |
1363 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), | 1358 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), |
1364 cert_data.Length); | 1359 cert_data.Length); |
1365 } | 1360 } |
1366 | 1361 |
1367 } // namespace net | 1362 } // namespace net |
OLD | NEW |