| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
| 9 #include <nss.h> | 9 #include <nss.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| 11 #include <prerror.h> | 11 #include <prerror.h> |
| 12 #include <prtime.h> | 12 #include <prtime.h> |
| 13 #include <secder.h> | 13 #include <secder.h> |
| 14 #include <secerr.h> | 14 #include <secerr.h> |
| 15 #include <sechash.h> | 15 #include <sechash.h> |
| 16 #include <sslerr.h> | 16 #include <sslerr.h> |
| 17 | 17 |
| 18 #include "base/logging.h" | 18 #include "base/logging.h" |
| 19 #include "base/memory/scoped_ptr.h" | 19 #include "base/memory/scoped_ptr.h" |
| 20 #include "base/pickle.h" | 20 #include "base/pickle.h" |
| 21 #include "base/time.h" | 21 #include "base/time.h" |
| 22 #include "crypto/nss_util.h" | 22 #include "crypto/nss_util.h" |
| 23 #include "crypto/rsa_private_key.h" | 23 #include "crypto/rsa_private_key.h" |
| 24 #include "net/base/asn1_util.h" |
| 24 #include "net/base/cert_status_flags.h" | 25 #include "net/base/cert_status_flags.h" |
| 25 #include "net/base/cert_verify_result.h" | 26 #include "net/base/cert_verify_result.h" |
| 27 #include "net/base/crl_set.h" |
| 26 #include "net/base/ev_root_ca_metadata.h" | 28 #include "net/base/ev_root_ca_metadata.h" |
| 27 #include "net/base/net_errors.h" | 29 #include "net/base/net_errors.h" |
| 28 #include "net/base/x509_util_nss.h" | 30 #include "net/base/x509_util_nss.h" |
| 29 | 31 |
| 30 namespace net { | 32 namespace net { |
| 31 | 33 |
| 32 namespace { | 34 namespace { |
| 33 | 35 |
| 34 class ScopedCERTCertificatePolicies { | 36 class ScopedCERTCertificatePolicies { |
| 35 public: | 37 public: |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 221 bool IsKnownRoot(CERTCertificate* root) { | 223 bool IsKnownRoot(CERTCertificate* root) { |
| 222 if (!root->slot) | 224 if (!root->slot) |
| 223 return false; | 225 return false; |
| 224 | 226 |
| 225 // This magic name is taken from | 227 // This magic name is taken from |
| 226 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b
uiltins/constants.c&rev=1.13&mark=86,89#79 | 228 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b
uiltins/constants.c&rev=1.13&mark=86,89#79 |
| 227 return 0 == strcmp(PK11_GetSlotName(root->slot), | 229 return 0 == strcmp(PK11_GetSlotName(root->slot), |
| 228 "NSS Builtin Objects"); | 230 "NSS Builtin Objects"); |
| 229 } | 231 } |
| 230 | 232 |
| 233 enum CRLSetResult { |
| 234 kCRLSetRevoked, |
| 235 kCRLSetOk, |
| 236 kCRLSetError, |
| 237 }; |
| 238 |
| 239 // CheckRevocationWithCRLSet attempts to check each element of |cert_list| |
| 240 // against |crl_set|. It returns: |
| 241 // kCRLSetRevoked: if any element of the chain is known to have been revoked. |
| 242 // kCRLSetError: if an error occurs in processing. |
| 243 // kCRLSetOk: if no element in the chain is known to have been revoked. |
| 244 CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list, |
| 245 CERTCertificate* root, |
| 246 CRLSet* crl_set) { |
| 247 std::vector<CERTCertificate*> certs; |
| 248 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 249 !CERT_LIST_END(node, cert_list); |
| 250 node = CERT_LIST_NEXT(node)) { |
| 251 certs.push_back(node->cert); |
| 252 } |
| 253 certs.push_back(root); |
| 254 |
| 255 CERTCertificate* prev = NULL; |
| 256 for (std::vector<CERTCertificate*>::iterator i = certs.begin(); |
| 257 i != certs.end(); ++i) { |
| 258 CERTCertificate* cert = *i; |
| 259 CERTCertificate* child = prev; |
| 260 prev = cert; |
| 261 if (child == NULL) |
| 262 continue; |
| 263 |
| 264 base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data), |
| 265 cert->derCert.len); |
| 266 |
| 267 base::StringPiece spki; |
| 268 if (!asn1::ExtractSPKIFromDERCert(der, &spki)) { |
| 269 NOTREACHED(); |
| 270 return kCRLSetError; |
| 271 } |
| 272 |
| 273 std::string serial_number( |
| 274 reinterpret_cast<char*>(child->serialNumber.data), |
| 275 child->serialNumber.len); |
| 276 |
| 277 CRLSet::Result result = crl_set->CheckCertificate(serial_number, spki); |
| 278 |
| 279 switch (result) { |
| 280 case CRLSet::REVOKED: |
| 281 return kCRLSetRevoked; |
| 282 case CRLSet::UNKNOWN: |
| 283 case CRLSet::GOOD: |
| 284 continue; |
| 285 default: |
| 286 NOTREACHED(); |
| 287 return kCRLSetError; |
| 288 } |
| 289 } |
| 290 |
| 291 return kCRLSetOk; |
| 292 } |
| 293 |
| 231 void ParsePrincipal(CERTName* name, | 294 void ParsePrincipal(CERTName* name, |
| 232 CertPrincipal* principal) { | 295 CertPrincipal* principal) { |
| 233 typedef char* (*CERTGetNameFunc)(CERTName* name); | 296 typedef char* (*CERTGetNameFunc)(CERTName* name); |
| 234 | 297 |
| 235 // TODO(jcampan): add business_category and serial_number. | 298 // TODO(jcampan): add business_category and serial_number. |
| 236 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and | 299 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
| 237 // CERT_GetDomainComponentName functions, but they return only the most | 300 // CERT_GetDomainComponentName functions, but they return only the most |
| 238 // general (the first) RDN. NSS doesn't have a function for the street | 301 // general (the first) RDN. NSS doesn't have a function for the street |
| 239 // address. | 302 // address. |
| 240 static const SECOidTag kOIDs[] = { | 303 static const SECOidTag kOIDs[] = { |
| (...skipping 443 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 684 } | 747 } |
| 685 name = CERT_GetNextGeneralName(name); | 748 name = CERT_GetNextGeneralName(name); |
| 686 if (name == alt_name_list) | 749 if (name == alt_name_list) |
| 687 break; | 750 break; |
| 688 } | 751 } |
| 689 PORT_FreeArena(arena, PR_FALSE); | 752 PORT_FreeArena(arena, PR_FALSE); |
| 690 } | 753 } |
| 691 | 754 |
| 692 int X509Certificate::VerifyInternal(const std::string& hostname, | 755 int X509Certificate::VerifyInternal(const std::string& hostname, |
| 693 int flags, | 756 int flags, |
| 757 CRLSet* crl_set, |
| 694 CertVerifyResult* verify_result) const { | 758 CertVerifyResult* verify_result) const { |
| 695 // Make sure that the hostname matches with the common name of the cert. | 759 // Make sure that the hostname matches with the common name of the cert. |
| 696 SECStatus status = CERT_VerifyCertName(cert_handle_, hostname.c_str()); | 760 SECStatus status = CERT_VerifyCertName(cert_handle_, hostname.c_str()); |
| 697 if (status != SECSuccess) | 761 if (status != SECSuccess) |
| 698 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 762 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 699 | 763 |
| 700 // Make sure that the cert is valid now. | 764 // Make sure that the cert is valid now. |
| 701 SECCertTimeValidity validity = CERT_CheckCertValidTimes( | 765 SECCertTimeValidity validity = CERT_CheckCertValidTimes( |
| 702 cert_handle_, PR_Now(), PR_TRUE); | 766 cert_handle_, PR_Now(), PR_TRUE); |
| 703 if (validity != secCertTimeValid) | 767 if (validity != secCertTimeValid) |
| (...skipping 12 matching lines...) Expand all Loading... |
| 716 cvout[cvout_index].type = cert_po_end; | 780 cvout[cvout_index].type = cert_po_end; |
| 717 ScopedCERTValOutParam scoped_cvout(cvout); | 781 ScopedCERTValOutParam scoped_cvout(cvout); |
| 718 | 782 |
| 719 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); | 783 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); |
| 720 if (check_revocation) { | 784 if (check_revocation) { |
| 721 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 785 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 722 } else { | 786 } else { |
| 723 // EV requires revocation checking. | 787 // EV requires revocation checking. |
| 724 flags &= ~VERIFY_EV_CERT; | 788 flags &= ~VERIFY_EV_CERT; |
| 725 } | 789 } |
| 726 status = PKIXVerifyCert(cert_handle_, check_revocation, NULL, 0, cvout); | 790 |
| 791 if (check_revocation && crl_set) { |
| 792 // We have a CRLSet so we build a chain without revocation checking in |
| 793 // order to try and check it ourselves. |
| 794 status = PKIXVerifyCert(cert_handle_, false /* no revocation checking */, |
| 795 NULL, 0, cvout); |
| 796 if (status == SECSuccess) { |
| 797 CRLSetResult crl_set_result = CheckRevocationWithCRLSet( |
| 798 cvout[cvout_cert_list_index].value.pointer.chain, |
| 799 cvout[cvout_trust_anchor_index].value.pointer.cert, |
| 800 crl_set); |
| 801 if (crl_set_result == kCRLSetError) { |
| 802 // An error occured during processing so we fall back to standard |
| 803 // revocation checking. |
| 804 status = PKIXVerifyCert(cert_handle_, check_revocation, NULL, 0, cvout); |
| 805 } else { |
| 806 DCHECK(crl_set_result == kCRLSetRevoked || crl_set_result == kCRLSetOk); |
| 807 if (crl_set_result == kCRLSetRevoked) { |
| 808 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); |
| 809 status = SECFailure; |
| 810 } |
| 811 } |
| 812 } |
| 813 } else { |
| 814 status = PKIXVerifyCert(cert_handle_, check_revocation, |
| 815 NULL, 0, cvout); |
| 816 } |
| 817 |
| 727 if (status != SECSuccess) { | 818 if (status != SECSuccess) { |
| 728 int err = PORT_GetError(); | 819 int err = PORT_GetError(); |
| 729 LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname | 820 LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname |
| 730 << " failed err=" << err; | 821 << " failed err=" << err; |
| 731 // CERT_PKIXVerifyCert rerports the wrong error code for | 822 // CERT_PKIXVerifyCert rerports the wrong error code for |
| 732 // expired certificates (NSS bug 491174) | 823 // expired certificates (NSS bug 491174) |
| 733 if (err == SEC_ERROR_CERT_NOT_VALID && | 824 if (err == SEC_ERROR_CERT_NOT_VALID && |
| 734 (verify_result->cert_status & CERT_STATUS_DATE_INVALID)) | 825 (verify_result->cert_status & CERT_STATUS_DATE_INVALID)) |
| 735 err = SEC_ERROR_EXPIRED_CERTIFICATE; | 826 err = SEC_ERROR_EXPIRED_CERTIFICATE; |
| 736 CertStatus cert_status = MapCertErrorToCertStatus(err); | 827 CertStatus cert_status = MapCertErrorToCertStatus(err); |
| (...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 928 | 1019 |
| 929 // static | 1020 // static |
| 930 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, | 1021 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, |
| 931 Pickle* pickle) { | 1022 Pickle* pickle) { |
| 932 return pickle->WriteData( | 1023 return pickle->WriteData( |
| 933 reinterpret_cast<const char*>(cert_handle->derCert.data), | 1024 reinterpret_cast<const char*>(cert_handle->derCert.data), |
| 934 cert_handle->derCert.len); | 1025 cert_handle->derCert.len); |
| 935 } | 1026 } |
| 936 | 1027 |
| 937 } // namespace net | 1028 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8342054:
net: enable CRL sets behind a command line flag. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src