OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
(...skipping 281 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
292 if (data_length <= 0 || !data) | 292 if (data_length <= 0 || !data) |
293 return false; | 293 return false; |
294 internal_cache = SetDERCache(cert, x509_der_cache_index, data, data_length); | 294 internal_cache = SetDERCache(cert, x509_der_cache_index, data, data_length); |
295 if (!internal_cache) | 295 if (!internal_cache) |
296 return false; | 296 return false; |
297 } | 297 } |
298 *der_cache = *internal_cache; | 298 *der_cache = *internal_cache; |
299 return true; | 299 return true; |
300 } | 300 } |
301 | 301 |
302 void GetCertChainInfo(X509_STORE_CTX* store_ctx, | |
joth
2011/11/01 09:31:45
Not sure if more stuff is likely to migrate into h
Ryan Sleevi
2011/11/03 01:52:58
We're currently using this name for [_nss, _win, _
| |
303 CertVerifyResult* verify_result) { | |
304 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); | |
305 X509* verified_cert = NULL; | |
306 std::vector<X509*> verified_chain; | |
307 for (int i = 0; i < sk_X509_num(chain); ++i) { | |
308 X509* cert = sk_X509_value(chain, i); | |
309 if (i == 0) { | |
310 verified_cert = cert; | |
311 } else { | |
312 verified_chain.push_back(cert); | |
313 } | |
314 | |
315 // Only check the algorithm status for certificates that are not in the | |
316 // trust store. | |
317 if (i < store_ctx->last_untrusted) { | |
318 int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm); | |
319 if (sig_alg == NID_md2WithRSAEncryption) { | |
320 verify_result->has_md2 = true; | |
321 if (i != 0) | |
322 verify_result->has_md2_ca = true; | |
323 } else if (sig_alg == NID_md4WithRSAEncryption) { | |
324 verify_result->has_md4 = true; | |
325 } else if (sig_alg == NID_md5WithRSAEncryption) { | |
326 verify_result->has_md5 = true; | |
327 if (i != 0) | |
328 verify_result->has_md5_ca = true; | |
329 } | |
330 } | |
331 } | |
332 | |
333 if (verified_cert) { | |
334 verify_result->verified_cert = | |
335 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | |
336 } | |
337 } | |
338 | |
302 } // namespace | 339 } // namespace |
303 | 340 |
304 // static | 341 // static |
305 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( | 342 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( |
306 OSCertHandle cert_handle) { | 343 OSCertHandle cert_handle) { |
307 DCHECK(cert_handle); | 344 DCHECK(cert_handle); |
308 // Using X509_dup causes the entire certificate to be reparsed. This | 345 // Using X509_dup causes the entire certificate to be reparsed. This |
309 // conversion, besides being non-trivial, drops any associated | 346 // conversion, besides being non-trivial, drops any associated |
310 // application-specific data set by X509_set_ex_data. Using CRYPTO_add | 347 // application-specific data set by X509_set_ex_data. Using CRYPTO_add |
311 // just bumps up the ref-count for the cert, without causing any allocations | 348 // just bumps up the ref-count for the cert, without causing any allocations |
(...skipping 161 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
473 int x509_error = X509_STORE_CTX_get_error(ctx.get()); | 510 int x509_error = X509_STORE_CTX_get_error(ctx.get()); |
474 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); | 511 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); |
475 LOG(ERROR) << "X509 Verification error " | 512 LOG(ERROR) << "X509 Verification error " |
476 << X509_verify_cert_error_string(x509_error) | 513 << X509_verify_cert_error_string(x509_error) |
477 << " : " << x509_error | 514 << " : " << x509_error |
478 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) | 515 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) |
479 << " : " << cert_status; | 516 << " : " << cert_status; |
480 verify_result->cert_status |= cert_status; | 517 verify_result->cert_status |= cert_status; |
481 } | 518 } |
482 | 519 |
520 GetCertChainInfo(ctx.get(), verify_result); | |
521 | |
483 if (IsCertStatusError(verify_result->cert_status)) | 522 if (IsCertStatusError(verify_result->cert_status)) |
484 return MapCertStatusToNetError(verify_result->cert_status); | 523 return MapCertStatusToNetError(verify_result->cert_status); |
485 | 524 |
joth
2011/11/01 09:31:45
Maybe it would be as well to extract the next loop
Ryan Sleevi
2011/11/03 01:52:58
Done.
| |
486 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get()); | 525 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get()); |
487 X509* verified_cert = NULL; | |
488 std::vector<X509*> verified_chain; | |
489 for (int i = 0; i < sk_X509_num(chain); ++i) { | 526 for (int i = 0; i < sk_X509_num(chain); ++i) { |
490 X509* cert = sk_X509_value(chain, i); | 527 X509* cert = sk_X509_value(chain, i); |
491 if (i == 0) { | |
492 verified_cert = cert; | |
493 } else { | |
494 verified_chain.push_back(cert); | |
495 } | |
496 | 528 |
497 DERCache der_cache; | 529 DERCache der_cache; |
498 if (!GetDERAndCacheIfNeeded(cert, &der_cache)) | 530 if (!GetDERAndCacheIfNeeded(cert, &der_cache)) |
499 continue; | 531 continue; |
500 | 532 |
501 base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data), | 533 base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data), |
502 der_cache.data_length); | 534 der_cache.data_length); |
503 base::StringPiece spki_bytes; | 535 base::StringPiece spki_bytes; |
504 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | 536 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
505 continue; | 537 continue; |
506 | 538 |
507 SHA1Fingerprint hash; | 539 SHA1Fingerprint hash; |
508 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 540 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
509 spki_bytes.size(), hash.data); | 541 spki_bytes.size(), hash.data); |
510 verify_result->public_key_hashes.push_back(hash); | 542 verify_result->public_key_hashes.push_back(hash); |
511 } | 543 } |
512 | 544 |
513 if (verified_cert) { | |
514 verify_result->verified_cert = CreateFromHandle(verified_cert, | |
515 verified_chain); | |
516 } | |
517 | |
518 // Currently we only ues OpenSSL's default root CA paths, so treat all | 545 // Currently we only ues OpenSSL's default root CA paths, so treat all |
519 // correctly verified certs as being from a known root. TODO(joth): if the | 546 // correctly verified certs as being from a known root. TODO(joth): if the |
520 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&rev ision=80778 | 547 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&rev ision=80778 |
521 // become an issue on OpenSSL builds, we will need to embed a hardcoded list | 548 // become an issue on OpenSSL builds, we will need to embed a hardcoded list |
522 // of well known root CAs, as per the _mac and _win versions. | 549 // of well known root CAs, as per the _mac and _win versions. |
523 verify_result->is_issued_by_known_root = true; | 550 verify_result->is_issued_by_known_root = true; |
524 | 551 |
525 return OK; | 552 return OK; |
526 } | 553 } |
527 | 554 |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
574 DERCache der_cache; | 601 DERCache der_cache; |
575 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) | 602 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) |
576 return false; | 603 return false; |
577 | 604 |
578 return pickle->WriteData( | 605 return pickle->WriteData( |
579 reinterpret_cast<const char*>(der_cache.data), | 606 reinterpret_cast<const char*>(der_cache.data), |
580 der_cache.data_length); | 607 der_cache.data_length); |
581 } | 608 } |
582 | 609 |
583 } // namespace net | 610 } // namespace net |
OLD | NEW |