OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
(...skipping 282 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
293 if (data_length <= 0 || !data) | 293 if (data_length <= 0 || !data) |
294 return false; | 294 return false; |
295 internal_cache = SetDERCache(cert, x509_der_cache_index, data, data_length); | 295 internal_cache = SetDERCache(cert, x509_der_cache_index, data, data_length); |
296 if (!internal_cache) | 296 if (!internal_cache) |
297 return false; | 297 return false; |
298 } | 298 } |
299 *der_cache = *internal_cache; | 299 *der_cache = *internal_cache; |
300 return true; | 300 return true; |
301 } | 301 } |
302 | 302 |
| 303 void GetCertChainInfo(X509_STORE_CTX* store_ctx, |
| 304 CertVerifyResult* verify_result) { |
| 305 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); |
| 306 X509* verified_cert = NULL; |
| 307 std::vector<X509*> verified_chain; |
| 308 for (int i = 0; i < sk_X509_num(chain); ++i) { |
| 309 X509* cert = sk_X509_value(chain, i); |
| 310 if (i == 0) { |
| 311 verified_cert = cert; |
| 312 } else { |
| 313 verified_chain.push_back(cert); |
| 314 } |
| 315 |
| 316 // Only check the algorithm status for certificates that are not in the |
| 317 // trust store. |
| 318 if (i < store_ctx->last_untrusted) { |
| 319 int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm); |
| 320 if (sig_alg == NID_md2WithRSAEncryption) { |
| 321 verify_result->has_md2 = true; |
| 322 if (i != 0) |
| 323 verify_result->has_md2_ca = true; |
| 324 } else if (sig_alg == NID_md4WithRSAEncryption) { |
| 325 verify_result->has_md4 = true; |
| 326 } else if (sig_alg == NID_md5WithRSAEncryption) { |
| 327 verify_result->has_md5 = true; |
| 328 if (i != 0) |
| 329 verify_result->has_md5_ca = true; |
| 330 } |
| 331 } |
| 332 } |
| 333 |
| 334 if (verified_cert) { |
| 335 verify_result->verified_cert = |
| 336 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 337 } |
| 338 } |
| 339 |
| 340 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, |
| 341 std::vector<SHA1Fingerprint>* hashes) { |
| 342 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); |
| 343 for (int i = 0; i < sk_X509_num(chain); ++i) { |
| 344 X509* cert = sk_X509_value(chain, i); |
| 345 |
| 346 DERCache der_cache; |
| 347 if (!GetDERAndCacheIfNeeded(cert, &der_cache)) |
| 348 continue; |
| 349 |
| 350 base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data), |
| 351 der_cache.data_length); |
| 352 base::StringPiece spki_bytes; |
| 353 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
| 354 continue; |
| 355 |
| 356 SHA1Fingerprint hash; |
| 357 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
| 358 spki_bytes.size(), hash.data); |
| 359 hashes->push_back(hash); |
| 360 } |
| 361 } |
| 362 |
303 } // namespace | 363 } // namespace |
304 | 364 |
305 // static | 365 // static |
306 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( | 366 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( |
307 OSCertHandle cert_handle) { | 367 OSCertHandle cert_handle) { |
308 DCHECK(cert_handle); | 368 DCHECK(cert_handle); |
309 // Using X509_dup causes the entire certificate to be reparsed. This | 369 // Using X509_dup causes the entire certificate to be reparsed. This |
310 // conversion, besides being non-trivial, drops any associated | 370 // conversion, besides being non-trivial, drops any associated |
311 // application-specific data set by X509_set_ex_data. Using CRYPTO_add | 371 // application-specific data set by X509_set_ex_data. Using CRYPTO_add |
312 // just bumps up the ref-count for the cert, without causing any allocations | 372 // just bumps up the ref-count for the cert, without causing any allocations |
(...skipping 169 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
482 int x509_error = X509_STORE_CTX_get_error(ctx.get()); | 542 int x509_error = X509_STORE_CTX_get_error(ctx.get()); |
483 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); | 543 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); |
484 LOG(ERROR) << "X509 Verification error " | 544 LOG(ERROR) << "X509 Verification error " |
485 << X509_verify_cert_error_string(x509_error) | 545 << X509_verify_cert_error_string(x509_error) |
486 << " : " << x509_error | 546 << " : " << x509_error |
487 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) | 547 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) |
488 << " : " << cert_status; | 548 << " : " << cert_status; |
489 verify_result->cert_status |= cert_status; | 549 verify_result->cert_status |= cert_status; |
490 } | 550 } |
491 | 551 |
| 552 GetCertChainInfo(ctx.get(), verify_result); |
| 553 |
492 if (IsCertStatusError(verify_result->cert_status)) | 554 if (IsCertStatusError(verify_result->cert_status)) |
493 return MapCertStatusToNetError(verify_result->cert_status); | 555 return MapCertStatusToNetError(verify_result->cert_status); |
494 | 556 |
495 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get()); | 557 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); |
496 X509* verified_cert = NULL; | |
497 std::vector<X509*> verified_chain; | |
498 for (int i = 0; i < sk_X509_num(chain); ++i) { | |
499 X509* cert = sk_X509_value(chain, i); | |
500 if (i == 0) { | |
501 verified_cert = cert; | |
502 } else { | |
503 verified_chain.push_back(cert); | |
504 } | |
505 | |
506 DERCache der_cache; | |
507 if (!GetDERAndCacheIfNeeded(cert, &der_cache)) | |
508 continue; | |
509 | |
510 base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data), | |
511 der_cache.data_length); | |
512 base::StringPiece spki_bytes; | |
513 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | |
514 continue; | |
515 | |
516 SHA1Fingerprint hash; | |
517 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | |
518 spki_bytes.size(), hash.data); | |
519 verify_result->public_key_hashes.push_back(hash); | |
520 } | |
521 | |
522 if (verified_cert) { | |
523 verify_result->verified_cert = CreateFromHandle(verified_cert, | |
524 verified_chain); | |
525 } | |
526 | |
527 // Currently we only ues OpenSSL's default root CA paths, so treat all | 558 // Currently we only ues OpenSSL's default root CA paths, so treat all |
528 // correctly verified certs as being from a known root. TODO(joth): if the | 559 // correctly verified certs as being from a known root. TODO(joth): if the |
529 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&rev
ision=80778 | 560 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&rev
ision=80778 |
530 // become an issue on OpenSSL builds, we will need to embed a hardcoded list | 561 // become an issue on OpenSSL builds, we will need to embed a hardcoded list |
531 // of well known root CAs, as per the _mac and _win versions. | 562 // of well known root CAs, as per the _mac and _win versions. |
532 verify_result->is_issued_by_known_root = true; | 563 verify_result->is_issued_by_known_root = true; |
533 | 564 |
534 return OK; | 565 return OK; |
535 } | 566 } |
536 | 567 |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
583 DERCache der_cache; | 614 DERCache der_cache; |
584 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) | 615 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) |
585 return false; | 616 return false; |
586 | 617 |
587 return pickle->WriteData( | 618 return pickle->WriteData( |
588 reinterpret_cast<const char*>(der_cache.data), | 619 reinterpret_cast<const char*>(der_cache.data), |
589 der_cache.data_length); | 620 der_cache.data_length); |
590 } | 621 } |
591 | 622 |
592 } // namespace net | 623 } // namespace net |
OLD | NEW |