Record when certificates signed with md[2,4,5] are encountered on OS X.

net/base/x509_certificate_mac.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
@@ skipping 272 matching lines @@
   status = X509Certificate::CreateRevocationPolicies(
       (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED),
       local_policies);
   if (status)
     return status;
 
   policies->reset(local_policies.release());
   return noErr;
 }
 
+// Saves some information about the certificate chain |cert_chain| in
+// |*verify_result|. The caller MUST initialize |*verify_result| before
+// calling this function.
+void GetCertChainInfo(CFArrayRef cert_chain,
+                      CertVerifyResult* verify_result) {
+  SecCertificateRef verified_cert = NULL;
+  std::vector<SecCertificateRef> verified_chain;
+  for (CFIndex i = 0, count = CFArrayGetCount(cert_chain);
+       i < count; ++i) {

[wtc, 2011/10/25 18:24:44]

Does this not fit on the previous line?

+    SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(
+        const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
+    if (i == 0) {
+      verified_cert = chain_cert;
+    } else {
+      verified_chain.push_back(chain_cert);
+    }
+
+    CSSMFields fields;
+    OSStatus status = GetCertFields(chain_cert, &fields);
+    if (status)
+      continue;
+    for (size_t field = 0; field < fields.num_of_fields; ++field) {
+      if (!CSSMOIDEqual(&fields.fields[field].FieldOid,

[palmer, 2011/10/25 19:53:50]

"fields fields field field oid" is baffling. Are there better names we could
use?

CSSMFields cssmFields;
...
WhateverTheTypeIs fields = cssmFields.fields;
...

for (size_t i = 0; i < cssmFields.num_of_fields; ++i) {
    if (!CSSMOIDEqual(&fields[i].FieldOid, ...
...
...fields[i].FieldValue.Data)...
et c.

It's also a micro-optimization to hoist all those accesses of cssmFields out of
the loop. (Unless the compiler does it anyway, in which case the code might as
well also be more readable to humans.)

+                        &CSSMOID_X509V1SignatureAlgorithm)) {
+        continue;
+      }
+
+      CSSM_X509_ALGORITHM_IDENTIFIER* signature_algorithm =
+          reinterpret_cast<CSSM_X509_ALGORITHM_IDENTIFIER*>(
+              fields.fields[field].FieldValue.Data);
+      if (!signature_algorithm || (fields.fields[field].FieldValue.Length !=
+          sizeof(CSSM_X509_ALGORITHM_IDENTIFIER))) {
+        break;

[wtc, 2011/10/25 18:24:44]

If we get here, it means the Mac OS X certificate library
malfunctioned, right?  So this is defensive programming?
Would be nice to add a comment to make this clear.

+      }
+      CSSM_OID_PTR alg_oid = &signature_algorithm->algorithm;
+      if (CSSMOIDEqual(alg_oid, &CSSMOID_MD2WithRSA)) {
+        verify_result->has_md2 = true;
+        if (i != 0)
+          verify_result->has_md2_ca = true;
+      } else if (CSSMOIDEqual(alg_oid, &CSSMOID_MD4WithRSA)) {
+        verify_result->has_md4 = true;
+      } else if (CSSMOIDEqual(alg_oid, &CSSMOID_MD5WithRSA)) {

[palmer, 2011/10/25 19:53:50]

As in the other CL, we should keep track of MD4 CAs even though we don't think
we'll ever see any.

+        verify_result->has_md5 = true;
+        if (i != 0)
+          verify_result->has_md5_ca = true;
+      }
+      break;
+    }
+  }
+  if (!verified_cert)
+    return;
+
+  verify_result->verified_cert =
+      X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+}
+
 // Gets the issuer for a given cert, starting with the cert itself and
 // including the intermediate and finally root certificates (if any).
 // This function calls SecTrust but doesn't actually pay attention to the trust
 // result: it shouldn't be used to determine trust, just to traverse the chain.
 // Caller is responsible for releasing the value stored into *out_cert_chain.
 OSStatus CopyCertChain(SecCertificateRef cert_handle,
                        CFArrayRef* out_cert_chain) {
   DCHECK(cert_handle);
   DCHECK(out_cert_chain);
   // Create an SSL policy ref configured for client cert evaluation.
@@ skipping 529 matching lines @@
   if (status)
     return NetErrorFromOSStatus(status);
   CFArrayRef completed_chain = NULL;
   CSSM_TP_APPLE_EVIDENCE_INFO* chain_info;
   status = SecTrustGetResult(trust_ref, &trust_result, &completed_chain,
                              &chain_info);
   if (status)
     return NetErrorFromOSStatus(status);
   ScopedCFTypeRef<CFArrayRef> scoped_completed_chain(completed_chain);
 
-  SecCertificateRef verified_cert = NULL;
-  std::vector<SecCertificateRef> verified_chain;
-  for (CFIndex i = 0, count = CFArrayGetCount(completed_chain);
-       i < count; ++i) {
-    SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(
-        const_cast<void*>(CFArrayGetValueAtIndex(completed_chain, i)));
-    if (i == 0) {
-      verified_cert = chain_cert;
-    } else {
-      verified_chain.push_back(chain_cert);
-    }
-  }
-  if (verified_cert) {
-    verify_result->verified_cert = CreateFromHandle(verified_cert,
-                                                    verified_chain);
-  }
+  GetCertChainInfo(scoped_completed_chain.get(), verify_result);
 
   // Evaluate the results
   OSStatus cssm_result;
   switch (trust_result) {
     case kSecTrustResultUnspecified:
     case kSecTrustResultProceed:
       // Certificate chain is valid and trusted ("unspecified" indicates that
       // the user has not explicitly set a trust setting)
       break;
 
@@ skipping 471 matching lines @@
   CSSM_DATA cert_data;
   OSStatus status = SecCertificateGetData(cert_handle, &cert_data);
   if (status)
     return false;
 
   return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data),
                            cert_data.Length);
 }
 
 }  // namespace net