| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. | 7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. |
| 8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. | 8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. |
| 9 | 9 |
| 10 #include "base/lazy_instance.h" | 10 #include "base/lazy_instance.h" |
| 859 // chain_flags argument. | 859 // chain_flags argument. |
| 860 if (!CertGetCertificateChain( | 860 if (!CertGetCertificateChain( |
| 861 chain_engine, | 861 chain_engine, |
| 862 cert_list.get(), | 862 cert_list.get(), |
| 863 NULL, // current system time | 863 NULL, // current system time |
| 864 cert_list->hCertStore, | 864 cert_list->hCertStore, |
| 865 &chain_para, | 865 &chain_para, |
| 866 chain_flags, | 866 chain_flags, |
| 867 NULL, // reserved | 867 NULL, // reserved |
| 868 &chain_context)) { | 868 &chain_context)) { |
| 869 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 869 return MapSecurityError(GetLastError()); | 870 return MapSecurityError(GetLastError()); |
| 870 } | 871 } |
| 871 | 872 |
| 872 if (chain_context->TrustStatus.dwErrorStatus & | 873 if (chain_context->TrustStatus.dwErrorStatus & |
| 873 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { | 874 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { |
| 874 ev_policy_oid = NULL; | 875 ev_policy_oid = NULL; |
| 875 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; | 876 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; |
| 876 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; | 877 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; |
| 877 CertFreeCertificateChain(chain_context); | 878 CertFreeCertificateChain(chain_context); |
| 878 if (!CertGetCertificateChain( | 879 if (!CertGetCertificateChain( |
| 879 chain_engine, | 880 chain_engine, |
| 880 cert_list.get(), | 881 cert_list.get(), |
| 881 NULL, // current system time | 882 NULL, // current system time |
| 882 cert_list->hCertStore, | 883 cert_list->hCertStore, |
| 883 &chain_para, | 884 &chain_para, |
| 884 chain_flags, | 885 chain_flags, |
| 885 NULL, // reserved | 886 NULL, // reserved |
| 886 &chain_context)) { | 887 &chain_context)) { |
| 888 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 887 return MapSecurityError(GetLastError()); | 889 return MapSecurityError(GetLastError()); |
| 888 } | 890 } |
| 889 } | 891 } |
| 890 | 892 |
| 891 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); | 893 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); |
| 892 | 894 |
| 893 GetCertChainInfo(chain_context, verify_result); | 895 GetCertChainInfo(chain_context, verify_result); |
| 894 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 896 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
| 895 chain_context->TrustStatus.dwErrorStatus); | 897 chain_context->TrustStatus.dwErrorStatus); |
| 896 | 898 |
| 897 // Treat certificates signed using broken signature algorithms as invalid. | |
| 898 if (verify_result->has_md4) | |
| 899 verify_result->cert_status |= CERT_STATUS_INVALID; | |
| 900 | |
| 901 // Flag certificates signed using weak signature algorithms. | |
| 902 if (verify_result->has_md2) | |
| 903 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | |
| 904 | |
| 905 // Flag certificates that have a Subject common name with a NULL character. | 899 // Flag certificates that have a Subject common name with a NULL character. |
| 906 if (CertSubjectCommonNameHasNull(cert_handle_)) | 900 if (CertSubjectCommonNameHasNull(cert_handle_)) |
| 907 verify_result->cert_status |= CERT_STATUS_INVALID; | 901 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 908 | 902 |
| 909 std::wstring wstr_hostname = ASCIIToWide(hostname); | 903 std::wstring wstr_hostname = ASCIIToWide(hostname); |
| 910 | 904 |
| 911 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; | 905 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; |
| 912 memset(&extra_policy_para, 0, sizeof(extra_policy_para)); | 906 memset(&extra_policy_para, 0, sizeof(extra_policy_para)); |
| 913 extra_policy_para.cbSize = sizeof(extra_policy_para); | 907 extra_policy_para.cbSize = sizeof(extra_policy_para); |
| 914 extra_policy_para.dwAuthType = AUTHTYPE_SERVER; | 908 extra_policy_para.dwAuthType = AUTHTYPE_SERVER; |
| 1171 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0], | 1165 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0], |
| 1172 &length)) { | 1166 &length)) { |
| 1173 return false; | 1167 return false; |
| 1174 } | 1168 } |
| 1175 | 1169 |
| 1176 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]), | 1170 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]), |
| 1177 length); | 1171 length); |
| 1178 } | 1172 } |
| 1179 | 1173 |
| 1180 } // namespace net | 1174 } // namespace net |
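Review bot: Dropping the has_md4 and has_md2 checks (old lines 897-903 in the second hunk) removes the only place in this function where chains signed with a broken or weak digest are marked CERT_STATUS_INVALID / CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, and nothing else in the hunk replaces them; presumably they moved to platform-independent code, but that should be confirmed, since otherwise MD4-signed chains leave this path with only what MapCertChainErrorStatusToCertStatus reports. The two new `verify_result->cert_status |= CERT_STATUS_INVALID;` lines before each `return MapSecurityError(GetLastError());` are the same fix applied to two identical CertGetCertificateChain call sites; a one-line comment such as `// Chain building failed: surface it in cert_status as well as the return value.` would explain why the status is set on a path that already returns an error. The enclosing function starts and ends outside the hunk.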