1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include "base/lazy_instance.h" | 7 #include "base/lazy_instance.h" |
8 #include "base/logging.h" | 8 #include "base/logging.h" |
9 #include "base/pickle.h" | 9 #include "base/pickle.h" |
10 #include "base/sha1.h" | 10 #include "base/sha1.h" |
299 if (chain_context->cChain == 0) | 299 if (chain_context->cChain == 0) |
300 return; | 300 return; |
301 | 301 |
302 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 302 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
303 int num_elements = first_chain->cElement; | 303 int num_elements = first_chain->cElement; |
304 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 304 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
305 | 305 |
306 PCCERT_CONTEXT verified_cert = NULL; | 306 PCCERT_CONTEXT verified_cert = NULL; |
307 std::vector<PCCERT_CONTEXT> verified_chain; | 307 std::vector<PCCERT_CONTEXT> verified_chain; |
308 | 308 |
309 bool has_root_ca = num_elements > 1 && | |
310 !(chain_context.TrustStatus.dwErrorStatus & | |
311 CERT_TRUST_IS_PARTIAL_CHAIN); | |
312 | |
309 // Each chain starts with the end entity certificate (i = 0) and ends with | 313 // Each chain starts with the end entity certificate (i = 0) and ends with |
310 // the root CA certificate (i = num_elements - 1). Do not inspect the | 314 // either the root CA certificate (i = num_elements - 1) or the last |
311 // signature algorithm of the root CA certificate because the signature on | 315 // available intermediate. If a root CA certificate is present, do not |
wtc
2011/10/25 01:36:46
Move "(i = num_elements - 1)" after "the last avai
312 // the trust anchor is not important. | 316 // inspect the signature algorithm of the root CA certificate because the |
313 for (int i = 0; i < num_elements - 1; ++i) { | 317 // signature on the trust anchor is not important |
318 if (has_root_ca) { | |
319 // If a full chain was constructed, regardless of whether it was trusted, | |
320 // don't inspect the root's signature algorithm. | |
321 num_elements -= 1; | |
322 } | |
323 | |
324 for (int i = 0; i < num_elements; ++i) { | |
314 PCCERT_CONTEXT cert = element[i]->pCertContext; | 325 PCCERT_CONTEXT cert = element[i]->pCertContext; |
315 if (i == 0) { | 326 if (i == 0) { |
316 verified_cert = cert; | 327 verified_cert = cert; |
317 } else { | 328 } else { |
318 verified_chain.push_back(cert); | 329 verified_chain.push_back(cert); |
319 } | 330 } |
320 | 331 |
321 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; | 332 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; |
322 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { | 333 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { |
323 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 | 334 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 |
324 verify_result->has_md5 = true; | 335 verify_result->has_md5 = true; |
325 if (i != 0) | 336 if (i != 0) |
326 verify_result->has_md5_ca = true; | 337 verify_result->has_md5_ca = true; |
327 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { | 338 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { |
328 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 | 339 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 |
329 verify_result->has_md2 = true; | 340 verify_result->has_md2 = true; |
330 if (i != 0) | 341 if (i != 0) |
331 verify_result->has_md2_ca = true; | 342 verify_result->has_md2_ca = true; |
332 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { | 343 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { |
333 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 | 344 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 |
334 verify_result->has_md4 = true; | 345 verify_result->has_md4 = true; |
335 } | 346 } |
336 } | 347 } |
337 | 348 |
338 if (verified_cert) { | 349 if (verified_cert) { |
339 // Add the root certificate, if present, as it was not added above. | 350 // Add the root certificate, if present, as it was not added above. |
340 if (num_elements > 1) | 351 if (has_root_ca) |
341 verified_chain.push_back(element[num_elements - 1]->pCertContext); | 352 verified_chain.push_back(element[num_elements - 1]->pCertContext); |
wtc
2011/10/25 01:36:46
BUG: the array index should be num_elements becaus
342 verify_result->verified_cert = | 353 verify_result->verified_cert = |
343 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 354 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
344 } | 355 } |
345 } | 356 } |
346 | 357 |
347 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO | 358 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO |
348 // structure and stores it in *output. | 359 // structure and stores it in *output. |
349 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, | 360 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, |
350 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { | 361 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { |
351 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, | 362 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, |
1051 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0], | 1062 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0], |
1052 &length)) { | 1063 &length)) { |
1053 return false; | 1064 return false; |
1054 } | 1065 } |
1055 | 1066 |
1056 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]), | 1067 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]), |
1057 length); | 1068 length); |
1058 } | 1069 } |
1059 | 1070 |
1060 } // namespace net | 1071 } // namespace net |
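Review bot: `chain_context.TrustStatus.dwErrorStatus` on new line 310 uses `.` on what is a pointer — the same object is dereferenced as `chain_context->cChain` on line 299 — so the new `has_root_ca` expression will not compile as written; it should read `!(chain_context->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)`. Beyond that, if I read the old loop bound `i < num_elements - 1` correctly, a chain consisting of a single self-signed certificate (num_elements == 1) was never inspected before, whereas the new code (has_root_ca false, loop runs for i == 0) now sets verified_cert from it and flags its own signature algorithm as has_md5/has_md2; that looks like a deliberate consequence of the partial-chain fallback, but it deserves a comment such as `// A lone self-signed certificate is inspected like an end entity.` or a unit test so the behaviour change is recorded. The comment ending on new line 317 is also missing its terminating period. The enclosing function's signature lies above this hunk.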