1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. | 7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. |
8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. | 8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. |
9 | 9 |
10 #include "base/lazy_instance.h" | 10 #include "base/lazy_instance.h" |
323 if (chain_context->cChain == 0) | 323 if (chain_context->cChain == 0) |
324 return; | 324 return; |
325 | 325 |
326 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 326 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
327 int num_elements = first_chain->cElement; | 327 int num_elements = first_chain->cElement; |
328 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 328 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
329 | 329 |
330 PCCERT_CONTEXT verified_cert = NULL; | 330 PCCERT_CONTEXT verified_cert = NULL; |
331 std::vector<PCCERT_CONTEXT> verified_chain; | 331 std::vector<PCCERT_CONTEXT> verified_chain; |
332 | 332 |
| 333 bool has_root_ca = num_elements > 1 && |
| 334 !(chain_context->TrustStatus.dwErrorStatus & |
| 335 CERT_TRUST_IS_PARTIAL_CHAIN); |
| 336 |
333 // Each chain starts with the end entity certificate (i = 0) and ends with | 337 // Each chain starts with the end entity certificate (i = 0) and ends with |
334 // the root CA certificate (i = num_elements - 1). Do not inspect the | 338 // either the root CA certificate or the last available intermediate. If a |
335 // signature algorithm of the root CA certificate because the signature on | 339 // root CA certificate is present, do not inspect the signature algorithm of |
336 // the trust anchor is not important. | 340 // the root CA certificate because the signature on the trust anchor is not |
337 for (int i = 0; i < num_elements - 1; ++i) { | 341 // important. |
| 342 if (has_root_ca) { |
| 343 // If a full chain was constructed, regardless of whether it was trusted, |
| 344 // don't inspect the root's signature algorithm. |
| 345 num_elements -= 1; |
| 346 } |
| 347 |
| 348 for (int i = 0; i < num_elements; ++i) { |
338 PCCERT_CONTEXT cert = element[i]->pCertContext; | 349 PCCERT_CONTEXT cert = element[i]->pCertContext; |
339 if (i == 0) { | 350 if (i == 0) { |
340 verified_cert = cert; | 351 verified_cert = cert; |
341 } else { | 352 } else { |
342 verified_chain.push_back(cert); | 353 verified_chain.push_back(cert); |
343 } | 354 } |
344 | 355 |
345 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; | 356 const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId; |
346 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { | 357 if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) { |
347 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 | 358 // md5WithRSAEncryption: 1.2.840.113549.1.1.4 |
348 verify_result->has_md5 = true; | 359 verify_result->has_md5 = true; |
349 if (i != 0) | 360 if (i != 0) |
350 verify_result->has_md5_ca = true; | 361 verify_result->has_md5_ca = true; |
351 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { | 362 } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) { |
352 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 | 363 // md2WithRSAEncryption: 1.2.840.113549.1.1.2 |
353 verify_result->has_md2 = true; | 364 verify_result->has_md2 = true; |
354 if (i != 0) | 365 if (i != 0) |
355 verify_result->has_md2_ca = true; | 366 verify_result->has_md2_ca = true; |
356 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { | 367 } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) { |
357 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 | 368 // md4WithRSAEncryption: 1.2.840.113549.1.1.3 |
358 verify_result->has_md4 = true; | 369 verify_result->has_md4 = true; |
359 } | 370 } |
360 } | 371 } |
361 | 372 |
362 if (verified_cert) { | 373 if (verified_cert) { |
363 // Add the root certificate, if present, as it was not added above. | 374 // Add the root certificate, if present, as it was not added above. |
364 if (num_elements > 1) | 375 if (has_root_ca) |
365 verified_chain.push_back(element[num_elements - 1]->pCertContext); | 376 verified_chain.push_back(element[num_elements]->pCertContext); |
366 verify_result->verified_cert = | 377 verify_result->verified_cert = |
367 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 378 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
368 } | 379 } |
369 } | 380 } |
370 | 381 |
371 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO | 382 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO |
372 // structure and stores it in *output. | 383 // structure and stores it in *output. |
373 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, | 384 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, |
374 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { | 385 scoped_ptr_malloc<CERT_POLICIES_INFO>* output) { |
375 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, | 386 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, |
1136 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0], | 1147 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0], |
1137 &length)) { | 1148 &length)) { |
1138 return false; | 1149 return false; |
1139 } | 1150 } |
1140 | 1151 |
1141 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]), | 1152 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]), |
1142 length); | 1153 length); |
1143 } | 1154 } |
1144 | 1155 |
1145 } // namespace net | 1156 } // namespace net |
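Review bot: Reusing `num_elements` as both the decremented loop bound (new line 345) and the root's index (new line 376, `element[num_elements]`) makes the name misleading and the index read like an off-by-one to anyone who has not followed the decrement. Keeping the count intact and introducing a separate bound is clearer: `int num_to_check = has_root_ca ? num_elements - 1 : num_elements;`, `for (int i = 0; i < num_to_check; ++i) {`, and `verified_chain.push_back(element[num_elements - 1]->pCertContext);` in the `has_root_ca` branch. The `has_root_ca` test at new lines 333-335 infers the presence of a root from the absence of CERT_TRUST_IS_PARTIAL_CHAIN, and the comment at 343-344 could record that assumption, e.g. `// A non-partial chain always terminates in a self-signed certificate, which is treated as the root.` A one-element chain now has its signature algorithm inspected and is recorded as verified_cert, where the old `i < num_elements - 1` loop skipped it entirely and left verified_cert NULL; if that is intended, the comment block above the loop should say so. The enclosing function starts outside the hunk.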