net/base/x509_certificate_mac.cc - Issue 8400075: Fix the "certificate is not yet valid" error for server certificates

Side by Side Diff: net/base/x509_certificate_mac.cc

Issue 8400075: Fix the "certificate is not yet valid" error for server certificates (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Remove the unrelated sslsock.c from the CL Created 9 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/base/x509_certificate.h"	5 #include "net/base/x509_certificate.h"

6	6

7 #include <CommonCrypto/CommonDigest.h>	7 #include <CommonCrypto/CommonDigest.h>

8 #include <CoreServices/CoreServices.h>	8 #include <CoreServices/CoreServices.h>

9 #include <Security/Security.h>	9 #include <Security/Security.h>

10 #include <time.h>	10 #include <time.h>

(...skipping 522 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
533 status = SecCertificateGetIssuer(cert_handle_, &name);	533 status = SecCertificateGetIssuer(cert_handle_, &name);

534 if (!status)	534 if (!status)

535 issuer_.Parse(name);	535 issuer_.Parse(name);

536	536

537 GetCertDateForOID(cert_handle_, CSSMOID_X509V1ValidityNotBefore,	537 GetCertDateForOID(cert_handle_, CSSMOID_X509V1ValidityNotBefore,

538 &valid_start_);	538 &valid_start_);

539 GetCertDateForOID(cert_handle_, CSSMOID_X509V1ValidityNotAfter,	539 GetCertDateForOID(cert_handle_, CSSMOID_X509V1ValidityNotAfter,

540 &valid_expiry_);	540 &valid_expiry_);

541	541

542 fingerprint_ = CalculateFingerprint(cert_handle_);	542 fingerprint_ = CalculateFingerprint(cert_handle_);

	543 chain_fingerprint_ = CalculateChainFingerprint();

543 serial_number_ = GetCertSerialNumber(cert_handle_);	544 serial_number_ = GetCertSerialNumber(cert_handle_);

544 }	545 }

545	546

546 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA	547 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA

547 // that we recognise as a standard root.	548 // that we recognise as a standard root.

548 // static	549 // static

549 bool X509Certificate::IsIssuedByKnownRoot(CFArrayRef chain) {	550 bool X509Certificate::IsIssuedByKnownRoot(CFArrayRef chain) {

550 int n = CFArrayGetCount(chain);	551 int n = CFArrayGetCount(chain);

551 if (n < 1)	552 if (n < 1)

552 return false;	553 return false;

(...skipping 509 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1062 return sha1;	1063 return sha1;

1063	1064

1064 DCHECK(cert_data.Data);	1065 DCHECK(cert_data.Data);

1065 DCHECK_NE(cert_data.Length, 0U);	1066 DCHECK_NE(cert_data.Length, 0U);

1066	1067

1067 CC_SHA1(cert_data.Data, cert_data.Length, sha1.data);	1068 CC_SHA1(cert_data.Data, cert_data.Length, sha1.data);

1068	1069

1069 return sha1;	1070 return sha1;

1070 }	1071 }

1071	1072

	1073 SHA1Fingerprint X509Certificate::CalculateChainFingerprint() const {

	1074 SHA1Fingerprint sha1;

	1075 memset(sha1.data, 0, sizeof(sha1.data));

	1076

	1077 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so

	1078 // we don't check their return values.

	1079 CC_SHA1_CTX sha1_ctx;

	1080 CC_SHA1_Init(&sha1_ctx);

	1081 CSSM_DATA cert_data;

	1082 OSStatus status = SecCertificateGetData(cert_handle_, &cert_data);

	1083 if (status)

	1084 return sha1;

	1085 CC_SHA1_Update(&sha1_ctx, cert_data.Data, cert_data.Length);

	1086 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {

	1087 status = SecCertificateGetData(intermediate_ca_certs_[i], &cert_data);
	agl 2011/10/28 23:45:47 I note in the OS X documentation that this is list I note in the OS X documentation that this is listed as deprecated as of 10.7. I don't think that it's important right now. Ryan Sleevi 2011/10/28 23:55:03 I would go as far as to say that > 80% of the cert Show quoted text On 2011/10/28 23:45:47, agl wrote: > I note in the OS X documentation that this is listed as deprecated as of 10.7. I > don't think that it's important right now. I would go as far as to say that > 80% of the certificate APIs we use are deprecated on 10.7, many with no suitable equivalents. Which is very unfortunate.
	1088 if (status)

	1089 return sha1;
	Ryan Sleevi 2011/10/28 23:55:03 BUG: \|sha1_ctx\| is improperly cleaned up here. BUG: \|sha1_ctx\| is improperly cleaned up here. wtc 2011/10/29 01:32:03 Thank you for pointing out this issue. Based on h Show quoted text On 2011/10/28 23:55:03, Ryan Sleevi wrote: > BUG: \|sha1_ctx\| is improperly cleaned up here. Thank you for pointing out this issue. Based on how SHA-1 etc. are implemented in NSS, I know a SHA-1 context does not need to allocate memory. So a missing CC_SHA1_Final call should not leak memory. Here is the definition of the CC_SHA1_CTX structure: typedef struct CC_SHA1state_st { CC_LONG h0,h1,h2,h3,h4; CC_LONG Nl,Nh; CC_LONG data[CC_SHA1_BLOCK_LONG]; int num; } CC_SHA1_CTX; Note that there are no pointer members. The only problem is if we hash sensitive info, which may be left behind in the CC_SHA1_CTX. That's not a concern when we hash certificates. OpenSSL's SHA_CTX is defined as typedef struct SHAstate_st { SHA_LONG h0,h1,h2,h3,h4; SHA_LONG Nl,Nh; SHA_LONG data[SHA_LBLOCK]; unsigned int num; } SHA_CTX; So similarly I believe a missing SHA1_Final call should not leak memory.
	1090 CC_SHA1_Update(&sha1_ctx, cert_data.Data, cert_data.Length);

	1091 }

	1092 CC_SHA1_Final(sha1.data, &sha1_ctx);

	1093

	1094 return sha1;

	1095 }

	1096

1072 bool X509Certificate::SupportsSSLClientAuth() const {	1097 bool X509Certificate::SupportsSSLClientAuth() const {

1073 CSSMFields fields;	1098 CSSMFields fields;

1074 if (GetCertFields(cert_handle_, &fields) != noErr)	1099 if (GetCertFields(cert_handle_, &fields) != noErr)

1075 return false;	1100 return false;

1076	1101

1077 // Gather the extensions we care about. We do not support	1102 // Gather the extensions we care about. We do not support

1078 // CSSMOID_NetscapeCertType on OS X.	1103 // CSSMOID_NetscapeCertType on OS X.

1079 const CE_ExtendedKeyUsage* ext_key_usage = NULL;	1104 const CE_ExtendedKeyUsage* ext_key_usage = NULL;

1080 const CE_KeyUsage* key_usage = NULL;	1105 const CE_KeyUsage* key_usage = NULL;

1081 for (unsigned f = 0; f < fields.num_of_fields; ++f) {	1106 for (unsigned f = 0; f < fields.num_of_fields; ++f) {

(...skipping 258 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1340 CSSM_DATA cert_data;	1365 CSSM_DATA cert_data;

1341 OSStatus status = SecCertificateGetData(cert_handle, &cert_data);	1366 OSStatus status = SecCertificateGetData(cert_handle, &cert_data);

1342 if (status)	1367 if (status)

1343 return false;	1368 return false;

1344	1369

1345 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data),	1370 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data),

1346 cert_data.Length);	1371 cert_data.Length);

1347 }	1372 }

1348	1373

1349 } // namespace net	1374 } // namespace net

OLD	NEW

« net/base/x509_certificate.cc ('K') | « net/base/x509_certificate.cc ('k') | net/base/x509_certificate_nss.cc » ('j') | net/base/x509_certificate_openssl.cc » ('J')