net: allow CRLSets to block specific SPKIs.

net/base/x509_certificate_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prtime.h>
 #include <secder.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_nss_types.h"
+#include "crypto/sha2.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/crl_set.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_util_nss.h"
 
 namespace net {
 
@@ skipping 215 matching lines @@
   if (cert_list) {
     for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
          !CERT_LIST_END(node, cert_list);
          node = CERT_LIST_NEXT(node)) {
       certs.push_back(node->cert);
     }
   }
   if (root)
     certs.push_back(root);
 
-  CERTCertificate* prev = NULL;
-  for (std::vector<CERTCertificate*>::iterator i = certs.begin();
-       i != certs.end(); ++i) {
+  // We iterate from the root certificate down to the leaf, keeping track of
+  // the issuer's SPKI at each step.
+  std::string issuer_spki_hash;
+  for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
+       i != certs.rend(); ++i) {
     CERTCertificate* cert = *i;
-    CERTCertificate* child = prev;
-    prev = cert;
-    if (child == NULL)
-      continue;
 
     base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
                           cert->derCert.len);
 
     base::StringPiece spki;
     if (!asn1::ExtractSPKIFromDERCert(der, &spki)) {
       NOTREACHED();
       return kCRLSetError;
     }
+    const std::string spki_hash = crypto::SHA256HashString(spki);
 
-    std::string serial_number(
-        reinterpret_cast<char*>(child->serialNumber.data),
-        child->serialNumber.len);
+    base::StringPiece serial_number = base::StringPiece(
+        reinterpret_cast<char*>(cert->serialNumber.data),
+        cert->serialNumber.len);
 
-    CRLSet::Result result = crl_set->CheckCertificate(serial_number, spki);
+    CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
+
+    if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
+      result = crl_set->CheckSerial(serial_number, issuer_spki_hash);
+
+    issuer_spki_hash = spki_hash;
 
     switch (result) {
       case CRLSet::REVOKED:
         return kCRLSetRevoked;
       case CRLSet::UNKNOWN:
       case CRLSet::GOOD:
         continue;
       default:
         NOTREACHED();
         return kCRLSetError;
@@ skipping 870 matching lines @@
       *type = kPublicKeyTypeECDSA;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
 }  // namespace net