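--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,35 +1,36 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prtime.h>
 #include <secder.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_nss_types.h"
+#include "crypto/sha2.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/crl_set.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_util_nss.h"
 
 namespace net {
 
@@ -251,43 +252,47 @@
 if (cert_list) {
 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
 !CERT_LIST_END(node, cert_list);
 node = CERT_LIST_NEXT(node)) {
 certs.push_back(node->cert);
 }
 }
 if (root)
 certs.push_back(root);
 
-CERTCertificate* prev = NULL;
-for (std::vector<CERTCertificate*>::iterator i = certs.begin();
-i != certs.end(); ++i) {
+// We iterate from the root certificate down to the leaf, keeping track of
+// the issuer's SPKI at each step.
+std::string issuer_spki_hash;
+for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
+i != certs.rend(); ++i) {
 CERTCertificate* cert = *i;
-CERTCertificate* child = prev;
-prev = cert;
-if (child == NULL)
-continue;
 
 base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
 cert->derCert.len);
 
 base::StringPiece spki;
 if (!asn1::ExtractSPKIFromDERCert(der, &spki)) {
 NOTREACHED();
 return kCRLSetError;
 }
+const std::string spki_hash = crypto::SHA256HashString(spki);
 
-std::string serial_number(
-reinterpret_cast<char*>(child->serialNumber.data),
-child->serialNumber.len);
+base::StringPiece serial_number = base::StringPiece(
+reinterpret_cast<char*>(cert->serialNumber.data),
+cert->serialNumber.len);
 
-CRLSet::Result result = crl_set->CheckCertificate(serial_number, spki);
+CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
+
+if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
+result = crl_set->CheckSerial(serial_number, issuer_spki_hash);
+
+issuer_spki_hash = spki_hash;
 
 switch (result) {
 case CRLSet::REVOKED:
 return kCRLSetRevoked;
 case CRLSet::UNKNOWN:
 case CRLSet::GOOD:
 continue;
 default:
 NOTREACHED();
 return kCRLSetError;
@@ -1164,10 +1169,10 @@
 *type = kPublicKeyTypeECDSA;
 break;
 default:
 *type = kPublicKeyTypeUnknown;
 *size_bits = 0;
 break;
 }
 }
 
 } // namespace net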
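Review bot: The new `base::StringPiece serial_number = base::StringPiece(...)` at new line 279 copy-initialises from a temporary where direct initialisation would match the `der` declaration a few lines above: `base::StringPiece serial_number(reinterpret_cast<char*>(cert->serialNumber.data), cert->serialNumber.len);`. The comment at new lines 262-263 explains the iteration order but not why each certificate is now checked twice; I would add above the `CheckSPKI` call: `// A cert is revoked if its own SPKI is blocked, or if its serial is listed under its issuer's SPKI hash; the root comes first and so gets only the SPKI check.` Both `CheckSPKI` and `CheckSerial` are keyed on `crypto::SHA256HashString(spki)`, so this presumably relies on the CRLSet being built with the same digest over the same DER SPKI bytes; worth confirming, since a mismatch would not fail loudly but would make every lookup miss. The enclosing function starts and ends outside this hunk.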