Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. | 7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. |
| 8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. | 8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. |
| 9 | 9 |
| 10 #include "base/lazy_instance.h" | 10 #include "base/lazy_instance.h" |
| (...skipping 897 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 908 // statuses from the offline checks so we squash this error. | 908 // statuses from the offline checks so we squash this error. |
| 909 verify_result->cert_status &= ~CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; | 909 verify_result->cert_status &= ~CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; |
| 910 } | 910 } |
| 911 | 911 |
| 912 if (IsCertStatusError(verify_result->cert_status)) | 912 if (IsCertStatusError(verify_result->cert_status)) |
| 913 return MapCertStatusToNetError(verify_result->cert_status); | 913 return MapCertStatusToNetError(verify_result->cert_status); |
| 914 | 914 |
| 915 AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes); | 915 AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes); |
| 916 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); | 916 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); |
| 917 | 917 |
| 918 if (ev_policy_oid && CheckEV(chain_context, ev_policy_oid)) | 918 if (ev_policy_oid && CheckEV(chain_context, flags, ev_policy_oid)) |
| 919 verify_result->cert_status |= CERT_STATUS_IS_EV; | 919 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 920 return OK; | 920 return OK; |
| 921 } | 921 } |
| 922 | 922 |
| 923 // static | 923 // static |
| 924 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, | 924 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, |
| 925 std::string* encoded) { | 925 std::string* encoded) { |
| 926 if (!cert_handle->pbCertEncoded || !cert_handle->cbCertEncoded) | 926 if (!cert_handle->pbCertEncoded || !cert_handle->cbCertEncoded) |
| 927 return false; | 927 return false; |
| 928 encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded), | 928 encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded), |
| 929 cert_handle->cbCertEncoded); | 929 cert_handle->cbCertEncoded); |
| 930 return true; | 930 return true; |
| 931 } | 931 } |
| 932 | 932 |
| 933 // Returns true if the certificate is an extended-validation certificate. | 933 // Returns true if the certificate is an extended-validation certificate. |
| 934 // | 934 // |
| 935 // This function checks the certificatePolicies extensions of the | 935 // This function checks the certificatePolicies extensions of the |
| 936 // certificates in the certificate chain according to Section 7 (pp. 11-12) | 936 // certificates in the certificate chain according to Section 7 (pp. 11-12) |
| 937 // of the EV Certificate Guidelines Version 1.0 at | 937 // of the EV Certificate Guidelines Version 1.0 at |
| 938 // http://cabforum.org/EV_Certificate_Guidelines.pdf. | 938 // http://cabforum.org/EV_Certificate_Guidelines.pdf. |
| 939 bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context, | 939 bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context, |
| 940 int flags, | |
| 940 const char* policy_oid) const { | 941 const char* policy_oid) const { |
| 941 DCHECK_NE(static_cast<DWORD>(0), chain_context->cChain); | 942 DCHECK_NE(static_cast<DWORD>(0), chain_context->cChain); |
| 942 // If the cert doesn't match any of the policies, the | 943 // If the cert doesn't match any of the policies, the |
| 943 // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in | 944 // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in |
| 944 // chain_context->TrustStatus.dwErrorStatus is set. | 945 // chain_context->TrustStatus.dwErrorStatus is set. |
| 945 DWORD error_status = chain_context->TrustStatus.dwErrorStatus; | 946 DWORD error_status = chain_context->TrustStatus.dwErrorStatus; |
| 946 DWORD info_status = chain_context->TrustStatus.dwInfoStatus; | 947 |
| 948 if (!(flags & VERIFY_REV_CHECKING_ENABLED)) { | |
| 949 // If online revocation checking is disabled then we will have still | |
| 950 // requested that the revocation cache be checked. However, that will often | |
| 951 // cause the following two error bits to be set. Since they are expected, | |
|
wtc
2012/03/08 00:55:26
It would be nice to say what those two error bits
| |
| 952 // we mask them away. | |
| 953 error_status &= ~(CERT_TRUST_IS_OFFLINE_REVOCATION | | |
| 954 CERT_TRUST_REVOCATION_STATUS_UNKNOWN); | |
| 955 } | |
| 947 if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR) | 956 if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR) |
| 948 return false; | 957 return false; |
| 949 | 958 |
| 950 // Check the end certificate simple chain (chain_context->rgpChain[0]). | 959 // Check the end certificate simple chain (chain_context->rgpChain[0]). |
| 951 // If the end certificate's certificatePolicies extension contains the | 960 // If the end certificate's certificatePolicies extension contains the |
| 952 // EV policy OID of the root CA, return true. | 961 // EV policy OID of the root CA, return true. |
| 953 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement; | 962 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement; |
| 954 int num_elements = chain_context->rgpChain[0]->cElement; | 963 int num_elements = chain_context->rgpChain[0]->cElement; |
| 955 if (num_elements < 2) | 964 if (num_elements < 2) |
| 956 return false; | 965 return false; |
| (...skipping 171 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1128 *type = kPublicKeyTypeECDH; | 1137 *type = kPublicKeyTypeECDH; |
| 1129 break; | 1138 break; |
| 1130 default: | 1139 default: |
| 1131 *type = kPublicKeyTypeUnknown; | 1140 *type = kPublicKeyTypeUnknown; |
| 1132 *size_bits = 0; | 1141 *size_bits = 0; |
| 1133 break; | 1142 break; |
| 1134 } | 1143 } |
| 1135 } | 1144 } |
| 1136 | 1145 |
| 1137 } // namespace net | 1146 } // namespace net |
| OLD | NEW |