| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_nss.h" | 5 #include "net/cert/cert_verify_proc_nss.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include <cert.h> | 10 #include <cert.h> |
| 26 #include "net/cert/crl_set.h" | 26 #include "net/cert/crl_set.h" |
| 27 #include "net/cert/ev_root_ca_metadata.h" | 27 #include "net/cert/ev_root_ca_metadata.h" |
| 28 #include "net/cert/x509_certificate.h" | 28 #include "net/cert/x509_certificate.h" |
| 29 #include "net/cert/x509_util_nss.h" | 29 #include "net/cert/x509_util_nss.h" |
| 30 | 30 |
| 31 #if defined(OS_IOS) | 31 #if defined(OS_IOS) |
| 32 #include <CommonCrypto/CommonDigest.h> | 32 #include <CommonCrypto/CommonDigest.h> |
| 33 #include "net/cert/x509_util_ios.h" | 33 #include "net/cert/x509_util_ios.h" |
| 34 #endif // defined(OS_IOS) | 34 #endif // defined(OS_IOS) |
| 35 | 35 |
| 36 #if defined(USE_NSS_CERTS) |
| 37 #include <dlfcn.h> |
| 38 #endif |
| 39 |
| 36 namespace net { | 40 namespace net { |
| 37 | 41 |
| 38 namespace { | 42 namespace { |
| 39 | 43 |
| 40 typedef scoped_ptr< | 44 typedef scoped_ptr< |
| 41 CERTCertificatePolicies, | 45 CERTCertificatePolicies, |
| 42 crypto::NSSDestroyer<CERTCertificatePolicies, | 46 crypto::NSSDestroyer<CERTCertificatePolicies, |
| 43 CERT_DestroyCertificatePoliciesExtension> > | 47 CERT_DestroyCertificatePoliciesExtension> > |
| 44 ScopedCERTCertificatePolicies; | 48 ScopedCERTCertificatePolicies; |
| 45 | 49 |
| 749 #else | 753 #else |
| 750 CERTCertificate* cert = list[i]->os_cert_handle(); | 754 CERTCertificate* cert = list[i]->os_cert_handle(); |
| 751 #endif | 755 #endif |
| 752 CERT_AddCertToListTail(result, CERT_DupCertificate(cert)); | 756 CERT_AddCertToListTail(result, CERT_DupCertificate(cert)); |
| 753 } | 757 } |
| 754 return result; | 758 return result; |
| 755 } | 759 } |
| 756 | 760 |
| 757 } // namespace | 761 } // namespace |
| 758 | 762 |
| 759 CertVerifyProcNSS::CertVerifyProcNSS() {} | 763 CertVerifyProcNSS::CertVerifyProcNSS() { |
| 764 #if defined(USE_NSS_CERTS) |
| 765 cache_ocsp_response_from_side_channel_ = |
| 766 (CacheOCSPResponseFromSideChannelFunction)dlsym( |
| 767 RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel"); |
| 768 #endif |
| 769 } |
| 760 | 770 |
| 761 CertVerifyProcNSS::~CertVerifyProcNSS() {} | 771 CertVerifyProcNSS::~CertVerifyProcNSS() {} |
| 762 | 772 |
| 763 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { | 773 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { |
| 764 return true; | 774 return true; |
| 765 } | 775 } |
| 766 | 776 |
| 777 bool CertVerifyProcNSS::SupportsOCSPStapling() const { |
| 778 #if defined(USE_NSS_CERTS) |
| 779 return cache_ocsp_response_from_side_channel_ != nullptr; |
| 780 #else |
| 781 // TODO(davidben): Support OCSP stapling on iOS. |
| 782 return false; |
| 783 #endif |
| 784 } |
| 785 |
| 767 int CertVerifyProcNSS::VerifyInternalImpl( | 786 int CertVerifyProcNSS::VerifyInternalImpl( |
| 768 X509Certificate* cert, | 787 X509Certificate* cert, |
| 769 const std::string& hostname, | 788 const std::string& hostname, |
| 789 const std::string& ocsp_response, |
| 770 int flags, | 790 int flags, |
| 771 CRLSet* crl_set, | 791 CRLSet* crl_set, |
| 772 const CertificateList& additional_trust_anchors, | 792 const CertificateList& additional_trust_anchors, |
| 773 CERTChainVerifyCallback* chain_verify_callback, | 793 CERTChainVerifyCallback* chain_verify_callback, |
| 774 CertVerifyResult* verify_result) { | 794 CertVerifyResult* verify_result) { |
| 775 #if defined(OS_IOS) | 795 #if defined(OS_IOS) |
| 776 // For iOS, the entire chain must be loaded into NSS's in-memory certificate | 796 // For iOS, the entire chain must be loaded into NSS's in-memory certificate |
| 777 // store. | 797 // store. |
| 778 x509_util_ios::NSSCertChain scoped_chain(cert); | 798 x509_util_ios::NSSCertChain scoped_chain(cert); |
| 779 CERTCertificate* cert_handle = scoped_chain.cert_handle(); | 799 CERTCertificate* cert_handle = scoped_chain.cert_handle(); |
| 780 #else | 800 #else |
| 781 CERTCertificate* cert_handle = cert->os_cert_handle(); | 801 CERTCertificate* cert_handle = cert->os_cert_handle(); |
| 782 #endif // defined(OS_IOS) | 802 #endif // defined(OS_IOS) |
| 783 | 803 |
| 804 #if defined(USE_NSS_CERTS) |
| 805 if (!ocsp_response.empty() && |
| 806 cache_ocsp_response_from_side_channel_ != nullptr) { |
| 807 SECItem ocsp_response_item; |
| 808 ocsp_response_item.data = reinterpret_cast<unsigned char*>( |
| 809 const_cast<char*>(ocsp_response.data())); |
| 810 ocsp_response_item.len = ocsp_response.size(); |
| 811 cache_ocsp_response_from_side_channel_(CERT_GetDefaultCertDB(), cert_handle, |
| 812 PR_Now(), &ocsp_response_item, NULL); |
| 813 } |
| 814 #endif // defined(USE_NSS_CERTS) |
| 815 |
| 784 if (!cert->VerifyNameMatch(hostname, | 816 if (!cert->VerifyNameMatch(hostname, |
| 785 &verify_result->common_name_fallback_used)) { | 817 &verify_result->common_name_fallback_used)) { |
| 786 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 818 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 787 } | 819 } |
| 788 | 820 |
| 789 // Make sure that the cert is valid now. | 821 // Make sure that the cert is valid now. |
| 790 SECCertTimeValidity validity = CERT_CheckCertValidTimes( | 822 SECCertTimeValidity validity = CERT_CheckCertValidTimes( |
| 791 cert_handle, PR_Now(), PR_TRUE); | 823 cert_handle, PR_Now(), PR_TRUE); |
| 792 if (validity != secCertTimeValid) | 824 if (validity != secCertTimeValid) |
| 793 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; | 825 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; |
| 921 verify_result->cert_status |= CERT_STATUS_IS_EV; | 953 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 922 } | 954 } |
| 923 } | 955 } |
| 924 | 956 |
| 925 return OK; | 957 return OK; |
| 926 } | 958 } |
| 927 | 959 |
| 928 int CertVerifyProcNSS::VerifyInternal( | 960 int CertVerifyProcNSS::VerifyInternal( |
| 929 X509Certificate* cert, | 961 X509Certificate* cert, |
| 930 const std::string& hostname, | 962 const std::string& hostname, |
| 963 const std::string& ocsp_response, |
| 931 int flags, | 964 int flags, |
| 932 CRLSet* crl_set, | 965 CRLSet* crl_set, |
| 933 const CertificateList& additional_trust_anchors, | 966 const CertificateList& additional_trust_anchors, |
| 934 CertVerifyResult* verify_result) { | 967 CertVerifyResult* verify_result) { |
| 935 return VerifyInternalImpl(cert, | 968 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, |
| 936 hostname, | |
| 937 flags, | |
| 938 crl_set, | |
| 939 additional_trust_anchors, | 969 additional_trust_anchors, |
| 940 NULL, // chain_verify_callback | 970 NULL, // chain_verify_callback |
| 941 verify_result); | 971 verify_result); |
| 942 } | 972 } |
| 943 | 973 |
| 944 } // namespace net | 974 } // namespace net |
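Review bot: In VerifyInternalImpl, `SECItem ocsp_response_item;` is handed to NSS with its `type` field never set, and `ocsp_response_item.len = ocsp_response.size();` narrows size_t to the unsigned int `len` with no check, so a stapled response larger than that would be cached with a truncated length. I'd initialize it as `SECItem ocsp_response_item = {siBuffer, nullptr, 0};` and extend the guard to `if (!ocsp_response.empty() && ocsp_response.size() <= std::numeric_limits<unsigned int>::max() && cache_ocsp_response_from_side_channel_ != nullptr)` (with `<limits>` included). The SECStatus returned by the side-channel call is dropped; if that is intentional, a comment such as `// Best effort: NSS rejecting the stapled response presumably just means revocation status comes from its normal checks.` would record it for the next reader. Separately, the constructor's `(CacheOCSPResponseFromSideChannelFunction)dlsym(...)` is a C-style cast where `reinterpret_cast` is the idiomatic form in this codebase's style. The body of VerifyInternalImpl continues through the elided new-side lines 826–952, which are not visible here.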