| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_nss.h" | 5 #include "net/cert/cert_verify_proc_nss.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include <cert.h> | 10 #include <cert.h> |
| 26 #include "net/cert/crl_set.h" | 26 #include "net/cert/crl_set.h" |
| 27 #include "net/cert/ev_root_ca_metadata.h" | 27 #include "net/cert/ev_root_ca_metadata.h" |
| 28 #include "net/cert/x509_certificate.h" | 28 #include "net/cert/x509_certificate.h" |
| 29 #include "net/cert/x509_util_nss.h" | 29 #include "net/cert/x509_util_nss.h" |
| 30 | 30 |
| 31 #if defined(OS_IOS) | 31 #if defined(OS_IOS) |
| 32 #include <CommonCrypto/CommonDigest.h> | 32 #include <CommonCrypto/CommonDigest.h> |
| 33 #include "net/cert/x509_util_ios.h" | 33 #include "net/cert/x509_util_ios.h" |
| 34 #endif // defined(OS_IOS) | 34 #endif // defined(OS_IOS) |
| 35 | 35 |
| 36 #if defined(USE_NSS_CERTS) |
| 37 #include <dlfcn.h> |
| 38 #endif |
| 39 |
| 36 namespace net { | 40 namespace net { |
| 37 | 41 |
| 38 namespace { | 42 namespace { |
| 39 | 43 |
| 40 typedef scoped_ptr< | 44 typedef scoped_ptr< |
| 41 CERTCertificatePolicies, | 45 CERTCertificatePolicies, |
| 42 crypto::NSSDestroyer<CERTCertificatePolicies, | 46 crypto::NSSDestroyer<CERTCertificatePolicies, |
| 43 CERT_DestroyCertificatePoliciesExtension> > | 47 CERT_DestroyCertificatePoliciesExtension> > |
| 44 ScopedCERTCertificatePolicies; | 48 ScopedCERTCertificatePolicies; |
| 45 | 49 |
| 749 #else | 753 #else |
| 750 CERTCertificate* cert = list[i]->os_cert_handle(); | 754 CERTCertificate* cert = list[i]->os_cert_handle(); |
| 751 #endif | 755 #endif |
| 752 CERT_AddCertToListTail(result, CERT_DupCertificate(cert)); | 756 CERT_AddCertToListTail(result, CERT_DupCertificate(cert)); |
| 753 } | 757 } |
| 754 return result; | 758 return result; |
| 755 } | 759 } |
| 756 | 760 |
| 757 } // namespace | 761 } // namespace |
| 758 | 762 |
| 759 CertVerifyProcNSS::CertVerifyProcNSS() {} | 763 CertVerifyProcNSS::CertVerifyProcNSS() |
| 764 #if defined(USE_NSS_CERTS) |
| 765 : cache_ocsp_response_from_side_channel_( |
| 766 reinterpret_cast<CacheOCSPResponseFromSideChannelFunction>( |
| 767 dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel"))) |
| 768 #endif |
| 769 { |
| 770 } |
| 760 | 771 |
| 761 CertVerifyProcNSS::~CertVerifyProcNSS() {} | 772 CertVerifyProcNSS::~CertVerifyProcNSS() {} |
| 762 | 773 |
| 763 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { | 774 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { |
| 764 return true; | 775 return true; |
| 765 } | 776 } |
| 766 | 777 |
| 778 bool CertVerifyProcNSS::SupportsOCSPStapling() const { |
| 779 #if defined(USE_NSS_CERTS) |
| 780 return cache_ocsp_response_from_side_channel_; |
| 781 #else |
| 782 // TODO(davidben): Support OCSP stapling on iOS. |
| 783 return false; |
| 784 #endif |
| 785 } |
| 786 |
| 767 int CertVerifyProcNSS::VerifyInternalImpl( | 787 int CertVerifyProcNSS::VerifyInternalImpl( |
| 768 X509Certificate* cert, | 788 X509Certificate* cert, |
| 769 const std::string& hostname, | 789 const std::string& hostname, |
| 790 const std::string& ocsp_response, |
| 770 int flags, | 791 int flags, |
| 771 CRLSet* crl_set, | 792 CRLSet* crl_set, |
| 772 const CertificateList& additional_trust_anchors, | 793 const CertificateList& additional_trust_anchors, |
| 773 CERTChainVerifyCallback* chain_verify_callback, | 794 CERTChainVerifyCallback* chain_verify_callback, |
| 774 CertVerifyResult* verify_result) { | 795 CertVerifyResult* verify_result) { |
| 775 #if defined(OS_IOS) | 796 #if defined(OS_IOS) |
| 776 // For iOS, the entire chain must be loaded into NSS's in-memory certificate | 797 // For iOS, the entire chain must be loaded into NSS's in-memory certificate |
| 777 // store. | 798 // store. |
| 778 x509_util_ios::NSSCertChain scoped_chain(cert); | 799 x509_util_ios::NSSCertChain scoped_chain(cert); |
| 779 CERTCertificate* cert_handle = scoped_chain.cert_handle(); | 800 CERTCertificate* cert_handle = scoped_chain.cert_handle(); |
| 780 #else | 801 #else |
| 781 CERTCertificate* cert_handle = cert->os_cert_handle(); | 802 CERTCertificate* cert_handle = cert->os_cert_handle(); |
| 782 #endif // defined(OS_IOS) | 803 #endif // defined(OS_IOS) |
| 783 | 804 |
| 805 #if defined(USE_NSS_CERTS) |
| 806 if (!ocsp_response.empty() && cache_ocsp_response_from_side_channel_) { |
| 807 // Note: NSS uses a thread-safe global hash table, so this call will |
| 808 // affect any concurrent verification operations on |cert| or copies of |
| 809 // the same certificate. This is an unavoidable limitation of NSS's OCSP |
| 810 // API. |
| 811 SECItem ocsp_response_item; |
| 812 ocsp_response_item.data = reinterpret_cast<unsigned char*>( |
| 813 const_cast<char*>(ocsp_response.data())); |
| 814 ocsp_response_item.len = ocsp_response.size(); |
| 815 cache_ocsp_response_from_side_channel_(CERT_GetDefaultCertDB(), cert_handle, |
| 816 PR_Now(), &ocsp_response_item, NULL); |
| 817 } |
| 818 #endif // defined(USE_NSS_CERTS) |
| 819 |
| 784 if (!cert->VerifyNameMatch(hostname, | 820 if (!cert->VerifyNameMatch(hostname, |
| 785 &verify_result->common_name_fallback_used)) { | 821 &verify_result->common_name_fallback_used)) { |
| 786 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 822 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 787 } | 823 } |
| 788 | 824 |
| 789 // Make sure that the cert is valid now. | 825 // Make sure that the cert is valid now. |
| 790 SECCertTimeValidity validity = CERT_CheckCertValidTimes( | 826 SECCertTimeValidity validity = CERT_CheckCertValidTimes( |
| 791 cert_handle, PR_Now(), PR_TRUE); | 827 cert_handle, PR_Now(), PR_TRUE); |
| 792 if (validity != secCertTimeValid) | 828 if (validity != secCertTimeValid) |
| 793 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; | 829 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; |
| 921 verify_result->cert_status |= CERT_STATUS_IS_EV; | 957 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 922 } | 958 } |
| 923 } | 959 } |
| 924 | 960 |
| 925 return OK; | 961 return OK; |
| 926 } | 962 } |
| 927 | 963 |
| 928 int CertVerifyProcNSS::VerifyInternal( | 964 int CertVerifyProcNSS::VerifyInternal( |
| 929 X509Certificate* cert, | 965 X509Certificate* cert, |
| 930 const std::string& hostname, | 966 const std::string& hostname, |
| 967 const std::string& ocsp_response, |
| 931 int flags, | 968 int flags, |
| 932 CRLSet* crl_set, | 969 CRLSet* crl_set, |
| 933 const CertificateList& additional_trust_anchors, | 970 const CertificateList& additional_trust_anchors, |
| 934 CertVerifyResult* verify_result) { | 971 CertVerifyResult* verify_result) { |
| 935 return VerifyInternalImpl(cert, | 972 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, |
| 936 hostname, | |
| 937 flags, | |
| 938 crl_set, | |
| 939 additional_trust_anchors, | 973 additional_trust_anchors, |
| 940 NULL, // chain_verify_callback | 974 NULL, // chain_verify_callback |
| 941 verify_result); | 975 verify_result); |
| 942 } | 976 } |
| 943 | 977 |
| 944 } // namespace net | 978 } // namespace net |
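Review bot: `SECItem ocsp_response_item;` in the new USE_NSS_CERTS block of VerifyInternalImpl (new lines 811-816) leaves the struct's `type` field indeterminate; only `data` and `len` are assigned before the address is passed to NSS, so add `ocsp_response_item.type = siBuffer;` (or aggregate-initialize the struct) so nothing downstream can read an uninitialized field. On the following line `ocsp_response_item.len = ocsp_response.size();` narrows `size_t` to SECItem's `unsigned int` with no check; the stapled response is server-supplied and untrusted, and although the TLS layer bounds its size in practice, a checked conversion or an explicit size guard would make that assumption visible in the code rather than implicit. The SECStatus returned by `cache_ocsp_response_from_side_channel_(...)` is discarded and verification proceeds regardless, which looks intentional but deserves a comment such as `// Failure is non-fatal: verification continues without the stapled response.` so the next maintainer does not mistake it for a missed error check. The body of VerifyInternalImpl continues outside the visible hunk.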