| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verify_proc_mac.h" | 5 #include "net/base/cert_verify_proc_mac.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
| 9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
| 10 | 10 |
| 11 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/mac/mac_logging.h" | 12 #include "base/mac/mac_logging.h" |
| 13 #include "base/mac/scoped_cftyperef.h" | 13 #include "base/mac/scoped_cftyperef.h" |
| 14 #include "base/sha1.h" | 14 #include "base/sha1.h" |
| 15 #include "base/string_piece.h" | 15 #include "base/string_piece.h" |
| 16 #include "crypto/nss_util.h" | 16 #include "crypto/nss_util.h" |
| 17 #include "crypto/sha2.h" | 17 #include "crypto/sha2.h" |
| 18 #include "net/base/asn1_util.h" | 18 #include "net/base/asn1_util.h" |
| 19 #include "net/base/cert_status_flags.h" | 19 #include "net/base/cert_status_flags.h" |
| 20 #include "net/base/cert_verifier.h" |
| 20 #include "net/base/cert_verify_result.h" | 21 #include "net/base/cert_verify_result.h" |
| 21 #include "net/base/crl_set.h" | 22 #include "net/base/crl_set.h" |
| 22 #include "net/base/net_errors.h" | 23 #include "net/base/net_errors.h" |
| 23 #include "net/base/test_root_certs.h" | 24 #include "net/base/test_root_certs.h" |
| 24 #include "net/base/x509_certificate.h" | 25 #include "net/base/x509_certificate.h" |
| 25 #include "net/base/x509_certificate_known_roots_mac.h" | 26 #include "net/base/x509_certificate_known_roots_mac.h" |
| 26 #include "net/base/x509_util_mac.h" | 27 #include "net/base/x509_util_mac.h" |
| 27 | 28 |
| 28 // From 10.7.2 libsecurity_keychain-55035/lib/SecTrustPriv.h, for use with | 29 // From 10.7.2 libsecurity_keychain-55035/lib/SecTrustPriv.h, for use with |
| 29 // SecTrustCopyExtendedResult. | 30 // SecTrustCopyExtendedResult. |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 149 OSStatus status = x509_util::CreateSSLServerPolicy(hostname, &ssl_policy); | 150 OSStatus status = x509_util::CreateSSLServerPolicy(hostname, &ssl_policy); |
| 150 if (status) | 151 if (status) |
| 151 return status; | 152 return status; |
| 152 CFArrayAppendValue(local_policies, ssl_policy); | 153 CFArrayAppendValue(local_policies, ssl_policy); |
| 153 CFRelease(ssl_policy); | 154 CFRelease(ssl_policy); |
| 154 | 155 |
| 155 // Explicitly add revocation policies, in order to override system | 156 // Explicitly add revocation policies, in order to override system |
| 156 // revocation checking policies and instead respect the application-level | 157 // revocation checking policies and instead respect the application-level |
| 157 // revocation preference. | 158 // revocation preference. |
| 158 status = x509_util::CreateRevocationPolicies( | 159 status = x509_util::CreateRevocationPolicies( |
| 159 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED), | 160 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED), local_policies); |
| 160 local_policies); | |
| 161 if (status) | 161 if (status) |
| 162 return status; | 162 return status; |
| 163 | 163 |
| 164 policies->reset(local_policies.release()); | 164 policies->reset(local_policies.release()); |
| 165 return noErr; | 165 return noErr; |
| 166 } | 166 } |
| 167 | 167 |
| 168 // Saves some information about the certificate chain |cert_chain| in | 168 // Saves some information about the certificate chain |cert_chain| in |
| 169 // |*verify_result|. The caller MUST initialize |*verify_result| before | 169 // |*verify_result|. The caller MUST initialize |*verify_result| before |
| 170 // calling this function. | 170 // calling this function. |
| (...skipping 202 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 373 } | 373 } |
| 374 | 374 |
| 375 CSSM_APPLE_TP_ACTION_DATA tp_action_data; | 375 CSSM_APPLE_TP_ACTION_DATA tp_action_data; |
| 376 memset(&tp_action_data, 0, sizeof(tp_action_data)); | 376 memset(&tp_action_data, 0, sizeof(tp_action_data)); |
| 377 tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION; | 377 tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION; |
| 378 // Allow CSSM to download any missing intermediate certificates if an | 378 // Allow CSSM to download any missing intermediate certificates if an |
| 379 // authorityInfoAccess extension or issuerAltName extension is present. | 379 // authorityInfoAccess extension or issuerAltName extension is present. |
| 380 tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET | | 380 tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET | |
| 381 CSSM_TP_ACTION_TRUST_SETTINGS; | 381 CSSM_TP_ACTION_TRUST_SETTINGS; |
| 382 | 382 |
| 383 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) { | 383 if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) { |
| 384 // Require a positive result from an OCSP responder or a CRL (or both) | 384 // Require a positive result from an OCSP responder or a CRL (or both) |
| 385 // for every certificate in the chain. The Apple TP automatically | 385 // for every certificate in the chain. The Apple TP automatically |
| 386 // excludes the self-signed root from this requirement. If a certificate | 386 // excludes the self-signed root from this requirement. If a certificate |
| 387 // is missing both a crlDistributionPoints extension and an | 387 // is missing both a crlDistributionPoints extension and an |
| 388 // authorityInfoAccess extension with an OCSP responder URL, then we | 388 // authorityInfoAccess extension with an OCSP responder URL, then we |
| 389 // will get a kSecTrustResultRecoverableTrustFailure back from | 389 // will get a kSecTrustResultRecoverableTrustFailure back from |
| 390 // SecTrustEvaluate(), with a | 390 // SecTrustEvaluate(), with a |
| 391 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case, | 391 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case, |
| 392 // we'll set our own result to include | 392 // we'll set our own result to include |
| 393 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are | 393 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are |
| (...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 526 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 526 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 527 | 527 |
| 528 // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be | 528 // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be |
| 529 // compatible with Windows, which in turn implements this behavior to be | 529 // compatible with Windows, which in turn implements this behavior to be |
| 530 // compatible with WinHTTP, which doesn't report this error (bug 3004). | 530 // compatible with WinHTTP, which doesn't report this error (bug 3004). |
| 531 verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM; | 531 verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM; |
| 532 | 532 |
| 533 if (IsCertStatusError(verify_result->cert_status)) | 533 if (IsCertStatusError(verify_result->cert_status)) |
| 534 return MapCertStatusToNetError(verify_result->cert_status); | 534 return MapCertStatusToNetError(verify_result->cert_status); |
| 535 | 535 |
| 536 if (flags & X509Certificate::VERIFY_EV_CERT) { | 536 if (flags & CertVerifier::VERIFY_EV_CERT) { |
| 537 // Determine the certificate's EV status using SecTrustCopyExtendedResult(), | 537 // Determine the certificate's EV status using SecTrustCopyExtendedResult(), |
| 538 // which we need to look up because the function wasn't added until | 538 // which we need to look up because the function wasn't added until |
| 539 // Mac OS X 10.5.7. | 539 // Mac OS X 10.5.7. |
| 540 // Note: "ExtendedResult" means extended validation results. | 540 // Note: "ExtendedResult" means extended validation results. |
| 541 CFBundleRef bundle = | 541 CFBundleRef bundle = |
| 542 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security")); | 542 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security")); |
| 543 if (bundle) { | 543 if (bundle) { |
| 544 SecTrustCopyExtendedResultFuncPtr copy_extended_result = | 544 SecTrustCopyExtendedResultFuncPtr copy_extended_result = |
| 545 reinterpret_cast<SecTrustCopyExtendedResultFuncPtr>( | 545 reinterpret_cast<SecTrustCopyExtendedResultFuncPtr>( |
| 546 CFBundleGetFunctionPointerForName(bundle, | 546 CFBundleGetFunctionPointerForName(bundle, |
| (...skipping 23 matching lines...) Expand all Loading... |
| 570 } | 570 } |
| 571 } | 571 } |
| 572 | 572 |
| 573 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes); | 573 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes); |
| 574 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain); | 574 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain); |
| 575 | 575 |
| 576 return OK; | 576 return OK; |
| 577 } | 577 } |
| 578 | 578 |
| 579 } // namespace net | 579 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10855168:
Rename X509Certificate::VerifyFlags to CertVerifier::VerifyFlags (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src