| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verify_proc_nss.h" | 5 #include "net/base/cert_verify_proc_nss.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <nss.h> | 8 #include <nss.h> |
| 9 #include <prerror.h> | 9 #include <prerror.h> |
| 10 #include <secerr.h> | 10 #include <secerr.h> |
| 11 #include <sechash.h> | 11 #include <sechash.h> |
| 12 #include <sslerr.h> | 12 #include <sslerr.h> |
| 13 | 13 |
| 14 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "crypto/nss_util.h" | 15 #include "crypto/nss_util.h" |
| 16 #include "crypto/scoped_nss_types.h" | 16 #include "crypto/scoped_nss_types.h" |
| 17 #include "crypto/sha2.h" | 17 #include "crypto/sha2.h" |
| 18 #include "net/base/asn1_util.h" | 18 #include "net/base/asn1_util.h" |
| 19 #include "net/base/cert_status_flags.h" | 19 #include "net/base/cert_status_flags.h" |
| 20 #include "net/base/cert_verifier.h" |
| 20 #include "net/base/cert_verify_result.h" | 21 #include "net/base/cert_verify_result.h" |
| 21 #include "net/base/crl_set.h" | 22 #include "net/base/crl_set.h" |
| 22 #include "net/base/ev_root_ca_metadata.h" | 23 #include "net/base/ev_root_ca_metadata.h" |
| 23 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" |
| 24 #include "net/base/x509_certificate.h" | 25 #include "net/base/x509_certificate.h" |
| 25 #include "net/base/x509_util_nss.h" | 26 #include "net/base/x509_util_nss.h" |
| 26 | 27 |
| 27 namespace net { | 28 namespace net { |
| 28 | 29 |
| 29 namespace { | 30 namespace { |
| (...skipping 604 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 634 int cvout_cert_list_index = cvout_index; | 635 int cvout_cert_list_index = cvout_index; |
| 635 cvout_index++; | 636 cvout_index++; |
| 636 cvout[cvout_index].type = cert_po_trustAnchor; | 637 cvout[cvout_index].type = cert_po_trustAnchor; |
| 637 cvout[cvout_index].value.pointer.cert = NULL; | 638 cvout[cvout_index].value.pointer.cert = NULL; |
| 638 int cvout_trust_anchor_index = cvout_index; | 639 int cvout_trust_anchor_index = cvout_index; |
| 639 cvout_index++; | 640 cvout_index++; |
| 640 cvout[cvout_index].type = cert_po_end; | 641 cvout[cvout_index].type = cert_po_end; |
| 641 ScopedCERTValOutParam scoped_cvout(cvout); | 642 ScopedCERTValOutParam scoped_cvout(cvout); |
| 642 | 643 |
| 643 bool rev_checking_enabled = | 644 bool rev_checking_enabled = |
| 644 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) || | 645 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) || |
| 645 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY); | 646 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY); |
| 646 | 647 |
| 647 SECStatus status = PKIXVerifyCert( | 648 SECStatus status = PKIXVerifyCert( |
| 648 cert_handle, | 649 cert_handle, |
| 649 rev_checking_enabled, | 650 rev_checking_enabled, |
| 650 flags & X509Certificate::VERIFY_CERT_IO_ENABLED, | 651 flags & CertVerifier::VERIFY_CERT_IO_ENABLED, |
| 651 &ev_policy_oid, | 652 &ev_policy_oid, |
| 652 1, | 653 1, |
| 653 cvout); | 654 cvout); |
| 654 if (status != SECSuccess) | 655 if (status != SECSuccess) |
| 655 return false; | 656 return false; |
| 656 | 657 |
| 657 CERTCertificate* root_ca = | 658 CERTCertificate* root_ca = |
| 658 cvout[cvout_trust_anchor_index].value.pointer.cert; | 659 cvout[cvout_trust_anchor_index].value.pointer.cert; |
| 659 if (root_ca == NULL) | 660 if (root_ca == NULL) |
| 660 return false; | 661 return false; |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 708 cvout[cvout_index].type = cert_po_trustAnchor; | 709 cvout[cvout_index].type = cert_po_trustAnchor; |
| 709 cvout[cvout_index].value.pointer.cert = NULL; | 710 cvout[cvout_index].value.pointer.cert = NULL; |
| 710 int cvout_trust_anchor_index = cvout_index; | 711 int cvout_trust_anchor_index = cvout_index; |
| 711 cvout_index++; | 712 cvout_index++; |
| 712 cvout[cvout_index].type = cert_po_end; | 713 cvout[cvout_index].type = cert_po_end; |
| 713 ScopedCERTValOutParam scoped_cvout(cvout); | 714 ScopedCERTValOutParam scoped_cvout(cvout); |
| 714 | 715 |
| 715 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); | 716 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); |
| 716 SECOidTag ev_policy_oid = SEC_OID_UNKNOWN; | 717 SECOidTag ev_policy_oid = SEC_OID_UNKNOWN; |
| 717 bool is_ev_candidate = | 718 bool is_ev_candidate = |
| 718 (flags & X509Certificate::VERIFY_EV_CERT) && | 719 (flags & CertVerifier::VERIFY_EV_CERT) && |
| 719 IsEVCandidate(metadata, cert_handle, &ev_policy_oid); | 720 IsEVCandidate(metadata, cert_handle, &ev_policy_oid); |
| 720 bool cert_io_enabled = flags & X509Certificate::VERIFY_CERT_IO_ENABLED; | 721 bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED; |
| 721 bool check_revocation = | 722 bool check_revocation = |
| 722 cert_io_enabled && | 723 cert_io_enabled && |
| 723 ((flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) || | 724 ((flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) || |
| 724 ((flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY) && | 725 ((flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY) && |
| 725 is_ev_candidate)); | 726 is_ev_candidate)); |
| 726 if (check_revocation) | 727 if (check_revocation) |
| 727 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 728 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 728 | 729 |
| 729 status = PKIXVerifyCert(cert_handle, check_revocation, cert_io_enabled, | 730 status = PKIXVerifyCert(cert_handle, check_revocation, cert_io_enabled, |
| 730 NULL, 0, cvout); | 731 NULL, 0, cvout); |
| 731 | 732 |
| 732 if (crl_set) { | 733 if (crl_set) { |
| 733 CRLSetResult crl_set_result = CheckRevocationWithCRLSet( | 734 CRLSetResult crl_set_result = CheckRevocationWithCRLSet( |
| 734 cvout[cvout_cert_list_index].value.pointer.chain, | 735 cvout[cvout_cert_list_index].value.pointer.chain, |
| (...skipping 29 matching lines...) Expand all Loading... |
| 764 if (IsCertStatusError(verify_result->cert_status)) | 765 if (IsCertStatusError(verify_result->cert_status)) |
| 765 return MapCertStatusToNetError(verify_result->cert_status); | 766 return MapCertStatusToNetError(verify_result->cert_status); |
| 766 | 767 |
| 767 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, | 768 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, |
| 768 cvout[cvout_trust_anchor_index].value.pointer.cert, | 769 cvout[cvout_trust_anchor_index].value.pointer.cert, |
| 769 &verify_result->public_key_hashes); | 770 &verify_result->public_key_hashes); |
| 770 | 771 |
| 771 verify_result->is_issued_by_known_root = | 772 verify_result->is_issued_by_known_root = |
| 772 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | 773 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); |
| 773 | 774 |
| 774 if ((flags & X509Certificate::VERIFY_EV_CERT) && is_ev_candidate && | 775 if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate && |
| 775 VerifyEV(cert_handle, flags, crl_set, metadata, ev_policy_oid)) { | 776 VerifyEV(cert_handle, flags, crl_set, metadata, ev_policy_oid)) { |
| 776 verify_result->cert_status |= CERT_STATUS_IS_EV; | 777 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 777 } | 778 } |
| 778 | 779 |
| 779 return OK; | 780 return OK; |
| 780 } | 781 } |
| 781 | 782 |
| 782 } // namespace net | 783 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10855168:
Rename X509Certificate::VerifyFlags to CertVerifier::VerifyFlags (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src