OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 3008 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3019 LeaveFunction(result); | 3019 LeaveFunction(result); |
3020 return result; | 3020 return result; |
3021 } | 3021 } |
3022 | 3022 |
3023 int SSLClientSocketNSS::DoVerifyCert(int result) { | 3023 int SSLClientSocketNSS::DoVerifyCert(int result) { |
3024 DCHECK(!core_->state().server_cert_chain.empty()); | 3024 DCHECK(!core_->state().server_cert_chain.empty()); |
3025 DCHECK(core_->state().server_cert_chain[0]); | 3025 DCHECK(core_->state().server_cert_chain[0]); |
3026 | 3026 |
3027 GotoState(STATE_VERIFY_CERT_COMPLETE); | 3027 GotoState(STATE_VERIFY_CERT_COMPLETE); |
3028 | 3028 |
| 3029 // NSS decoded the certificate, but the platform certificate implementation |
| 3030 // could not. This is treated as a fatal SSL-level protocol error rather than |
| 3031 // a certificate error. See https://crbug.com/91341. |
| 3032 if (!core_->state().server_cert.get()) |
| 3033 return ERR_SSL_SERVER_CERT_BAD_FORMAT; |
| 3034 |
3029 // If the certificate is expected to be bad we can use the expectation as | 3035 // If the certificate is expected to be bad we can use the expectation as |
3030 // the cert status. | 3036 // the cert status. |
3031 base::StringPiece der_cert( | 3037 base::StringPiece der_cert( |
3032 reinterpret_cast<char*>( | 3038 reinterpret_cast<char*>( |
3033 core_->state().server_cert_chain[0]->derCert.data), | 3039 core_->state().server_cert_chain[0]->derCert.data), |
3034 core_->state().server_cert_chain[0]->derCert.len); | 3040 core_->state().server_cert_chain[0]->derCert.len); |
3035 CertStatus cert_status; | 3041 CertStatus cert_status; |
3036 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { | 3042 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { |
3037 DCHECK(start_cert_verification_time_.is_null()); | 3043 DCHECK(start_cert_verification_time_.is_null()); |
3038 VLOG(1) << "Received an expected bad cert with status: " << cert_status; | 3044 VLOG(1) << "Received an expected bad cert with status: " << cert_status; |
3039 server_cert_verify_result_.Reset(); | 3045 server_cert_verify_result_.Reset(); |
3040 server_cert_verify_result_.cert_status = cert_status; | 3046 server_cert_verify_result_.cert_status = cert_status; |
3041 server_cert_verify_result_.verified_cert = core_->state().server_cert; | 3047 server_cert_verify_result_.verified_cert = core_->state().server_cert; |
3042 return OK; | 3048 return OK; |
3043 } | 3049 } |
3044 | 3050 |
3045 // We may have failed to create X509Certificate object if we are | |
3046 // running inside sandbox. | |
3047 if (!core_->state().server_cert.get()) { | |
3048 server_cert_verify_result_.Reset(); | |
3049 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID; | |
3050 return ERR_CERT_INVALID; | |
3051 } | |
3052 | |
3053 start_cert_verification_time_ = base::TimeTicks::Now(); | 3051 start_cert_verification_time_ = base::TimeTicks::Now(); |
3054 | 3052 |
3055 return cert_verifier_->Verify( | 3053 return cert_verifier_->Verify( |
3056 core_->state().server_cert.get(), host_and_port_.host(), | 3054 core_->state().server_cert.get(), host_and_port_.host(), |
3057 core_->state().stapled_ocsp_response, ssl_config_.GetCertVerifyFlags(), | 3055 core_->state().stapled_ocsp_response, ssl_config_.GetCertVerifyFlags(), |
3058 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, | 3056 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, |
3059 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, | 3057 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, |
3060 base::Unretained(this)), | 3058 base::Unretained(this)), |
3061 &cert_verifier_request_, net_log_); | 3059 &cert_verifier_request_, net_log_); |
3062 } | 3060 } |
(...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3184 return channel_id_service_; | 3182 return channel_id_service_; |
3185 } | 3183 } |
3186 | 3184 |
3187 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3185 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
3188 if (completed_handshake_) | 3186 if (completed_handshake_) |
3189 return SSL_FAILURE_NONE; | 3187 return SSL_FAILURE_NONE; |
3190 return SSL_FAILURE_UNKNOWN; | 3188 return SSL_FAILURE_UNKNOWN; |
3191 } | 3189 } |
3192 | 3190 |
3193 } // namespace net | 3191 } // namespace net |
OLD | NEW |