| Index: net/base/cert_verify_proc_openssl.cc
|
| diff --git a/net/base/cert_verify_proc_openssl.cc b/net/base/cert_verify_proc_openssl.cc
|
| deleted file mode 100644
|
| index 964ba263a030daa387d2116993a84d8f556a9dec..0000000000000000000000000000000000000000
|
| --- a/net/base/cert_verify_proc_openssl.cc
|
| +++ /dev/null
|
| @@ -1,230 +0,0 @@
|
| -// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include "net/base/cert_verify_proc_openssl.h"
|
| -
|
| -#include <openssl/x509v3.h>
|
| -
|
| -#include <string>
|
| -#include <vector>
|
| -
|
| -#include "base/logging.h"
|
| -#include "base/sha1.h"
|
| -#include "crypto/openssl_util.h"
|
| -#include "crypto/sha2.h"
|
| -#include "net/base/asn1_util.h"
|
| -#include "net/base/cert_status_flags.h"
|
| -#include "net/base/cert_verifier.h"
|
| -#include "net/base/cert_verify_result.h"
|
| -#include "net/base/net_errors.h"
|
| -#include "net/base/x509_certificate.h"
|
| -
|
| -namespace net {
|
| -
|
| -namespace {
|
| -
|
| -// Maps X509_STORE_CTX_get_error() return values to our cert status flags.
|
| -CertStatus MapCertErrorToCertStatus(int err) {
|
| - switch (err) {
|
| - case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
|
| - return CERT_STATUS_COMMON_NAME_INVALID;
|
| - case X509_V_ERR_CERT_NOT_YET_VALID:
|
| - case X509_V_ERR_CERT_HAS_EXPIRED:
|
| - case X509_V_ERR_CRL_NOT_YET_VALID:
|
| - case X509_V_ERR_CRL_HAS_EXPIRED:
|
| - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
| - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
| - case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
|
| - case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
|
| - return CERT_STATUS_DATE_INVALID;
|
| - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
| - case X509_V_ERR_UNABLE_TO_GET_CRL:
|
| - case X509_V_ERR_INVALID_CA:
|
| - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
|
| - case X509_V_ERR_INVALID_NON_CA:
|
| - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
| - case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
| - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
| - return CERT_STATUS_AUTHORITY_INVALID;
|
| -#if 0
|
| -// TODO(bulach): what should we map to these status?
|
| - return CERT_STATUS_NO_REVOCATION_MECHANISM;
|
| - return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
|
| -#endif
|
| - case X509_V_ERR_CERT_REVOKED:
|
| - return CERT_STATUS_REVOKED;
|
| - // All these status are mapped to CERT_STATUS_INVALID.
|
| - case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
|
| - case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
|
| - case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
|
| - case X509_V_ERR_CERT_SIGNATURE_FAILURE:
|
| - case X509_V_ERR_CRL_SIGNATURE_FAILURE:
|
| - case X509_V_ERR_OUT_OF_MEM:
|
| - case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
| - case X509_V_ERR_CERT_CHAIN_TOO_LONG:
|
| - case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
| - case X509_V_ERR_INVALID_PURPOSE:
|
| - case X509_V_ERR_CERT_UNTRUSTED:
|
| - case X509_V_ERR_CERT_REJECTED:
|
| - case X509_V_ERR_AKID_SKID_MISMATCH:
|
| - case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
|
| - case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
|
| - case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
|
| - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
|
| - case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
|
| - case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
|
| - case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
|
| - case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
|
| - case X509_V_ERR_INVALID_EXTENSION:
|
| - case X509_V_ERR_INVALID_POLICY_EXTENSION:
|
| - case X509_V_ERR_NO_EXPLICIT_POLICY:
|
| - case X509_V_ERR_UNNESTED_RESOURCE:
|
| - case X509_V_ERR_APPLICATION_VERIFICATION:
|
| - return CERT_STATUS_INVALID;
|
| - default:
|
| - NOTREACHED() << "Invalid X509 err " << err;
|
| - return CERT_STATUS_INVALID;
|
| - }
|
| -}
|
| -
|
| -// sk_X509_free is a function-style macro, so can't be used as a template
|
| -// param directly.
|
| -void sk_X509_free_fn(STACK_OF(X509)* st) {
|
| - sk_X509_free(st);
|
| -}
|
| -
|
| -void GetCertChainInfo(X509_STORE_CTX* store_ctx,
|
| - CertVerifyResult* verify_result) {
|
| - STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
|
| - X509* verified_cert = NULL;
|
| - std::vector<X509*> verified_chain;
|
| - for (int i = 0; i < sk_X509_num(chain); ++i) {
|
| - X509* cert = sk_X509_value(chain, i);
|
| - if (i == 0) {
|
| - verified_cert = cert;
|
| - } else {
|
| - verified_chain.push_back(cert);
|
| - }
|
| -
|
| - // Only check the algorithm status for certificates that are not in the
|
| - // trust store.
|
| - if (i < store_ctx->last_untrusted) {
|
| - int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm);
|
| - if (sig_alg == NID_md2WithRSAEncryption) {
|
| - verify_result->has_md2 = true;
|
| - if (i != 0)
|
| - verify_result->has_md2_ca = true;
|
| - } else if (sig_alg == NID_md4WithRSAEncryption) {
|
| - verify_result->has_md4 = true;
|
| - } else if (sig_alg == NID_md5WithRSAEncryption) {
|
| - verify_result->has_md5 = true;
|
| - if (i != 0)
|
| - verify_result->has_md5_ca = true;
|
| - }
|
| - }
|
| - }
|
| -
|
| - if (verified_cert) {
|
| - verify_result->verified_cert =
|
| - X509Certificate::CreateFromHandle(verified_cert, verified_chain);
|
| - }
|
| -}
|
| -
|
| -void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx,
|
| - HashValueVector* hashes) {
|
| - STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
|
| - for (int i = 0; i < sk_X509_num(chain); ++i) {
|
| - X509* cert = sk_X509_value(chain, i);
|
| -
|
| - std::string der_data;
|
| - if (!X509Certificate::GetDEREncoded(cert, &der_data))
|
| - continue;
|
| -
|
| - base::StringPiece der_bytes(der_data);
|
| - base::StringPiece spki_bytes;
|
| - if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
|
| - continue;
|
| -
|
| - HashValue sha1(HASH_VALUE_SHA1);
|
| - base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
|
| - spki_bytes.size(), sha1.data());
|
| - hashes->push_back(sha1);
|
| -
|
| - HashValue sha256(HASH_VALUE_SHA256);
|
| - crypto::SHA256HashString(spki_bytes, sha1.data(), crypto::kSHA256Length);
|
| - hashes->push_back(sha256);
|
| - }
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| -CertVerifyProcOpenSSL::CertVerifyProcOpenSSL() {}
|
| -
|
| -CertVerifyProcOpenSSL::~CertVerifyProcOpenSSL() {}
|
| -
|
| -bool CertVerifyProcOpenSSL::SupportsAdditionalTrustAnchors() const {
|
| - return false;
|
| -}
|
| -
|
| -int CertVerifyProcOpenSSL::VerifyInternal(
|
| - X509Certificate* cert,
|
| - const std::string& hostname,
|
| - int flags,
|
| - CRLSet* crl_set,
|
| - const CertificateList& additional_trust_anchors,
|
| - CertVerifyResult* verify_result) {
|
| - crypto::EnsureOpenSSLInit();
|
| -
|
| - if (!cert->VerifyNameMatch(hostname))
|
| - verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
|
| -
|
| - crypto::ScopedOpenSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(
|
| - X509_STORE_CTX_new());
|
| -
|
| - crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(
|
| - sk_X509_new_null());
|
| - if (!intermediates.get())
|
| - return ERR_OUT_OF_MEMORY;
|
| -
|
| - const X509Certificate::OSCertHandles& os_intermediates =
|
| - cert->GetIntermediateCertificates();
|
| - for (X509Certificate::OSCertHandles::const_iterator it =
|
| - os_intermediates.begin(); it != os_intermediates.end(); ++it) {
|
| - if (!sk_X509_push(intermediates.get(), *it))
|
| - return ERR_OUT_OF_MEMORY;
|
| - }
|
| - if (X509_STORE_CTX_init(ctx.get(), X509Certificate::cert_store(),
|
| - cert->os_cert_handle(), intermediates.get()) != 1) {
|
| - NOTREACHED();
|
| - return ERR_FAILED;
|
| - }
|
| -
|
| - if (X509_verify_cert(ctx.get()) != 1) {
|
| - int x509_error = X509_STORE_CTX_get_error(ctx.get());
|
| - CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
|
| - LOG(ERROR) << "X509 Verification error "
|
| - << X509_verify_cert_error_string(x509_error)
|
| - << " : " << x509_error
|
| - << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
|
| - << " : " << cert_status;
|
| - verify_result->cert_status |= cert_status;
|
| - }
|
| -
|
| - GetCertChainInfo(ctx.get(), verify_result);
|
| - AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
|
| - if (IsCertStatusError(verify_result->cert_status))
|
| - return MapCertStatusToNetError(verify_result->cert_status);
|
| -
|
| - // Currently we only ues OpenSSL's default root CA paths, so treat all
|
| - // correctly verified certs as being from a known root.
|
| - // TODO(joth): if the motivations described in
|
| - // http://src.chromium.org/viewvc/chrome?view=rev&revision=80778 become an
|
| - // issue on OpenSSL builds, we will need to embed a hardcoded list of well
|
| - // known root CAs, as per the _mac and _win versions.
|
| - verify_result->is_issued_by_known_root = true;
|
| -
|
| - return OK;
|
| -}
|
| -
|
| -} // namespace net
|
|
|
Chromium Code Reviews
Issue 13006020:
net: extract net/cert out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src