| Index: net/base/x509_util_mac.cc
|
| diff --git a/net/base/x509_util_mac.cc b/net/base/x509_util_mac.cc
|
| deleted file mode 100644
|
| index a53b5ac37ab70712d496665a5df595babb860eb2..0000000000000000000000000000000000000000
|
| --- a/net/base/x509_util_mac.cc
|
| +++ /dev/null
|
| @@ -1,231 +0,0 @@
|
| -// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include "net/base/x509_util_mac.h"
|
| -
|
| -#include "base/logging.h"
|
| -#include "third_party/apple_apsl/cssmapplePriv.h"
|
| -
|
| -namespace net {
|
| -
|
| -namespace x509_util {
|
| -
|
| -namespace {
|
| -
|
| -// Creates a SecPolicyRef for the given OID, with optional value.
|
| -OSStatus CreatePolicy(const CSSM_OID* policy_oid,
|
| - void* option_data,
|
| - size_t option_length,
|
| - SecPolicyRef* policy) {
|
| - SecPolicySearchRef search;
|
| - OSStatus err = SecPolicySearchCreate(CSSM_CERT_X_509v3, policy_oid, NULL,
|
| - &search);
|
| - if (err)
|
| - return err;
|
| - err = SecPolicySearchCopyNext(search, policy);
|
| - CFRelease(search);
|
| - if (err)
|
| - return err;
|
| -
|
| - if (option_data) {
|
| - CSSM_DATA options_data = {
|
| - option_length,
|
| - reinterpret_cast<uint8_t*>(option_data)
|
| - };
|
| - err = SecPolicySetValue(*policy, &options_data);
|
| - if (err) {
|
| - CFRelease(*policy);
|
| - return err;
|
| - }
|
| - }
|
| - return noErr;
|
| -}
|
| -
|
| -} // namespace
|
| -
|
| -
|
| -OSStatus CreateSSLClientPolicy(SecPolicyRef* policy) {
|
| - CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options;
|
| - memset(&tp_ssl_options, 0, sizeof(tp_ssl_options));
|
| - tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
|
| - tp_ssl_options.Flags |= CSSM_APPLE_TP_SSL_CLIENT;
|
| -
|
| - return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options,
|
| - sizeof(tp_ssl_options), policy);
|
| -}
|
| -
|
| -OSStatus CreateSSLServerPolicy(const std::string& hostname,
|
| - SecPolicyRef* policy) {
|
| - CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options;
|
| - memset(&tp_ssl_options, 0, sizeof(tp_ssl_options));
|
| - tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
|
| - if (!hostname.empty()) {
|
| - tp_ssl_options.ServerName = hostname.data();
|
| - tp_ssl_options.ServerNameLen = hostname.size();
|
| - }
|
| -
|
| - return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options,
|
| - sizeof(tp_ssl_options), policy);
|
| -}
|
| -
|
| -OSStatus CreateBasicX509Policy(SecPolicyRef* policy) {
|
| - return CreatePolicy(&CSSMOID_APPLE_X509_BASIC, NULL, 0, policy);
|
| -}
|
| -
|
| -OSStatus CreateRevocationPolicies(bool enable_revocation_checking,
|
| - bool enable_ev_checking,
|
| - CFMutableArrayRef policies) {
|
| - OSStatus status = noErr;
|
| -
|
| - // In order to bypass the system revocation checking settings, the
|
| - // SecTrustRef must have at least one revocation policy associated with it.
|
| - // Since it is not known prior to verification whether the Apple TP will
|
| - // consider a certificate as an EV candidate, the default policy used is a
|
| - // CRL policy, since it does not communicate over the network.
|
| - // If the TP believes the leaf is an EV cert, it will explicitly add an
|
| - // OCSP policy to perform the online checking, and if it doesn't believe
|
| - // that the leaf is EV, then the default CRL policy will effectively no-op.
|
| - // This behaviour is used to implement EV-only revocation checking.
|
| - if (enable_ev_checking || enable_revocation_checking) {
|
| - CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options;
|
| - memset(&tp_crl_options, 0, sizeof(tp_crl_options));
|
| - tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
|
| - // Only allow network CRL fetches if the caller explicitly requests
|
| - // online revocation checking. Note that, as of OS X 10.7.2, the system
|
| - // will set force this flag on according to system policies, so
|
| - // online revocation checks cannot be completely disabled.
|
| - if (enable_revocation_checking)
|
| - tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
|
| -
|
| - SecPolicyRef crl_policy;
|
| - status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options,
|
| - sizeof(tp_crl_options), &crl_policy);
|
| - if (status)
|
| - return status;
|
| - CFArrayAppendValue(policies, crl_policy);
|
| - CFRelease(crl_policy);
|
| - }
|
| -
|
| - // If revocation checking is explicitly enabled, then add an OCSP policy
|
| - // and allow network access. If both revocation checking and EV checking
|
| - // are disabled, then the added OCSP policy will be prevented from
|
| - // accessing the network. This is done because the TP will force an OCSP
|
| - // policy to be present when it believes the certificate is EV. If network
|
| - // fetching was not explicitly disabled, then it would be as if
|
| - // enable_ev_checking was always set to true.
|
| - if (enable_revocation_checking || !enable_ev_checking) {
|
| - CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options;
|
| - memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
|
| - tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
|
| -
|
| - if (enable_revocation_checking) {
|
| - // The default for the OCSP policy is to fetch responses via the network,
|
| - // unlike the CRL policy default. The policy is further modified to
|
| - // prefer OCSP over CRLs, if both are specified on the certificate. This
|
| - // is because an OCSP response is both sufficient and typically
|
| - // significantly smaller than the CRL counterpart.
|
| - tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
|
| - } else {
|
| - // Effectively disable OCSP checking by making it impossible to get an
|
| - // OCSP response. Even if the Apple TP forces OCSP, no checking will
|
| - // be able to succeed. If this happens, the Apple TP will report an error
|
| - // that OCSP was unavailable, but this will be handled and suppressed in
|
| - // X509Certificate::Verify().
|
| - tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET |
|
| - CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE;
|
| - }
|
| -
|
| - SecPolicyRef ocsp_policy;
|
| - status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, &tp_ocsp_options,
|
| - sizeof(tp_ocsp_options), &ocsp_policy);
|
| - if (status)
|
| - return status;
|
| - CFArrayAppendValue(policies, ocsp_policy);
|
| - CFRelease(ocsp_policy);
|
| - }
|
| -
|
| - return status;
|
| -}
|
| -
|
| -CSSMFieldValue::CSSMFieldValue()
|
| - : cl_handle_(CSSM_INVALID_HANDLE),
|
| - oid_(NULL),
|
| - field_(NULL) {
|
| -}
|
| -CSSMFieldValue::CSSMFieldValue(CSSM_CL_HANDLE cl_handle,
|
| - const CSSM_OID* oid,
|
| - CSSM_DATA_PTR field)
|
| - : cl_handle_(cl_handle),
|
| - oid_(const_cast<CSSM_OID_PTR>(oid)),
|
| - field_(field) {
|
| -}
|
| -
|
| -CSSMFieldValue::~CSSMFieldValue() {
|
| - Reset(CSSM_INVALID_HANDLE, NULL, NULL);
|
| -}
|
| -
|
| -void CSSMFieldValue::Reset(CSSM_CL_HANDLE cl_handle,
|
| - CSSM_OID_PTR oid,
|
| - CSSM_DATA_PTR field) {
|
| - if (cl_handle_ && oid_ && field_)
|
| - CSSM_CL_FreeFieldValue(cl_handle_, oid_, field_);
|
| - cl_handle_ = cl_handle;
|
| - oid_ = oid;
|
| - field_ = field;
|
| -}
|
| -
|
| -CSSMCachedCertificate::CSSMCachedCertificate()
|
| - : cl_handle_(CSSM_INVALID_HANDLE),
|
| - cached_cert_handle_(CSSM_INVALID_HANDLE) {
|
| -}
|
| -CSSMCachedCertificate::~CSSMCachedCertificate() {
|
| - if (cl_handle_ && cached_cert_handle_)
|
| - CSSM_CL_CertAbortCache(cl_handle_, cached_cert_handle_);
|
| -}
|
| -
|
| -OSStatus CSSMCachedCertificate::Init(SecCertificateRef os_cert_handle) {
|
| - DCHECK(!cl_handle_ && !cached_cert_handle_);
|
| - DCHECK(os_cert_handle);
|
| - CSSM_DATA cert_data;
|
| - OSStatus status = SecCertificateGetData(os_cert_handle, &cert_data);
|
| - if (status)
|
| - return status;
|
| - status = SecCertificateGetCLHandle(os_cert_handle, &cl_handle_);
|
| - if (status) {
|
| - DCHECK(!cl_handle_);
|
| - return status;
|
| - }
|
| -
|
| - status = CSSM_CL_CertCache(cl_handle_, &cert_data, &cached_cert_handle_);
|
| - if (status)
|
| - DCHECK(!cached_cert_handle_);
|
| - return status;
|
| -}
|
| -
|
| -OSStatus CSSMCachedCertificate::GetField(const CSSM_OID* field_oid,
|
| - CSSMFieldValue* field) const {
|
| - DCHECK(cl_handle_);
|
| - DCHECK(cached_cert_handle_);
|
| -
|
| - CSSM_OID_PTR oid = const_cast<CSSM_OID_PTR>(field_oid);
|
| - CSSM_DATA_PTR field_ptr = NULL;
|
| - CSSM_HANDLE results_handle = CSSM_INVALID_HANDLE;
|
| - uint32 field_value_count = 0;
|
| - CSSM_RETURN status = CSSM_CL_CertGetFirstCachedFieldValue(
|
| - cl_handle_, cached_cert_handle_, oid, &results_handle,
|
| - &field_value_count, &field_ptr);
|
| - if (status)
|
| - return status;
|
| -
|
| - // Note: |field_value_count| may be > 1, indicating that more than one
|
| - // value is present. This may happen with extensions, but for current
|
| - // usages, only the first value is returned.
|
| - CSSM_CL_CertAbortQuery(cl_handle_, results_handle);
|
| - field->Reset(cl_handle_, oid, field_ptr);
|
| - return CSSM_OK;
|
| -}
|
| -
|
| -} // namespace x509_util
|
| -
|
| -} // namespace net
|
|
|
Chromium Code Reviews
Issue 13006020:
net: extract net/cert out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src