| OLD | NEW |
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" |
| 6 |
| 7 #include "net/cert/test_root_certs.h" |
| 8 |
| 9 // NSS doesn't currently define CERT_LIST_TAIL. |
| 10 // See https://bugzilla.mozilla.org/show_bug.cgi?id=962413 |
| 11 // Can be removed once chrome requires NSS version 3.16 to build. |
| 12 #ifndef CERT_LIST_TAIL |
| 13 #define CERT_LIST_TAIL(l) ((CERTCertListNode *)PR_LIST_TAIL(&l->list)) |
| 14 #endif |
| 15 |
| 16 namespace chromeos { |
| 17 |
| 18 namespace { |
| 19 |
| 20 struct ChainVerifyArgs { |
| 21 CertVerifyProcChromeOS* cert_verify_proc; |
| 22 const net::CertificateList& additional_trust_anchors; |
| 23 }; |
| 24 |
| 25 } // namespace |
| 26 |
| 27 CertVerifyProcChromeOS::CertVerifyProcChromeOS() {} |
| 28 |
| 29 CertVerifyProcChromeOS::CertVerifyProcChromeOS( |
| 30 crypto::ScopedPK11Slot public_slot) { |
| 31 profile_filter_.Init(public_slot.Pass(), crypto::ScopedPK11Slot()); |
| 32 } |
| 33 |
| 34 CertVerifyProcChromeOS::~CertVerifyProcChromeOS() {} |
| 35 |
| 36 int CertVerifyProcChromeOS::VerifyInternal( |
| 37 net::X509Certificate* cert, |
| 38 const std::string& hostname, |
| 39 int flags, |
| 40 net::CRLSet* crl_set, |
| 41 const net::CertificateList& additional_trust_anchors, |
| 42 net::CertVerifyResult* verify_result) { |
| 43 ChainVerifyArgs chain_verify_args = {this, additional_trust_anchors}; |
| 44 |
| 45 CERTChainVerifyCallback chain_verify_callback; |
| 46 chain_verify_callback.isChainValid = |
| 47 &CertVerifyProcChromeOS::IsChainValidFunc; |
| 48 chain_verify_callback.isChainValidArg = |
| 49 static_cast<void*>(&chain_verify_args); |
| 50 |
| 51 return VerifyInternalImpl(cert, |
| 52 hostname, |
| 53 flags, |
| 54 crl_set, |
| 55 additional_trust_anchors, |
| 56 &chain_verify_callback, |
| 57 verify_result); |
| 58 } |
| 59 |
| 60 // static |
| 61 SECStatus CertVerifyProcChromeOS::IsChainValidFunc( |
| 62 void* is_chain_valid_arg, |
| 63 const CERTCertList* current_chain, |
| 64 PRBool* chain_ok) { |
| 65 ChainVerifyArgs* args = static_cast<ChainVerifyArgs*>(is_chain_valid_arg); |
| 66 CERTCertificate* cert = CERT_LIST_TAIL(current_chain)->cert; |
| 67 |
| 68 if (net::TestRootCerts::HasInstance()) { |
| 69 if (net::TestRootCerts::GetInstance()->Contains(cert)) { |
| 70 // Certs in the TestRootCerts are not stored in any slot, and thus would |
| 71 // not be allowed by the profile_filter. This should only be hit in tests. |
| 72 DVLOG(3) << cert->subjectName << " is a TestRootCert"; |
| 73 *chain_ok = PR_TRUE; |
| 74 return SECSuccess; |
| 75 } |
| 76 } |
| 77 |
| 78 for (net::CertificateList::const_iterator i = |
| 79 args->additional_trust_anchors.begin(); |
| 80 i != args->additional_trust_anchors.end(); |
| 81 ++i) { |
| 82 if (net::X509Certificate::IsSameOSCert(cert, (*i)->os_cert_handle())) { |
| 83 // Certs in the additional_trust_anchors should always be allowed, even if |
| 84 // they aren't stored in a slot that would be allowed by the |
| 85 // profile_filter. |
| 86 DVLOG(3) << cert->subjectName << " is an additional_trust_anchor"; |
| 87 *chain_ok = PR_TRUE; |
| 88 return SECSuccess; |
| 89 } |
| 90 } |
| 91 |
| 92 // TODO(mattm): If crbug.com/334384 is fixed to allow setting trust |
| 93 // properly when the same cert is in multiple slots, this would also need |
| 94 // updating to check the per-slot trust values. |
| 95 *chain_ok = args->cert_verify_proc->profile_filter_.IsCertAllowed(cert) |
| 96 ? PR_TRUE |
| 97 : PR_FALSE; |
| 98 DVLOG(3) << cert->subjectName << " is " << (*chain_ok ? "ok" : "not ok"); |
| 99 return SECSuccess; |
| 100 } |
| 101 |
| 102 } // namespace chromeos |
| OLD | NEW |