Chromium Code Reviews Chromium Code Reviews
Issue 165117:
Fix build break with uninitialized variable 'ev_policy_tag'.... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 | 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 |
| 8 // until NSS 3.12.2 comes out and we update to it. | 8 // until NSS 3.12.2 comes out and we update to it. |
| 9 #define Lock FOO_NSS_Lock | 9 #define Lock FOO_NSS_Lock |
| 10 #include <cert.h> | 10 #include <cert.h> |
| (...skipping 301 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 312 result->push_back(value); | 312 result->push_back(value); |
| 313 } | 313 } |
| 314 name = CERT_GetNextGeneralName(name); | 314 name = CERT_GetNextGeneralName(name); |
| 315 if (name == alt_name_list) | 315 if (name == alt_name_list) |
| 316 break; | 316 break; |
| 317 } | 317 } |
| 318 PORT_FreeArena(arena, PR_FALSE); | 318 PORT_FreeArena(arena, PR_FALSE); |
| 319 PORT_Free(alt_name.data); | 319 PORT_Free(alt_name.data); |
| 320 } | 320 } |
| 321 | 321 |
| 322 // TODO(ukai): make a Linux-only method of the EVRootCAMetadata. | 322 // TODO(ukai): this should be a Linux-only method of EVRootCAMetadata class. |
| 323 void GetPolicyOidTags(net::EVRootCAMetadata* metadata, | 323 void GetPolicyOidTags(net::EVRootCAMetadata* metadata, |
| 324 std::vector<SECOidTag>* policies) { | 324 std::vector<SECOidTag>* policies) { |
| 325 const char* const* policy_oids = metadata->GetPolicyOIDs(); | 325 const char* const* policy_oids = metadata->GetPolicyOIDs(); |
| 326 for (int i = 0; i < metadata->NumPolicyOIDs(); i++) { | 326 for (int i = 0; i < metadata->NumPolicyOIDs(); i++) { |
| 327 PRUint8 buf[1024]; | 327 PRUint8 buf[1024]; |
| 328 SECItem oid_item; | 328 SECItem oid_item; |
| 329 oid_item.data = buf; | 329 oid_item.data = buf; |
| 330 oid_item.len = sizeof(buf); | 330 oid_item.len = sizeof(buf); |
| 331 SECStatus status = SEC_StringToOID(NULL, &oid_item, policy_oids[i], 0); | 331 SECStatus status = SEC_StringToOID(NULL, &oid_item, policy_oids[i], 0); |
| 332 if (status != SECSuccess) { | 332 if (status != SECSuccess) { |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 346 policy = SECOID_AddEntry(&od); | 346 policy = SECOID_AddEntry(&od); |
| 347 DCHECK(policy != SEC_OID_UNKNOWN); | 347 DCHECK(policy != SEC_OID_UNKNOWN); |
| 348 } | 348 } |
| 349 policies->push_back(policy); | 349 policies->push_back(policy); |
| 350 } | 350 } |
| 351 return; | 351 return; |
| 352 } | 352 } |
| 353 | 353 |
| 354 // Call CERT_PKIXVerifyCert for the cert_handle. | 354 // Call CERT_PKIXVerifyCert for the cert_handle. |
| 355 // Verification results are stored in an array of CERTValOutParam. | 355 // Verification results are stored in an array of CERTValOutParam. |
| 356 // If metadata is not NULL, policies are also checked. | 356 // If policy_oids is not NULL and num_policy_oids is positive, policies |
| 357 // are also checked. | |
| 357 // Caller must initialize cvout before calling this function. | 358 // Caller must initialize cvout before calling this function. |
| 358 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, | 359 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle, |
| 359 const SECOidTag* policy_oids, | 360 const SECOidTag* policy_oids, |
| 360 int num_policy_oids, | 361 int num_policy_oids, |
| 361 CERTValOutParam* cvout) { | 362 CERTValOutParam* cvout) { |
| 362 PRUint64 revocation_method_flags = | 363 PRUint64 revocation_method_flags = |
| 363 CERT_REV_M_TEST_USING_THIS_METHOD | | 364 CERT_REV_M_TEST_USING_THIS_METHOD | |
| 364 CERT_REV_M_ALLOW_NETWORK_FETCHING | | 365 CERT_REV_M_ALLOW_NETWORK_FETCHING | |
| 365 CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | | 366 CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | |
| 366 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE | | 367 CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE | |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 453 } | 454 } |
| 454 CERTCertificatePolicies* policies = | 455 CERTCertificatePolicies* policies = |
| 455 CERT_DecodeCertificatePoliciesExtension(&policy_ext); | 456 CERT_DecodeCertificatePoliciesExtension(&policy_ext); |
| 456 if (!policies) { | 457 if (!policies) { |
| 457 LOG(ERROR) << "Failed to decode certificate policy."; | 458 LOG(ERROR) << "Failed to decode certificate policy."; |
| 458 return false; | 459 return false; |
| 459 } | 460 } |
| 460 CERTPolicyInfo** policy_infos = policies->policyInfos; | 461 CERTPolicyInfo** policy_infos = policies->policyInfos; |
| 461 while (*policy_infos != NULL) { | 462 while (*policy_infos != NULL) { |
| 462 CERTPolicyInfo* policy_info = *policy_infos++; | 463 CERTPolicyInfo* policy_info = *policy_infos++; |
| 463 SECOidTag oid_tag = SECOID_FindOIDTag(&policy_info->policyID); | 464 SECOidTag oid_tag = policy_info->oid; |
| 464 if (oid_tag == SEC_OID_UNKNOWN) | 465 if (oid_tag == SEC_OID_UNKNOWN) |
| 465 continue; | 466 continue; |
| 466 if (oid_tag == ev_policy_tag) | 467 if (oid_tag == ev_policy_tag) |
| 467 return true; | 468 return true; |
| 468 } | 469 } |
| 469 LOG(ERROR) << "No EV Policy Tag"; | 470 LOG(ERROR) << "No EV Policy Tag"; |
| 470 return false; | 471 return false; |
| 471 } | 472 } |
| 472 | 473 |
| 473 } // namespace | 474 } // namespace |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 553 err = SEC_ERROR_EXPIRED_CERTIFICATE; | 554 err = SEC_ERROR_EXPIRED_CERTIFICATE; |
| 554 verify_result->cert_status |= MapCertErrorToCertStatus(err); | 555 verify_result->cert_status |= MapCertErrorToCertStatus(err); |
| 555 return MapCertStatusToNetError(verify_result->cert_status); | 556 return MapCertStatusToNetError(verify_result->cert_status); |
| 556 } | 557 } |
| 557 | 558 |
| 558 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 559 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
| 559 verify_result); | 560 verify_result); |
| 560 if (IsCertStatusError(verify_result->cert_status)) | 561 if (IsCertStatusError(verify_result->cert_status)) |
| 561 return MapCertStatusToNetError(verify_result->cert_status); | 562 return MapCertStatusToNetError(verify_result->cert_status); |
| 562 | 563 |
| 563 if (flags & VERIFY_EV_CERT) { | 564 if ((flags & VERIFY_EV_CERT) && VerifyEV()) |
| 564 if (VerifyEV()) | 565 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 565 verify_result->cert_status |= CERT_STATUS_IS_EV; | |
| 566 } | |
| 567 return OK; | 566 return OK; |
| 568 } | 567 } |
| 569 | 568 |
| 570 // Studied Mozilla's code (esp. security/manager/ssl/src/nsNSSCertHelper.cpp) | 569 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp |
| 571 // to learn how to verify EV certificate. | 570 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate. |
| 572 // TODO(wtc): We may be able to request cert_po_policyOID and just | 571 // TODO(wtc): We may be able to request cert_po_policyOID and just |
| 573 // check if any of the returned policies is the EV policy of the trust anchor. | 572 // check if any of the returned policies is the EV policy of the trust anchor. |
| 574 // Another possible optimization is that we get the trust anchor from | 573 // Another possible optimization is that we get the trust anchor from |
| 575 // the first PKIXVerifyCert call. We look up the EV policy for the trust | 574 // the first PKIXVerifyCert call. We look up the EV policy for the trust |
| 576 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV. | 575 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV. |
| 577 // Otherwise, we pass just that EV policy (as opposed to all the EV policies) | 576 // Otherwise, we pass just that EV policy (as opposed to all the EV policies) |
| 578 // to the second PKIXVerifyCert call. | 577 // to the second PKIXVerifyCert call. |
| 579 bool X509Certificate::VerifyEV() const { | 578 bool X509Certificate::VerifyEV() const { |
| 580 net::EVRootCAMetadata* metadata = net::EVRootCAMetadata::GetInstance(); | 579 net::EVRootCAMetadata* metadata = net::EVRootCAMetadata::GetInstance(); |
| 581 | 580 |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 594 &policies[0], policies.size(), cvout); | 593 &policies[0], policies.size(), cvout); |
| 595 if (status != SECSuccess) | 594 if (status != SECSuccess) |
| 596 return false; | 595 return false; |
| 597 | 596 |
| 598 CERTCertificate* root_ca = | 597 CERTCertificate* root_ca = |
| 599 cvout[cvout_trust_anchor_index].value.pointer.cert; | 598 cvout[cvout_trust_anchor_index].value.pointer.cert; |
| 600 if (root_ca == NULL) | 599 if (root_ca == NULL) |
| 601 return false; | 600 return false; |
| 602 X509Certificate::Fingerprint fingerprint = | 601 X509Certificate::Fingerprint fingerprint = |
| 603 X509Certificate::CalculateFingerprint(root_ca); | 602 X509Certificate::CalculateFingerprint(root_ca); |
| 604 SECOidTag ev_policy_tag; | 603 SECOidTag ev_policy_tag = SEC_OID_UNKNOWN; |
|
wtc
2009/08/07 18:07:48
Does the compiler warn about this? We're passing
ukai
2009/08/10 04:09:20
Yes, it caused the build break.
| |
| 605 if (!GetEvPolicyOidTag(metadata, fingerprint, &ev_policy_tag)) | 604 if (!GetEvPolicyOidTag(metadata, fingerprint, &ev_policy_tag)) |
| 606 return false; | 605 return false; |
| 607 | 606 |
| 608 if (!CheckCertPolicies(cert_handle_, ev_policy_tag)) | 607 if (!CheckCertPolicies(cert_handle_, ev_policy_tag)) |
| 609 return false; | 608 return false; |
| 610 | 609 |
| 611 return true; | 610 return true; |
| 612 } | 611 } |
| 613 | 612 |
| 614 // static | 613 // static |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 638 DCHECK(0 != cert->derCert.len); | 637 DCHECK(0 != cert->derCert.len); |
| 639 | 638 |
| 640 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, | 639 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, |
| 641 cert->derCert.data, cert->derCert.len); | 640 cert->derCert.data, cert->derCert.len); |
| 642 DCHECK(rv == SECSuccess); | 641 DCHECK(rv == SECSuccess); |
| 643 | 642 |
| 644 return sha1; | 643 return sha1; |
| 645 } | 644 } |
| 646 | 645 |
| 647 } // namespace net | 646 } // namespace net |
| OLD | NEW |
