| Index: net/cert/cert_verify_proc_openssl_ios.cc
|
| diff --git a/net/cert/cert_verify_proc_openssl_ios.cc b/net/cert/cert_verify_proc_openssl_ios.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..f14abdcfa831ee3d0d0a0d6a98001f8af8c2b6c1
|
| --- /dev/null
|
| +++ b/net/cert/cert_verify_proc_openssl_ios.cc
|
| @@ -0,0 +1,305 @@
|
| +// Copyright (c) 2016 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "net/cert/cert_verify_proc_openssl_ios.h"
|
| +
|
| +#include <CommonCrypto/CommonDigest.h>
|
| +#include <Security/Security.h>
|
| +
|
| +#include "base/logging.h"
|
| +#include "base/mac/scoped_cftyperef.h"
|
| +#include "base/strings/sys_string_conversions.h"
|
| +#include "crypto/sha2.h"
|
| +#include "net/base/net_errors.h"
|
| +#include "net/cert/asn1_util.h"
|
| +#include "net/cert/cert_verify_result.h"
|
| +#include "net/cert/crl_set.h"
|
| +#include "net/cert/test_root_certs.h"
|
| +#include "net/cert/x509_certificate.h"
|
| +#include "net/ssl/openssl_ssl_util.h"
|
| +
|
| +using base::ScopedCFTypeRef;
|
| +
|
| +namespace net {
|
| +
|
| +namespace {
|
| +
|
| +typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef,
|
| + CFDictionaryRef*);
|
| +
|
| +int NetErrorFromOSStatus(OSStatus status) {
|
| + switch (status) {
|
| + case noErr:
|
| + return OK;
|
| + case errSecNotAvailable:
|
| + return ERR_NOT_IMPLEMENTED;
|
| + case errSecAuthFailed:
|
| + return ERR_ACCESS_DENIED;
|
| + default:
|
| + return ERR_FAILED;
|
| + }
|
| +}
|
| +
|
| +// Creates a series of SecPolicyRefs to be added to a SecTrustRef used to
|
| +// validate a certificate for an SSL server. |hostname| contains the name of
|
| +// the SSL server that the certificate should be verified against. If
|
| +// successful, returns noErr, and stores the resultant array of SecPolicyRefs
|
| +// in |policies|.
|
| +OSStatus CreateTrustPolicies(const std::string& hostname,
|
| + ScopedCFTypeRef<CFArrayRef>* policies) {
|
| + ScopedCFTypeRef<CFMutableArrayRef> local_policies(
|
| + CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
|
| + if (!local_policies)
|
| + return errSecAllocate;
|
| +
|
| + SecPolicyRef ssl_policy = SecPolicyCreateBasicX509();
|
| + CFArrayAppendValue(local_policies, ssl_policy);
|
| + CFRelease(ssl_policy);
|
| + ssl_policy = SecPolicyCreateSSL(true, base::SysUTF8ToCFStringRef(hostname));
|
| + CFArrayAppendValue(local_policies, ssl_policy);
|
| + CFRelease(ssl_policy);
|
| +
|
| + policies->reset(local_policies.release());
|
| + return noErr;
|
| +}
|
| +
|
| +// Builds and evaluates a SecTrustRef for the certificate chain contained
|
| +// in |cert_array|, using the verification policies in |trust_policies|. On
|
| +// success, returns OK, and updates |trust_ref| and |trust_result|. On failure,
|
| +// no output parameters are modified.
|
| +//
|
| +// Note: An OK return does not mean that |cert_array| is trusted, merely that
|
| +// verification was performed successfully.
|
| +int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
| + CFArrayRef trust_policies,
|
| + ScopedCFTypeRef<SecTrustRef>* trust_ref,
|
| + ScopedCFTypeRef<CFArrayRef>* verified_chain,
|
| + SecTrustResultType* trust_result) {
|
| + SecTrustRef tmp_trust = NULL;
|
| + OSStatus status =
|
| + SecTrustCreateWithCertificates(cert_array, trust_policies, &tmp_trust);
|
| + if (status)
|
| + return NetErrorFromOSStatus(status);
|
| + ScopedCFTypeRef<SecTrustRef> scoped_tmp_trust(tmp_trust);
|
| +
|
| + if (TestRootCerts::HasInstance()) {
|
| + status = TestRootCerts::GetInstance()->FixupSecTrustRef(tmp_trust);
|
| + if (status)
|
| + return NetErrorFromOSStatus(status);
|
| + }
|
| +
|
| + SecTrustResultType tmp_trust_result;
|
| + status = SecTrustEvaluate(tmp_trust, &tmp_trust_result);
|
| + if (status)
|
| + return NetErrorFromOSStatus(status);
|
| +
|
| + ScopedCFTypeRef<CFMutableArrayRef> tmp_verified_chain(
|
| + CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
|
| + const CFIndex chain_length = SecTrustGetCertificateCount(tmp_trust);
|
| + for (CFIndex i = 0; i < chain_length; ++i) {
|
| + SecCertificateRef chain_cert = SecTrustGetCertificateAtIndex(tmp_trust, i);
|
| + CFArrayAppendValue(tmp_verified_chain, chain_cert);
|
| + CFRelease(chain_cert);
|
| + }
|
| +
|
| + trust_ref->swap(scoped_tmp_trust);
|
| + *trust_result = tmp_trust_result;
|
| + verified_chain->reset(tmp_verified_chain.release());
|
| + return OK;
|
| +}
|
| +
|
| +void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
|
| + DCHECK_LT(0, CFArrayGetCount(cert_chain));
|
| +
|
| + verify_result->has_md2 = false;
|
| + verify_result->has_md4 = false;
|
| + verify_result->has_md5 = false;
|
| + verify_result->has_sha1 = false;
|
| + verify_result->has_sha1_leaf = false;
|
| +
|
| + SecCertificateRef verified_cert = NULL;
|
| + std::vector<SecCertificateRef> verified_chain;
|
| + for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {
|
| + SecCertificateRef chain_cert =
|
| + X509Certificate::DupOSCertHandle(reinterpret_cast<SecCertificateRef>(
|
| + const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))));
|
| + if (i == 0) {
|
| + verified_cert = chain_cert;
|
| + } else {
|
| + verified_chain.push_back(chain_cert);
|
| + }
|
| +
|
| + ScopedX509 x509_cert = OSCertHandleToOpenSSL(chain_cert);
|
| + int sig_alg = OBJ_obj2nid(x509_cert->sig_alg->algorithm);
|
| + if (sig_alg == NID_md2WithRSAEncryption) {
|
| + verify_result->has_md2 = true;
|
| + } else if (sig_alg == NID_md4WithRSAEncryption) {
|
| + verify_result->has_md4 = true;
|
| + } else if (sig_alg == NID_md5WithRSAEncryption ||
|
| + sig_alg == NID_md5WithRSA) {
|
| + verify_result->has_md5 = true;
|
| + } else if (sig_alg == NID_sha1WithRSAEncryption ||
|
| + sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 ||
|
| + sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA ||
|
| + sig_alg == NID_ecdsa_with_SHA1) {
|
| + verify_result->has_sha1 = true;
|
| + if (i == 0)
|
| + verify_result->has_sha1_leaf = true;
|
| + }
|
| + }
|
| + if (!verified_cert) {
|
| + NOTREACHED();
|
| + return;
|
| + }
|
| +
|
| + verify_result->verified_cert =
|
| + X509Certificate::CreateFromHandle(verified_cert, verified_chain);
|
| +}
|
| +
|
| +void AppendPublicKeyHashes(CFArrayRef chain, HashValueVector* hashes) {
|
| + const CFIndex n = CFArrayGetCount(chain);
|
| + for (CFIndex i = 0; i < n; i++) {
|
| + SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
|
| + const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
|
| +
|
| + std::string der_bytes;
|
| + if (!X509Certificate::GetDEREncoded(cert, &der_bytes))
|
| + return;
|
| + base::StringPiece spki_bytes;
|
| + if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
|
| + continue;
|
| +
|
| + HashValue sha1(HASH_VALUE_SHA1);
|
| + CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());
|
| + hashes->push_back(sha1);
|
| +
|
| + HashValue sha256(HASH_VALUE_SHA256);
|
| + CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
|
| + hashes->push_back(sha256);
|
| + }
|
| +}
|
| +
|
| +bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
|
| + if (CFArrayGetCount(chain) == 0)
|
| + return true;
|
| +
|
| + // We iterate from the root certificate down to the leaf, keeping track of
|
| + // the issuer's SPKI at each step.
|
| + std::string issuer_spki_hash;
|
| + for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) {
|
| + SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
|
| + const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
|
| +
|
| + std::string der_bytes;
|
| + if (!X509Certificate::GetDEREncoded(cert, &der_bytes))
|
| + return false;
|
| + base::StringPiece spki;
|
| + if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) {
|
| + NOTREACHED();
|
| + continue;
|
| + }
|
| +
|
| + const std::string spki_hash = crypto::SHA256HashString(spki);
|
| + scoped_refptr<X509Certificate::X509Certificate> x509_cert =
|
| + X509Certificate::CreateFromHandle(cert,
|
| + X509Certificate::OSCertHandles());
|
| +
|
| + CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
|
| +
|
| + if (result != CRLSet::REVOKED && !issuer_spki_hash.empty()) {
|
| + result =
|
| + crl_set->CheckSerial(x509_cert->serial_number(), issuer_spki_hash);
|
| + }
|
| +
|
| + issuer_spki_hash = spki_hash;
|
| +
|
| + switch (result) {
|
| + case CRLSet::REVOKED:
|
| + return false;
|
| + case CRLSet::UNKNOWN:
|
| + case CRLSet::GOOD:
|
| + continue;
|
| + default:
|
| + NOTREACHED();
|
| + return false;
|
| + }
|
| + }
|
| +
|
| + return true;
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +CertVerifyProcOpenSSLIOS::CertVerifyProcOpenSSLIOS() {}
|
| +
|
| +CertVerifyProcOpenSSLIOS::~CertVerifyProcOpenSSLIOS() {}
|
| +
|
| +bool CertVerifyProcOpenSSLIOS::SupportsAdditionalTrustAnchors() const {
|
| + return false;
|
| +}
|
| +
|
| +bool CertVerifyProcOpenSSLIOS::SupportsOCSPStapling() const {
|
| + return false;
|
| +}
|
| +
|
| +int CertVerifyProcOpenSSLIOS::VerifyInternal(
|
| + X509Certificate* cert,
|
| + const std::string& hostname,
|
| + const std::string& ocsp_response,
|
| + int flags,
|
| + CRLSet* crl_set,
|
| + const CertificateList& additional_trust_anchors,
|
| + CertVerifyResult* verify_result) {
|
| + ScopedCFTypeRef<CFArrayRef> trust_policies;
|
| + OSStatus status = CreateTrustPolicies(hostname, &trust_policies);
|
| + if (status)
|
| + return NetErrorFromOSStatus(status);
|
| +
|
| + ScopedCFTypeRef<CFMutableArrayRef> cert_array(
|
| + cert->CreateOSCertChainForCert());
|
| + ScopedCFTypeRef<SecTrustRef> trust_ref;
|
| + SecTrustResultType trust_result = kSecTrustResultDeny;
|
| + ScopedCFTypeRef<CFArrayRef> final_chain;
|
| +
|
| + status = BuildAndEvaluateSecTrustRef(cert_array, trust_policies, &trust_ref,
|
| + &final_chain, &trust_result);
|
| + if (status)
|
| + return NetErrorFromOSStatus(status);
|
| +
|
| + if (CFArrayGetCount(final_chain) > 0) {
|
| + GetCertChainInfo(final_chain, verify_result);
|
| + }
|
| +
|
| + if (crl_set && !CheckRevocationWithCRLSet(final_chain, crl_set))
|
| + verify_result->cert_status |= CERT_STATUS_REVOKED;
|
| +
|
| + switch (trust_result) {
|
| + case kSecTrustResultUnspecified:
|
| + case kSecTrustResultProceed:
|
| + break;
|
| + case kSecTrustResultDeny:
|
| + verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
|
| + default:
|
| + verify_result->cert_status |= CERT_STATUS_INVALID;
|
| + }
|
| +
|
| + // Perform hostname verification independent of SecTrustEvaluate. In order to
|
| + // do so, mask off any reported name errors first.
|
| + verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;
|
| + if (!cert->VerifyNameMatch(hostname,
|
| + &verify_result->common_name_fallback_used)) {
|
| + verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
|
| + }
|
| +
|
| + verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
|
| + AppendPublicKeyHashes(final_chain, &verify_result->public_key_hashes);
|
| + verify_result->is_issued_by_known_root = true;
|
| +
|
| + if (IsCertStatusError(verify_result->cert_status))
|
| + return MapCertStatusToNetError(verify_result->cert_status);
|
| +
|
| + return OK;
|
| +}
|
| +
|
| +} // namespace net
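Review bot: In BuildAndEvaluateSecTrustRef, the loop that copies the evaluated chain calls `CFRelease(chain_cert)` on the value returned by `SecTrustGetCertificateAtIndex`, which follows the Core Foundation Get rule and is not owned by the caller; `CFArrayAppendValue` already retains it for the array, so each certificate is over-released and the SecTrustRef can be left holding dangling references. Drop that `CFRelease` line. In VerifyInternal, the int net error returned by BuildAndEvaluateSecTrustRef is stored in `OSStatus status` and passed through `NetErrorFromOSStatus` a second time, which collapses every failure to ERR_FAILED; use `int rv = BuildAndEvaluateSecTrustRef(...); if (rv != OK) return rv;` instead. `verify_result->is_issued_by_known_root = true;` is set unconditionally even though this file applies TestRootCerts fixups to the trust object, so chains anchored at test or locally installed roots are reported as publicly rooted; it should either be derived from the chain's anchor or carry a comment stating why the platform cannot tell and how callers are expected to treat the value. CreateTrustPolicies also appears to leak the CFStringRef returned by `base::SysUTF8ToCFStringRef(hostname)` and appends both policies without a null check, so holding the string in a `ScopedCFTypeRef<CFStringRef>` and returning `errSecAllocate` on a null policy would close that.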
|
|
|