| Index: extensions/common/cast/cast_cert_validator.cc
|
| diff --git a/extensions/common/cast/cast_cert_validator.cc b/extensions/common/cast/cast_cert_validator.cc
|
| index 2211bb653cf0525be8f80c236140a43317732415..085bef128c741668f6de2b5e76e6f3d20a142ba7 100644
|
| --- a/extensions/common/cast/cast_cert_validator.cc
|
| +++ b/extensions/common/cast/cast_cert_validator.cc
|
| @@ -119,32 +119,6 @@ unsigned char kEurekaRootCaSpkiDer[294] = {
|
| 0x45, 0x02, 0x03, 0x01, 0x00, 0x01,
|
| };
|
|
|
| -// Helper function that creates and initializes a TrustAnchor struct given
|
| -// arrays for the subject's DER and the SPKI's DER.
|
| -template <size_t SubjectSize, size_t SpkiSize>
|
| -net::TrustAnchor CreateTrustAnchor(const uint8_t (&subject)[SubjectSize],
|
| - const uint8_t (&spki)[SpkiSize]) {
|
| - net::TrustAnchor anchor;
|
| - anchor.name = std::string(subject, subject + SubjectSize);
|
| - anchor.spki = std::string(spki, spki + SpkiSize);
|
| - return anchor;
|
| -}
|
| -
|
| -// Creates a trust store with the two Cast roots.
|
| -//
|
| -// TODO(eroman): The root certificates themselves are not included in the trust
|
| -// store (just their subject/SPKI). The problem with this approach is any
|
| -// restrictions encoded in their (like path length, or policy) are not known
|
| -// when verifying, and hence not enforced.
|
| -net::TrustStore CreateCastTrustStore() {
|
| - net::TrustStore store;
|
| - store.anchors.push_back(
|
| - CreateTrustAnchor(kEurekaRootCaSubjectDer, kEurekaRootCaSpkiDer));
|
| - store.anchors.push_back(
|
| - CreateTrustAnchor(kCastRootCaSubjectDer, kCastRootCaSpkiDer));
|
| - return store;
|
| -}
|
| -
|
| using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>;
|
|
|
| // Helper that looks up an extension by OID given a map of extensions.
|
| @@ -336,6 +310,19 @@ net::der::GeneralizedTime ConvertExplodedTime(
|
|
|
| } // namespace
|
|
|
| +// TODO(eroman): The root certificates themselves are not included in the trust
|
| +// store (just their subject/SPKI). The problem with this approach is any
|
| +// restrictions encoded in their (like path length, or policy) are not known
|
| +// when verifying, and hence not enforced.
|
| +net::TrustStore CreateCastTrustStore() {
|
| + net::TrustStore store;
|
| + store.anchors.push_back(
|
| + CreateTrustAnchor(kEurekaRootCaSubjectDer, kEurekaRootCaSpkiDer));
|
| + store.anchors.push_back(
|
| + CreateTrustAnchor(kCastRootCaSubjectDer, kCastRootCaSpkiDer));
|
| + return store;
|
| +}
|
| +
|
| bool VerifyDeviceCert(const std::vector<std::string>& certs,
|
| const base::Time::Exploded& time,
|
| scoped_ptr<CertVerificationContext>* context,
|
| @@ -347,7 +334,14 @@ bool VerifyDeviceCert(const std::vector<std::string>& certs,
|
| // time a chain needs to be verified rather than caching it, to
|
| // avoid memory bloat.
|
| auto trust_store = CreateCastTrustStore();
|
| + return VerifyDeviceCert(certs, time, context, policy, trust_store);
|
| +}
|
|
|
| +bool VerifyDeviceCert(const std::vector<std::string>& certs,
|
| + const base::Time::Exploded& time,
|
| + scoped_ptr<CertVerificationContext>* context,
|
| + CastDeviceCertPolicy* policy,
|
| + net::TrustStore trust_store) {
|
| // The underlying verification function expects a sequence of
|
| // der::Input, so wrap the data in it (cheap).
|
| std::vector<net::der::Input> input_chain;
|
|
|
Chromium Code Reviews
Issue 1888913005:
Add a hook to inject trusted Cast roots for testing purposes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master