OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
11 #include <memory> | 11 #include <memory> |
12 #include <utility> | 12 #include <utility> |
13 | 13 |
14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
15 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
16 #include "net/cert/internal/cert_issuer_source_static.h" | |
16 #include "net/cert/internal/certificate_policies.h" | 17 #include "net/cert/internal/certificate_policies.h" |
17 #include "net/cert/internal/extended_key_usage.h" | 18 #include "net/cert/internal/extended_key_usage.h" |
18 #include "net/cert/internal/parse_certificate.h" | 19 #include "net/cert/internal/parse_certificate.h" |
19 #include "net/cert/internal/parse_name.h" | 20 #include "net/cert/internal/parse_name.h" |
20 #include "net/cert/internal/parsed_certificate.h" | 21 #include "net/cert/internal/parsed_certificate.h" |
22 #include "net/cert/internal/path_builder.h" | |
21 #include "net/cert/internal/signature_algorithm.h" | 23 #include "net/cert/internal/signature_algorithm.h" |
22 #include "net/cert/internal/signature_policy.h" | 24 #include "net/cert/internal/signature_policy.h" |
23 #include "net/cert/internal/trust_store.h" | 25 #include "net/cert/internal/trust_store.h" |
24 #include "net/cert/internal/verify_certificate_chain.h" | |
25 #include "net/cert/internal/verify_signed_data.h" | 26 #include "net/cert/internal/verify_signed_data.h" |
26 #include "net/der/input.h" | 27 #include "net/der/input.h" |
27 | 28 |
28 namespace cast_certificate { | 29 namespace cast_certificate { |
29 namespace { | 30 namespace { |
30 | 31 |
31 // ------------------------------------------------------------------------- | 32 // ------------------------------------------------------------------------- |
32 // Cast trust anchors. | 33 // Cast trust anchors. |
33 // ------------------------------------------------------------------------- | 34 // ------------------------------------------------------------------------- |
34 | 35 |
(...skipping 240 matching lines...) | |
275 // No reference to the ParsedCertificate is kept past the end of this | 276 // No reference to the ParsedCertificate is kept past the end of this |
276 // function, so using EXTERNAL_REFERENCE here is safe. | 277 // function, so using EXTERNAL_REFERENCE here is safe. |
277 if (!net::ParsedCertificate::CreateAndAddToVector( | 278 if (!net::ParsedCertificate::CreateAndAddToVector( |
278 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), | 279 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), |
279 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 280 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, |
280 &input_chain)) { | 281 &input_chain)) { |
281 return false; | 282 return false; |
282 } | 283 } |
283 } | 284 } |
284 | 285 |
286 net::CertIssuerSourceStatic intermediate_cert_issuer_source; | |
287 for (size_t i = 1; i < input_chain.size(); ++i) | |
eroman
2016/06/17 01:03:22
Given how this works now, I think we should probab
mattm
2016/06/18 04:28:55
Done.
| |
288 intermediate_cert_issuer_source.AddCert(input_chain[i]); | |
289 | |
285 // Use a signature policy compatible with Cast's PKI. | 290 // Use a signature policy compatible with Cast's PKI. |
286 auto signature_policy = CreateCastSignaturePolicy(); | 291 auto signature_policy = CreateCastSignaturePolicy(); |
287 | 292 |
288 // Do RFC 5280 compatible certificate verification using the two Cast | 293 // Do RFC 5280 compatible certificate verification using the two Cast |
289 // trust anchors and Cast signature policy. | 294 // trust anchors and Cast signature policy. |
290 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), | 295 net::CertPathBuilder::Result result; |
291 signature_policy.get(), | 296 net::CertPathBuilder path_builder(input_chain.front(), &CastTrustStore::Get(), |
eroman
2016/06/17 01:03:21
There needs to also ensure somewhere that !input_c
mattm
2016/06/18 04:28:55
Done.
| |
292 ConvertExplodedTime(time))) { | 297 signature_policy.get(), |
298 ConvertExplodedTime(time), &result); | |
299 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | |
300 net::CompletionStatus rv = path_builder.Run(base::Closure()); | |
301 DCHECK(rv == net::CompletionStatus::SYNC); | |
eroman
2016/06/17 01:03:21
nit: DCHECK_EQ()
mattm
2016/06/18 04:28:55
Done.
| |
302 if (result.result() != net::OK) | |
eroman
2016/06/17 01:03:22
How about abstracting this with result.IsSuccess()
mattm
2016/06/18 04:28:55
Done.
| |
293 return false; | 303 return false; |
294 } | |
295 | 304 |
296 // Check properties of the leaf certificate (key usage, policy), and construct | 305 // Check properties of the leaf certificate (key usage, policy), and construct |
297 // a CertVerificationContext that uses its public key. | 306 // a CertVerificationContext that uses its public key. |
298 return CheckTargetCertificate(input_chain[0].get(), context, policy); | 307 return CheckTargetCertificate(input_chain[0].get(), context, policy); |
299 } | 308 } |
300 | 309 |
301 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 310 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
302 const base::StringPiece& spki) { | 311 const base::StringPiece& spki) { |
303 // Use a bogus CommonName, since this is just exposed for testing signature | 312 // Use a bogus CommonName, since this is just exposed for testing signature |
304 // verification by unittests. | 313 // verification by unittests. |
305 return base::WrapUnique( | 314 return base::WrapUnique( |
306 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 315 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
307 } | 316 } |
308 | 317 |
309 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { | 318 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { |
310 scoped_refptr<net::ParsedCertificate> anchor( | 319 scoped_refptr<net::ParsedCertificate> anchor( |
311 net::ParsedCertificate::CreateFromCertificateData( | 320 net::ParsedCertificate::CreateFromCertificateData( |
312 data, length, | 321 data, length, |
313 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE)); | 322 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE)); |
314 if (!anchor) | 323 if (!anchor) |
315 return false; | 324 return false; |
316 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | 325 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); |
317 return true; | 326 return true; |
318 } | 327 } |
319 | 328 |
320 } // namespace cast_certificate | 329 } // namespace cast_certificate |
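Review bot: The completion check on new lines 300-301 exists only as a `DCHECK`, which is normally compiled out of release builds, so a `Run()` that did not finish synchronously would fall through to reading `result` before path building has completed. Because this branch decides whether a peer-supplied chain is trusted, the function should fail closed in every build, for example `if (rv != net::CompletionStatus::SYNC || result.result() != net::OK) return false;` in place of the bare result test. With only the static issuer source registered this is presumably unreachable today, but the guard keeps it that way if an asynchronous issuer source is added later. The enclosing function starts in the skipped region above, so its earlier handling of `input_chain` is not visible here.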
OLD | NEW |