| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 11 #include <memory> | 11 #include <memory> |
| 12 #include <utility> | 12 #include <utility> |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 16 #include "net/cert/internal/cert_issuer_source_static.h" | |
| 16 #include "net/cert/internal/certificate_policies.h" | 17 #include "net/cert/internal/certificate_policies.h" |
| 17 #include "net/cert/internal/extended_key_usage.h" | 18 #include "net/cert/internal/extended_key_usage.h" |
| 18 #include "net/cert/internal/parse_certificate.h" | 19 #include "net/cert/internal/parse_certificate.h" |
| 19 #include "net/cert/internal/parse_name.h" | 20 #include "net/cert/internal/parse_name.h" |
| 20 #include "net/cert/internal/parsed_certificate.h" | 21 #include "net/cert/internal/parsed_certificate.h" |
| 22 #include "net/cert/internal/path_builder.h" | |
| 21 #include "net/cert/internal/signature_algorithm.h" | 23 #include "net/cert/internal/signature_algorithm.h" |
| 22 #include "net/cert/internal/signature_policy.h" | 24 #include "net/cert/internal/signature_policy.h" |
| 23 #include "net/cert/internal/trust_store.h" | 25 #include "net/cert/internal/trust_store.h" |
| 24 #include "net/cert/internal/verify_certificate_chain.h" | |
| 25 #include "net/cert/internal/verify_signed_data.h" | 26 #include "net/cert/internal/verify_signed_data.h" |
| 26 #include "net/der/input.h" | 27 #include "net/der/input.h" |
| 27 | 28 |
| 28 namespace cast_certificate { | 29 namespace cast_certificate { |
| 29 namespace { | 30 namespace { |
| 30 | 31 |
| 31 // ------------------------------------------------------------------------- | 32 // ------------------------------------------------------------------------- |
| 32 // Cast trust anchors. | 33 // Cast trust anchors. |
| 33 // ------------------------------------------------------------------------- | 34 // ------------------------------------------------------------------------- |
| 34 | 35 |
| (...skipping 240 matching lines...) | |
| 275 // No reference to the ParsedCertificate is kept past the end of this | 276 // No reference to the ParsedCertificate is kept past the end of this |
| 276 // function, so using EXTERNAL_REFERENCE here is safe. | 277 // function, so using EXTERNAL_REFERENCE here is safe. |
| 277 if (!net::ParsedCertificate::CreateAndAddToVector( | 278 if (!net::ParsedCertificate::CreateAndAddToVector( |
| 278 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), | 279 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), |
| 279 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 280 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, |
| 280 &input_chain)) { | 281 &input_chain)) { |
| 281 return false; | 282 return false; |
| 282 } | 283 } |
| 283 } | 284 } |
| 284 | 285 |
| 286 net::CertIssuerSourceStatic intermediate_cert_issuer_source; | |
| 287 for (size_t i = 1; i < input_chain.size(); ++i) | |
|
eroman
2016/06/17 01:03:22
Given how this works now, I think we should probab
mattm
2016/06/18 04:28:55
Done.
| |
| 288 intermediate_cert_issuer_source.AddCert(input_chain[i]); | |
| 289 | |
| 285 // Use a signature policy compatible with Cast's PKI. | 290 // Use a signature policy compatible with Cast's PKI. |
| 286 auto signature_policy = CreateCastSignaturePolicy(); | 291 auto signature_policy = CreateCastSignaturePolicy(); |
| 287 | 292 |
| 288 // Do RFC 5280 compatible certificate verification using the two Cast | 293 // Do RFC 5280 compatible certificate verification using the two Cast |
| 289 // trust anchors and Cast signature policy. | 294 // trust anchors and Cast signature policy. |
| 290 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), | 295 net::CertPathBuilder::Result result; |
| 291 signature_policy.get(), | 296 net::CertPathBuilder path_builder(input_chain.front(), &CastTrustStore::Get(), |
|
eroman
2016/06/17 01:03:21
There needs to also ensure somewhere that !input_c
mattm
2016/06/18 04:28:55
Done.
| |
| 292 ConvertExplodedTime(time))) { | 297 signature_policy.get(), |
| 298 ConvertExplodedTime(time), &result); | |
| 299 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | |
| 300 net::CompletionStatus rv = path_builder.Run(base::Closure()); | |
| 301 DCHECK(rv == net::CompletionStatus::SYNC); | |
|
eroman
2016/06/17 01:03:21
nit: DCHECK_EQ()
mattm
2016/06/18 04:28:55
Done.
| |
| 302 if (result.result() != net::OK) | |
|
eroman
2016/06/17 01:03:22
How about abstracting this with result.IsSuccess()
mattm
2016/06/18 04:28:55
Done.
| |
| 293 return false; | 303 return false; |
| 294 } | |
| 295 | 304 |
| 296 // Check properties of the leaf certificate (key usage, policy), and construct | 305 // Check properties of the leaf certificate (key usage, policy), and construct |
| 297 // a CertVerificationContext that uses its public key. | 306 // a CertVerificationContext that uses its public key. |
| 298 return CheckTargetCertificate(input_chain[0].get(), context, policy); | 307 return CheckTargetCertificate(input_chain[0].get(), context, policy); |
| 299 } | 308 } |
| 300 | 309 |
| 301 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 310 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 302 const base::StringPiece& spki) { | 311 const base::StringPiece& spki) { |
| 303 // Use a bogus CommonName, since this is just exposed for testing signature | 312 // Use a bogus CommonName, since this is just exposed for testing signature |
| 304 // verification by unittests. | 313 // verification by unittests. |
| 305 return base::WrapUnique( | 314 return base::WrapUnique( |
| 306 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 315 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 307 } | 316 } |
| 308 | 317 |
| 309 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { | 318 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { |
| 310 scoped_refptr<net::ParsedCertificate> anchor( | 319 scoped_refptr<net::ParsedCertificate> anchor( |
| 311 net::ParsedCertificate::CreateFromCertificateData( | 320 net::ParsedCertificate::CreateFromCertificateData( |
| 312 data, length, | 321 data, length, |
| 313 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE)); | 322 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE)); |
| 314 if (!anchor) | 323 if (!anchor) |
| 315 return false; | 324 return false; |
| 316 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | 325 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); |
| 317 return true; | 326 return true; |
| 318 } | 327 } |
| 319 | 328 |
| 320 } // namespace cast_certificate | 329 } // namespace cast_certificate |
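Review bot: The assumption that path building completes synchronously is enforced only by `DCHECK(rv == net::CompletionStatus::SYNC)` at new line 301, which is normally compiled out of release builds, so if `path_builder.Run()` ever returned without completing, `result` would be read at line 302 before it is populated. Because this is the trust decision for the device certificate, it would be safer to fail closed as well, e.g. `if (rv != net::CompletionStatus::SYNC) return false;`, and keep the debug check. Passing a null `base::Closure()` as the callback presumably relies on the same assumption, so it deserves a comment such as `// Only static issuer sources are registered, so Run() is expected to complete synchronously.` The enclosing function begins in the skipped region above new line 276, so its signature and earlier checks are not visible here.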