Index: components/cast_certificate/cast_cert_validator.cc |
diff --git a/components/cast_certificate/cast_cert_validator.cc b/components/cast_certificate/cast_cert_validator.cc |
index 5fb0ea162c46d496650d187c2b5480d02abc2685..d91b7930e7c53364bffd85c54928f5c5248d91d8 100644 |
--- a/components/cast_certificate/cast_cert_validator.cc |
+++ b/components/cast_certificate/cast_cert_validator.cc |
@@ -13,15 +13,16 @@ |
#include "base/memory/ptr_util.h" |
#include "base/memory/singleton.h" |
+#include "net/cert/internal/cert_issuer_source_static.h" |
#include "net/cert/internal/certificate_policies.h" |
#include "net/cert/internal/extended_key_usage.h" |
#include "net/cert/internal/parse_certificate.h" |
#include "net/cert/internal/parse_name.h" |
#include "net/cert/internal/parsed_certificate.h" |
+#include "net/cert/internal/path_builder.h" |
#include "net/cert/internal/signature_algorithm.h" |
#include "net/cert/internal/signature_policy.h" |
#include "net/cert/internal/trust_store.h" |
-#include "net/cert/internal/verify_certificate_chain.h" |
#include "net/cert/internal/verify_signed_data.h" |
#include "net/der/input.h" |
@@ -282,16 +283,24 @@ bool VerifyDeviceCert(const std::vector<std::string>& certs, |
} |
} |
+ net::CertIssuerSourceStatic intermediate_cert_issuer_source; |
+ for (size_t i = 1; i < input_chain.size(); ++i) |
eroman
2016/06/17 01:03:22
Given how this works now, I think we should probab
mattm
2016/06/18 04:28:55
Done.
|
+ intermediate_cert_issuer_source.AddCert(input_chain[i]); |
+ |
// Use a signature policy compatible with Cast's PKI. |
auto signature_policy = CreateCastSignaturePolicy(); |
// Do RFC 5280 compatible certificate verification using the two Cast |
// trust anchors and Cast signature policy. |
- if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), |
- signature_policy.get(), |
- ConvertExplodedTime(time))) { |
+ net::CertPathBuilder::Result result; |
+ net::CertPathBuilder path_builder(input_chain.front(), &CastTrustStore::Get(), |
eroman
2016/06/17 01:03:21
This also needs to ensure somewhere that !input_c
mattm
2016/06/18 04:28:55
Done.
|
+ signature_policy.get(), |
+ ConvertExplodedTime(time), &result); |
+ path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
+ net::CompletionStatus rv = path_builder.Run(base::Closure()); |
+ DCHECK(rv == net::CompletionStatus::SYNC); |
eroman
2016/06/17 01:03:21
nit: DCHECK_EQ()
mattm
2016/06/18 04:28:55
Done.
|
+ if (result.result() != net::OK) |
eroman
2016/06/17 01:03:22
How about abstracting this with result.IsSuccess()
mattm
2016/06/18 04:28:55
Done.
|
return false; |
- } |
// Check properties of the leaf certificate (key usage, policy), and construct |
// a CertVerificationContext that uses its public key. |
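Review bot: The `DCHECK(rv == net::CompletionStatus::SYNC)` after `path_builder.Run(base::Closure())` is the only guard against reading `result` before path building has finished, and DCHECKs are compiled out of release builds. With only the static intermediate source attached, the asynchronous path is presumably unreachable, but certificate validation should fail closed rather than rely on that. I would fold the status into the rejection, e.g. `if (rv != net::CompletionStatus::SYNC || result.result() != net::OK) return false;`. It also looks as though the path builder is free to pick any ordering or subset of the supplied intermediates, whereas the removed `net::VerifyCertificateChain` call was handed `input_chain` as given; if that holds, the comment above the call should say that extra or unordered certificates in `certs` are now tolerated. VerifyDeviceCert starts and ends outside this hunk.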