1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "expect_staple_report.h" | |
6 | |
estark
2016/06/15 23:51:46
missing a bunch of #includes here
dadrian
2016/06/16 03:27:23
Done.
| |
7 namespace net { | |
8 | |
9 namespace { | |
10 | |
11 der::GeneralizedTime ConvertBaseTime(const base::Time& time) { | |
12 base::Time::Exploded exploded; | |
13 time.UTCExplode(&exploded); | |
14 | |
15 der::GeneralizedTime result; | |
16 result.year = exploded.year; | |
17 result.month = exploded.month; | |
18 result.day = exploded.day_of_month; | |
19 result.hours = exploded.hour; | |
20 result.minutes = exploded.minute; | |
21 result.seconds = exploded.second; | |
22 return result; | |
23 } | |
24 | |
25 bool CheckOCSPDateValid(const OCSPSingleResponse& response, | |
26 const base::Time& verify_time, | |
27 const base::TimeDelta& max_age) { | |
28 if (response.has_next_update && | |
29 !(response.this_update < response.next_update)) | |
30 return false; | |
31 | |
32 // Place |verify_time| in the bounds. | |
33 der::GeneralizedTime verify_time_der = ConvertBaseTime(verify_time); | |
34 if (!(response.this_update < verify_time_der)) | |
35 return false; | |
36 if (response.has_next_update && !(verify_time_der < response.next_update)) | |
37 return false; | |
38 | |
39 // Enforce |max_age|. | |
40 der::GeneralizedTime lower_bound = ConvertBaseTime(verify_time - max_age); | |
41 if (response.this_update < lower_bound) | |
42 return false; | |
43 return true; | |
44 } | |
45 | |
46 bool CompareCertIDToCertificate(const OCSPCertID& cert_id, | |
47 const X509Certificate& certificate) { | |
48 // TODO(dadrian): Verify name and key hashes. https://crbug.com/620005 | |
49 der::Input serial(&certificate.serial_number()); | |
50 return serial == cert_id.serial_number; | |
51 } | |
52 | |
53 } // namespace | |
54 | |
55 ExpectStapleReport::ExpectStapleReport() : staple_error_(StapleError::OK) {} | |
56 | |
57 ExpectStapleReport::~ExpectStapleReport() {} | |
58 | |
59 std::unique_ptr<ExpectStapleReport> ExpectStapleReport::FromRawOCSPResponse( | |
60 const std::string& raw_response, | |
61 const base::Time& verify_time, | |
62 const base::TimeDelta& max_age, | |
63 const X509Certificate& verified_certificate) { | |
64 std::unique_ptr<ExpectStapleReport> out(new ExpectStapleReport); | |
65 out->verify_time_ = verify_time; | |
66 der::Input response_der(&raw_response); | |
67 | |
68 OCSPResponse response; | |
69 if (!ParseOCSPResponse(response_der, &response)) { | |
70 out->staple_error_ = StapleError::PARSE_RESPONSE; | |
71 return out; | |
72 } | |
73 | |
74 // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the | |
75 // data. | |
76 if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) { | |
77 out->staple_error_ = StapleError::BAD_RESPONSE; | |
78 return out; | |
79 } | |
80 | |
81 OCSPResponseData response_data; | |
82 if (!ParseOCSPResponseData(response.data, &response_data)) { | |
83 out->staple_error_ = StapleError::PARSE_RESPONSE_DATA; | |
84 return out; | |
85 } | |
86 | |
87 bool contains_correct_response = false; | |
88 for (const auto& single_response_der : response_data.responses) { | |
89 OCSPSingleResponse single_response; | |
90 if (!ParseOCSPSingleResponse(single_response_der, &single_response)) | |
91 continue; | |
92 SingleResult single_result; | |
93 single_result.status = single_response.cert_status.status; | |
94 single_result.is_date_valid = | |
95 CheckOCSPDateValid(single_response, verify_time, max_age); | |
96 OCSPCertID cert_id; | |
97 if (ParseOCSPCertID(single_response.cert_id_tlv, &cert_id)) { | |
98 single_result.is_correct_certificate = | |
99 CompareCertIDToCertificate(cert_id, verified_certificate); | |
100 } | |
101 if (single_result.is_date_valid && single_result.is_correct_certificate && | |
102 single_result.status == OCSPCertStatus::Status::GOOD) { | |
103 contains_correct_response = true; | |
104 } | |
105 out->stapled_responses_.push_back(single_result); | |
106 } | |
107 | |
108 if (!contains_correct_response) { | |
109 out->staple_error_ = StapleError::NO_MATCHING_RESPONSE; | |
110 return out; | |
estark
2016/06/15 23:51:46
unnecessary
dadrian
2016/06/16 03:27:23
Done.
| |
111 } | |
112 return out; | |
113 } | |
114 | |
115 } // namespace net | |
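Review bot: `single_result.is_correct_certificate` is read on line 101 but only written inside the `if (ParseOCSPCertID(...))` branch on lines 97-100, so for a single response whose CertID fails to parse the field is left at whatever `SingleResult single_result;` gave it; unless the struct in expect_staple_report.h carries a default member initializer (not visible here), that is an indeterminate read driven by attacker-supplied stapled data. Set it explicitly before the branch, `single_result.is_correct_certificate = false;`, or give the `if` an `else` that assigns `false`, so a malformed CertID is always recorded as a non-match. Note also that `CompareCertIDToCertificate` accepts a response on serial number alone until the TODO on line 48 is resolved, so until then a report can mark a response as matching the certificate without its issuer hashes having been checked; a comment at the call site on line 98-99 saying so would help readers of the report's `is_correct_certificate` field.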