1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 | 10 |
175 bool IsPastSHA1DeprecationDate(const X509Certificate& cert) { | 175 bool IsPastSHA1DeprecationDate(const X509Certificate& cert) { |
176 const base::Time& start = cert.valid_start(); | 176 const base::Time& start = cert.valid_start(); |
177 if (start.is_max() || start.is_null()) | 177 if (start.is_max() || start.is_null()) |
178 return true; | 178 return true; |
179 // 2016-01-01 00:00:00 UTC. | 179 // 2016-01-01 00:00:00 UTC. |
180 const base::Time kSHA1DeprecationDate = | 180 const base::Time kSHA1DeprecationDate = |
181 base::Time::FromInternalValue(INT64_C(13096080000000000)); | 181 base::Time::FromInternalValue(INT64_C(13096080000000000)); |
182 return start >= kSHA1DeprecationDate; | 182 return start >= kSHA1DeprecationDate; |
183 } | 183 } |
184 | 184 |
185 bool CompareCertIDToCertificate(const OCSPCertID& cert_id, | |
186 const X509Certificate& certificate) { | |
187 // TODO(dadrian): Verify name and key hashes. https://crbug.com/620005 | |
188 der::Input serial(&certificate.serial_number()); | |
189 return serial == cert_id.serial_number; | |
190 } | |
191 | |
192 void CheckOCSP(const std::string& raw_response, | |
193 CertVerifyResult* verify_result) { | |
194 verify_result->ocsp.Reset(); | |
195 | |
196 if (raw_response.empty()) { | |
197 verify_result->ocsp.response_status = OCSPVerifyResult::MISSING; | |
198 return; | |
199 } | |
200 der::Input response_der(&raw_response); | |
201 | |
202 OCSPResponse response; | |
203 if (!ParseOCSPResponse(response_der, &response)) { | |
204 verify_result->ocsp.response_status = OCSPVerifyResult::PARSE_RESPONSE; | |
205 return; | |
206 } | |
207 | |
208 // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the | |
209 // data. | |
210 if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) { | |
211 verify_result->ocsp.response_status = OCSPVerifyResult::BAD_RESPONSE; | |
212 return; | |
213 } | |
214 | |
215 OCSPResponseData response_data; | |
216 if (!ParseOCSPResponseData(response.data, &response_data)) { | |
217 verify_result->ocsp.response_status = OCSPVerifyResult::PARSE_RESPONSE_DATA; | |
218 return; | |
219 } | |
220 | |
221 // TODO(svaldez): Unify with GetOCSPCertStatus. | |
222 bool contains_correct_response = false; | |
223 verify_result->ocsp.response_status = OCSPVerifyResult::NO_MATCHING_RESPONSE; | |
224 base::Time verify_time = base::Time::Now(); | |
225 base::TimeDelta max_age = base::TimeDelta::FromDays(7); | |
226 for (const auto& single_response_der : response_data.responses) { | |
227 OCSPSingleResponse single_response; | |
228 OCSPVerifyResult::SingleResult single_result; | |
229 if (ParseOCSPSingleResponse(single_response_der, &single_response)) { | |
230 single_result.did_parse = true; | |
231 single_result.status = single_response.cert_status.status; | |
232 single_result.is_date_valid = | |
233 CheckOCSPDateValid(single_response, verify_time, max_age); | |
234 OCSPCertID cert_id; | |
235 if (ParseOCSPCertID(single_response.cert_id_tlv, &cert_id)) { | |
236 single_result.is_correct_certificate = | |
237 CompareCertIDToCertificate(cert_id, *verify_result->verified_cert); | |
238 } | |
239 if (single_result.is_date_valid && single_result.is_correct_certificate) { | |
240 contains_correct_response = true; | |
241 if (single_response.cert_status.status >= | |
242 verify_result->ocsp.cert_status.value_or( | |
243 OCSPCertStatus::Status::GOOD)) { | |
244 verify_result->ocsp.cert_status = single_response.cert_status.status; | |
245 } | |
246 } | |
247 } | |
248 verify_result->ocsp.stapled_responses.push_back(single_result); | |
249 } | |
250 | |
251 if (contains_correct_response) { | |
252 verify_result->ocsp.response_status = OCSPVerifyResult::PROVIDED; | |
253 } | |
254 return; | |
svaldez
2016/06/23 14:03:15
nit: omit.
| |
255 } | |
256 | |
185 // Comparison functor used for binary searching whether a given HashValue, | 257 // Comparison functor used for binary searching whether a given HashValue, |
186 // which MUST be a SHA-256 hash, is contained with an array of SHA-256 | 258 // which MUST be a SHA-256 hash, is contained with an array of SHA-256 |
187 // hashes. | 259 // hashes. |
188 struct HashToArrayComparator { | 260 struct HashToArrayComparator { |
189 template <size_t N> | 261 template <size_t N> |
190 bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const { | 262 bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const { |
191 static_assert(N == crypto::kSHA256Length, | 263 static_assert(N == crypto::kSHA256Length, |
192 "Only SHA-256 hashes are supported"); | 264 "Only SHA-256 hashes are supported"); |
193 return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0; | 265 return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0; |
194 } | 266 } |
251 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set, | 323 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set, |
252 additional_trust_anchors, verify_result); | 324 additional_trust_anchors, verify_result); |
253 | 325 |
254 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback", | 326 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback", |
255 verify_result->common_name_fallback_used); | 327 verify_result->common_name_fallback_used); |
256 if (!verify_result->is_issued_by_known_root) { | 328 if (!verify_result->is_issued_by_known_root) { |
257 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA", | 329 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA", |
258 verify_result->common_name_fallback_used); | 330 verify_result->common_name_fallback_used); |
259 } | 331 } |
260 | 332 |
333 // Check OCSP information | |
334 CheckOCSP(ocsp_response, verify_result); | |
svaldez
2016/06/23 14:03:15
Should this be done even for blacklisted keys?
| |
335 | |
261 // This check is done after VerifyInternal so that VerifyInternal can fill | 336 // This check is done after VerifyInternal so that VerifyInternal can fill |
262 // in the list of public key hashes. | 337 // in the list of public key hashes. |
263 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 338 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
264 verify_result->cert_status |= CERT_STATUS_REVOKED; | 339 verify_result->cert_status |= CERT_STATUS_REVOKED; |
265 rv = MapCertStatusToNetError(verify_result->cert_status); | 340 rv = MapCertStatusToNetError(verify_result->cert_status); |
266 } | 341 } |
267 | 342 |
268 std::vector<std::string> dns_names, ip_addrs; | 343 std::vector<std::string> dns_names, ip_addrs; |
269 cert->GetSubjectAltName(&dns_names, &ip_addrs); | 344 cert->GetSubjectAltName(&dns_names, &ip_addrs); |
270 if (HasNameConstraintsViolation(verify_result->public_key_hashes, | 345 if (HasNameConstraintsViolation(verify_result->public_key_hashes, |
576 return true; | 651 return true; |
577 | 652 |
578 // For certificates issued after 1 April 2015: 39 months. | 653 // For certificates issued after 1 April 2015: 39 months. |
579 if (start >= time_2015_04_01 && month_diff > 39) | 654 if (start >= time_2015_04_01 && month_diff > 39) |
580 return true; | 655 return true; |
581 | 656 |
582 return false; | 657 return false; |
583 } | 658 } |
584 | 659 |
585 } // namespace net | 660 } // namespace net |
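Review bot: CheckOCSP (new lines 192-255) copies `single_response.cert_status.status` into `verify_result->ocsp.cert_status` without anything between ParseOCSPResponse and that assignment verifying the signature over `response.data` against the issuer or a delegated responder, and CompareCertIDToCertificate matches on serial number alone (the TODO on line 187 acknowledges the missing name/key hash checks), so an unsigned or mis-attributed stapled response is accepted as a valid status for the verified cert. Whether that is exploitable depends on how `ocsp.cert_status` is consumed outside this file, which I cannot see here, but an attacker holding a leaked key could staple a hand-built GOOD response to mask revocation if it is ever used for trust. Until signature verification lands, the function should carry a warning, e.g. `// NOTE: the responder signature is NOT verified here; ocsp.cert_status is parse/date/serial-matched only and must not drive trust decisions.` Two smaller points: `*verify_result->verified_cert` on line 237 presumably assumes VerifyInternal always populates verified_cert even when it returns an error, which is worth a guard or a comment, and the `>=` fold on lines 241-243 means a later UNKNOWN response will override an earlier REVOKED one if the enum orders UNKNOWN above REVOKED, which seems like the wrong precedence for a revocation check and deserves a comment explaining the intended ordering.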