OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "ocsp_staple.h" | |
6 namespace net { | |
7 | |
8 namespace { | |
9 | |
10 der::GeneralizedTime ConvertBaseTime(const base::Time& time) { | |
11 base::Time::Exploded exploded; | |
12 time.UTCExplode(&exploded); | |
13 | |
14 der::GeneralizedTime result; | |
15 result.year = exploded.year; | |
16 result.month = exploded.month; | |
17 result.day = exploded.day_of_month; | |
18 result.hours = exploded.hour; | |
19 result.minutes = exploded.minute; | |
20 result.seconds = exploded.second; | |
21 return result; | |
22 } | |
23 | |
24 bool CheckOCSPDateValid(const OCSPSingleResponse& response, | |
25 const base::Time verify_time, | |
estark
2016/06/14 02:10:27
nit: pass by reference (and the next arg too)
dadrian
2016/06/14 18:40:00
Done. (Whoops)
| |
26 const base::TimeDelta max_age) { | |
27 if (response.has_next_update && | |
28 !(response.this_update < response.next_update)) | |
29 return false; | |
30 | |
31 // Place verify_time in the bounds | |
estark
2016/06/14 02:10:27
nits: period and pipes around verify_time
dadrian
2016/06/14 18:40:00
Done.
| |
32 der::GeneralizedTime verify_time_der = ConvertBaseTime(verify_time); | |
33 if (!(response.this_update < verify_time_der)) | |
34 return false; | |
35 if (response.has_next_update && !(verify_time_der < response.next_update)) | |
36 return false; | |
37 | |
38 // Enforce max age | |
estark
2016/06/14 02:10:27
nit: period
dadrian
2016/06/14 18:40:00
Done.
| |
39 der::GeneralizedTime lower_bound = ConvertBaseTime(verify_time - max_age); | |
40 if (response.this_update < lower_bound) | |
41 return false; | |
42 return true; | |
43 } | |
44 | |
45 bool CompareCertIDToCertificate(const OCSPCertID& cert_id, | |
46 const X509Certificate& certificate) { | |
47 // TODO(dadrian): Verify name and key hashes | |
48 der::Input serial(&certificate.serial_number()); | |
49 return serial == cert_id.serial_number; | |
50 } | |
51 | |
52 } // namespace | |
53 | |
54 ExpectStapleReport::ExpectStapleReport() : staple_error_(StapleError::OK) {} | |
55 | |
56 ExpectStapleReport::~ExpectStapleReport() {} | |
57 | |
58 std::unique_ptr<ExpectStapleReport> ExpectStapleReport::FromRawOCSPResponse( | |
59 const std::string raw_response, | |
60 const base::Time& verify_time, | |
61 const base::TimeDelta& max_age, | |
62 const X509Certificate& verified_certificate) { | |
63 std::unique_ptr<ExpectStapleReport> out(new ExpectStapleReport); | |
64 out->verify_time_ = verify_time; | |
65 der::Input response_der(&raw_response); | |
66 | |
67 OCSPResponse response; | |
68 if (!ParseOCSPResponse(response_der, &response)) { | |
69 out->staple_error_ = StapleError::PARSE_RESPONSE; | |
70 return out; | |
71 } | |
72 | |
73 // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the | |
74 // data. | |
75 if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) { | |
76 out->staple_error_ = StapleError::BAD_RESPONSE; | |
77 return out; | |
78 } | |
79 | |
80 OCSPResponseData response_data; | |
81 if (!ParseOCSPResponseData(response.data, &response_data)) { | |
82 out->staple_error_ = StapleError::PARSE_RESPONSE_DATA; | |
83 return out; | |
84 } | |
85 | |
86 bool contains_correct_response = false; | |
87 for (const auto& single_response_der : response_data.responses) { | |
88 OCSPSingleResponse single_response; | |
89 if (!ParseOCSPSingleResponse(single_response_der, &single_response)) | |
90 continue; | |
91 SingleResult single_result; | |
92 single_result.status = single_response.cert_status.status; | |
93 single_result.is_date_valid = | |
94 CheckOCSPDateValid(single_response, verify_time, max_age); | |
95 OCSPCertID cert_id; | |
96 if (ParseOCSPCertID(single_response.cert_id_tlv, &cert_id)) { | |
97 single_result.is_correct_certificate = | |
98 CompareCertIDToCertificate(cert_id, verified_certificate); | |
99 } | |
100 if (single_result.is_date_valid && single_result.is_correct_certificate && | |
101 single_result.status == OCSPCertStatus::Status::GOOD) { | |
102 contains_correct_response = true; | |
103 } | |
104 out->stapled_responses_.push_back(single_result); | |
105 } | |
106 | |
107 if (!contains_correct_response) { | |
108 out->staple_error_ = StapleError::NO_MATCHING_RESPONSE; | |
109 return out; | |
110 } | |
111 return out; | |
112 } | |
113 | |
114 } // namespace net | |
OLD | NEW |