| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 11 #include <memory> | 11 #include <memory> |
| 12 #include <utility> | 12 #include <utility> |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 16 #include "components/cast_certificate/cast_crl.h" |
| 16 #include "net/cert/internal/certificate_policies.h" | 17 #include "net/cert/internal/certificate_policies.h" |
| 17 #include "net/cert/internal/extended_key_usage.h" | 18 #include "net/cert/internal/extended_key_usage.h" |
| 18 #include "net/cert/internal/parse_certificate.h" | 19 #include "net/cert/internal/parse_certificate.h" |
| 19 #include "net/cert/internal/parse_name.h" | 20 #include "net/cert/internal/parse_name.h" |
| 20 #include "net/cert/internal/parsed_certificate.h" | 21 #include "net/cert/internal/parsed_certificate.h" |
| 21 #include "net/cert/internal/signature_algorithm.h" | 22 #include "net/cert/internal/signature_algorithm.h" |
| 22 #include "net/cert/internal/signature_policy.h" | 23 #include "net/cert/internal/signature_policy.h" |
| 23 #include "net/cert/internal/trust_store.h" | 24 #include "net/cert/internal/trust_store.h" |
| 24 #include "net/cert/internal/verify_certificate_chain.h" | 25 #include "net/cert/internal/verify_certificate_chain.h" |
| 25 #include "net/cert/internal/verify_signed_data.h" | 26 #include "net/cert/internal/verify_signed_data.h" |
| (...skipping 247 matching lines...) |
| 273 // necessary. Should revisit this for removal in 2017 if not earlier. | 274 // necessary. Should revisit this for removal in 2017 if not earlier. |
| 274 options.allow_invalid_serial_numbers = true; | 275 options.allow_invalid_serial_numbers = true; |
| 275 return options; | 276 return options; |
| 276 } | 277 } |
| 277 | 278 |
| 278 } // namespace | 279 } // namespace |
| 279 | 280 |
| 280 bool VerifyDeviceCert(const std::vector<std::string>& certs, | 281 bool VerifyDeviceCert(const std::vector<std::string>& certs, |
| 281 const base::Time::Exploded& time, | 282 const base::Time::Exploded& time, |
| 282 std::unique_ptr<CertVerificationContext>* context, | 283 std::unique_ptr<CertVerificationContext>* context, |
| 283 CastDeviceCertPolicy* policy) { | 284 CastDeviceCertPolicy* policy, |
| 285 const CastCRL* crl, |
| 286 CRLOptions crl_options) { |
| 284 // The underlying verification function expects a sequence of | 287 // The underlying verification function expects a sequence of |
| 285 // ParsedCertificate. | 288 // ParsedCertificate. |
| 286 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | 289 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; |
| 287 // Verify that nothing saves a reference to the input certs, since the backing | 290 // Verify that nothing saves a reference to the input certs, since the backing |
| 288 // data will go out of scope when the function finishes. | 291 // data will go out of scope when the function finishes. |
| 289 ScopedCheckUnreferencedCerts ref_checker(&input_chain); | 292 ScopedCheckUnreferencedCerts ref_checker(&input_chain); |
| 290 | 293 |
| 291 for (const auto& cert_der : certs) { | 294 for (const auto& cert_der : certs) { |
| 292 // No reference to the ParsedCertificate is kept past the end of this | 295 // No reference to the ParsedCertificate is kept past the end of this |
| 293 // function, so using EXTERNAL_REFERENCE here is safe. | 296 // function, so using EXTERNAL_REFERENCE here is safe. |
| 294 if (!net::ParsedCertificate::CreateAndAddToVector( | 297 if (!net::ParsedCertificate::CreateAndAddToVector( |
| 295 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), | 298 reinterpret_cast<const uint8_t*>(cert_der.data()), cert_der.size(), |
| 296 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 299 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, |
| 297 GetCertParsingOptions(), &input_chain)) { | 300 GetCertParsingOptions(), &input_chain)) { |
| 298 return false; | 301 return false; |
| 299 } | 302 } |
| 300 } | 303 } |
| 301 | 304 |
| 302 // Use a signature policy compatible with Cast's PKI. | 305 // Use a signature policy compatible with Cast's PKI. |
| 303 auto signature_policy = CreateCastSignaturePolicy(); | 306 auto signature_policy = CreateCastSignaturePolicy(); |
| 304 | 307 |
| 305 // Do RFC 5280 compatible certificate verification using the two Cast | 308 // Do RFC 5280 compatible certificate verification using the two Cast |
| 306 // trust anchors and Cast signature policy. | 309 // trust anchors and Cast signature policy. |
| 310 std::vector<scoped_refptr<net::ParsedCertificate>> trusted_chain; |
| 307 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), | 311 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), |
| 308 signature_policy.get(), | 312 signature_policy.get(), |
| 309 ConvertExplodedTime(time), nullptr)) { | 313 ConvertExplodedTime(time), &trusted_chain)) { |
| 310 return false; | 314 return false; |
| 311 } | 315 } |
| 312 | 316 |
| 313 // Check properties of the leaf certificate (key usage, policy), and construct | 317 // Check properties of the leaf certificate (key usage, policy), and construct |
| 314 // a CertVerificationContext that uses its public key. | 318 // a CertVerificationContext that uses its public key. |
| 315 return CheckTargetCertificate(input_chain[0].get(), context, policy); | 319 if (!CheckTargetCertificate(input_chain[0].get(), context, policy)) |
| 320 return false; |
| 321 |
| 322 // Check if a CRL is available. |
| 323 if (!crl) { |
| 324 if (crl_options.crl_required) { |
| 325 return false; |
| 326 } |
| 327 return true; |
| 328 } |
| 329 return crl->CheckRevocation(trusted_chain, time); |
| 316 } | 330 } |
| 317 | 331 |
| 318 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 332 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 319 const base::StringPiece& spki) { | 333 const base::StringPiece& spki) { |
| 320 // Use a bogus CommonName, since this is just exposed for testing signature | 334 // Use a bogus CommonName, since this is just exposed for testing signature |
| 321 // verification by unittests. | 335 // verification by unittests. |
| 322 return base::WrapUnique( | 336 return base::WrapUnique( |
| 323 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 337 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 324 } | 338 } |
| 325 | 339 |
| 326 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { | 340 bool SetTrustAnchorForTest(const uint8_t* data, size_t length) { |
| 327 scoped_refptr<net::ParsedCertificate> anchor( | 341 scoped_refptr<net::ParsedCertificate> anchor( |
| 328 net::ParsedCertificate::CreateFromCertificateData( | 342 net::ParsedCertificate::CreateFromCertificateData( |
| 329 data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 343 data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, |
| 330 GetCertParsingOptions())); | 344 GetCertParsingOptions())); |
| 331 if (!anchor) | 345 if (!anchor) |
| 332 return false; | 346 return false; |
| 347 CastTrustStore::Get().Clear(); |
| 333 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | 348 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); |
| 334 return true; | 349 return true; |
| 335 } | 350 } |
| 336 | 351 |
| 337 } // namespace cast_certificate | 352 } // namespace cast_certificate |
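Review bot: In VerifyDeviceCert the new revocation decision (new lines 322-329) runs only after CheckTargetCertificate has been handed `context` and `policy`, so a `false` return for a required-but-missing CRL or a revoked chain can presumably leave both out-params populated from the rejected leaf. A caller that tests `*context` instead of the return value would then hold a verification context for a certificate that failed revocation. Deciding revocation first leaves the out-params untouched on those failure paths: `if (!crl && crl_options.crl_required) return false;`, `if (crl && !crl->CheckRevocation(trusted_chain, time)) return false;`, then `return CheckTargetCertificate(input_chain[0].get(), context, policy);`. CheckTargetCertificate's body is in the skipped lines, so confirm there whether it writes the out-params before its own checks pass. The declaration comment for the new parameters should also say that a null `crl` with `crl_required` false accepts the chain with no revocation check at all.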
| OLD | NEW |