| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 11 #include <memory> | 11 #include <memory> |
| 12 #include <utility> | 12 #include <utility> |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 16 #include "net/cert/internal/cert_issuer_source_static.h" | 16 #include "net/cert/internal/cert_issuer_source_static.h" |
| 17 #include "components/cast_certificate/cast_crl.h" | |
| 17 #include "net/cert/internal/certificate_policies.h" | 18 #include "net/cert/internal/certificate_policies.h" |
| 18 #include "net/cert/internal/extended_key_usage.h" | 19 #include "net/cert/internal/extended_key_usage.h" |
| 19 #include "net/cert/internal/parse_certificate.h" | 20 #include "net/cert/internal/parse_certificate.h" |
| 20 #include "net/cert/internal/parse_name.h" | 21 #include "net/cert/internal/parse_name.h" |
| 21 #include "net/cert/internal/parsed_certificate.h" | 22 #include "net/cert/internal/parsed_certificate.h" |
| 22 #include "net/cert/internal/path_builder.h" | 23 #include "net/cert/internal/path_builder.h" |
| 23 #include "net/cert/internal/signature_algorithm.h" | 24 #include "net/cert/internal/signature_algorithm.h" |
| 24 #include "net/cert/internal/signature_policy.h" | 25 #include "net/cert/internal/signature_policy.h" |
| 25 #include "net/cert/internal/trust_store.h" | 26 #include "net/cert/internal/trust_store.h" |
| 26 #include "net/cert/internal/verify_signed_data.h" | 27 #include "net/cert/internal/verify_signed_data.h" |
| (...skipping 233 matching lines...) | |
| 260 // necessary. Should revisit this for removal in 2017 if not earlier. | 261 // necessary. Should revisit this for removal in 2017 if not earlier. |
| 261 options.allow_invalid_serial_numbers = true; | 262 options.allow_invalid_serial_numbers = true; |
| 262 return options; | 263 return options; |
| 263 } | 264 } |
| 264 | 265 |
| 265 } // namespace | 266 } // namespace |
| 266 | 267 |
| 267 bool VerifyDeviceCert(const std::vector<std::string>& certs, | 268 bool VerifyDeviceCert(const std::vector<std::string>& certs, |
| 268 const base::Time::Exploded& time, | 269 const base::Time::Exploded& time, |
| 269 std::unique_ptr<CertVerificationContext>* context, | 270 std::unique_ptr<CertVerificationContext>* context, |
| 270 CastDeviceCertPolicy* policy) { | 271 CastDeviceCertPolicy* policy, |
| 272 const CastCRL* crl, | |
| 273 CRLPolicy crl_policy) { | |
| 271 if (certs.empty()) | 274 if (certs.empty()) |
| 272 return false; | 275 return false; |
| 273 | 276 |
| 274 // No reference to these ParsedCertificates is kept past the end of this | 277 // No reference to these ParsedCertificates is kept past the end of this |
| 275 // function, so using EXTERNAL_REFERENCE here is safe. | 278 // function, so using EXTERNAL_REFERENCE here is safe. |
| 276 scoped_refptr<net::ParsedCertificate> target_cert; | 279 scoped_refptr<net::ParsedCertificate> target_cert; |
| 277 net::CertIssuerSourceStatic intermediate_cert_issuer_source; | 280 net::CertIssuerSourceStatic intermediate_cert_issuer_source; |
| 278 for (size_t i = 0; i < certs.size(); ++i) { | 281 for (size_t i = 0; i < certs.size(); ++i) { |
| 279 scoped_refptr<net::ParsedCertificate> cert( | 282 scoped_refptr<net::ParsedCertificate> cert( |
| 280 net::ParsedCertificate::CreateFromCertificateData( | 283 net::ParsedCertificate::CreateFromCertificateData( |
| (...skipping 19 matching lines...) | |
| 300 signature_policy.get(), | 303 signature_policy.get(), |
| 301 ConvertExplodedTime(time), &result); | 304 ConvertExplodedTime(time), &result); |
| 302 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | 305 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
| 303 net::CompletionStatus rv = path_builder.Run(base::Closure()); | 306 net::CompletionStatus rv = path_builder.Run(base::Closure()); |
| 304 DCHECK_EQ(rv, net::CompletionStatus::SYNC); | 307 DCHECK_EQ(rv, net::CompletionStatus::SYNC); |
| 305 if (!result.is_success()) | 308 if (!result.is_success()) |
| 306 return false; | 309 return false; |
| 307 | 310 |
| 308 // Check properties of the leaf certificate (key usage, policy), and construct | 311 // Check properties of the leaf certificate (key usage, policy), and construct |
| 309 // a CertVerificationContext that uses its public key. | 312 // a CertVerificationContext that uses its public key. |
| 310 return CheckTargetCertificate(target_cert.get(), context, policy); | 313 if (!CheckTargetCertificate(target_cert.get(), context, policy)) |
| 314 return false; | |
| 315 | |
| 316 // Check if a CRL is available. | |
| 317 if (!crl) { | |
| 318 if (crl_policy == CRLPolicy::CRL_REQUIRED) { | |
| 319 return false; | |
| 320 } | |
| 321 } else { | |
| 322 if (result.paths.empty() || | |
|
eroman
2016/07/15 22:52:48
I'll see about simplifying these checks later, kin
| |
| 323 !result.paths[result.best_result_index]->is_success()) | |
| 324 return false; | |
| 325 | |
| 326 if (!crl->CheckRevocation(result.paths[result.best_result_index]->path, | |
| 327 time)) | |
| 328 return false; | |
| 329 } | |
| 330 return true; | |
| 311 } | 331 } |
| 312 | 332 |
| 313 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 333 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 314 const base::StringPiece& spki) { | 334 const base::StringPiece& spki) { |
| 315 // Use a bogus CommonName, since this is just exposed for testing signature | 335 // Use a bogus CommonName, since this is just exposed for testing signature |
| 316 // verification by unittests. | 336 // verification by unittests. |
| 317 return base::WrapUnique( | 337 return base::WrapUnique( |
| 318 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 338 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 319 } | 339 } |
| 320 | 340 |
| 321 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { | 341 bool SetTrustAnchorForTest(const std::string& cert) { |
| 322 scoped_refptr<net::ParsedCertificate> anchor( | 342 scoped_refptr<net::ParsedCertificate> anchor( |
| 323 net::ParsedCertificate::CreateFromCertificateData( | 343 net::ParsedCertificate::CreateFromCertificateCopy( |
| 324 data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 344 cert, GetCertParsingOptions())); |
| 325 GetCertParsingOptions())); | 345 CastTrustStore::Get().Clear(); |
| 326 if (!anchor) | 346 if (!anchor) |
| 327 return false; | 347 return false; |
| 328 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | 348 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); |
| 329 return true; | 349 return true; |
| 330 } | 350 } |
| 331 | 351 |
| 332 } // namespace cast_certificate | 352 } // namespace cast_certificate |
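Review bot: In the new tail of VerifyDeviceCert, `CheckTargetCertificate(target_cert.get(), context, policy)` runs before the CRL block, so by the time `crl->CheckRevocation(...)` rejects a chain the `context` and `policy` out-parameters have presumably already been filled in from the leaf certificate (the comment above the call says it constructs a CertVerificationContext from the leaf's public key; the callee's body is not visible here). A caller that keeps `*context` after a false return would then hold a usable verification context for a revoked device certificate. Doing the revocation check first and calling CheckTargetCertificate last, or calling `context->reset()` on the revocation-failure returns, leaves the outputs untouched on failure. The `if (!crl)` branch also deserves a comment stating that any policy other than `CRLPolicy::CRL_REQUIRED` accepts the chain with no revocation check at all, for example `// No CRL supplied: revocation is skipped unless the policy requires one.`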