| Index: components/cast_certificate/cast_cert_validator.cc
|
| diff --git a/components/cast_certificate/cast_cert_validator.cc b/components/cast_certificate/cast_cert_validator.cc
|
| index 6a81c84d562b56aa48c2fcbcc3e7d9e1e312578b..0611209b11a9860331f905512c0415c1932a443b 100644
|
| --- a/components/cast_certificate/cast_cert_validator.cc
|
| +++ b/components/cast_certificate/cast_cert_validator.cc
|
| @@ -13,6 +13,7 @@
|
|
|
| #include "base/memory/ptr_util.h"
|
| #include "base/memory/singleton.h"
|
| +#include "components/cast_certificate/cast_crl.h"
|
| #include "net/cert/internal/certificate_policies.h"
|
| #include "net/cert/internal/extended_key_usage.h"
|
| #include "net/cert/internal/parse_certificate.h"
|
| @@ -280,7 +281,9 @@ net::ParseCertificateOptions GetCertParsingOptions() {
|
| bool VerifyDeviceCert(const std::vector<std::string>& certs,
|
| const base::Time::Exploded& time,
|
| std::unique_ptr<CertVerificationContext>* context,
|
| - CastDeviceCertPolicy* policy) {
|
| + CastDeviceCertPolicy* policy,
|
| + const CastCRL* crl,
|
| + CRLOptions crl_options) {
|
| // The underlying verification function expects a sequence of
|
| // ParsedCertificate.
|
| std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
|
| @@ -304,15 +307,26 @@ bool VerifyDeviceCert(const std::vector<std::string>& certs,
|
|
|
| // Do RFC 5280 compatible certificate verification using the two Cast
|
| // trust anchors and Cast signature policy.
|
| + std::vector<scoped_refptr<net::ParsedCertificate>> trusted_chain;
|
| if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(),
|
| signature_policy.get(),
|
| - ConvertExplodedTime(time), nullptr)) {
|
| + ConvertExplodedTime(time), &trusted_chain)) {
|
| return false;
|
| }
|
|
|
| // Check properties of the leaf certificate (key usage, policy), and construct
|
| // a CertVerificationContext that uses its public key.
|
| - return CheckTargetCertificate(input_chain[0].get(), context, policy);
|
| + if (!CheckTargetCertificate(input_chain[0].get(), context, policy))
|
| + return false;
|
| +
|
| + // Check if a CRL is available.
|
| + if (!crl) {
|
| + if (crl_options.crl_required) {
|
| + return false;
|
| + }
|
| + return true;
|
| + }
|
| + return crl->CheckRevocation(trusted_chain, time);
|
| }
|
|
|
| std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
|
| @@ -323,13 +337,14 @@ std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
|
| new CertVerificationContextImpl(net::der::Input(spki), "CommonName"));
|
| }
|
|
|
| -bool AddTrustAnchorForTest(const uint8_t* data, size_t length) {
|
| +bool SetTrustAnchorForTest(const uint8_t* data, size_t length) {
|
| scoped_refptr<net::ParsedCertificate> anchor(
|
| net::ParsedCertificate::CreateFromCertificateData(
|
| data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
|
| GetCertParsingOptions()));
|
| if (!anchor)
|
| return false;
|
| + CastTrustStore::Get().Clear();
|
| CastTrustStore::Get().AddTrustedCertificate(std::move(anchor));
|
| return true;
|
| }
|
|
|
Chromium Code Reviews
Issue 2050983002:
Cast device revocation checking. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master