| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <algorithm> | 5 #include <algorithm> |
| 6 | 6 |
| 7 #include "base/sha1.h" | 7 #include "base/sha1.h" |
| 8 #include "crypto/sha2.h" | 8 #include "crypto/sha2.h" |
| 9 #include "net/cert/internal/parse_ocsp.h" | 9 #include "net/cert/internal/parse_ocsp.h" |
| 10 #include "net/der/encode_values.h" | 10 #include "net/der/encode_values.h" |
| (...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 121 // UnknownInfo ::= NULL | 121 // UnknownInfo ::= NULL |
| 122 bool ParseCertStatus(const der::Input& raw_tlv, OCSPCertStatus* out) { | 122 bool ParseCertStatus(const der::Input& raw_tlv, OCSPCertStatus* out) { |
| 123 der::Parser parser(raw_tlv); | 123 der::Parser parser(raw_tlv); |
| 124 der::Tag status_tag; | 124 der::Tag status_tag; |
| 125 der::Input status; | 125 der::Input status; |
| 126 if (!parser.ReadTagAndValue(&status_tag, &status)) | 126 if (!parser.ReadTagAndValue(&status_tag, &status)) |
| 127 return false; | 127 return false; |
| 128 | 128 |
| 129 out->has_reason = false; | 129 out->has_reason = false; |
| 130 if (status_tag == der::ContextSpecificPrimitive(0)) { | 130 if (status_tag == der::ContextSpecificPrimitive(0)) { |
| 131 out->status = OCSPCertStatus::Status::GOOD; | 131 out->status = OCSPRevocationStatus::GOOD; |
| 132 } else if (status_tag == der::ContextSpecificConstructed(1)) { | 132 } else if (status_tag == der::ContextSpecificConstructed(1)) { |
| 133 out->status = OCSPCertStatus::Status::REVOKED; | 133 out->status = OCSPRevocationStatus::REVOKED; |
| 134 if (!ParseRevokedInfo(status, out)) | 134 if (!ParseRevokedInfo(status, out)) |
| 135 return false; | 135 return false; |
| 136 } else if (status_tag == der::ContextSpecificPrimitive(2)) { | 136 } else if (status_tag == der::ContextSpecificPrimitive(2)) { |
| 137 out->status = OCSPCertStatus::Status::UNKNOWN; | 137 out->status = OCSPRevocationStatus::UNKNOWN; |
| 138 } else { | 138 } else { |
| 139 return false; | 139 return false; |
| 140 } | 140 } |
| 141 | 141 |
| 142 return !parser.HasMore(); | 142 return !parser.HasMore(); |
| 143 } | 143 } |
| 144 | 144 |
| 145 } // namespace | 145 } // namespace |
| 146 | 146 |
| 147 // SingleResponse ::= SEQUENCE { | 147 // SingleResponse ::= SEQUENCE { |
| (...skipping 342 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 490 | 490 |
| 491 return id.serial_number == serial_number; | 491 return id.serial_number == serial_number; |
| 492 } | 492 } |
| 493 | 493 |
| 494 } // namespace | 494 } // namespace |
| 495 | 495 |
| 496 bool GetOCSPCertStatus(const OCSPResponseData& response_data, | 496 bool GetOCSPCertStatus(const OCSPResponseData& response_data, |
| 497 const der::Input& issuer_tbs_certificate_tlv, | 497 const der::Input& issuer_tbs_certificate_tlv, |
| 498 const der::Input& cert_tbs_certificate_tlv, | 498 const der::Input& cert_tbs_certificate_tlv, |
| 499 OCSPCertStatus* out) { | 499 OCSPCertStatus* out) { |
| 500 out->status = OCSPCertStatus::Status::GOOD; | 500 out->status = OCSPRevocationStatus::GOOD; |
| 501 | 501 |
| 502 ParsedTbsCertificate tbs_cert; | 502 ParsedTbsCertificate tbs_cert; |
| 503 if (!ParseTbsCertificate(cert_tbs_certificate_tlv, {}, &tbs_cert)) | 503 if (!ParseTbsCertificate(cert_tbs_certificate_tlv, {}, &tbs_cert)) |
| 504 return false; | 504 return false; |
| 505 ParsedTbsCertificate issuer_tbs_cert; | 505 ParsedTbsCertificate issuer_tbs_cert; |
| 506 if (!ParseTbsCertificate(issuer_tbs_certificate_tlv, {}, &issuer_tbs_cert)) | 506 if (!ParseTbsCertificate(issuer_tbs_certificate_tlv, {}, &issuer_tbs_cert)) |
| 507 return false; | 507 return false; |
| 508 | 508 |
| 509 bool found = false; | 509 bool found = false; |
| 510 for (const auto& response : response_data.responses) { | 510 for (const auto& response : response_data.responses) { |
| 511 OCSPSingleResponse single_response; | 511 OCSPSingleResponse single_response; |
| 512 if (!ParseOCSPSingleResponse(response, &single_response)) | 512 if (!ParseOCSPSingleResponse(response, &single_response)) |
| 513 return false; | 513 return false; |
| 514 if (CheckCertID(single_response.cert_id_tlv, tbs_cert, issuer_tbs_cert, | 514 if (CheckCertID(single_response.cert_id_tlv, tbs_cert, issuer_tbs_cert, |
| 515 tbs_cert.serial_number)) { | 515 tbs_cert.serial_number)) { |
| 516 OCSPCertStatus new_status = single_response.cert_status; | 516 OCSPCertStatus new_status = single_response.cert_status; |
| 517 found = true; | 517 found = true; |
| 518 // In the case that we receive multiple responses, we keep only the | 518 // In the case that we receive multiple responses, we keep only the |
| 519 // strictest status (REVOKED > UNKNOWN > GOOD). | 519 // strictest status (REVOKED > UNKNOWN > GOOD). |
| 520 if (out->status == OCSPCertStatus::Status::GOOD || | 520 if (out->status == OCSPRevocationStatus::GOOD || |
| 521 new_status.status == OCSPCertStatus::Status::REVOKED) { | 521 new_status.status == OCSPRevocationStatus::REVOKED) { |
| 522 *out = new_status; | 522 *out = new_status; |
| 523 } | 523 } |
| 524 } | 524 } |
| 525 } | 525 } |
| 526 | 526 |
| 527 if (!found) | 527 if (!found) |
| 528 out->status = OCSPCertStatus::Status::UNKNOWN; | 528 out->status = OCSPRevocationStatus::UNKNOWN; |
| 529 | 529 |
| 530 return found; | 530 return found; |
| 531 } | 531 } |
| 532 | 532 |
| 533 bool CheckOCSPDateValid(const OCSPSingleResponse& response, | 533 bool CheckOCSPDateValid(const OCSPSingleResponse& response, |
| 534 const base::Time& verify_time, | 534 const base::Time& verify_time, |
| 535 const base::TimeDelta& max_age) { | 535 const base::TimeDelta& max_age) { |
| 536 der::GeneralizedTime verify_time_der; | 536 der::GeneralizedTime verify_time_der; |
| 537 if (!der::EncodeTimeAsGeneralizedTime(verify_time, &verify_time_der)) | 537 if (!der::EncodeTimeAsGeneralizedTime(verify_time, &verify_time_der)) |
| 538 return false; | 538 return false; |
| 539 | 539 |
| 540 if (response.this_update > verify_time_der) | 540 if (response.this_update > verify_time_der) |
| 541 return false; // Response is not yet valid. | 541 return false; // Response is not yet valid. |
| 542 | 542 |
| 543 if (response.has_next_update && (response.next_update <= verify_time_der)) | 543 if (response.has_next_update && (response.next_update <= verify_time_der)) |
| 544 return false; // Response is no longer valid. | 544 return false; // Response is no longer valid. |
| 545 | 545 |
| 546 der::GeneralizedTime earliest_this_update; | 546 der::GeneralizedTime earliest_this_update; |
| 547 if (!der::EncodeTimeAsGeneralizedTime(verify_time - max_age, | 547 if (!der::EncodeTimeAsGeneralizedTime(verify_time - max_age, |
| 548 &earliest_this_update)) { | 548 &earliest_this_update)) { |
| 549 return false; | 549 return false; |
| 550 } | 550 } |
| 551 if (response.this_update < earliest_this_update) | 551 if (response.this_update < earliest_this_update) |
| 552 return false; // Response is too old. | 552 return false; // Response is too old. |
| 553 | 553 |
| 554 return true; | 554 return true; |
| 555 } | 555 } |
| 556 | 556 |
| 557 } // namespace net | 557 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2100303002:
Add OCSPVerifyResult for tracking stapled OCSP responses cross-platform. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-date-check