| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 11 #include <memory> | 11 #include <memory> |
| 12 #include <utility> | 12 #include <utility> |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 16 #include "net/cert/internal/cert_issuer_source_static.h" | 16 #include "net/cert/internal/cert_issuer_source_static.h" |
| 17 #include "components/cast_certificate/cast_crl.h" | 17 #include "components/cast_certificate/cast_crl.h" |
| 18 #include "net/cert/internal/certificate_policies.h" | 18 #include "net/cert/internal/certificate_policies.h" |
| 19 #include "net/cert/internal/extended_key_usage.h" | 19 #include "net/cert/internal/extended_key_usage.h" |
| 20 #include "net/cert/internal/parse_certificate.h" | 20 #include "net/cert/internal/parse_certificate.h" |
| 21 #include "net/cert/internal/parse_name.h" | 21 #include "net/cert/internal/parse_name.h" |
| 22 #include "net/cert/internal/parsed_certificate.h" | 22 #include "net/cert/internal/parsed_certificate.h" |
| 23 #include "net/cert/internal/path_builder.h" | 23 #include "net/cert/internal/path_builder.h" |
| 24 #include "net/cert/internal/signature_algorithm.h" | 24 #include "net/cert/internal/signature_algorithm.h" |
| 25 #include "net/cert/internal/signature_policy.h" | 25 #include "net/cert/internal/signature_policy.h" |
| 26 #include "net/cert/internal/trust_store.h" | 26 #include "net/cert/internal/trust_store_static.h" |
| 27 #include "net/cert/internal/verify_signed_data.h" | 27 #include "net/cert/internal/verify_signed_data.h" |
| 28 #include "net/der/encode_values.h" | 28 #include "net/der/encode_values.h" |
| 29 #include "net/der/input.h" | 29 #include "net/der/input.h" |
| 30 | 30 |
| 31 namespace cast_certificate { | 31 namespace cast_certificate { |
| 32 namespace { | 32 namespace { |
| 33 | 33 |
| 34 // ------------------------------------------------------------------------- | 34 // ------------------------------------------------------------------------- |
| 35 // Cast trust anchors. | 35 // Cast trust anchors. |
| 36 // ------------------------------------------------------------------------- | 36 // ------------------------------------------------------------------------- |
| 37 | 37 |
| 38 // There are two trusted roots for Cast certificate chains: | 38 // There are two trusted roots for Cast certificate chains: |
| 39 // | 39 // |
| 40 // (1) CN=Cast Root CA (kCastRootCaDer) | 40 // (1) CN=Cast Root CA (kCastRootCaDer) |
| 41 // (2) CN=Eureka Root CA (kEurekaRootCaDer) | 41 // (2) CN=Eureka Root CA (kEurekaRootCaDer) |
| 42 // | 42 // |
| 43 // These constants are defined by the files included next: | 43 // These constants are defined by the files included next: |
| 44 | 44 |
| 45 #include "components/cast_certificate/cast_root_ca_cert_der-inc.h" | 45 #include "components/cast_certificate/cast_root_ca_cert_der-inc.h" |
| 46 #include "components/cast_certificate/eureka_root_ca_der-inc.h" | 46 #include "components/cast_certificate/eureka_root_ca_der-inc.h" |
| 47 | 47 |
| 48 // Singleton for the Cast trust store. | 48 // Singleton for the Cast trust store. |
| 49 class CastTrustStore { | 49 class CastTrustStore { |
| 50 public: | 50 public: |
| 51 static CastTrustStore* GetInstance() { | 51 static CastTrustStore* GetInstance() { |
| 52 return base::Singleton<CastTrustStore, | 52 return base::Singleton<CastTrustStore, |
| 53 base::LeakySingletonTraits<CastTrustStore>>::get(); | 53 base::LeakySingletonTraits<CastTrustStore>>::get(); |
| 54 } | 54 } |
| 55 | 55 |
| 56 static net::TrustStore& Get() { return GetInstance()->store_; } | 56 static net::TrustStoreStatic& Get() { return GetInstance()->trust_store_; } |
| 57 | 57 |
| 58 private: | 58 private: |
| 59 friend struct base::DefaultSingletonTraits<CastTrustStore>; | 59 friend struct base::DefaultSingletonTraits<CastTrustStore>; |
| 60 | 60 |
| 61 CastTrustStore() { | 61 CastTrustStore() { |
| 62 AddAnchor(kCastRootCaDer); | 62 AddAnchor(kCastRootCaDer); |
| 63 AddAnchor(kEurekaRootCaDer); | 63 AddAnchor(kEurekaRootCaDer); |
| 64 } | 64 } |
| 65 | 65 |
| 66 // Adds a trust anchor given a DER-encoded certificate from static | 66 // Adds a trust anchor given a DER-encoded certificate from static |
| 67 // storage. | 67 // storage. |
| 68 template <size_t N> | 68 template <size_t N> |
| 69 void AddAnchor(const uint8_t (&data)[N]) { | 69 void AddAnchor(const uint8_t (&data)[N]) { |
| 70 scoped_refptr<net::ParsedCertificate> root = | 70 scoped_refptr<net::ParsedCertificate> root = |
| 71 net::ParsedCertificate::CreateFromCertificateData( | 71 net::ParsedCertificate::CreateFromCertificateData( |
| 72 data, N, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 72 data, N, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, |
| 73 {}); | 73 {}); |
| 74 CHECK(root); | 74 CHECK(root); |
| 75 store_.AddTrustedCertificate(std::move(root)); | 75 trust_store_.AddTrustedCertificate(std::move(root)); |
| 76 } | 76 } |
| 77 | 77 |
| 78 net::TrustStore store_; | 78 net::TrustStoreStatic trust_store_; |
| 79 DISALLOW_COPY_AND_ASSIGN(CastTrustStore); | 79 DISALLOW_COPY_AND_ASSIGN(CastTrustStore); |
| 80 }; | 80 }; |
| 81 | 81 |
| 82 using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>; | 82 using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>; |
| 83 | 83 |
| 84 // Helper that looks up an extension by OID given a map of extensions. | 84 // Helper that looks up an extension by OID given a map of extensions. |
| 85 bool GetExtensionValue(const ExtensionsMap& extensions, | 85 bool GetExtensionValue(const ExtensionsMap& extensions, |
| 86 const net::der::Input& oid, | 86 const net::der::Input& oid, |
| 87 net::der::Input* value) { | 87 net::der::Input* value) { |
| 88 auto it = extensions.find(oid); | 88 auto it = extensions.find(oid); |
| 283 | 283 |
| 284 // Use a signature policy compatible with Cast's PKI. | 284 // Use a signature policy compatible with Cast's PKI. |
| 285 auto signature_policy = CreateCastSignaturePolicy(); | 285 auto signature_policy = CreateCastSignaturePolicy(); |
| 286 | 286 |
| 287 // Do path building and RFC 5280 compatible certificate verification using the | 287 // Do path building and RFC 5280 compatible certificate verification using the |
| 288 // two Cast trust anchors and Cast signature policy. | 288 // two Cast trust anchors and Cast signature policy. |
| 289 net::der::GeneralizedTime verification_time; | 289 net::der::GeneralizedTime verification_time; |
| 290 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) | 290 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) |
| 291 return false; | 291 return false; |
| 292 net::CertPathBuilder::Result result; | 292 net::CertPathBuilder::Result result; |
| 293 net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(), | 293 net::CertPathBuilder path_builder(target_cert.get(), signature_policy.get(), |
| 294 signature_policy.get(), verification_time, | 294 verification_time, &result); |
| 295 &result); | 295 path_builder.AddTrustStore(&CastTrustStore::Get()); |
| 296 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | 296 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
| 297 net::CompletionStatus rv = path_builder.Run(base::Closure()); | 297 net::CompletionStatus rv = path_builder.Run(base::Closure()); |
| 298 DCHECK_EQ(rv, net::CompletionStatus::SYNC); | 298 DCHECK_EQ(rv, net::CompletionStatus::SYNC); |
| 299 if (!result.is_success()) | 299 if (!result.is_success()) |
| 300 return false; | 300 return false; |
| 301 | 301 |
| 302 // Check properties of the leaf certificate (key usage, policy), and construct | 302 // Check properties of the leaf certificate (key usage, policy), and construct |
| 303 // a CertVerificationContext that uses its public key. | 303 // a CertVerificationContext that uses its public key. |
| 304 if (!CheckTargetCertificate(target_cert.get(), context, policy)) | 304 if (!CheckTargetCertificate(target_cert.get(), context, policy)) |
| 305 return false; | 305 return false; |
| 335 net::ParsedCertificate::CreateFromCertificateCopy( | 335 net::ParsedCertificate::CreateFromCertificateCopy( |
| 336 cert, GetCertParsingOptions())); | 336 cert, GetCertParsingOptions())); |
| 337 if (!anchor) | 337 if (!anchor) |
| 338 return false; | 338 return false; |
| 339 CastTrustStore::Get().Clear(); | 339 CastTrustStore::Get().Clear(); |
| 340 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | 340 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); |
| 341 return true; | 341 return true; |
| 342 } | 342 } |
| 343 | 343 |
| 344 } // namespace cast_certificate | 344 } // namespace cast_certificate |
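Review bot: `CastTrustStore::Get()` (new line 56) now hands a mutable `net::TrustStoreStatic&` to the whole translation unit, and the helper ending at new line 342 uses it to `Clear()` and replace the Cast roots, so nothing in the type separates the read-only production use in `AddTrustStore` (new line 295) from the anchor override. That helper is presumably a test-only hook, but neither `Get()` nor the hunk says so; a comment on `Get()` would stop the next reader from treating it as a general mutation point: `// Mutable only so the anchor-override helper can swap the roots; production callers must not modify the returned store.` The `Clear()`/`AddTrustedCertificate()` pair at lines 339-340 is also two operations, so if a verification could run concurrently with the override a path build might observe an empty store; the helper's own comment (its signature is outside the hunk) should state that it is only called before any verification, or the override should be rejected once verification has started.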