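--- a/components/cast_certificate/cast_cert_validator.cc
+++ b/components/cast_certificate/cast_cert_validator.cc
@@ -1,89 +1,89 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
 #include "base/memory/ptr_util.h"
 #include "base/memory/singleton.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
 #include "components/cast_certificate/cast_crl.h"
 #include "net/cert/internal/certificate_policies.h"
 #include "net/cert/internal/extended_key_usage.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/parse_name.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/path_builder.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/signature_policy.h"
-#include "net/cert/internal/trust_store.h"
+#include "net/cert/internal/trust_store_static.h"
 #include "net/cert/internal/verify_signed_data.h"
 #include "net/der/encode_values.h"
 #include "net/der/input.h"
 
 namespace cast_certificate {
 namespace {
 
 // -------------------------------------------------------------------------
 // Cast trust anchors.
 // -------------------------------------------------------------------------
 
 // There are two trusted roots for Cast certificate chains:
 //
 // (1) CN=Cast Root CA (kCastRootCaDer)
 // (2) CN=Eureka Root CA (kEurekaRootCaDer)
 //
 // These constants are defined by the files included next:
 
 #include "components/cast_certificate/cast_root_ca_cert_der-inc.h"
 #include "components/cast_certificate/eureka_root_ca_der-inc.h"
 
 // Singleton for the Cast trust store.
 class CastTrustStore {
  public:
   static CastTrustStore* GetInstance() {
     return base::Singleton<CastTrustStore,
                            base::LeakySingletonTraits<CastTrustStore>>::get();
   }
 
-  static net::TrustStore& Get() { return GetInstance()->store_; }
+  static net::TrustStoreStatic& Get() { return GetInstance()->trust_store_; }
 
  private:
   friend struct base::DefaultSingletonTraits<CastTrustStore>;
 
   CastTrustStore() {
     AddAnchor(kCastRootCaDer);
     AddAnchor(kEurekaRootCaDer);
   }
 
   // Adds a trust anchor given a DER-encoded certificate from static
   // storage.
   template <size_t N>
   void AddAnchor(const uint8_t (&data)[N]) {
     scoped_refptr<net::ParsedCertificate> root =
         net::ParsedCertificate::CreateFromCertificateData(
             data, N, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
             {});
     CHECK(root);
-    store_.AddTrustedCertificate(std::move(root));
+    trust_store_.AddTrustedCertificate(std::move(root));
   }
 
-  net::TrustStore store_;
+  net::TrustStoreStatic trust_store_;
   DISALLOW_COPY_AND_ASSIGN(CastTrustStore);
 };
 
 using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>;
 
 // Helper that looks up an extension by OID given a map of extensions.
 bool GetExtensionValue(const ExtensionsMap& extensions,
                        const net::der::Input& oid,
                        net::der::Input* value) {
   auto it = extensions.find(oid);
@@ -283,23 +283,23 @@
 
   // Use a signature policy compatible with Cast's PKI.
   auto signature_policy = CreateCastSignaturePolicy();
 
   // Do path building and RFC 5280 compatible certificate verification using the
   // two Cast trust anchors and Cast signature policy.
   net::der::GeneralizedTime verification_time;
   if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time))
     return false;
   net::CertPathBuilder::Result result;
-  net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(),
-                                    signature_policy.get(), verification_time,
-                                    &result);
+  net::CertPathBuilder path_builder(target_cert.get(), signature_policy.get(),
+                                    verification_time, &result);
+  path_builder.AddTrustStore(&CastTrustStore::Get());
   path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
   net::CompletionStatus rv = path_builder.Run(base::Closure());
   DCHECK_EQ(rv, net::CompletionStatus::SYNC);
   if (!result.is_success())
     return false;
 
   // Check properties of the leaf certificate (key usage, policy), and construct
   // a CertVerificationContext that uses its public key.
   if (!CheckTargetCertificate(target_cert.get(), context, policy))
     return false;
@@ -335,10 +335,10 @@
       net::ParsedCertificate::CreateFromCertificateCopy(
           cert, GetCertParsingOptions()));
   if (!anchor)
     return false;
   CastTrustStore::Get().Clear();
   CastTrustStore::Get().AddTrustedCertificate(std::move(anchor));
   return true;
 }
 
 } // namespace cast_certificate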
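Review bot: `DCHECK_EQ(rv, net::CompletionStatus::SYNC)` after `path_builder.Run(base::Closure())` compiles to nothing in release builds, so if `Run` ever reports anything other than `SYNC` the code goes on to read a `result` that the builder has not finished filling in, with only the default state of `result.is_success()` standing between that and a false verification success; make the assumption fail closed with `if (rv != net::CompletionStatus::SYNC) return false;` in place of (or alongside) the DCHECK. Separately, `CastTrustStore::Get()` now hands out a mutable `net::TrustStoreStatic&` to the process-wide anchors, and the code in the last hunk calls `Clear()` followed by `AddTrustedCertificate()` on that same object, which `AddTrustStore` has meanwhile stored by pointer inside a live `CertPathBuilder`; whether a verification can overlap that replacement depends on callers I cannot see, but the singleton carries no synchronization and there is briefly an empty anchor set between the two calls, so `Get()` deserves a comment such as `// Shared, unsynchronized; the test hook below replaces its contents in place.`. The verification function whose body the middle hunk shows (the one taking `time`, `target_cert`, `context` and `policy`), and the function that ends with `return true;` in the last hunk, both begin outside the visible hunks.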