OLD | NEW |
---|---|
(Empty) | |
1 /* | |
2 * NSS utility functions | |
3 * | |
4 * This Source Code Form is subject to the terms of the Mozilla Public | |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
7 | |
8 #include "net/third_party/nss/ssl/cmpcert.h" | |
9 | |
10 #include <secder.h> | |
11 #include <secitem.h> | |
12 | |
13 #include "base/logging.h" | |
14 #include "base/strings/string_piece.h" | |
15 | |
16 namespace net { | |
17 | |
18 bool MatchClientCertificateIssuers( | |
19 CERTCertificate* cert, | |
20 const std::vector<std::string>& cert_authorities, | |
21 std::vector<ScopedCERTCertificate>* chain) { | |
22 // Bound how many iterations to try. | |
23 static const int kMaxDepth = 20; | |
24 | |
25 // Retain the full certificate chain. Some deployments expect the client to | |
26 // supply intermediates out of the local store. https://crbug.com/548631 | |
27 chain->clear(); | |
28 chain->emplace_back(CERT_DupCertificate(cert)); | |
29 | |
30 // If no authorities are supplied, everything matches. | |
31 if (cert_authorities.empty()) | |
32 return true; | |
33 | |
34 while (chain->size() < kMaxDepth) { | |
35 CERTCertificate* curcert = chain->back().get(); | |
36 | |
37 base::StringPiece issuer( | |
38 reinterpret_cast<const char*>(curcert->derIssuer.data), | |
39 curcert->derIssuer.len); | |
40 | |
41 // Compute an alternate issuer name for compatibility with 2.0 enterprise | |
42 // server, which send the CA names without the outer layer of DER header. | |
43 // | |
44 // TODO(davidben): Can this be removed? | |
Ryan Sleevi
2016/07/29 00:37:44
Yup. No other platforms have this.
davidben
2016/07/29 15:14:11
Removed.
At this point this function can only pas
| |
45 base::StringPiece compat_issuer; | |
46 int header_len; | |
47 PRUint32 content_len; | |
48 if (DER_Lengths(&curcert->derIssuer, &header_len, &content_len) == | |
49 SECSuccess) | |
50 compat_issuer = issuer.substr(header_len); | |
51 | |
52 // Check if |curcert| is signed by a valid CA. | |
53 for (const std::string& ca : cert_authorities) { | |
54 if (issuer == ca || (!compat_issuer.empty() && compat_issuer == ca)) | |
55 return true; | |
56 } | |
57 | |
58 // Stop at self-issued certificates. | |
59 if (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) == | |
60 SECEqual) { | |
61 return false; | |
62 } | |
63 | |
64 // Look the parent up in the database and keep searching. | |
65 CERTCertificate* parent = | |
66 CERT_FindCertByName(curcert->dbhandle, &curcert->derIssuer); | |
67 if (!parent) | |
68 return false; | |
69 chain->emplace_back(parent); | |
70 } | |
71 | |
72 return false; | |
73 } | |
74 | |
75 } // namespace net | |
OLD | NEW |