1 /* | |
2 * NSS utility functions | |
3 * | |
4 * This Source Code Form is subject to the terms of the Mozilla Public | |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
7 | |
8 #include "net/third_party/nss/ssl/cmpcert.h" | |
9 | |
10 #include <secder.h> | |
11 #include <secitem.h> | |
12 | |
13 #include "base/logging.h" | |
davidben
2016/07/29 16:38:44
Oops. Left this in here while debugging. I'll uplo
| |
14 #include "base/strings/string_piece.h" | |
15 | |
16 namespace net { | |
17 | |
18 bool MatchClientCertificateIssuers( | |
19 CERTCertificate* cert, | |
20 const std::vector<std::string>& cert_authorities, | |
21 std::vector<ScopedCERTCertificate>* intermediates) { | |
22 // Bound how many iterations to try. | |
23 static const int kMaxDepth = 20; | |
24 | |
25 intermediates->clear(); | |
26 | |
27 // If no authorities are supplied, everything matches. | |
28 if (cert_authorities.empty()) | |
29 return true; | |
30 | |
31 CERTCertificate* curcert = cert; | |
32 while (intermediates->size() < kMaxDepth) { | |
33 base::StringPiece issuer( | |
34 reinterpret_cast<const char*>(curcert->derIssuer.data), | |
35 curcert->derIssuer.len); | |
36 | |
37 // Check if |curcert| is signed by a valid CA. | |
38 for (const std::string& ca : cert_authorities) { | |
39 if (issuer == ca) | |
40 return true; | |
41 } | |
42 | |
43 // Stop at self-issued certificates. | |
44 if (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) == | |
45 SECEqual) { | |
46 return false; | |
47 } | |
48 | |
49 // Look the parent up in the database and keep searching. | |
50 curcert = CERT_FindCertByName(curcert->dbhandle, &curcert->derIssuer); | |
51 if (!curcert) | |
52 return false; | |
53 intermediates->emplace_back(curcert); | |
54 } | |
55 | |
56 return false; | |
57 } | |
58 | |
59 } // namespace net | |
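Review bot: On each `return false` path (lines 46, 52 and 56) the partially built chain stays in `*intermediates`, since the vector is cleared only on entry at line 25, so a caller that reuses the vector or ignores the return value sees intermediates for a chain that never reached a requested CA; either add `intermediates->clear();` before those returns or state the on-failure contents in the function's documentation in cmpcert.h. The comment `// Check if |curcert| is signed by a valid CA.` also overstates what the loop does: it compares the DER issuer name byte-for-byte against `cert_authorities` and verifies no signature, so `// Check whether |curcert|'s DER issuer name is one of the requested CAs.` would be more accurate, and a header comment should make clear that a match is a name match only, not chain validation. Finally, `intermediates->size() < kMaxDepth` compares `size_t` with an `int`; `static constexpr size_t kMaxDepth = 20;` avoids the sign-compare warning.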