| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 233 matching lines...) |
| 244 // INTEGER (non-minimal encoding). | 244 // INTEGER (non-minimal encoding). |
| 245 // | 245 // |
| 246 // Allow these sorts of serial numbers. | 246 // Allow these sorts of serial numbers. |
| 247 // | 247 // |
| 248 // TODO(eroman): At some point in the future this workaround will no longer be | 248 // TODO(eroman): At some point in the future this workaround will no longer be |
| 249 // necessary. Should revisit this for removal in 2017 if not earlier. | 249 // necessary. Should revisit this for removal in 2017 if not earlier. |
| 250 options.allow_invalid_serial_numbers = true; | 250 options.allow_invalid_serial_numbers = true; |
| 251 return options; | 251 return options; |
| 252 } | 252 } |
| 253 | 253 |
| 254 } // namespace | 254 // Verifies a cast device certficate given a chain of DER-encoded certificates. |
| 255 | |
| 256 bool VerifyDeviceCert(const std::vector<std::string>& certs, | 255 bool VerifyDeviceCert(const std::vector<std::string>& certs, |
| 257 const base::Time& time, | 256 const base::Time& time, |
| 258 std::unique_ptr<CertVerificationContext>* context, | 257 std::unique_ptr<CertVerificationContext>* context, |
| 259 CastDeviceCertPolicy* policy, | 258 CastDeviceCertPolicy* policy, |
| 260 const CastCRL* crl, | 259 const CastCRL* crl, |
| 261 CRLPolicy crl_policy) { | 260 CRLPolicy crl_policy, |
| 261 net::TrustStore* trust_store) { |
| 262 if (certs.empty()) | 262 if (certs.empty()) |
| 263 return false; | 263 return false; |
| 264 | 264 |
| 265 // No reference to these ParsedCertificates is kept past the end of this | 265 // No reference to these ParsedCertificates is kept past the end of this |
| 266 // function, so using EXTERNAL_REFERENCE here is safe. | 266 // function, so using EXTERNAL_REFERENCE here is safe. |
| 267 scoped_refptr<net::ParsedCertificate> target_cert; | 267 scoped_refptr<net::ParsedCertificate> target_cert; |
| 268 net::CertIssuerSourceStatic intermediate_cert_issuer_source; | 268 net::CertIssuerSourceStatic intermediate_cert_issuer_source; |
| 269 for (size_t i = 0; i < certs.size(); ++i) { | 269 for (size_t i = 0; i < certs.size(); ++i) { |
| 270 scoped_refptr<net::ParsedCertificate> cert( | 270 scoped_refptr<net::ParsedCertificate> cert( |
| 271 net::ParsedCertificate::CreateFromCertificateData( | 271 net::ParsedCertificate::CreateFromCertificateData( |
| (...skipping 11 matching lines...) |
| 283 | 283 |
| 284 // Use a signature policy compatible with Cast's PKI. | 284 // Use a signature policy compatible with Cast's PKI. |
| 285 auto signature_policy = CreateCastSignaturePolicy(); | 285 auto signature_policy = CreateCastSignaturePolicy(); |
| 286 | 286 |
| 287 // Do path building and RFC 5280 compatible certificate verification using the | 287 // Do path building and RFC 5280 compatible certificate verification using the |
| 288 // two Cast trust anchors and Cast signature policy. | 288 // two Cast trust anchors and Cast signature policy. |
| 289 net::der::GeneralizedTime verification_time; | 289 net::der::GeneralizedTime verification_time; |
| 290 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) | 290 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) |
| 291 return false; | 291 return false; |
| 292 net::CertPathBuilder::Result result; | 292 net::CertPathBuilder::Result result; |
| 293 net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(), | 293 net::CertPathBuilder path_builder(target_cert.get(), trust_store, |
| 294 signature_policy.get(), verification_time, | 294 signature_policy.get(), verification_time, |
| 295 &result); | 295 &result); |
| 296 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | 296 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
| 297 net::CompletionStatus rv = path_builder.Run(base::Closure()); | 297 net::CompletionStatus rv = path_builder.Run(base::Closure()); |
| 298 DCHECK_EQ(rv, net::CompletionStatus::SYNC); | 298 DCHECK_EQ(rv, net::CompletionStatus::SYNC); |
| 299 if (!result.is_success()) | 299 if (!result.is_success()) |
| 300 return false; | 300 return false; |
| 301 | 301 |
| 302 // Check properties of the leaf certificate (key usage, policy), and construct | 302 // Check properties of the leaf certificate (key usage, policy), and construct |
| 303 // a CertVerificationContext that uses its public key. | 303 // a CertVerificationContext that uses its public key. |
| (...skipping 11 matching lines...) |
| 315 return false; | 315 return false; |
| 316 | 316 |
| 317 if (!crl->CheckRevocation(result.paths[result.best_result_index]->path, | 317 if (!crl->CheckRevocation(result.paths[result.best_result_index]->path, |
| 318 time)) { | 318 time)) { |
| 319 return false; | 319 return false; |
| 320 } | 320 } |
| 321 } | 321 } |
| 322 return true; | 322 return true; |
| 323 } | 323 } |
| 324 | 324 |
| 325 } // namespace |
| 326 |
| 327 bool VerifyDeviceCert(const std::vector<std::string>& certs, |
| 328 const base::Time& time, |
| 329 std::unique_ptr<CertVerificationContext>* context, |
| 330 CastDeviceCertPolicy* policy, |
| 331 const CastCRL* crl, |
| 332 CRLPolicy crl_policy) { |
| 333 return VerifyDeviceCert(certs, time, context, policy, crl, crl_policy, |
| 334 &CastTrustStore::Get()); |
| 335 } |
| 336 |
| 337 bool VerifyDeviceCertForTest(const std::vector<std::string>& certs, |
| 338 const base::Time& time, |
| 339 std::unique_ptr<CertVerificationContext>* context, |
| 340 CastDeviceCertPolicy* policy, |
| 341 const CastCRL* crl, |
| 342 CRLPolicy crl_policy, |
| 343 net::TrustStore* trust_store) { |
| 344 return VerifyDeviceCert(certs, time, context, policy, crl, crl_policy, |
| 345 trust_store); |
| 346 } |
| 347 |
| 325 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 348 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 326 const base::StringPiece& spki) { | 349 const base::StringPiece& spki) { |
| 327 // Use a bogus CommonName, since this is just exposed for testing signature | 350 // Use a bogus CommonName, since this is just exposed for testing signature |
| 328 // verification by unittests. | 351 // verification by unittests. |
| 329 return base::WrapUnique( | 352 return base::WrapUnique( |
| 330 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 353 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 331 } | 354 } |
| 332 | 355 |
| 333 bool SetTrustAnchorForTest(const std::string& cert) { | |
| 334 scoped_refptr<net::ParsedCertificate> anchor( | |
| 335 net::ParsedCertificate::CreateFromCertificateCopy( | |
| 336 cert, GetCertParsingOptions())); | |
| 337 if (!anchor) | |
| 338 return false; | |
| 339 CastTrustStore::Get().Clear(); | |
| 340 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | |
| 341 return true; | |
| 342 } | |
| 343 | |
| 344 } // namespace cast_certificate | 356 } // namespace cast_certificate |
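Review bot: The new internal `VerifyDeviceCert` overload hands `trust_store` straight to `net::CertPathBuilder` without checking it, and `VerifyDeviceCertForTest` forwards whatever pointer its caller supplies, so a null store would only surface inside path building. Because this pointer now decides which anchors a device chain may terminate in, I would add `DCHECK(trust_store);` next to the `certs.empty()` check, or fail closed with `if (!trust_store) return false;`. The comment above the path builder still says verification uses "the two Cast trust anchors", which no longer holds for this overload; `// ... using the trust anchors in |trust_store| and the Cast signature policy.` would match the code. The new doc comment has a typo ("certficate") and could also say that `trust_store` is not owned by the function. Parts of the body are collapsed on this page, so a check in the hidden lines cannot be ruled out.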
| OLD | NEW |