Chromium Code Reviews Chromium Code Reviews
Issue 2225483002:
[ios] Removed CertVerifierBlockAdapter. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_ios.h" | 5 #include "net/cert/cert_verify_proc_ios.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> | |
| 9 | 8 |
| 10 #include "base/logging.h" | 9 #include "base/logging.h" |
| 11 #include "base/mac/scoped_cftyperef.h" | 10 #include "base/mac/scoped_cftyperef.h" |
| 12 #include "crypto/sha2.h" | 11 #include "crypto/sha2.h" |
| 13 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
| 14 #include "net/cert/asn1_util.h" | 13 #include "net/cert/asn1_util.h" |
| 15 #include "net/cert/cert_verify_result.h" | 14 #include "net/cert/cert_verify_result.h" |
| 16 #include "net/cert/test_root_certs.h" | 15 #include "net/cert/test_root_certs.h" |
| 17 #include "net/cert/x509_certificate.h" | 16 #include "net/cert/x509_certificate.h" |
| 18 #include "net/ssl/openssl_ssl_util.h" | 17 #include "net/ssl/openssl_ssl_util.h" |
| (...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 165 } | 164 } |
| 166 if (!verified_cert) { | 165 if (!verified_cert) { |
| 167 NOTREACHED(); | 166 NOTREACHED(); |
| 168 return; | 167 return; |
| 169 } | 168 } |
| 170 | 169 |
| 171 verify_result->verified_cert = | 170 verify_result->verified_cert = |
| 172 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 171 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 173 } | 172 } |
| 174 | 173 |
| 174 } // namespace | |
| 175 | |
| 176 CertVerifyProcIOS::CertVerifyProcIOS() {} | |
| 177 | |
| 178 CertVerifyProcIOS::~CertVerifyProcIOS() {} | |
|
Ryan Sleevi
2016/08/12 00:16:23
This (the dtor) should not be moved. Declaration a
Eugene But (OOO till 7-30)
2016/08/12 16:16:40
Moved to the bottom.
| |
| 179 | |
| 175 // The iOS APIs don't expose an API-stable set of reasons for certificate | 180 // The iOS APIs don't expose an API-stable set of reasons for certificate |
| 176 // validation failures. However, internally, the reason is tracked, and it's | 181 // validation failures. However, internally, the reason is tracked, and it's |
| 177 // converted to user-facing localized strings. | 182 // converted to user-facing localized strings. |
| 178 // | 183 // |
| 179 // In the absence of a consistent API, convert the English strings to their | 184 // In the absence of a consistent API, convert the English strings to their |
| 180 // localized counterpart, and then compare that with the error properties. If | 185 // localized counterpart, and then compare that with the error properties. If |
| 181 // they're equal, it's a strong sign that this was the cause for the error. | 186 // they're equal, it's a strong sign that this was the cause for the error. |
| 182 // While this will break if/when iOS changes the contents of these strings, | 187 // While this will break if/when iOS changes the contents of these strings, |
| 183 // it's sufficient enough for now. | 188 // it's sufficient enough for now. |
| 184 // | 189 // |
| 185 // TODO(rsleevi): https://crbug.com/601915 - Use a less brittle solution when | 190 // TODO(rsleevi): https://crbug.com/601915 - Use a less brittle solution when |
| 186 // possible. | 191 // possible. |
| 187 CertStatus GetFailureFromTrustProperties(CFArrayRef properties) { | 192 // static |
| 193 CertStatus CertVerifyProcIOS::GetCertFailureStatusFromTrust(SecTrustRef trust) { | |
| 188 CertStatus reason = 0; | 194 CertStatus reason = 0; |
| 189 | 195 |
| 196 base::ScopedCFTypeRef<CFArrayRef> properties(SecTrustCopyProperties(trust)); | |
| 190 if (!properties) | 197 if (!properties) |
| 191 return CERT_STATUS_INVALID; | 198 return CERT_STATUS_INVALID; |
| 192 | 199 |
| 193 const CFIndex properties_length = CFArrayGetCount(properties); | 200 const CFIndex properties_length = CFArrayGetCount(properties); |
| 194 if (properties_length == 0) | 201 if (properties_length == 0) |
| 195 return CERT_STATUS_INVALID; | 202 return CERT_STATUS_INVALID; |
| 196 | 203 |
| 197 CFBundleRef bundle = | 204 CFBundleRef bundle = |
| 198 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.Security")); | 205 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.Security")); |
| 199 CFStringRef date_string = | 206 CFStringRef date_string = |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 221 } else if (CFEqual(error, weak_error)) { | 228 } else if (CFEqual(error, weak_error)) { |
| 222 reason |= CERT_STATUS_WEAK_KEY; | 229 reason |= CERT_STATUS_WEAK_KEY; |
| 223 } else { | 230 } else { |
| 224 reason |= CERT_STATUS_INVALID; | 231 reason |= CERT_STATUS_INVALID; |
| 225 } | 232 } |
| 226 } | 233 } |
| 227 | 234 |
| 228 return reason; | 235 return reason; |
| 229 } | 236 } |
| 230 | 237 |
| 231 } // namespace | |
| 232 | |
| 233 CertVerifyProcIOS::CertVerifyProcIOS() {} | |
| 234 | |
| 235 CertVerifyProcIOS::~CertVerifyProcIOS() {} | |
| 236 | |
| 237 bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const { | 238 bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const { |
| 238 return false; | 239 return false; |
| 239 } | 240 } |
| 240 | 241 |
| 241 bool CertVerifyProcIOS::SupportsOCSPStapling() const { | 242 bool CertVerifyProcIOS::SupportsOCSPStapling() const { |
| 242 return false; | 243 return false; |
| 243 } | 244 } |
| 244 | 245 |
| 245 int CertVerifyProcIOS::VerifyInternal( | 246 int CertVerifyProcIOS::VerifyInternal( |
| 246 X509Certificate* cert, | 247 X509Certificate* cert, |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 271 | 272 |
| 272 // TODO(sleevi): Support CRLSet revocation. | 273 // TODO(sleevi): Support CRLSet revocation. |
| 273 switch (trust_result) { | 274 switch (trust_result) { |
| 274 case kSecTrustResultUnspecified: | 275 case kSecTrustResultUnspecified: |
| 275 case kSecTrustResultProceed: | 276 case kSecTrustResultProceed: |
| 276 break; | 277 break; |
| 277 case kSecTrustResultDeny: | 278 case kSecTrustResultDeny: |
| 278 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; | 279 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
| 279 break; | 280 break; |
| 280 default: | 281 default: |
| 281 ScopedCFTypeRef<CFArrayRef> properties(SecTrustCopyProperties(trust_ref)); | 282 verify_result->cert_status |= GetCertFailureStatusFromTrust(trust_ref); |
| 282 verify_result->cert_status |= GetFailureFromTrustProperties(properties); | |
| 283 } | 283 } |
| 284 | 284 |
| 285 GetCertChainInfo(final_chain, verify_result); | 285 GetCertChainInfo(final_chain, verify_result); |
| 286 | 286 |
| 287 // Perform hostname verification independent of SecTrustEvaluate. | 287 // Perform hostname verification independent of SecTrustEvaluate. |
| 288 if (!verify_result->verified_cert->VerifyNameMatch( | 288 if (!verify_result->verified_cert->VerifyNameMatch( |
| 289 hostname, &verify_result->common_name_fallback_used)) { | 289 hostname, &verify_result->common_name_fallback_used)) { |
| 290 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 290 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 291 } | 291 } |
| 292 | 292 |
| 293 verify_result->is_issued_by_known_root = false; | 293 verify_result->is_issued_by_known_root = false; |
| 294 | 294 |
| 295 if (IsCertStatusError(verify_result->cert_status)) | 295 if (IsCertStatusError(verify_result->cert_status)) |
| 296 return MapCertStatusToNetError(verify_result->cert_status); | 296 return MapCertStatusToNetError(verify_result->cert_status); |
| 297 | 297 |
| 298 return OK; | 298 return OK; |
| 299 } | 299 } |
| 300 | 300 |
| 301 } // namespace net | 301 } // namespace net |
| OLD | NEW |
