| OLD | NEW |
|---|
| 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_ios.h" | 5 #include "net/cert/cert_verify_proc_ios.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/mac/scoped_cftyperef.h" | 11 #include "base/mac/scoped_cftyperef.h" |
| 12 #include "crypto/sha2.h" | 12 #include "crypto/sha2.h" |
| 13 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
| 14 #include "net/cert/asn1_util.h" | 14 #include "net/cert/asn1_util.h" |
| 15 #include "net/cert/cert_verify_result.h" | 15 #include "net/cert/cert_verify_result.h" |
| 16 #include "net/cert/sec_trust_util.h" |
| 16 #include "net/cert/test_root_certs.h" | 17 #include "net/cert/test_root_certs.h" |
| 17 #include "net/cert/x509_certificate.h" | 18 #include "net/cert/x509_certificate.h" |
| 18 #include "net/ssl/openssl_ssl_util.h" | 19 #include "net/ssl/openssl_ssl_util.h" |
| 19 | 20 |
| 20 using base::ScopedCFTypeRef; | 21 using base::ScopedCFTypeRef; |
| 21 | 22 |
| 22 namespace net { | 23 namespace net { |
| 23 | 24 |
| 24 namespace { | 25 namespace { |
| 25 | 26 |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 165 } | 166 } |
| 166 if (!verified_cert) { | 167 if (!verified_cert) { |
| 167 NOTREACHED(); | 168 NOTREACHED(); |
| 168 return; | 169 return; |
| 169 } | 170 } |
| 170 | 171 |
| 171 verify_result->verified_cert = | 172 verify_result->verified_cert = |
| 172 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 173 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 173 } | 174 } |
| 174 | 175 |
| 175 // The iOS APIs don't expose an API-stable set of reasons for certificate | |
| 176 // validation failures. However, internally, the reason is tracked, and it's | |
| 177 // converted to user-facing localized strings. | |
| 178 // | |
| 179 // In the absence of a consistent API, convert the English strings to their | |
| 180 // localized counterpart, and then compare that with the error properties. If | |
| 181 // they're equal, it's a strong sign that this was the cause for the error. | |
| 182 // While this will break if/when iOS changes the contents of these strings, | |
| 183 // it's sufficient enough for now. | |
| 184 // | |
| 185 // TODO(rsleevi): https://crbug.com/601915 - Use a less brittle solution when | |
| 186 // possible. | |
| 187 CertStatus GetFailureFromTrustProperties(CFArrayRef properties) { | |
| 188 CertStatus reason = 0; | |
| 189 | |
| 190 if (!properties) | |
| 191 return CERT_STATUS_INVALID; | |
| 192 | |
| 193 const CFIndex properties_length = CFArrayGetCount(properties); | |
| 194 if (properties_length == 0) | |
| 195 return CERT_STATUS_INVALID; | |
| 196 | |
| 197 CFBundleRef bundle = | |
| 198 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.Security")); | |
| 199 CFStringRef date_string = | |
| 200 CFSTR("One or more certificates have expired or are not valid yet."); | |
| 201 ScopedCFTypeRef<CFStringRef> date_error(CFBundleCopyLocalizedString( | |
| 202 bundle, date_string, date_string, CFSTR("SecCertificate"))); | |
| 203 CFStringRef trust_string = CFSTR("Root certificate is not trusted."); | |
| 204 ScopedCFTypeRef<CFStringRef> trust_error(CFBundleCopyLocalizedString( | |
| 205 bundle, trust_string, trust_string, CFSTR("SecCertificate"))); | |
| 206 CFStringRef weak_string = | |
| 207 CFSTR("One or more certificates is using a weak key size."); | |
| 208 ScopedCFTypeRef<CFStringRef> weak_error(CFBundleCopyLocalizedString( | |
| 209 bundle, weak_string, weak_string, CFSTR("SecCertificate"))); | |
| 210 | |
| 211 for (CFIndex i = 0; i < properties_length; ++i) { | |
| 212 CFDictionaryRef dict = reinterpret_cast<CFDictionaryRef>( | |
| 213 const_cast<void*>(CFArrayGetValueAtIndex(properties, i))); | |
| 214 CFStringRef error = reinterpret_cast<CFStringRef>( | |
| 215 const_cast<void*>(CFDictionaryGetValue(dict, CFSTR("value")))); | |
| 216 | |
| 217 if (CFEqual(error, date_error)) { | |
| 218 reason |= CERT_STATUS_DATE_INVALID; | |
| 219 } else if (CFEqual(error, trust_error)) { | |
| 220 reason |= CERT_STATUS_AUTHORITY_INVALID; | |
| 221 } else if (CFEqual(error, weak_error)) { | |
| 222 reason |= CERT_STATUS_WEAK_KEY; | |
| 223 } else { | |
| 224 reason |= CERT_STATUS_INVALID; | |
| 225 } | |
| 226 } | |
| 227 | |
| 228 return reason; | |
| 229 } | |
| 230 | |
| 231 } // namespace | 176 } // namespace |
| 232 | 177 |
| 233 CertVerifyProcIOS::CertVerifyProcIOS() {} | 178 CertVerifyProcIOS::CertVerifyProcIOS() {} |
| 234 | 179 |
| 235 CertVerifyProcIOS::~CertVerifyProcIOS() {} | 180 CertVerifyProcIOS::~CertVerifyProcIOS() {} |
| 236 | 181 |
| 237 bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const { | 182 bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const { |
| 238 return false; | 183 return false; |
| 239 } | 184 } |
| 240 | 185 |
| (...skipping 30 matching lines...) Expand all Loading... |
| 271 | 216 |
| 272 // TODO(sleevi): Support CRLSet revocation. | 217 // TODO(sleevi): Support CRLSet revocation. |
| 273 switch (trust_result) { | 218 switch (trust_result) { |
| 274 case kSecTrustResultUnspecified: | 219 case kSecTrustResultUnspecified: |
| 275 case kSecTrustResultProceed: | 220 case kSecTrustResultProceed: |
| 276 break; | 221 break; |
| 277 case kSecTrustResultDeny: | 222 case kSecTrustResultDeny: |
| 278 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; | 223 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
| 279 break; | 224 break; |
| 280 default: | 225 default: |
| 281 ScopedCFTypeRef<CFArrayRef> properties(SecTrustCopyProperties(trust_ref)); | 226 verify_result->cert_status |= GetCertFailureStatusFromTrust(trust_ref); |
| 282 verify_result->cert_status |= GetFailureFromTrustProperties(properties); | |
| 283 } | 227 } |
| 284 | 228 |
| 285 GetCertChainInfo(final_chain, verify_result); | 229 GetCertChainInfo(final_chain, verify_result); |
| 286 | 230 |
| 287 // Perform hostname verification independent of SecTrustEvaluate. | 231 // Perform hostname verification independent of SecTrustEvaluate. |
| 288 if (!verify_result->verified_cert->VerifyNameMatch( | 232 if (!verify_result->verified_cert->VerifyNameMatch( |
| 289 hostname, &verify_result->common_name_fallback_used)) { | 233 hostname, &verify_result->common_name_fallback_used)) { |
| 290 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 234 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 291 } | 235 } |
| 292 | 236 |
| 293 verify_result->is_issued_by_known_root = false; | 237 verify_result->is_issued_by_known_root = false; |
| 294 | 238 |
| 295 if (IsCertStatusError(verify_result->cert_status)) | 239 if (IsCertStatusError(verify_result->cert_status)) |
| 296 return MapCertStatusToNetError(verify_result->cert_status); | 240 return MapCertStatusToNetError(verify_result->cert_status); |
| 297 | 241 |
| 298 return OK; | 242 return OK; |
| 299 } | 243 } |
| 300 | 244 |
| 301 } // namespace net | 245 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2225483002:
[ios] Removed CertVerifierBlockAdapter. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master