Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
| 6 | 6 |
| 7 #include "net/cert/internal/parsed_certificate.h" | 7 #include "net/cert/internal/parsed_certificate.h" |
| 8 #include "net/cert/internal/signature_policy.h" | 8 #include "net/cert/internal/signature_policy.h" |
| 9 #include "net/cert/internal/trust_store.h" | 9 #include "net/cert/internal/trust_store.h" |
| 10 #include "net/der/input.h" | 10 #include "net/der/input.h" |
| 46 | 46 |
| 47 class VerifyCertificateChainPkitsTestDelegate { | 47 class VerifyCertificateChainPkitsTestDelegate { |
| 48 public: | 48 public: |
| 49 static bool Verify(std::vector<std::string> cert_ders, | 49 static bool Verify(std::vector<std::string> cert_ders, |
| 50 std::vector<std::string> crl_ders) { | 50 std::vector<std::string> crl_ders) { |
| 51 if (cert_ders.empty()) { | 51 if (cert_ders.empty()) { |
| 52 ADD_FAILURE() << "cert_ders is empty"; | 52 ADD_FAILURE() << "cert_ders is empty"; |
| 53 return false; | 53 return false; |
| 54 } | 54 } |
| 55 | 55 |
| 56 // PKITS lists chains from trust anchor to target, VerifyCertificateChain | 56 // PKITS lists chains from trust anchor to target, VerifyCertificateChainXXX |
|
mattm
2016/08/09 00:59:21
?
eroman
2016/08/09 01:37:20
Fixed
(Left over note, thanks for spotting).
| |
| 57 // takes them starting with the target and not including the trust anchor. | 57 // takes them starting with the target and not including the trust anchor. |
| 58 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; | 58 std::vector<scoped_refptr<net::ParsedCertificate>> input_chain; |
| 59 for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { | 59 for (auto i = cert_ders.rbegin(); i != cert_ders.rend(); ++i) { |
| 60 if (!net::ParsedCertificate::CreateAndAddToVector( | 60 if (!net::ParsedCertificate::CreateAndAddToVector( |
| 61 reinterpret_cast<const uint8_t*>(i->data()), i->size(), | 61 reinterpret_cast<const uint8_t*>(i->data()), i->size(), |
| 62 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}, | 62 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}, |
| 63 &input_chain)) { | 63 &input_chain)) { |
| 64 ADD_FAILURE() << "cert failed to parse"; | 64 ADD_FAILURE() << "cert failed to parse"; |
| 65 return false; | 65 return false; |
| 66 } | 66 } |
| 67 } | 67 } |
| 68 | 68 |
| 69 TrustStore trust_store; | 69 auto trust_anchor = |
| 70 trust_store.AddTrustedCertificate(input_chain.back()); | 70 TrustAnchor::CreateFromCertificateNoConstraints(input_chain.back()); |
| 71 input_chain.pop_back(); | |
| 71 | 72 |
| 72 SimpleSignaturePolicy signature_policy(1024); | 73 SimpleSignaturePolicy signature_policy(1024); |
| 73 | 74 |
| 74 // Run all tests at the time the PKITS was published. | 75 // Run all tests at the time the PKITS was published. |
| 75 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; | 76 der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0}; |
| 76 | 77 |
| 77 return VerifyCertificateChainAssumingTrustedRoot(input_chain, trust_store, | 78 return VerifyCertificateChain(input_chain, trust_anchor.get(), |
| 78 &signature_policy, time); | 79 &signature_policy, time); |
| 79 } | 80 } |
| 80 }; | 81 }; |
| 81 | 82 |
| 82 } // namespace | 83 } // namespace |
| 83 | 84 |
| 84 class PkitsTest01SignatureVerificationCustom | 85 class PkitsTest01SignatureVerificationCustom |
| 85 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; | 86 : public PkitsTest<VerifyCertificateChainPkitsTestDelegate> {}; |
| 86 | 87 |
| 87 // Modified version of 4.1.4 Valid DSA Signatures Test4 | 88 // Modified version of 4.1.4 Valid DSA Signatures Test4 |
| 88 TEST_F(PkitsTest01SignatureVerificationCustom, | 89 TEST_F(PkitsTest01SignatureVerificationCustom, |
| 204 | 205 |
| 205 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, | 206 // TODO(mattm): CRL support: PkitsTest04BasicCertificateRevocationTests, |
| 206 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, | 207 // PkitsTest05VerifyingPathswithSelfIssuedCertificates, |
| 207 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs | 208 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs |
| 208 | 209 |
| 209 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, | 210 // TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies, |
| 210 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, | 211 // PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings, |
| 211 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy | 212 // PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy |
| 212 | 213 |
| 213 } // namespace net | 214 } // namespace net |
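Review bot: In the NEW side of `Verify()`, the result of `TrustAnchor::CreateFromCertificateNoConstraints(input_chain.back())` (new lines 69-70) is passed to `VerifyCertificateChain` as `trust_anchor.get()` (new line 78) without a null check, and after `input_chain.pop_back()` (new line 71) a one-certificate `cert_ders` leaves `input_chain` empty. Whether the factory can return null, and whether `VerifyCertificateChain` rejects a null anchor or an empty chain, is not visible on this page. The delegate should therefore fail explicitly instead of depending on it, with `if (!trust_anchor || input_chain.empty()) { ADD_FAILURE() << "missing trust anchor or empty chain"; return false; }` placed right after the `pop_back()`. A short comment next to the factory call saying why the no-constraints variant is the intended one for these test vectors would also help the next reader.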