| Index: net/cert/internal/verify_certificate_chain.cc
|
| diff --git a/net/cert/internal/verify_certificate_chain.cc b/net/cert/internal/verify_certificate_chain.cc
|
| index ee379fd75b1473f7e0bb4a143519fdd67727a6d2..7bd928bc0c6696adb18ae4606e0dc7668cb3f0cc 100644
|
| --- a/net/cert/internal/verify_certificate_chain.cc
|
| +++ b/net/cert/internal/verify_certificate_chain.cc
|
| @@ -103,15 +103,9 @@ WARN_UNUSED_RESULT bool VerifySignatureAlgorithmsMatch(
|
|
|
| // This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
|
| // Processing" procedure.
|
| -//
|
| -// |skip_issuer_checks| controls whether the function will skip:
|
| -// - Checking that |cert|'s signature using |working_spki|
|
| -// - Checkinging that |cert|'s issuer matches |working_normalized_issuer_name|
|
| -// This should be set to true only when verifying a trusted root certificate.
|
| WARN_UNUSED_RESULT bool BasicCertificateProcessing(
|
| const ParsedCertificate& cert,
|
| bool is_target_cert,
|
| - bool skip_issuer_checks,
|
| const SignaturePolicy* signature_policy,
|
| const der::GeneralizedTime& time,
|
| const der::Input& working_spki,
|
| @@ -125,13 +119,11 @@ WARN_UNUSED_RESULT bool BasicCertificateProcessing(
|
|
|
| // Verify the digital signature using the previous certificate's key (RFC
|
| // 5280 section 6.1.3 step a.1).
|
| - if (!skip_issuer_checks) {
|
| - if (!cert.has_valid_supported_signature_algorithm() ||
|
| - !VerifySignedData(cert.signature_algorithm(),
|
| - cert.tbs_certificate_tlv(), cert.signature_value(),
|
| - working_spki, signature_policy)) {
|
| - return false;
|
| - }
|
| + if (!cert.has_valid_supported_signature_algorithm() ||
|
| + !VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
|
| + cert.signature_value(), working_spki,
|
| + signature_policy)) {
|
| + return false;
|
| }
|
|
|
| // Check the time range for the certificate's validity, ensuring it is valid
|
| @@ -144,10 +136,8 @@ WARN_UNUSED_RESULT bool BasicCertificateProcessing(
|
|
|
| // Verify the certificate's issuer name matches the issuing certificate's
|
| // subject name. (RFC 5280 section 6.1.3 step a.4)
|
| - if (!skip_issuer_checks) {
|
| - if (cert.normalized_issuer() != working_normalized_issuer_name)
|
| - return false;
|
| - }
|
| + if (cert.normalized_issuer() != working_normalized_issuer_name)
|
| + return false;
|
|
|
| // Name constraints (RFC 5280 section 6.1.3 step b & c)
|
| // If certificate i is self-issued and it is not the final certificate in the
|
| @@ -337,24 +327,15 @@ WARN_UNUSED_RESULT bool WrapUp(const ParsedCertificate& cert) {
|
|
|
| // This implementation is structured to mimic the description of certificate
|
| // path verification given by RFC 5280 section 6.1.
|
| -//
|
| -// Unlike RFC 5280, the trust anchor is specified as the root certificate in
|
| -// the chain. This root certificate is assumed to be trusted, and neither its
|
| -// signature nor issuer name are verified. (It needn't be self-signed).
|
| -bool VerifyCertificateChainAssumingTrustedRoot(
|
| - const ParsedCertificateList& certs,
|
| - // The trust store is only used for assertions.
|
| - const TrustStore& trust_store,
|
| - const SignaturePolicy* signature_policy,
|
| - const der::GeneralizedTime& time) {
|
| +bool VerifyCertificateChain(const ParsedCertificateList& certs,
|
| + const TrustAnchor* trust_anchor,
|
| + const SignaturePolicy* signature_policy,
|
| + const der::GeneralizedTime& time) {
|
| // An empty chain is necessarily invalid.
|
| if (certs.empty())
|
| return false;
|
|
|
| - // IMPORTANT: the assumption being made is that the root certificate in
|
| - // the given path is the trust anchor (and has already been verified as
|
| - // such).
|
| - DCHECK(trust_store.IsTrustedCertificate(certs.back().get()));
|
| + // TODO(crbug.com/635200): Support anchor constraints.
|
|
|
| // Will contain a NameConstraints for each previous cert in the chain which
|
| // had nameConstraints. This corresponds to the permitted_subtrees and
|
| @@ -375,14 +356,15 @@ bool VerifyCertificateChainAssumingTrustedRoot(
|
| //
|
| // working_public_key: the public key used to verify the
|
| // signature of a certificate.
|
| - der::Input working_spki;
|
| + der::Input working_spki = trust_anchor->spki();
|
|
|
| // |working_normalized_issuer_name| is the normalized value of the
|
| // working_issuer_name variable in RFC 5280 section 6.1.2:
|
| //
|
| // working_issuer_name: the issuer distinguished name expected
|
| // in the next certificate in the chain.
|
| - der::Input working_normalized_issuer_name;
|
| + der::Input working_normalized_issuer_name =
|
| + trust_anchor->normalized_subject();
|
|
|
| // |max_path_length| corresponds with the same named variable in RFC 5280
|
| // section 6.1.2:
|
| @@ -395,11 +377,12 @@ bool VerifyCertificateChainAssumingTrustedRoot(
|
| size_t max_path_length = certs.size();
|
|
|
| // Iterate over all the certificates in the reverse direction: starting from
|
| - // the trust anchor and progressing towards the target certificate.
|
| + // the certificate signed by trust anchor and progressing towards the target
|
| + // certificate.
|
| //
|
| // Note that |i| uses 0-based indexing whereas in RFC 5280 it is 1-based.
|
| //
|
| - // * i=0 : Trust anchor.
|
| + // * i=0 : Certificated signed by trust anchor.
|
| // * i=N-1 : Target certificate.
|
| for (size_t i = 0; i < certs.size(); ++i) {
|
| const size_t index_into_certs = certs.size() - i - 1;
|
| @@ -409,10 +392,6 @@ bool VerifyCertificateChainAssumingTrustedRoot(
|
| // end-entity certificate.
|
| const bool is_target_cert = index_into_certs == 0;
|
|
|
| - // |is_trust_anchor| is true if the current certificate is the trust
|
| - // anchor. This certificate is implicitly trusted.
|
| - const bool is_trust_anchor = i == 0;
|
| -
|
| const ParsedCertificate& cert = *certs[index_into_certs];
|
|
|
| // Per RFC 5280 section 6.1:
|
| @@ -420,10 +399,9 @@ bool VerifyCertificateChainAssumingTrustedRoot(
|
| // * If it is the last certificate in the path (target certificate)
|
| // - Then run "Wrap up"
|
| // - Otherwise run "Prepare for Next cert"
|
| - if (!BasicCertificateProcessing(cert, is_target_cert, is_trust_anchor,
|
| - signature_policy, time, working_spki,
|
| - working_normalized_issuer_name,
|
| - name_constraints_list)) {
|
| + if (!BasicCertificateProcessing(
|
| + cert, is_target_cert, signature_policy, time, working_spki,
|
| + working_normalized_issuer_name, name_constraints_list)) {
|
| return false;
|
| }
|
| if (!is_target_cert) {
|
|
|
Chromium Code Reviews
Issue 2225493003:
Don't treat trust anchors as certificates during path building. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master