Unified Diff: net/tools/cert_verify_tool/verify_using_path_builder.cc

Issue 2225493003: Don't treat trust anchors as certificates during path building. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: address moar feedback Created 4 years, 4 months ago
Index: net/tools/cert_verify_tool/verify_using_path_builder.cc
diff --git a/net/tools/cert_verify_tool/verify_using_path_builder.cc b/net/tools/cert_verify_tool/verify_using_path_builder.cc
index 2520e6d0a5308762ad86b9fcfb9f04b6957bbace..bdfa120b2e94b4d151fe49901969e27ab9d828a6 100644
--- a/net/tools/cert_verify_tool/verify_using_path_builder.cc
+++ b/net/tools/cert_verify_tool/verify_using_path_builder.cc
@@ -49,21 +49,34 @@ net::der::GeneralizedTime ConvertExplodedTime(
return result;
}
+bool AddPemEncodedCert(const net::ParsedCertificate* cert,
+ std::vector<std::string>* pem_encoded_chain) {
+ std::string der_cert;
+ cert->der_cert().AsStringPiece().CopyToString(&der_cert);
+ std::string pem;
+ if (!net::X509Certificate::GetPEMEncodedFromDER(der_cert, &pem)) {
+ std::cerr << "ERROR: GetPEMEncodedFromDER failed\n";
+ return false;
+ }
+ pem_encoded_chain->push_back(pem);
+ return true;
+}
+
// Dumps a chain of ParsedCertificate objects to a PEM file.
-bool DumpParsedCertificateChain(
- const base::FilePath& file_path,
- const std::vector<scoped_refptr<net::ParsedCertificate>>& chain) {
+bool DumpParsedCertificateChain(const base::FilePath& file_path,
+ const net::CertPath& chain) {
std::vector<std::string> pem_encoded_chain;
- for (const auto& cert : chain) {
- std::string der_cert;
- cert->der_cert().AsStringPiece().CopyToString(&der_cert);
- std::string pem;
- if (!net::X509Certificate::GetPEMEncodedFromDER(der_cert, &pem)) {
- std::cerr << "ERROR: GetPEMEncodedFromDER failed\n";
+ for (const auto& cert : chain.certs) {
+ if (!AddPemEncodedCert(cert.get(), &pem_encoded_chain))
return false;
- }
- pem_encoded_chain.push_back(pem);
}
+
+ if (chain.trust_anchor && chain.trust_anchor->cert()) {
+ if (!AddPemEncodedCert(chain.trust_anchor->cert().get(),
+ &pem_encoded_chain))
+ return false;
+ }
+
return WriteToFile(file_path, base::JoinString(pem_encoded_chain, ""));
}
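Review bot: The new helper AddPemEncodedCert dereferences `cert` unconditionally and carries no header comment stating that precondition, while its second caller (the trust-anchor branch) does guard against a null certificate, so the contract is only implicit. I'd add above it `// Appends the PEM encoding of |cert| to |pem_encoded_chain|. |cert| must be non-null; returns false and logs to stderr if PEM encoding fails.` and make the push `pem_encoded_chain->push_back(std::move(pem));` since `pem` is not used afterwards. The dump now also silently omits a trust anchor that has no certificate, and a reader of the PEM file cannot tell the anchor apart from the built chain; the comment on DumpParsedCertificateChain could say `// The trust anchor's certificate, if any, is written last; anchors without a certificate are not represented in the file.`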
@@ -73,10 +86,9 @@ std::string FingerPrintParsedCertificate(const net::ParsedCertificate* cert) {
return base::HexEncode(hash.data(), hash.size());
}
-// Returns a textual representation of the Subject of |cert|.
-std::string SubjectFromParsedCertificate(const net::ParsedCertificate* cert) {
+std::string SubjectToString(const net::der::Input& subject_tlv) {
net::RDNSequence subject, issuer;
- if (!net::ParseName(cert->tbs().subject_tlv, &subject))
+ if (!net::ParseName(subject_tlv, &subject))
return std::string();
std::string subject_str;
if (!net::ConvertToRFC2253(subject, &subject_str))
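Review bot: SubjectToString is a new function with no documentation, because the old "Returns a textual representation of the Subject of |cert|" comment moved to the wrapper; the contract of returning an empty string on parse or conversion failure is worth stating since callers print the result directly. I'd add `// Returns the RFC 2253 string form of the Name |subject_tlv|, or an empty string if it cannot be parsed or converted.` The local `issuer` on the `net::RDNSequence subject, issuer;` line appears unused in the visible body and could be dropped while the function is being reshaped, though its body continues into the next hunk so I cannot confirm that from here.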
@@ -84,6 +96,11 @@ std::string SubjectFromParsedCertificate(const net::ParsedCertificate* cert) {
return subject_str;
}
+// Returns a textual representation of the Subject of |cert|.
+std::string SubjectFromParsedCertificate(const net::ParsedCertificate* cert) {
+ return SubjectToString(cert->tbs().subject_tlv);
+}
+
} // namespace
// Verifies |target_der_cert| using CertPathBuilder.
@@ -108,8 +125,10 @@ bool VerifyUsingPathBuilder(
{});
if (!cert)
PrintCertError("ERROR: ParsedCertificate failed:", der_cert);
- else
- trust_store.AddTrustedCertificate(cert);
+ else {
+ trust_store.AddTrustAnchor(
+ net::TrustAnchor::CreateFromCertificateNoConstraints(cert));
+ }
}
net::CertIssuerSourceStatic intermediate_cert_issuer_source;
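Review bot: The switch to `net::TrustAnchor::CreateFromCertificateNoConstraints(cert)` changes what the tool verifies — any constraints carried by the root certificate itself (name constraints, path length, etc.) are no longer applied to the built path — and nothing in the hunk records that this is intentional. A one-line comment on the call, e.g. `// Roots are trusted without enforcing their own extensions; constraints from the root certificate are intentionally not applied to the path.`, would keep a future reader from treating it as an oversight, and if the intent is to mirror the production verifier that is worth saying too. The enclosing function VerifyUsingPathBuilder starts before this hunk. Minor style: the `if` branch on the line above has no braces while the new `else` branch does; Chromium style keeps both sides consistent.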
@@ -172,10 +191,21 @@ bool VerifyUsingPathBuilder(
std::cout << "path " << i << " "
<< net::ErrorToShortString(result.paths[i]->error)
<< ((result.best_result_index == i) ? " (best)" : "") << "\n";
- for (const auto& cert : result.paths[i]->path) {
+ for (const auto& cert : result.paths[i]->path.certs) {
std::cout << " " << FingerPrintParsedCertificate(cert.get()) << " "
<< SubjectFromParsedCertificate(cert.get()) << "\n";
}
+
+ const auto& trust_anchor = result.paths[i]->path.trust_anchor;
+ if (trust_anchor) {
+ std::string trust_anchor_cert_fingerprint = "<no cert>";
+ if (trust_anchor->cert()) {
+ trust_anchor_cert_fingerprint =
+ FingerPrintParsedCertificate(trust_anchor->cert().get());
+ }
+ std::cout << " " << trust_anchor_cert_fingerprint << " "
+ << SubjectToString(trust_anchor->normalized_subject()) << "\n";
+ }
}
// TODO(mattm): add flag to dump all paths, not just the final one?
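Review bot: The trust-anchor line is printed with the same indentation and layout as the path certificates, so in the tool's output it is indistinguishable from a chain entry; appending a marker such as `<< " (trust anchor)"` before the `"\n"` would make the distinction the CL introduces visible to the user. The subject for path certificates comes from `cert->tbs().subject_tlv` while the anchor's comes from `trust_anchor->normalized_subject()`, so the same certificate could plausibly print differently in the two positions if normalization alters the encoding — when `trust_anchor->cert()` is present, using that certificate's subject_tlv would keep the rendering consistent. The enclosing loop and function continue outside the hunk.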