| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_nss.h" | 5 #include "net/cert/cert_verify_proc_nss.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include <cert.h> | 10 #include <cert.h> |
| (...skipping 746 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 757 #if defined(OS_IOS) | 757 #if defined(OS_IOS) |
| 758 // For iOS, the entire chain must be loaded into NSS's in-memory certificate | 758 // For iOS, the entire chain must be loaded into NSS's in-memory certificate |
| 759 // store. | 759 // store. |
| 760 x509_util_ios::NSSCertChain scoped_chain(cert); | 760 x509_util_ios::NSSCertChain scoped_chain(cert); |
| 761 CERTCertificate* cert_handle = scoped_chain.cert_handle(); | 761 CERTCertificate* cert_handle = scoped_chain.cert_handle(); |
| 762 #else | 762 #else |
| 763 CERTCertificate* cert_handle = cert->os_cert_handle(); | 763 CERTCertificate* cert_handle = cert->os_cert_handle(); |
| 764 #endif // defined(OS_IOS) | 764 #endif // defined(OS_IOS) |
| 765 | 765 |
| 766 // Make sure that the hostname matches with the common name of the cert. | 766 // Make sure that the hostname matches with the common name of the cert. |
| 767 SECStatus status = CERT_VerifyCertName(cert_handle, hostname.c_str()); | 767 if (!cert->VerifyNameMatch(hostname)) |
| 768 if (status != SECSuccess) | |
| 769 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 768 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 770 | 769 |
| 771 // Make sure that the cert is valid now. | 770 // Make sure that the cert is valid now. |
| 772 SECCertTimeValidity validity = CERT_CheckCertValidTimes( | 771 SECCertTimeValidity validity = CERT_CheckCertValidTimes( |
| 773 cert_handle, PR_Now(), PR_TRUE); | 772 cert_handle, PR_Now(), PR_TRUE); |
| 774 if (validity != secCertTimeValid) | 773 if (validity != secCertTimeValid) |
| 775 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; | 774 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; |
| 776 | 775 |
| 777 CERTValOutParam cvout[3]; | 776 CERTValOutParam cvout[3]; |
| 778 int cvout_index = 0; | 777 int cvout_index = 0; |
| (...skipping 19 matching lines...) Expand all Loading... |
| 798 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); | 797 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); |
| 799 if (check_revocation) | 798 if (check_revocation) |
| 800 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 799 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 801 | 800 |
| 802 ScopedCERTCertList trust_anchors; | 801 ScopedCERTCertList trust_anchors; |
| 803 if (SupportsAdditionalTrustAnchors() && !additional_trust_anchors.empty()) { | 802 if (SupportsAdditionalTrustAnchors() && !additional_trust_anchors.empty()) { |
| 804 trust_anchors.reset( | 803 trust_anchors.reset( |
| 805 CertificateListToCERTCertList(additional_trust_anchors)); | 804 CertificateListToCERTCertList(additional_trust_anchors)); |
| 806 } | 805 } |
| 807 | 806 |
| 808 status = PKIXVerifyCert(cert_handle, check_revocation, false, | 807 SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false, |
| 809 cert_io_enabled, NULL, 0, trust_anchors.get(), | 808 cert_io_enabled, NULL, 0, |
| 810 cvout); | 809 trust_anchors.get(), cvout); |
| 811 | 810 |
| 812 if (status == SECSuccess && | 811 if (status == SECSuccess && |
| 813 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) && | 812 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) && |
| 814 !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) { | 813 !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) { |
| 815 // TODO(rsleevi): Optimize this by supplying the constructed chain to | 814 // TODO(rsleevi): Optimize this by supplying the constructed chain to |
| 816 // libpkix via cvin. Omitting for now, due to lack of coverage in upstream | 815 // libpkix via cvin. Omitting for now, due to lack of coverage in upstream |
| 817 // NSS tests for that feature. | 816 // NSS tests for that feature. |
| 818 scoped_cvout.Clear(); | 817 scoped_cvout.Clear(); |
| 819 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 818 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 820 status = PKIXVerifyCert(cert_handle, true, true, | 819 status = PKIXVerifyCert(cert_handle, true, true, |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 883 if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata, | 882 if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata, |
| 884 ev_policy_oid, trust_anchors.get())) { | 883 ev_policy_oid, trust_anchors.get())) { |
| 885 verify_result->cert_status |= CERT_STATUS_IS_EV; | 884 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 886 } | 885 } |
| 887 } | 886 } |
| 888 | 887 |
| 889 return OK; | 888 return OK; |
| 890 } | 889 } |
| 891 | 890 |
| 892 } // namespace net | 891 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 22893021:
Normalize certificate name verification across all platforms (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src