Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(167)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/verify_certificate_chain.cc

Issue 2289363004: Add error information to VerifySignedData(). (Closed)
Patch Set: rebase onto origin/master Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/internal/verify_certificate_chain.h ('k') | net/cert/internal/verify_signed_data.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/verify_certificate_chain.h" 5 #include "net/cert/internal/verify_certificate_chain.h"
6 6
7 #include <memory> 7 #include <memory>
8 8
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "net/cert/internal/cert_errors.h" 10 #include "net/cert/internal/cert_errors.h"
(...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after
153 153
154 // Verify the digital signature using the previous certificate's key (RFC 154 // Verify the digital signature using the previous certificate's key (RFC
155 // 5280 section 6.1.3 step a.1). 155 // 5280 section 6.1.3 step a.1).
156 if (!cert.has_valid_supported_signature_algorithm()) { 156 if (!cert.has_valid_supported_signature_algorithm()) {
157 errors->AddWith1DerParam(kInvalidOrUnsupportedAlgorithm, 157 errors->AddWith1DerParam(kInvalidOrUnsupportedAlgorithm,
158 cert.signature_algorithm_tlv()); 158 cert.signature_algorithm_tlv());
159 return false; 159 return false;
160 } 160 }
161 161
162 if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(), 162 if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
163 cert.signature_value(), working_spki, 163 cert.signature_value(), working_spki, signature_policy,
164 signature_policy)) { 164 errors)) {
165 errors->Add(kSignatureVerificationFailed); 165 errors->Add(kVerifySignedDataFailed);
166 return false; 166 return false;
167 } 167 }
168 168
169 // Check the time range for the certificate's validity, ensuring it is valid 169 // Check the time range for the certificate's validity, ensuring it is valid
170 // at |time|. 170 // at |time|.
171 // (RFC 5280 section 6.1.3 step a.2) 171 // (RFC 5280 section 6.1.3 step a.2)
172 if (!VerifyTimeValidity(cert, time, errors)) 172 if (!VerifyTimeValidity(cert, time, errors))
173 return false; 173 return false;
174 174
175 // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3) 175 // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3)
(...skipping 401 matching lines...) Expand 10 before | Expand all | Expand 10 after
577 DEFINE_CERT_ERROR_TYPE(kKeyCertSignBitNotSet, "keyCertSign bit is not set"); 577 DEFINE_CERT_ERROR_TYPE(kKeyCertSignBitNotSet, "keyCertSign bit is not set");
578 DEFINE_CERT_ERROR_TYPE(kMaxPathLengthViolated, "max_path_length reached"); 578 DEFINE_CERT_ERROR_TYPE(kMaxPathLengthViolated, "max_path_length reached");
579 DEFINE_CERT_ERROR_TYPE(kBasicConstraintsIndicatesNotCa, 579 DEFINE_CERT_ERROR_TYPE(kBasicConstraintsIndicatesNotCa,
580 "Basic Constraints indicates not a CA"); 580 "Basic Constraints indicates not a CA");
581 DEFINE_CERT_ERROR_TYPE(kMissingBasicConstraints, 581 DEFINE_CERT_ERROR_TYPE(kMissingBasicConstraints,
582 "Does not have Basic Constraints"); 582 "Does not have Basic Constraints");
583 DEFINE_CERT_ERROR_TYPE(kNotPermittedByNameConstraints, 583 DEFINE_CERT_ERROR_TYPE(kNotPermittedByNameConstraints,
584 "Not permitted by name constraints"); 584 "Not permitted by name constraints");
585 DEFINE_CERT_ERROR_TYPE(kSubjectDoesNotMatchIssuer, 585 DEFINE_CERT_ERROR_TYPE(kSubjectDoesNotMatchIssuer,
586 "subject does not match issuer"); 586 "subject does not match issuer");
587 DEFINE_CERT_ERROR_TYPE(kSignatureVerificationFailed, 587 DEFINE_CERT_ERROR_TYPE(kVerifySignedDataFailed, "VerifySignedData failed");
588 "Signature verification failed");
589 DEFINE_CERT_ERROR_TYPE(kValidityFailedNotAfter, "Time is after notAfter"); 588 DEFINE_CERT_ERROR_TYPE(kValidityFailedNotAfter, "Time is after notAfter");
590 DEFINE_CERT_ERROR_TYPE(kValidityFailedNotBefore, "Time is before notBefore"); 589 DEFINE_CERT_ERROR_TYPE(kValidityFailedNotBefore, "Time is before notBefore");
591 DEFINE_CERT_ERROR_TYPE(kSignatureAlgorithmsDifferentEncoding, 590 DEFINE_CERT_ERROR_TYPE(kSignatureAlgorithmsDifferentEncoding,
592 "Certificate.signatureAlgorithm is encoded differently " 591 "Certificate.signatureAlgorithm is encoded differently "
593 "than TBSCertificate.signature"); 592 "than TBSCertificate.signature");
594 593
595 } // verify_certificate_chain_errors 594 } // verify_certificate_chain_errors
596 595
597 } // namespace net 596 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/internal/verify_certificate_chain.h ('k') | net/cert/internal/verify_signed_data.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698