| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/ev_root_ca_metadata.h" | 5 #include "net/cert/ev_root_ca_metadata.h" |
| 6 | 6 |
| 7 #if defined(USE_NSS_CERTS) | 7 #if defined(USE_NSS_CERTS) |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <pkcs11n.h> | 9 #include <pkcs11n.h> |
| 10 #include <secerr.h> | 10 #include <secerr.h> |
| 11 #include <secoid.h> | 11 #include <secoid.h> |
| 12 #elif defined(OS_WIN) | 12 #elif defined(OS_WIN) |
| 13 #include <stdlib.h> | 13 #include <stdlib.h> |
| 14 #endif | 14 #endif |
| 15 | 15 |
| 16 #include "base/lazy_instance.h" | 16 #include "base/lazy_instance.h" |
| 17 #include "base/logging.h" | 17 #include "base/logging.h" |
| 18 #if defined(USE_NSS_CERTS) | 18 #if defined(USE_NSS_CERTS) |
| 19 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 20 #elif defined(OS_MACOSX) |
| 21 #include "net/der/input.h" |
| 22 #include "third_party/boringssl/src/include/openssl/asn1.h" |
| 23 #include "third_party/boringssl/src/include/openssl/obj.h" |
| 20 #endif | 24 #endif |
| 21 | 25 |
| 22 namespace net { | 26 namespace net { |
| 23 | 27 |
| 24 #if defined(USE_NSS_CERTS) || defined(OS_WIN) | 28 #if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX) |
| 25 // Raw metadata. | 29 // Raw metadata. |
| 26 struct EVMetadata { | 30 struct EVMetadata { |
| 27 // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At | 31 // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At |
| 28 // least one CA has different EV policies for business vs government | 32 // least one CA has different EV policies for business vs government |
| 29 // entities and, in the case of cross-signing, we might need to list another | 33 // entities and, in the case of cross-signing, we might need to list another |
| 30 // CA's policy OID under the cross-signing root. | 34 // CA's policy OID under the cross-signing root. |
| 31 static const size_t kMaxOIDsPerCA = 2; | 35 static const size_t kMaxOIDsPerCA = 2; |
| 32 // This is the maximum length of an OID string (including the trailing NUL). | 36 // This is the maximum length of an OID string (including the trailing NUL). |
| 33 static const size_t kMaxOIDLength = 32; | 37 static const size_t kMaxOIDLength = 32; |
| 34 | 38 |
| (...skipping 666 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 701 } | 705 } |
| 702 | 706 |
| 703 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { | 707 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 704 ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint); | 708 ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint); |
| 705 if (it == extra_cas_.end()) | 709 if (it == extra_cas_.end()) |
| 706 return false; | 710 return false; |
| 707 extra_cas_.erase(it); | 711 extra_cas_.erase(it); |
| 708 return true; | 712 return true; |
| 709 } | 713 } |
| 710 | 714 |
| 715 #elif defined(OS_MACOSX) |
| 716 |
| 717 namespace { |
| 718 |
| 719 std::string OIDStringToDER(const char* policy) { |
| 720 bssl::UniquePtr<ASN1_OBJECT> obj( |
| 721 OBJ_txt2obj(policy, 1 /* dont_search_names */)); |
| 722 if (!obj) |
| 723 return std::string(); |
| 724 |
| 725 return std::string(reinterpret_cast<const char*>(obj->data), obj->length); |
| 726 } |
| 727 |
| 728 } // namespace |
| 729 |
| 730 bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { |
| 731 return policy_oids_.find(policy_oid.AsString()) != policy_oids_.end(); |
| 732 } |
| 733 |
| 734 bool EVRootCAMetadata::HasEVPolicyOID(const SHA1HashValue& fingerprint, |
| 735 PolicyOID policy_oid) const { |
| 736 PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint); |
| 737 if (iter == ev_policy_.end()) |
| 738 return false; |
| 739 for (const std::string& ev_oid : iter->second) { |
| 740 if (der::Input(&ev_oid) == policy_oid) |
| 741 return true; |
| 742 } |
| 743 return false; |
| 744 } |
| 745 |
| 746 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 747 const char* policy) { |
| 748 if (ev_policy_.find(fingerprint) != ev_policy_.end()) |
| 749 return false; |
| 750 |
| 751 std::string der_policy = OIDStringToDER(policy); |
| 752 if (der_policy.empty()) |
| 753 return false; |
| 754 |
| 755 ev_policy_[fingerprint].push_back(der_policy); |
| 756 policy_oids_.insert(der_policy); |
| 757 return true; |
| 758 } |
| 759 |
| 760 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 761 PolicyOIDMap::iterator it = ev_policy_.find(fingerprint); |
| 762 if (it == ev_policy_.end()) |
| 763 return false; |
| 764 std::string oid = it->second[0]; |
| 765 ev_policy_.erase(it); |
| 766 policy_oids_.erase(oid); |
| 767 return true; |
| 768 } |
| 769 |
| 711 #else | 770 #else |
| 712 | 771 |
| 713 // These are just stub functions for platforms where we don't use this EV | 772 // These are just stub functions for platforms where we don't use this EV |
| 714 // metadata. | 773 // metadata. |
| 715 | 774 |
| 716 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, | 775 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 717 const char* policy) { | 776 const char* policy) { |
| 718 return true; | 777 return true; |
| 719 } | 778 } |
| 720 | 779 |
| (...skipping 18 matching lines...) Expand all Loading... |
| 739 PolicyOID policy; | 798 PolicyOID policy; |
| 740 if (!RegisterOID(policy_oid, &policy)) { | 799 if (!RegisterOID(policy_oid, &policy)) { |
| 741 LOG(ERROR) << "Failed to register OID: " << policy_oid; | 800 LOG(ERROR) << "Failed to register OID: " << policy_oid; |
| 742 continue; | 801 continue; |
| 743 } | 802 } |
| 744 | 803 |
| 745 ev_policy_[metadata.fingerprint].push_back(policy); | 804 ev_policy_[metadata.fingerprint].push_back(policy); |
| 746 policy_oids_.insert(policy); | 805 policy_oids_.insert(policy); |
| 747 } | 806 } |
| 748 } | 807 } |
| 808 #elif defined(OS_MACOSX) |
| 809 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { |
| 810 const EVMetadata& metadata = ev_root_ca_metadata[i]; |
| 811 for (size_t j = 0; j < arraysize(metadata.policy_oids); j++) { |
| 812 if (metadata.policy_oids[j][0] == '\0') |
| 813 break; |
| 814 const char* policy_oid = metadata.policy_oids[j]; |
| 815 |
| 816 PolicyOID policy; |
| 817 std::string policy_der = OIDStringToDER(policy_oid); |
| 818 if (policy_der.empty()) { |
| 819 LOG(ERROR) << "Failed to register OID: " << policy_oid; |
| 820 continue; |
| 821 } |
| 822 |
| 823 ev_policy_[metadata.fingerprint].push_back(policy_der); |
| 824 policy_oids_.insert(policy_der); |
| 825 } |
| 826 } |
| 749 #endif | 827 #endif |
| 750 } | 828 } |
| 751 | 829 |
| 752 EVRootCAMetadata::~EVRootCAMetadata() { } | 830 EVRootCAMetadata::~EVRootCAMetadata() { } |
| 753 | 831 |
| 754 } // namespace net | 832 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2499083003:
Mac EV verification using Chrome methods rather than OS methods. (Closed)
