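--- a/net/cert/x509_util_mac.cc
+++ b/net/cert/x509_util_mac.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_util_mac.h"
 
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/strings/sys_string_conversions.h"
@@ -70,92 +70,115 @@
 *policy = SecPolicyCreateSSL(true /* server */, hostname_cfstring.get());
 return *policy ? noErr : errSecNoPolicyModule;
 }
 
 OSStatus CreateBasicX509Policy(SecPolicyRef* policy) {
 *policy = SecPolicyCreateBasicX509();
 return *policy ? noErr : errSecNoPolicyModule;
 }
 
 OSStatus CreateRevocationPolicies(bool enable_revocation_checking,
-bool enable_ev_checking,
 CFMutableArrayRef policies) {
+if (base::mac::IsAtLeastOS10_12()) {
+// SecPolicyCreateRevocation is only on 10.9 or newer. This pragma stops
+// clang from complaining about it.
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunguarded-availability"
+// On Sierra, it's not possible to disable network revocation checking
+// without also breaking AIA. If revocation checking isn't explicitly
+// enabled, just don't add a revocation policy.
+if (!enable_revocation_checking)
+return noErr;
+
+// If revocation checking is requested, enable checking and require positive
+// results. Note that this will fail if there are certs with no
+// CRLDistributionPoints or OCSP AIA urls, which differs from the behavior
+// of |enable_revocation_checking| on pre-10.12. There does not appear to be
+// a way around this, but it shouldn't matter much in practice since
+// revocation checking is generally used with EV certs, where it is expected
+// that all certs include revocation mechanisms.
+SecPolicyRef revocation_policy =
+SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod |
+kSecRevocationRequirePositiveResponse);
+
+if (!revocation_policy)
+return errSecNoPolicyModule;
+CFArrayAppendValue(policies, revocation_policy);
+CFRelease(revocation_policy);
+#pragma clang diagnostic pop
+return noErr;
+}
 OSStatus status = noErr;
 
 // In order to bypass the system revocation checking settings, the
 // SecTrustRef must have at least one revocation policy associated with it.
 // Since it is not known prior to verification whether the Apple TP will
 // consider a certificate as an EV candidate, the default policy used is a
 // CRL policy, since it does not communicate over the network.
 // If the TP believes the leaf is an EV cert, it will explicitly add an
 // OCSP policy to perform the online checking, and if it doesn't believe
 // that the leaf is EV, then the default CRL policy will effectively no-op.
 // This behaviour is used to implement EV-only revocation checking.
-if (enable_ev_checking || enable_revocation_checking) {
+if (enable_revocation_checking) {
 CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options;
 memset(&tp_crl_options, 0, sizeof(tp_crl_options));
 tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
 // Only allow network CRL fetches if the caller explicitly requests
 // online revocation checking. Note that, as of OS X 10.7.2, the system
 // will set force this flag on according to system policies, so
 // online revocation checks cannot be completely disabled.
 // Starting with OS X 10.12, if a CRL policy is added without the
 // FETCH_CRL_FROM_NET flag, AIA fetching is disabled.
-if (enable_revocation_checking || base::mac::IsAtLeastOS10_12())
-tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
+tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
 
 SecPolicyRef crl_policy;
 status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options,
 sizeof(tp_crl_options), &crl_policy);
 if (status)
 return status;
 CFArrayAppendValue(policies, crl_policy);
 CFRelease(crl_policy);
 }
 
 // If revocation checking is explicitly enabled, then add an OCSP policy
-// and allow network access. If both revocation checking and EV checking
-// are disabled, then the added OCSP policy will be prevented from
+// and allow network access. If both revocation checking is
+// disabled, then the added OCSP policy will be prevented from
 // accessing the network. This is done because the TP will force an OCSP
-// policy to be present when it believes the certificate is EV. If network
-// fetching was not explicitly disabled, then it would be as if
-// enable_ev_checking was always set to true.
-if (enable_revocation_checking || !enable_ev_checking) {
-CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options;
-memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
-tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+// policy to be present when it believes the certificate is EV.
+CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options;
+memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
+tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
 
 if (enable_revocation_checking) {
 // The default for the OCSP policy is to fetch responses via the network,
 // unlike the CRL policy default. The policy is further modified to
 // prefer OCSP over CRLs, if both are specified on the certificate. This
 // is because an OCSP response is both sufficient and typically
 // significantly smaller than the CRL counterpart.
 tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
 } else {
 // Effectively disable OCSP checking by making it impossible to get an
 // OCSP response. Even if the Apple TP forces OCSP, no checking will
 // be able to succeed. If this happens, the Apple TP will report an error
 // that OCSP was unavailable, but this will be handled and suppressed in
 // X509Certificate::Verify().
 tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET |
 CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE;
 }
 
 SecPolicyRef ocsp_policy;
 status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, &tp_ocsp_options,
 sizeof(tp_ocsp_options), &ocsp_policy);
 if (status)
 return status;
 CFArrayAppendValue(policies, ocsp_policy);
 CFRelease(ocsp_policy);
-}
 
 return status;
 }
 
 CSSMFieldValue::CSSMFieldValue()
 : cl_handle_(CSSM_INVALID_HANDLE),
 oid_(NULL),
 field_(NULL) {
 }
 CSSMFieldValue::CSSMFieldValue(CSSM_CL_HANDLE cl_handle,
@@ -229,10 +252,10 @@
 CSSM_CL_CertAbortQuery(cl_handle_, results_handle);
 field->Reset(cl_handle_, oid, field_ptr);
 return CSSM_OK;
 }
 
 } // namespace x509_util
 
 #pragma clang diagnostic pop // "-Wdeprecated-declarations"
 
 } // namespace net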
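Review bot: The early return at new lines 89–90 leaves the trust evaluation with no revocation policy at all on 10.12+, and the comment a few lines below (new 112–113) says that is exactly the condition under which the system's revocation settings are not bypassed, so with checking disabled the OS may still perform network OCSP/CRL fetches; the comment at 86–88 should spell that out, e.g. `// ... so the system's default revocation behaviour (which may include network fetches) applies instead.` Several comments left over from the EV-only mode no longer describe the code beneath them: new 116 still says the CRL policy "does not communicate over the network" although new 131 now sets `CSSM_TP_ACTION_FETCH_CRL_FROM_NET` unconditionally, and new 120 still refers to "EV-only revocation checking" although `enable_ev_checking` has been removed from the signature at 79–80. New 129–130 describe 10.12 behaviour inside a branch the early return makes unreachable on 10.12, and new 143–144 now read `If both revocation checking is` / `disabled, ...`, which should become `If revocation checking is disabled,`. The declaration of CreateRevocationPolicies in x509_util_mac.h and its callers are outside this page; presumably they drop the removed parameter in the same change.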