| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_openssl.h" | 5 #include "net/cert/cert_verify_proc_openssl.h" |
| 6 | 6 |
| 7 #include <openssl/x509v3.h> | 7 #include <openssl/x509v3.h> |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 84 case X509_V_ERR_APPLICATION_VERIFICATION: | 84 case X509_V_ERR_APPLICATION_VERIFICATION: |
| 85 return CERT_STATUS_INVALID; | 85 return CERT_STATUS_INVALID; |
| 86 default: | 86 default: |
| 87 NOTREACHED() << "Invalid X509 err " << err; | 87 NOTREACHED() << "Invalid X509 err " << err; |
| 88 return CERT_STATUS_INVALID; | 88 return CERT_STATUS_INVALID; |
| 89 } | 89 } |
| 90 } | 90 } |
| 91 | 91 |
| 92 // sk_X509_free is a function-style macro, so can't be used as a template | 92 // sk_X509_free is a function-style macro, so can't be used as a template |
| 93 // param directly. | 93 // param directly. |
| 94 void sk_X509_free_fn(STACK_OF(X509)* st) { | 94 void sk_X509_free_fn(STACK_OF(X509) * st) { |
| 95 sk_X509_free(st); | 95 sk_X509_free(st); |
| 96 } | 96 } |
| 97 | 97 |
| 98 void GetCertChainInfo(X509_STORE_CTX* store_ctx, | 98 void GetCertChainInfo(X509_STORE_CTX* store_ctx, |
| 99 CertVerifyResult* verify_result) { | 99 CertVerifyResult* verify_result) { |
| 100 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); | 100 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); |
| 101 X509* verified_cert = NULL; | 101 X509* verified_cert = NULL; |
| 102 std::vector<X509*> verified_chain; | 102 std::vector<X509*> verified_chain; |
| 103 for (int i = 0; i < sk_X509_num(chain); ++i) { | 103 for (int i = 0; i < sk_X509_num(chain); ++i) { |
| 104 X509* cert = sk_X509_value(chain, i); | 104 X509* cert = sk_X509_value(chain, i); |
| (...skipping 30 matching lines...) Expand all Loading... |
| 135 verify_result->is_issued_by_known_root = true; | 135 verify_result->is_issued_by_known_root = true; |
| 136 if (TestRootCerts::HasInstance()) { | 136 if (TestRootCerts::HasInstance()) { |
| 137 X509* root = NULL; | 137 X509* root = NULL; |
| 138 if (verified_chain.empty()) { | 138 if (verified_chain.empty()) { |
| 139 root = verified_cert; | 139 root = verified_cert; |
| 140 } else { | 140 } else { |
| 141 root = verified_chain.back(); | 141 root = verified_chain.back(); |
| 142 } | 142 } |
| 143 TestRootCerts* root_certs = TestRootCerts::GetInstance(); | 143 TestRootCerts* root_certs = TestRootCerts::GetInstance(); |
| 144 if (root_certs->Contains(root)) | 144 if (root_certs->Contains(root)) |
| 145 verify_result->is_issued_by_known_root = false; | 145 verify_result->is_issued_by_known_root = false; |
| 146 } | 146 } |
| 147 } | 147 } |
| 148 } | 148 } |
| 149 | 149 |
| 150 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, | 150 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, HashValueVector* hashes) { |
| 151 HashValueVector* hashes) { | |
| 152 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); | 151 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); |
| 153 for (int i = 0; i < sk_X509_num(chain); ++i) { | 152 for (int i = 0; i < sk_X509_num(chain); ++i) { |
| 154 X509* cert = sk_X509_value(chain, i); | 153 X509* cert = sk_X509_value(chain, i); |
| 155 | 154 |
| 156 std::string der_data; | 155 std::string der_data; |
| 157 if (!X509Certificate::GetDEREncoded(cert, &der_data)) | 156 if (!X509Certificate::GetDEREncoded(cert, &der_data)) |
| 158 continue; | 157 continue; |
| 159 | 158 |
| 160 base::StringPiece der_bytes(der_data); | 159 base::StringPiece der_bytes(der_data); |
| 161 base::StringPiece spki_bytes; | 160 base::StringPiece spki_bytes; |
| 162 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | 161 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
| 163 continue; | 162 continue; |
| 164 | 163 |
| 165 HashValue sha1(HASH_VALUE_SHA1); | 164 HashValue sha1(HASH_VALUE_SHA1); |
| 166 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 165 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
| 167 spki_bytes.size(), sha1.data()); | 166 spki_bytes.size(), |
| 167 sha1.data()); |
| 168 hashes->push_back(sha1); | 168 hashes->push_back(sha1); |
| 169 | 169 |
| 170 HashValue sha256(HASH_VALUE_SHA256); | 170 HashValue sha256(HASH_VALUE_SHA256); |
| 171 crypto::SHA256HashString(spki_bytes, sha256.data(), crypto::kSHA256Length); | 171 crypto::SHA256HashString(spki_bytes, sha256.data(), crypto::kSHA256Length); |
| 172 hashes->push_back(sha256); | 172 hashes->push_back(sha256); |
| 173 } | 173 } |
| 174 } | 174 } |
| 175 | 175 |
| 176 } // namespace | 176 } // namespace |
| 177 | 177 |
| 178 CertVerifyProcOpenSSL::CertVerifyProcOpenSSL() {} | 178 CertVerifyProcOpenSSL::CertVerifyProcOpenSSL() { |
| 179 } |
| 179 | 180 |
| 180 CertVerifyProcOpenSSL::~CertVerifyProcOpenSSL() {} | 181 CertVerifyProcOpenSSL::~CertVerifyProcOpenSSL() { |
| 182 } |
| 181 | 183 |
| 182 bool CertVerifyProcOpenSSL::SupportsAdditionalTrustAnchors() const { | 184 bool CertVerifyProcOpenSSL::SupportsAdditionalTrustAnchors() const { |
| 183 return false; | 185 return false; |
| 184 } | 186 } |
| 185 | 187 |
| 186 int CertVerifyProcOpenSSL::VerifyInternal( | 188 int CertVerifyProcOpenSSL::VerifyInternal( |
| 187 X509Certificate* cert, | 189 X509Certificate* cert, |
| 188 const std::string& hostname, | 190 const std::string& hostname, |
| 189 int flags, | 191 int flags, |
| 190 CRLSet* crl_set, | 192 CRLSet* crl_set, |
| (...skipping 10 matching lines...) Expand all Loading... |
| 201 X509_STORE_CTX_new()); | 203 X509_STORE_CTX_new()); |
| 202 | 204 |
| 203 crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates( | 205 crypto::ScopedOpenSSL<STACK_OF(X509), sk_X509_free_fn> intermediates( |
| 204 sk_X509_new_null()); | 206 sk_X509_new_null()); |
| 205 if (!intermediates.get()) | 207 if (!intermediates.get()) |
| 206 return ERR_OUT_OF_MEMORY; | 208 return ERR_OUT_OF_MEMORY; |
| 207 | 209 |
| 208 const X509Certificate::OSCertHandles& os_intermediates = | 210 const X509Certificate::OSCertHandles& os_intermediates = |
| 209 cert->GetIntermediateCertificates(); | 211 cert->GetIntermediateCertificates(); |
| 210 for (X509Certificate::OSCertHandles::const_iterator it = | 212 for (X509Certificate::OSCertHandles::const_iterator it = |
| 211 os_intermediates.begin(); it != os_intermediates.end(); ++it) { | 213 os_intermediates.begin(); |
| 214 it != os_intermediates.end(); |
| 215 ++it) { |
| 212 if (!sk_X509_push(intermediates.get(), *it)) | 216 if (!sk_X509_push(intermediates.get(), *it)) |
| 213 return ERR_OUT_OF_MEMORY; | 217 return ERR_OUT_OF_MEMORY; |
| 214 } | 218 } |
| 215 if (X509_STORE_CTX_init(ctx.get(), X509Certificate::cert_store(), | 219 if (X509_STORE_CTX_init(ctx.get(), |
| 216 cert->os_cert_handle(), intermediates.get()) != 1) { | 220 X509Certificate::cert_store(), |
| 221 cert->os_cert_handle(), |
| 222 intermediates.get()) != 1) { |
| 217 NOTREACHED(); | 223 NOTREACHED(); |
| 218 return ERR_FAILED; | 224 return ERR_FAILED; |
| 219 } | 225 } |
| 220 | 226 |
| 221 if (X509_verify_cert(ctx.get()) != 1) { | 227 if (X509_verify_cert(ctx.get()) != 1) { |
| 222 int x509_error = X509_STORE_CTX_get_error(ctx.get()); | 228 int x509_error = X509_STORE_CTX_get_error(ctx.get()); |
| 223 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); | 229 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); |
| 224 LOG(ERROR) << "X509 Verification error " | 230 LOG(ERROR) << "X509 Verification error " |
| 225 << X509_verify_cert_error_string(x509_error) | 231 << X509_verify_cert_error_string(x509_error) << " : " |
| 226 << " : " << x509_error | 232 << x509_error << " : " |
| 227 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) | 233 << X509_STORE_CTX_get_error_depth(ctx.get()) << " : " |
| 228 << " : " << cert_status; | 234 << cert_status; |
| 229 verify_result->cert_status |= cert_status; | 235 verify_result->cert_status |= cert_status; |
| 230 } | 236 } |
| 231 | 237 |
| 232 GetCertChainInfo(ctx.get(), verify_result); | 238 GetCertChainInfo(ctx.get(), verify_result); |
| 233 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); | 239 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); |
| 234 if (IsCertStatusError(verify_result->cert_status)) | 240 if (IsCertStatusError(verify_result->cert_status)) |
| 235 return MapCertStatusToNetError(verify_result->cert_status); | 241 return MapCertStatusToNetError(verify_result->cert_status); |
| 236 | 242 |
| 237 return OK; | 243 return OK; |
| 238 } | 244 } |
| 239 | 245 |
| 240 } // namespace net | 246 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
