| Index: net/cert/cert_verify_proc_nss.cc
|
| diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
|
| index 9d3652b8c593bfe3f4472046778dba6bc77c50e7..432346ea9c4ac7cace92aff54e4cf97f7c61b7ad 100644
|
| --- a/net/cert/cert_verify_proc_nss.cc
|
| +++ b/net/cert/cert_verify_proc_nss.cc
|
| @@ -43,9 +43,8 @@ typedef scoped_ptr<
|
| CERT_DestroyCertificatePoliciesExtension> >
|
| ScopedCERTCertificatePolicies;
|
|
|
| -typedef scoped_ptr<
|
| - CERTCertList,
|
| - crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> >
|
| +typedef scoped_ptr<CERTCertList,
|
| + crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> >
|
| ScopedCERTCertList;
|
|
|
| // ScopedCERTValOutParam manages destruction of values in the CERTValOutParam
|
| @@ -58,15 +57,13 @@ class ScopedCERTValOutParam {
|
| public:
|
| explicit ScopedCERTValOutParam(CERTValOutParam* cvout) : cvout_(cvout) {}
|
|
|
| - ~ScopedCERTValOutParam() {
|
| - Clear();
|
| - }
|
| + ~ScopedCERTValOutParam() { Clear(); }
|
|
|
| // Free the internal resources, but do not release the array itself.
|
| void Clear() {
|
| if (cvout_ == NULL)
|
| return;
|
| - for (CERTValOutParam *p = cvout_; p->type != cert_po_end; p++) {
|
| + for (CERTValOutParam* p = cvout_; p->type != cert_po_end; p++) {
|
| switch (p->type) {
|
| case cert_po_trustAnchor:
|
| if (p->value.pointer.cert) {
|
| @@ -227,8 +224,7 @@ bool IsKnownRoot(CERTCertificate* root) {
|
|
|
| // This magic name is taken from
|
| // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
|
| - return 0 == strcmp(PK11_GetSlotName(root->slot),
|
| - "NSS Builtin Objects");
|
| + return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects");
|
| }
|
|
|
| // Returns true if the given certificate is one of the additional trust anchors.
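Review bot: The `strcmp` against the slot name is the only test visible in this hunk for classing a root as built-in, and the comment above it explains where the string comes from but not what the match implies. I would add a line such as `// Matches on slot name only: any PKCS#11 module exposing a slot with this name is treated as built-in.` so that callers relying on IsKnownRoot know the limits of the check. If `root->slot` can be NULL at this point it needs a guard before `PK11_GetSlotName`; the body of IsKnownRoot starts outside the hunk, so an earlier check may already cover that.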
|
| @@ -279,7 +275,8 @@ CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
|
| // the issuer's SPKI at each step.
|
| std::string issuer_spki_hash;
|
| for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
|
| - i != certs.rend(); ++i) {
|
| + i != certs.rend();
|
| + ++i) {
|
| CERTCertificate* cert = *i;
|
|
|
| base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
|
| @@ -293,9 +290,9 @@ CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
|
| }
|
| const std::string spki_hash = crypto::SHA256HashString(spki);
|
|
|
| - base::StringPiece serial_number = base::StringPiece(
|
| - reinterpret_cast<char*>(cert->serialNumber.data),
|
| - cert->serialNumber.len);
|
| + base::StringPiece serial_number =
|
| + base::StringPiece(reinterpret_cast<char*>(cert->serialNumber.data),
|
| + cert->serialNumber.len);
|
|
|
| CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
|
|
|
| @@ -325,10 +322,11 @@ CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
|
| }
|
|
|
| // Forward declarations.
|
| -SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| - CERTCertificate* cert_handle, int num_policy_oids,
|
| - bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
|
| - CERTValOutParam* cvout);
|
| +SECStatus RetryPKIXVerifyCertWithWorkarounds(CERTCertificate* cert_handle,
|
| + int num_policy_oids,
|
| + bool cert_io_enabled,
|
| + std::vector<CERTValInParam>* cvin,
|
| + CERTValOutParam* cvout);
|
| SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle);
|
|
|
| // Call CERT_PKIXVerifyCert for the cert_handle.
|
| @@ -356,12 +354,11 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
|
| bool use_crl = check_revocation;
|
| bool use_ocsp = check_revocation;
|
|
|
| - PRUint64 revocation_method_flags =
|
| - CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
|
| - CERT_REV_M_ALLOW_NETWORK_FETCHING |
|
| - CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
|
| - CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
|
| - CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
|
| + PRUint64 revocation_method_flags = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
|
| + CERT_REV_M_ALLOW_NETWORK_FETCHING |
|
| + CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
|
| + CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
|
| + CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
|
| PRUint64 revocation_method_independent_flags =
|
| CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
|
| if (check_revocation && policy_oids && num_policy_oids > 0) {
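Review bot: The initial value of `revocation_method_flags` includes `CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD` and `CERT_REV_M_IGNORE_MISSING_FRESH_INFO`, which by their names mean no revocation testing and tolerance of missing information, yet nothing at the declaration says these are only starting values. A comment would make the default posture explicit, for example `// Defaults: no revocation testing, missing info tolerated (soft-fail); tightened below when revocation checking is requested.` The code that changes the flags presumably follows the `if (check_revocation && policy_oids && num_policy_oids > 0)` line, which is where this hunk ends, so the wording should be checked against the rest of PKIXVerifyCert.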
|
| @@ -420,7 +417,6 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
|
| revocation_flags.chainTests.cert_rev_method_independent_flags =
|
| revocation_method_independent_flags;
|
|
|
| -
|
| std::vector<CERTValInParam> cvin;
|
| cvin.reserve(7);
|
| CERTValInParam in_param;
|
| @@ -449,11 +445,11 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
|
| in_param.type = cert_pi_end;
|
| cvin.push_back(in_param);
|
|
|
| - SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
|
| - &cvin[0], cvout, NULL);
|
| + SECStatus rv = CERT_PKIXVerifyCert(
|
| + cert_handle, certificateUsageSSLServer, &cvin[0], cvout, NULL);
|
| if (rv != SECSuccess) {
|
| - rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
|
| - cert_io_enabled, &cvin, cvout);
|
| + rv = RetryPKIXVerifyCertWithWorkarounds(
|
| + cert_handle, num_policy_oids, cert_io_enabled, &cvin, cvout);
|
| }
|
| return rv;
|
| }
|
| @@ -461,10 +457,11 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
|
| // PKIXVerifyCert calls this function to work around some bugs in
|
| // CERT_PKIXVerifyCert. All the arguments of this function are either the
|
| // arguments or local variables of PKIXVerifyCert.
|
| -SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| - CERTCertificate* cert_handle, int num_policy_oids,
|
| - bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
|
| - CERTValOutParam* cvout) {
|
| +SECStatus RetryPKIXVerifyCertWithWorkarounds(CERTCertificate* cert_handle,
|
| + int num_policy_oids,
|
| + bool cert_io_enabled,
|
| + std::vector<CERTValInParam>* cvin,
|
| + CERTValOutParam* cvout) {
|
| // We call this function when the first CERT_PKIXVerifyCert call in
|
| // PKIXVerifyCert failed, so we initialize |rv| to SECFailure.
|
| SECStatus rv = SECFailure;
|
| @@ -480,18 +477,17 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| // missing intermediate CA certificate, and fail with the
|
| // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with
|
| // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE.
|
| - if (cert_io_enabled &&
|
| - (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
|
| - nss_error == SEC_ERROR_BAD_SIGNATURE)) {
|
| - DCHECK_EQ(cvin->back().type, cert_pi_end);
|
| + if (cert_io_enabled && (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
|
| + nss_error == SEC_ERROR_BAD_SIGNATURE)) {
|
| + DCHECK_EQ(cvin->back().type, cert_pi_end);
|
| cvin->pop_back();
|
| in_param.type = cert_pi_useAIACertFetch;
|
| in_param.value.scalar.b = PR_TRUE;
|
| cvin->push_back(in_param);
|
| in_param.type = cert_pi_end;
|
| cvin->push_back(in_param);
|
| - rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
|
| - &(*cvin)[0], cvout, NULL);
|
| + rv = CERT_PKIXVerifyCert(
|
| + cert_handle, certificateUsageSSLServer, &(*cvin)[0], cvout, NULL);
|
| if (rv == SECSuccess)
|
| return rv;
|
| int new_nss_error = PORT_GetError();
|
| @@ -514,11 +510,10 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| // SEC_ERROR_POLICY_VALIDATION_FAILED because we didn't specify any
|
| // certificate policy (NSS bug 552775). So we retry with the certificate
|
| // policy found in the server certificate.
|
| - if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED &&
|
| - num_policy_oids == 0) {
|
| + if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED && num_policy_oids == 0) {
|
| SECOidTag policy = GetFirstCertPolicy(cert_handle);
|
| if (policy != SEC_OID_UNKNOWN) {
|
| - DCHECK_EQ(cvin->back().type, cert_pi_end);
|
| + DCHECK_EQ(cvin->back().type, cert_pi_end);
|
| cvin->pop_back();
|
| in_param.type = cert_pi_policyOID;
|
| in_param.value.arraySize = 1;
|
| @@ -526,8 +521,8 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| cvin->push_back(in_param);
|
| in_param.type = cert_pi_end;
|
| cvin->push_back(in_param);
|
| - rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
|
| - &(*cvin)[0], cvout, NULL);
|
| + rv = CERT_PKIXVerifyCert(
|
| + cert_handle, certificateUsageSSLServer, &(*cvin)[0], cvout, NULL);
|
| if (rv != SECSuccess) {
|
| // Use the original error code.
|
| PORT_SetError(nss_error);
|
| @@ -542,12 +537,10 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| // NULL if the certificate doesn't have the extension or the extension can't
|
| // be decoded. The returned value must be freed with a
|
| // CERT_DestroyCertificatePoliciesExtension call.
|
| -CERTCertificatePolicies* DecodeCertPolicies(
|
| - CERTCertificate* cert_handle) {
|
| +CERTCertificatePolicies* DecodeCertPolicies(CERTCertificate* cert_handle) {
|
| SECItem policy_ext;
|
| - SECStatus rv = CERT_FindCertExtension(cert_handle,
|
| - SEC_OID_X509_CERTIFICATE_POLICIES,
|
| - &policy_ext);
|
| + SECStatus rv = CERT_FindCertExtension(
|
| + cert_handle, SEC_OID_X509_CERTIFICATE_POLICIES, &policy_ext);
|
| if (rv != SECSuccess)
|
| return NULL;
|
| CERTCertificatePolicies* policies =
|
| @@ -590,8 +583,10 @@ HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
|
| #if defined(OS_IOS)
|
| CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
|
| #else
|
| - SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
|
| - cert->derPublicKey.data, cert->derPublicKey.len);
|
| + SECStatus rv = HASH_HashBuf(HASH_AlgSHA1,
|
| + hash.data(),
|
| + cert->derPublicKey.data,
|
| + cert->derPublicKey.len);
|
| DCHECK_EQ(SECSuccess, rv);
|
| #endif
|
| return hash;
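Review bot: In the non-iOS branch the result of `HASH_HashBuf` is checked only with `DCHECK_EQ`, which has no effect in builds where DCHECKs are disabled, so a hashing failure would return `hash` with whatever contents it had before the call. These public-key hashes are presumably compared against expected values elsewhere, so the failure case deserves at least a comment, e.g. `// Not expected to fail; on failure |hash| keeps its initial contents.`, or an explicit `rv != SECSuccess` path. CertPublicKeyHashSHA256 in the next hunk has the same pattern, and its `DCHECK_EQ(rv, SECSuccess)` puts the arguments in the opposite order from `DCHECK_EQ(SECSuccess, rv)` here; one order for both would read better. Both functions begin and end outside their hunks, so the initialization of `hash` is not visible.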
|
| @@ -602,8 +597,10 @@ HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
|
| #if defined(OS_IOS)
|
| CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
|
| #else
|
| - SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
|
| - cert->derPublicKey.data, cert->derPublicKey.len);
|
| + SECStatus rv = HASH_HashBuf(HASH_AlgSHA256,
|
| + hash.data(),
|
| + cert->derPublicKey.data,
|
| + cert->derPublicKey.len);
|
| DCHECK_EQ(rv, SECSuccess);
|
| #endif
|
| return hash;
|
| @@ -681,21 +678,20 @@ bool VerifyEV(CERTCertificate* cert_handle,
|
| cvout[cvout_index].type = cert_po_end;
|
| ScopedCERTValOutParam scoped_cvout(cvout);
|
|
|
| - SECStatus status = PKIXVerifyCert(
|
| - cert_handle,
|
| - rev_checking_enabled,
|
| - true, /* hard fail is implied in EV. */
|
| - flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
|
| - &ev_policy_oid,
|
| - 1,
|
| - additional_trust_anchors,
|
| - chain_verify_callback,
|
| - cvout);
|
| + SECStatus status =
|
| + PKIXVerifyCert(cert_handle,
|
| + rev_checking_enabled,
|
| + true, /* hard fail is implied in EV. */
|
| + flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
|
| + &ev_policy_oid,
|
| + 1,
|
| + additional_trust_anchors,
|
| + chain_verify_callback,
|
| + cvout);
|
| if (status != SECSuccess)
|
| return false;
|
|
|
| - CERTCertificate* root_ca =
|
| - cvout[cvout_trust_anchor_index].value.pointer.cert;
|
| + CERTCertificate* root_ca = cvout[cvout_trust_anchor_index].value.pointer.cert;
|
| if (root_ca == NULL)
|
| return false;
|
|
|
| @@ -714,8 +710,7 @@ bool VerifyEV(CERTCertificate* cert_handle,
|
| #if defined(OS_IOS)
|
| SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
|
| #else
|
| - SHA1HashValue fingerprint =
|
| - X509Certificate::CalculateFingerprint(root_ca);
|
| + SHA1HashValue fingerprint = X509Certificate::CalculateFingerprint(root_ca);
|
| #endif
|
| return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
|
| }
|
| @@ -738,9 +733,11 @@ CERTCertList* CertificateListToCERTCertList(const CertificateList& list) {
|
|
|
| } // namespace
|
|
|
| -CertVerifyProcNSS::CertVerifyProcNSS() {}
|
| +CertVerifyProcNSS::CertVerifyProcNSS() {
|
| +}
|
|
|
| -CertVerifyProcNSS::~CertVerifyProcNSS() {}
|
| +CertVerifyProcNSS::~CertVerifyProcNSS() {
|
| +}
|
|
|
| bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
|
| return true;
|
| @@ -769,8 +766,8 @@ int CertVerifyProcNSS::VerifyInternalImpl(
|
| }
|
|
|
| // Make sure that the cert is valid now.
|
| - SECCertTimeValidity validity = CERT_CheckCertValidTimes(
|
| - cert_handle, PR_Now(), PR_TRUE);
|
| + SECCertTimeValidity validity =
|
| + CERT_CheckCertValidTimes(cert_handle, PR_Now(), PR_TRUE);
|
| if (validity != secCertTimeValid)
|
| verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
|
|
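Review bot: The bare `PR_TRUE` passed to `CERT_CheckCertValidTimes` is the NSS `allowOverride` argument, and nothing at the call site tells a reader that a validity-period override is being permitted for this check. Naming the argument would make that visible: `CERT_CheckCertValidTimes(cert_handle, PR_Now(), PR_TRUE /* allowOverride */);`. The comment above the call could also say whether honouring the override is intended here. VerifyInternalImpl continues on both sides of this hunk.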
|
| @@ -789,13 +786,11 @@ int CertVerifyProcNSS::VerifyInternalImpl(
|
|
|
| EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
|
| SECOidTag ev_policy_oid = SEC_OID_UNKNOWN;
|
| - bool is_ev_candidate =
|
| - (flags & CertVerifier::VERIFY_EV_CERT) &&
|
| - IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
|
| + bool is_ev_candidate = (flags & CertVerifier::VERIFY_EV_CERT) &&
|
| + IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
|
| bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED;
|
| bool check_revocation =
|
| - cert_io_enabled &&
|
| - (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
|
| + cert_io_enabled && (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
|
| if (check_revocation)
|
| verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
|
|
|
| @@ -886,8 +881,7 @@ int CertVerifyProcNSS::VerifyInternalImpl(
|
|
|
| if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) {
|
| check_revocation |=
|
| - crl_set_result != kCRLSetOk &&
|
| - cert_io_enabled &&
|
| + crl_set_result != kCRLSetOk && cert_io_enabled &&
|
| (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY);
|
| if (check_revocation)
|
| verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
|
|
|