| Index: net/cert/cert_verify_proc_mac.cc
|
| diff --git a/net/cert/cert_verify_proc_mac.cc b/net/cert/cert_verify_proc_mac.cc
|
| index 97c0bf13de63aa81d39a77790a233eb90426aa3c..bac36a20d3e26797ee2416369528fb2b39a06d27 100644
|
| --- a/net/cert/cert_verify_proc_mac.cc
|
| +++ b/net/cert/cert_verify_proc_mac.cc
|
| @@ -236,8 +236,7 @@ void GetCertChainInfo(CFArrayRef cert_chain,
|
| X509Certificate::CreateFromHandle(verified_cert, verified_chain);
|
| }
|
|
|
| -void AppendPublicKeyHashes(CFArrayRef chain,
|
| - HashValueVector* hashes) {
|
| +void AppendPublicKeyHashes(CFArrayRef chain, HashValueVector* hashes) {
|
| const CFIndex n = CFArrayGetCount(chain);
|
| for (CFIndex i = 0; i < n; i++) {
|
| SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
|
| @@ -247,7 +246,7 @@ void AppendPublicKeyHashes(CFArrayRef chain,
|
| OSStatus err = SecCertificateGetData(cert, &cert_data);
|
| DCHECK_EQ(err, noErr);
|
| base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
|
| - cert_data.Length);
|
| + cert_data.Length);
|
| base::StringPiece spki_bytes;
|
| if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
|
| continue;
|
| @@ -359,8 +358,8 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
| ScopedCFTypeRef<CFArrayRef>* verified_chain,
|
| CSSM_TP_APPLE_EVIDENCE_INFO** chain_info) {
|
| SecTrustRef tmp_trust = NULL;
|
| - OSStatus status = SecTrustCreateWithCertificates(cert_array, trust_policies,
|
| - &tmp_trust);
|
| + OSStatus status =
|
| + SecTrustCreateWithCertificates(cert_array, trust_policies, &tmp_trust);
|
| if (status)
|
| return NetErrorFromOSStatus(status);
|
| ScopedCFTypeRef<SecTrustRef> scoped_tmp_trust(tmp_trust);
|
| @@ -376,8 +375,8 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
| tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION;
|
| // Allow CSSM to download any missing intermediate certificates if an
|
| // authorityInfoAccess extension or issuerAltName extension is present.
|
| - tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
|
| - CSSM_TP_ACTION_TRUST_SETTINGS;
|
| + tp_action_data.ActionFlags =
|
| + CSSM_TP_ACTION_FETCH_CERT_FROM_NET | CSSM_TP_ACTION_TRUST_SETTINGS;
|
|
|
| // Note: For EV certificates, the Apple TP will handle setting these flags
|
| // as part of EV evaluation.
|
| @@ -407,12 +406,13 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
| CFDataRef action_data_ref =
|
| CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
|
| reinterpret_cast<UInt8*>(&tp_action_data),
|
| - sizeof(tp_action_data), kCFAllocatorNull);
|
| + sizeof(tp_action_data),
|
| + kCFAllocatorNull);
|
| if (!action_data_ref)
|
| return ERR_OUT_OF_MEMORY;
|
| ScopedCFTypeRef<CFDataRef> scoped_action_data_ref(action_data_ref);
|
| - status = SecTrustSetParameters(tmp_trust, CSSM_TP_ACTION_DEFAULT,
|
| - action_data_ref);
|
| + status =
|
| + SecTrustSetParameters(tmp_trust, CSSM_TP_ACTION_DEFAULT, action_data_ref);
|
| if (status)
|
| return NetErrorFromOSStatus(status);
|
|
|
| @@ -426,8 +426,8 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
| return NetErrorFromOSStatus(status);
|
| CFArrayRef tmp_verified_chain = NULL;
|
| CSSM_TP_APPLE_EVIDENCE_INFO* tmp_chain_info;
|
| - status = SecTrustGetResult(tmp_trust, &tmp_trust_result, &tmp_verified_chain,
|
| - &tmp_chain_info);
|
| + status = SecTrustGetResult(
|
| + tmp_trust, &tmp_trust_result, &tmp_verified_chain, &tmp_chain_info);
|
| if (status)
|
| return NetErrorFromOSStatus(status);
|
|
|
| @@ -455,14 +455,14 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
| bool IsBadBaltimoreGTECertificate(SecCertificateRef cert) {
|
| // Matches the GTE-signed Baltimore CyberTrust Root
|
| // https://cacert.omniroot.com/Baltimore-to-GTE-04-12.pem
|
| - static const SHA1HashValue kBadBaltimoreHashNew =
|
| - { { 0x4D, 0x34, 0xEA, 0x92, 0x76, 0x4B, 0x3A, 0x31, 0x49, 0x11,
|
| - 0x99, 0x52, 0xF4, 0x19, 0x30, 0xCA, 0x11, 0x34, 0x83, 0x61 } };
|
| + static const SHA1HashValue kBadBaltimoreHashNew = {
|
| + {0x4D, 0x34, 0xEA, 0x92, 0x76, 0x4B, 0x3A, 0x31, 0x49, 0x11, 0x99, 0x52,
|
| + 0xF4, 0x19, 0x30, 0xCA, 0x11, 0x34, 0x83, 0x61}};
|
| // Matches the legacy GTE-signed Baltimore CyberTrust Root
|
| // https://cacert.omniroot.com/gte-2-2025.pem
|
| - static const SHA1HashValue kBadBaltimoreHashOld =
|
| - { { 0x54, 0xD8, 0xCB, 0x49, 0x1F, 0xA1, 0x6D, 0xF8, 0x87, 0xDC,
|
| - 0x94, 0xA9, 0x34, 0xCC, 0x83, 0x6B, 0xDA, 0xA8, 0xA3, 0x69 } };
|
| + static const SHA1HashValue kBadBaltimoreHashOld = {
|
| + {0x54, 0xD8, 0xCB, 0x49, 0x1F, 0xA1, 0x6D, 0xF8, 0x87, 0xDC, 0x94, 0xA9,
|
| + 0x34, 0xCC, 0x83, 0x6B, 0xDA, 0xA8, 0xA3, 0x69}};
|
|
|
| SHA1HashValue fingerprint = X509Certificate::CalculateFingerprint(cert);
|
|
|
| @@ -504,20 +504,26 @@ void RetrySecTrustEvaluateWithAdjustedChain(
|
| ScopedCFTypeRef<CFMutableArrayRef> adjusted_cert_array(
|
| CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks));
|
| // Note: This excludes the certificate at |slice_point|.
|
| - CFArrayAppendArray(adjusted_cert_array, cert_array,
|
| - CFRangeMake(0, slice_point));
|
| + CFArrayAppendArray(
|
| + adjusted_cert_array, cert_array, CFRangeMake(0, slice_point));
|
|
|
| // Ignore the result; failure will preserve the old verification results.
|
| - BuildAndEvaluateSecTrustRef(
|
| - adjusted_cert_array, trust_policies, flags, trust_ref, trust_result,
|
| - verified_chain, chain_info);
|
| + BuildAndEvaluateSecTrustRef(adjusted_cert_array,
|
| + trust_policies,
|
| + flags,
|
| + trust_ref,
|
| + trust_result,
|
| + verified_chain,
|
| + chain_info);
|
| }
|
|
|
| } // namespace
|
|
|
| -CertVerifyProcMac::CertVerifyProcMac() {}
|
| +CertVerifyProcMac::CertVerifyProcMac() {
|
| +}
|
|
|
| -CertVerifyProcMac::~CertVerifyProcMac() {}
|
| +CertVerifyProcMac::~CertVerifyProcMac() {
|
| +}
|
|
|
| bool CertVerifyProcMac::SupportsAdditionalTrustAnchors() const {
|
| return false;
|
| @@ -551,16 +557,24 @@ int CertVerifyProcMac::VerifyInternal(
|
| ScopedCFTypeRef<CFArrayRef> completed_chain;
|
| CSSM_TP_APPLE_EVIDENCE_INFO* chain_info = NULL;
|
|
|
| - int rv = BuildAndEvaluateSecTrustRef(
|
| - cert_array, trust_policies, flags, &trust_ref, &trust_result,
|
| - &completed_chain, &chain_info);
|
| + int rv = BuildAndEvaluateSecTrustRef(cert_array,
|
| + trust_policies,
|
| + flags,
|
| + &trust_ref,
|
| + &trust_result,
|
| + &completed_chain,
|
| + &chain_info);
|
| if (rv != OK)
|
| return rv;
|
| if (trust_result != kSecTrustResultUnspecified &&
|
| trust_result != kSecTrustResultProceed) {
|
| - RetrySecTrustEvaluateWithAdjustedChain(
|
| - cert_array, trust_policies, flags, &trust_ref, &trust_result,
|
| - &completed_chain, &chain_info);
|
| + RetrySecTrustEvaluateWithAdjustedChain(cert_array,
|
| + trust_policies,
|
| + flags,
|
| + &trust_ref,
|
| + &trust_result,
|
| + &completed_chain,
|
| + &chain_info);
|
| }
|
|
|
| if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)
|
| @@ -608,15 +622,16 @@ int CertVerifyProcMac::VerifyInternal(
|
| // Walk the chain of error codes in the CSSM_TP_APPLE_EVIDENCE_INFO
|
| // structure which can catch multiple errors from each certificate.
|
| for (CFIndex index = 0, chain_count = CFArrayGetCount(completed_chain);
|
| - index < chain_count; ++index) {
|
| + index < chain_count;
|
| + ++index) {
|
| if (chain_info[index].StatusBits & CSSM_CERT_STATUS_EXPIRED ||
|
| chain_info[index].StatusBits & CSSM_CERT_STATUS_NOT_VALID_YET)
|
| verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
|
| if (!IsCertStatusError(verify_result->cert_status) &&
|
| chain_info[index].NumStatusCodes == 0) {
|
| LOG(WARNING) << "chain_info[" << index << "].NumStatusCodes is 0"
|
| - ", chain_info[" << index << "].StatusBits is "
|
| - << chain_info[index].StatusBits;
|
| + ", chain_info[" << index
|
| + << "].StatusBits is " << chain_info[index].StatusBits;
|
| }
|
| for (uint32 status_code_index = 0;
|
| status_code_index < chain_info[index].NumStatusCodes;
|
| @@ -634,13 +649,13 @@ int CertVerifyProcMac::VerifyInternal(
|
| if (policy_failed &&
|
| chain_info[index].StatusCodes[status_code_index] ==
|
| CSSMERR_TP_INVALID_CERTIFICATE) {
|
| - mapped_status = CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
|
| - weak_key_or_signature_algorithm = true;
|
| + mapped_status = CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
|
| + weak_key_or_signature_algorithm = true;
|
| } else {
|
| - mapped_status = CertStatusFromOSStatus(
|
| - chain_info[index].StatusCodes[status_code_index]);
|
| - if (mapped_status == CERT_STATUS_WEAK_KEY)
|
| - weak_key_or_signature_algorithm = true;
|
| + mapped_status = CertStatusFromOSStatus(
|
| + chain_info[index].StatusCodes[status_code_index]);
|
| + if (mapped_status == CERT_STATUS_WEAK_KEY)
|
| + weak_key_or_signature_algorithm = true;
|
| }
|
| verify_result->cert_status |= mapped_status;
|
| }
|
| @@ -697,8 +712,8 @@ int CertVerifyProcMac::VerifyInternal(
|
| if (bundle) {
|
| SecTrustCopyExtendedResultFuncPtr copy_extended_result =
|
| reinterpret_cast<SecTrustCopyExtendedResultFuncPtr>(
|
| - CFBundleGetFunctionPointerForName(bundle,
|
| - CFSTR("SecTrustCopyExtendedResult")));
|
| + CFBundleGetFunctionPointerForName(
|
| + bundle, CFSTR("SecTrustCopyExtendedResult")));
|
| if (copy_extended_result) {
|
| CFDictionaryRef ev_dict_temp = NULL;
|
| status = copy_extended_result(trust_ref, &ev_dict_temp);
|
| @@ -715,8 +730,7 @@ int CertVerifyProcMac::VerifyInternal(
|
| // The actual organization name is unneeded here and can be accessed
|
| // through other means. All that matters here is the OS' conception
|
| // of whether or not the certificate is EV.
|
| - if (CFDictionaryContainsKey(ev_dict,
|
| - kSecEVOrganizationName)) {
|
| + if (CFDictionaryContainsKey(ev_dict, kSecEVOrganizationName)) {
|
| verify_result->cert_status |= CERT_STATUS_IS_EV;
|
| if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY)
|
| verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
|
|
|
Chromium Code Reviews
