OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
(...skipping 184 matching lines...)
195 verified_chain.push_back(chain_cert); | 195 verified_chain.push_back(chain_cert); |
196 } | 196 } |
197 } | 197 } |
198 if (!verified_cert) { | 198 if (!verified_cert) { |
199 NOTREACHED(); | 199 NOTREACHED(); |
200 verify_result->cert_status |= CERT_STATUS_INVALID; | 200 verify_result->cert_status |= CERT_STATUS_INVALID; |
201 return; | 201 return; |
202 } | 202 } |
203 | 203 |
204 scoped_refptr<X509Certificate> verified_cert_with_chain = | 204 scoped_refptr<X509Certificate> verified_cert_with_chain = |
205 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 205 x509_util::CreateX509CertificateFromSecCertificate(verified_cert, |
| 206 verified_chain); |
206 if (verified_cert_with_chain) | 207 if (verified_cert_with_chain) |
207 verify_result->verified_cert = std::move(verified_cert_with_chain); | 208 verify_result->verified_cert = std::move(verified_cert_with_chain); |
208 else | 209 else |
209 verify_result->cert_status |= CERT_STATUS_INVALID; | 210 verify_result->cert_status |= CERT_STATUS_INVALID; |
210 } | 211 } |
211 | 212 |
212 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false | 213 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false |
213 // otherwise. A return of false also includes the case where the signature | 214 // otherwise. A return of false also includes the case where the signature |
214 // algorithm couldn't be conclusively labeled as weak. | 215 // algorithm couldn't be conclusively labeled as weak. |
215 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { | 216 bool CertUsesWeakHash(SecCertificateRef cert_handle) { |
216 x509_util::CSSMCachedCertificate cached_cert; | 217 x509_util::CSSMCachedCertificate cached_cert; |
217 OSStatus status = cached_cert.Init(cert_handle); | 218 OSStatus status = cached_cert.Init(cert_handle); |
218 if (status) | 219 if (status) |
219 return false; | 220 return false; |
220 | 221 |
221 x509_util::CSSMFieldValue signature_field; | 222 x509_util::CSSMFieldValue signature_field; |
222 status = | 223 status = |
223 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); | 224 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); |
224 if (status || !signature_field.field()) | 225 if (status || !signature_field.field()) |
225 return false; | 226 return false; |
(...skipping 406 matching lines...)
632 // If there are no known roots, then an API failure occurred. For safety, | 633 // If there are no known roots, then an API failure occurred. For safety, |
633 // assume that all certificates are issued by known roots. | 634 // assume that all certificates are issued by known roots. |
634 if (known_roots_.empty()) | 635 if (known_roots_.empty()) |
635 return true; | 636 return true; |
636 | 637 |
637 CFIndex n = CFArrayGetCount(chain); | 638 CFIndex n = CFArrayGetCount(chain); |
638 if (n < 1) | 639 if (n < 1) |
639 return false; | 640 return false; |
640 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( | 641 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( |
641 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); | 642 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); |
642 SHA256HashValue hash = X509Certificate::CalculateFingerprint256(root_ref); | 643 SHA256HashValue hash = x509_util::CalculateFingerprint256(root_ref); |
643 return known_roots_.find(hash) != known_roots_.end(); | 644 return known_roots_.find(hash) != known_roots_.end(); |
644 } | 645 } |
645 | 646 |
646 private: | 647 private: |
647 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; | 648 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; |
648 | 649 |
649 OSXKnownRootHelper() { | 650 OSXKnownRootHelper() { |
650 CFArrayRef cert_array = NULL; | 651 CFArrayRef cert_array = NULL; |
651 OSStatus rv = SecTrustSettingsCopyCertificates( | 652 OSStatus rv = SecTrustSettingsCopyCertificates( |
652 kSecTrustSettingsDomainSystem, &cert_array); | 653 kSecTrustSettingsDomainSystem, &cert_array); |
653 if (rv != noErr) { | 654 if (rv != noErr) { |
654 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " | 655 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " |
655 << "trusted! Error " << rv; | 656 << "trusted! Error " << rv; |
656 return; | 657 return; |
657 } | 658 } |
658 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); | 659 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); |
659 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { | 660 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { |
660 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( | 661 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( |
661 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); | 662 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); |
662 known_roots_.insert(X509Certificate::CalculateFingerprint256(cert)); | 663 known_roots_.insert(x509_util::CalculateFingerprint256(cert)); |
663 } | 664 } |
664 } | 665 } |
665 | 666 |
666 ~OSXKnownRootHelper() {} | 667 ~OSXKnownRootHelper() {} |
667 | 668 |
668 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; | 669 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; |
669 }; | 670 }; |
670 | 671 |
671 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = | 672 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = |
672 LAZY_INSTANCE_INITIALIZER; | 673 LAZY_INSTANCE_INITIALIZER; |
(...skipping 125 matching lines...)
798 "/System/Library/Keychains/SystemRootCertificates.keychain", | 799 "/System/Library/Keychains/SystemRootCertificates.keychain", |
799 &keychain); | 800 &keychain); |
800 if (status) | 801 if (status) |
801 return NetErrorFromOSStatus(status); | 802 return NetErrorFromOSStatus(status); |
802 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); | 803 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); |
803 | 804 |
804 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); | 805 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); |
805 } | 806 } |
806 | 807 |
807 ScopedCFTypeRef<CFMutableArrayRef> cert_array( | 808 ScopedCFTypeRef<CFMutableArrayRef> cert_array( |
808 cert->CreateOSCertChainForCert()); | 809 x509_util::CreateSecCertificateArrayForX509Certificate(cert)); |
| 810 if (!cert_array) |
| 811 return ERR_CERT_INVALID; |
809 | 812 |
810 // Beginning with the certificate chain as supplied by the server, attempt | 813 // Beginning with the certificate chain as supplied by the server, attempt |
811 // to verify the chain. If a failure is encountered, trim a certificate | 814 // to verify the chain. If a failure is encountered, trim a certificate |
812 // from the end (so long as one remains) and retry, in the hope of forcing | 815 // from the end (so long as one remains) and retry, in the hope of forcing |
813 // OS X to find a better path. | 816 // OS X to find a better path. |
814 while (CFArrayGetCount(cert_array) > 0) { | 817 while (CFArrayGetCount(cert_array) > 0) { |
815 ScopedCFTypeRef<SecTrustRef> temp_ref; | 818 ScopedCFTypeRef<SecTrustRef> temp_ref; |
816 SecTrustResultType temp_trust_result = kSecTrustResultDeny; | 819 SecTrustResultType temp_trust_result = kSecTrustResultDeny; |
817 ScopedCFTypeRef<CFArrayRef> temp_chain; | 820 ScopedCFTypeRef<CFArrayRef> temp_chain; |
818 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; | 821 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; |
(...skipping 282 matching lines...)
1101 // EV cert and it was covered by CRLSets or revocation checking passed. | 1104 // EV cert and it was covered by CRLSets or revocation checking passed. |
1102 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1105 verify_result->cert_status |= CERT_STATUS_IS_EV; |
1103 } | 1106 } |
1104 | 1107 |
1105 return OK; | 1108 return OK; |
1106 } | 1109 } |
1107 | 1110 |
1108 } // namespace net | 1111 } // namespace net |
1109 | 1112 |
1110 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1113 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
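Review bot: The early return added at new lines 810–811 (`if (!cert_array) return ERR_CERT_INVALID;`) reports the conversion failure only through the return value, whereas the equivalent failure at new lines 207–210 records it with `verify_result->cert_status |= CERT_STATUS_INVALID;`. If a `verify_result` is in scope at that point (the enclosing function begins and ends outside the visible lines, so this is inferred), the status bit should be set before returning, so that a caller inspecting `cert_status` rather than the error code cannot see a clean status for a chain that was never evaluated: `if (!cert_array) { verify_result->cert_status |= CERT_STATUS_INVALID; return ERR_CERT_INVALID; }`. A one-line comment there, such as `// The certificate or an intermediate could not be converted to a SecCertificateRef.`, would also make clear why this path fails closed. Separately, the `CalculateFingerprint256` calls at new lines 643 and 663 now go through `x509_util`; it is worth confirming that the helper's behaviour on a hashing failure cannot make an unreadable root match an entry in `known_roots_`.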