| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
| 9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
| 10 | 10 |
| (...skipping 184 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 195 verified_chain.push_back(chain_cert); | 195 verified_chain.push_back(chain_cert); |
| 196 } | 196 } |
| 197 } | 197 } |
| 198 if (!verified_cert) { | 198 if (!verified_cert) { |
| 199 NOTREACHED(); | 199 NOTREACHED(); |
| 200 verify_result->cert_status |= CERT_STATUS_INVALID; | 200 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 201 return; | 201 return; |
| 202 } | 202 } |
| 203 | 203 |
| 204 scoped_refptr<X509Certificate> verified_cert_with_chain = | 204 scoped_refptr<X509Certificate> verified_cert_with_chain = |
| 205 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 205 x509_util::CreateX509CertificateFromSecCertificate(verified_cert, |
| 206 verified_chain); |
| 206 if (verified_cert_with_chain) | 207 if (verified_cert_with_chain) |
| 207 verify_result->verified_cert = std::move(verified_cert_with_chain); | 208 verify_result->verified_cert = std::move(verified_cert_with_chain); |
| 208 else | 209 else |
| 209 verify_result->cert_status |= CERT_STATUS_INVALID; | 210 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 210 } | 211 } |
| 211 | 212 |
| 212 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false | 213 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false |
| 213 // otherwise. A return of false also includes the case where the signature | 214 // otherwise. A return of false also includes the case where the signature |
| 214 // algorithm couldn't be conclusively labeled as weak. | 215 // algorithm couldn't be conclusively labeled as weak. |
| 215 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { | 216 bool CertUsesWeakHash(SecCertificateRef cert_handle) { |
| 216 x509_util::CSSMCachedCertificate cached_cert; | 217 x509_util::CSSMCachedCertificate cached_cert; |
| 217 OSStatus status = cached_cert.Init(cert_handle); | 218 OSStatus status = cached_cert.Init(cert_handle); |
| 218 if (status) | 219 if (status) |
| 219 return false; | 220 return false; |
| 220 | 221 |
| 221 x509_util::CSSMFieldValue signature_field; | 222 x509_util::CSSMFieldValue signature_field; |
| 222 status = | 223 status = |
| 223 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); | 224 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); |
| 224 if (status || !signature_field.field()) | 225 if (status || !signature_field.field()) |
| 225 return false; | 226 return false; |
| (...skipping 406 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 632 // If there are no known roots, then an API failure occurred. For safety, | 633 // If there are no known roots, then an API failure occurred. For safety, |
| 633 // assume that all certificates are issued by known roots. | 634 // assume that all certificates are issued by known roots. |
| 634 if (known_roots_.empty()) | 635 if (known_roots_.empty()) |
| 635 return true; | 636 return true; |
| 636 | 637 |
| 637 CFIndex n = CFArrayGetCount(chain); | 638 CFIndex n = CFArrayGetCount(chain); |
| 638 if (n < 1) | 639 if (n < 1) |
| 639 return false; | 640 return false; |
| 640 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( | 641 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( |
| 641 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); | 642 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); |
| 642 SHA256HashValue hash = X509Certificate::CalculateFingerprint256(root_ref); | 643 SHA256HashValue hash = x509_util::CalculateFingerprint256(root_ref); |
| 643 return known_roots_.find(hash) != known_roots_.end(); | 644 return known_roots_.find(hash) != known_roots_.end(); |
| 644 } | 645 } |
| 645 | 646 |
| 646 private: | 647 private: |
| 647 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; | 648 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; |
| 648 | 649 |
| 649 OSXKnownRootHelper() { | 650 OSXKnownRootHelper() { |
| 650 CFArrayRef cert_array = NULL; | 651 CFArrayRef cert_array = NULL; |
| 651 OSStatus rv = SecTrustSettingsCopyCertificates( | 652 OSStatus rv = SecTrustSettingsCopyCertificates( |
| 652 kSecTrustSettingsDomainSystem, &cert_array); | 653 kSecTrustSettingsDomainSystem, &cert_array); |
| 653 if (rv != noErr) { | 654 if (rv != noErr) { |
| 654 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " | 655 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " |
| 655 << "trusted! Error " << rv; | 656 << "trusted! Error " << rv; |
| 656 return; | 657 return; |
| 657 } | 658 } |
| 658 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); | 659 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); |
| 659 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { | 660 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { |
| 660 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( | 661 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( |
| 661 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); | 662 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); |
| 662 known_roots_.insert(X509Certificate::CalculateFingerprint256(cert)); | 663 known_roots_.insert(x509_util::CalculateFingerprint256(cert)); |
| 663 } | 664 } |
| 664 } | 665 } |
| 665 | 666 |
| 666 ~OSXKnownRootHelper() {} | 667 ~OSXKnownRootHelper() {} |
| 667 | 668 |
| 668 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; | 669 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; |
| 669 }; | 670 }; |
| 670 | 671 |
| 671 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = | 672 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = |
| 672 LAZY_INSTANCE_INITIALIZER; | 673 LAZY_INSTANCE_INITIALIZER; |
| (...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 798 "/System/Library/Keychains/SystemRootCertificates.keychain", | 799 "/System/Library/Keychains/SystemRootCertificates.keychain", |
| 799 &keychain); | 800 &keychain); |
| 800 if (status) | 801 if (status) |
| 801 return NetErrorFromOSStatus(status); | 802 return NetErrorFromOSStatus(status); |
| 802 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); | 803 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); |
| 803 | 804 |
| 804 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); | 805 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); |
| 805 } | 806 } |
| 806 | 807 |
| 807 ScopedCFTypeRef<CFMutableArrayRef> cert_array( | 808 ScopedCFTypeRef<CFMutableArrayRef> cert_array( |
| 808 cert->CreateOSCertChainForCert()); | 809 x509_util::CreateSecCertificateArrayForX509Certificate(cert)); |
| 810 if (!cert_array) |
| 811 return ERR_CERT_INVALID; |
| 809 | 812 |
| 810 // Beginning with the certificate chain as supplied by the server, attempt | 813 // Beginning with the certificate chain as supplied by the server, attempt |
| 811 // to verify the chain. If a failure is encountered, trim a certificate | 814 // to verify the chain. If a failure is encountered, trim a certificate |
| 812 // from the end (so long as one remains) and retry, in the hope of forcing | 815 // from the end (so long as one remains) and retry, in the hope of forcing |
| 813 // OS X to find a better path. | 816 // OS X to find a better path. |
| 814 while (CFArrayGetCount(cert_array) > 0) { | 817 while (CFArrayGetCount(cert_array) > 0) { |
| 815 ScopedCFTypeRef<SecTrustRef> temp_ref; | 818 ScopedCFTypeRef<SecTrustRef> temp_ref; |
| 816 SecTrustResultType temp_trust_result = kSecTrustResultDeny; | 819 SecTrustResultType temp_trust_result = kSecTrustResultDeny; |
| 817 ScopedCFTypeRef<CFArrayRef> temp_chain; | 820 ScopedCFTypeRef<CFArrayRef> temp_chain; |
| 818 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; | 821 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; |
| (...skipping 282 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1101 // EV cert and it was covered by CRLSets or revocation checking passed. | 1104 // EV cert and it was covered by CRLSets or revocation checking passed. |
| 1102 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1105 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 1103 } | 1106 } |
| 1104 | 1107 |
| 1105 return OK; | 1108 return OK; |
| 1106 } | 1109 } |
| 1107 | 1110 |
| 1108 } // namespace net | 1111 } // namespace net |
| 1109 | 1112 |
| 1110 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1113 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2746103003:
Add X509CertificateBytes which uses CRYPTO_BUFFER instead of macOS-native certificate types. (Closed)
