OLD | NEW |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/trust_store_mac.h" | 5 #include "net/cert/internal/trust_store_mac.h" |
6 | 6 |
7 #include <Security/Security.h> | 7 #include <Security/Security.h> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/mac/foundation_util.h" | 10 #include "base/mac/foundation_util.h" |
11 #include "base/mac/mac_logging.h" | 11 #include "base/mac/mac_logging.h" |
12 #include "base/memory/ptr_util.h" | 12 #include "base/memory/ptr_util.h" |
13 #include "base/synchronization/lock.h" | 13 #include "base/synchronization/lock.h" |
14 #include "crypto/mac_security_services_lock.h" | 14 #include "crypto/mac_security_services_lock.h" |
15 #include "net/cert/internal/cert_errors.h" | 15 #include "net/cert/internal/cert_errors.h" |
16 #include "net/cert/internal/parse_name.h" | 16 #include "net/cert/internal/parse_name.h" |
17 #include "net/cert/internal/parsed_certificate.h" | 17 #include "net/cert/internal/parsed_certificate.h" |
18 #include "net/cert/test_keychain_search_list_mac.h" | 18 #include "net/cert/test_keychain_search_list_mac.h" |
19 #include "net/cert/x509_certificate.h" | |
20 #include "net/cert/x509_util.h" | 19 #include "net/cert/x509_util.h" |
| 20 #include "net/cert/x509_util_mac.h" |
21 | 21 |
22 namespace net { | 22 namespace net { |
23 | 23 |
24 namespace { | 24 namespace { |
25 | 25 |
26 // The rules for interpreting trust settings are documented at: | 26 // The rules for interpreting trust settings are documented at: |
27 // https://developer.apple.com/reference/security/1400261-sectrustsettingscopytr
ustsetting?language=objc | 27 // https://developer.apple.com/reference/security/1400261-sectrustsettingscopytr
ustsetting?language=objc |
28 | 28 |
29 // Indicates the trust status of a certificate. | 29 // Indicates the trust status of a certificate. |
30 enum class TrustStatus { | 30 enum class TrustStatus { |
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
139 if (trust != TrustStatus::UNSPECIFIED) | 139 if (trust != TrustStatus::UNSPECIFIED) |
140 return trust; | 140 return trust; |
141 } | 141 } |
142 return TrustStatus::UNSPECIFIED; | 142 return TrustStatus::UNSPECIFIED; |
143 } | 143 } |
144 | 144 |
145 // Returns true if the certificate |cert_handle| is trusted for the policy | 145 // Returns true if the certificate |cert_handle| is trusted for the policy |
146 // |policy_oid|. | 146 // |policy_oid|. |
147 TrustStatus IsSecCertificateTrustedForPolicy(SecCertificateRef cert_handle, | 147 TrustStatus IsSecCertificateTrustedForPolicy(SecCertificateRef cert_handle, |
148 const CFStringRef policy_oid) { | 148 const CFStringRef policy_oid) { |
149 const bool is_self_signed = X509Certificate::IsSelfSigned(cert_handle); | 149 const bool is_self_signed = x509_util::IsSelfSigned(cert_handle); |
150 // Evaluate trust domains in user, admin, system order. Admin settings can | 150 // Evaluate trust domains in user, admin, system order. Admin settings can |
151 // override system ones, and user settings can override both admin and system. | 151 // override system ones, and user settings can override both admin and system. |
152 for (const auto& trust_domain : | 152 for (const auto& trust_domain : |
153 {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, | 153 {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, |
154 kSecTrustSettingsDomainSystem}) { | 154 kSecTrustSettingsDomainSystem}) { |
155 base::ScopedCFTypeRef<CFArrayRef> trust_settings; | 155 base::ScopedCFTypeRef<CFArrayRef> trust_settings; |
156 OSStatus err; | 156 OSStatus err; |
157 { | 157 { |
158 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | 158 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); |
159 err = SecTrustSettingsCopyTrustSettings(cert_handle, trust_domain, | 159 err = SecTrustSettingsCopyTrustSettings(cert_handle, trust_domain, |
(...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
313 return matching_items; | 313 return matching_items; |
314 } | 314 } |
315 | 315 |
316 // static | 316 // static |
317 base::ScopedCFTypeRef<CFDataRef> TrustStoreMac::GetMacNormalizedIssuer( | 317 base::ScopedCFTypeRef<CFDataRef> TrustStoreMac::GetMacNormalizedIssuer( |
318 const scoped_refptr<ParsedCertificate>& cert) { | 318 const scoped_refptr<ParsedCertificate>& cert) { |
319 base::ScopedCFTypeRef<CFDataRef> name_data; | 319 base::ScopedCFTypeRef<CFDataRef> name_data; |
320 // There does not appear to be any public API to get the normalized version | 320 // There does not appear to be any public API to get the normalized version |
321 // of a Name without creating a SecCertificate. | 321 // of a Name without creating a SecCertificate. |
322 base::ScopedCFTypeRef<SecCertificateRef> cert_handle( | 322 base::ScopedCFTypeRef<SecCertificateRef> cert_handle( |
323 X509Certificate::CreateOSCertHandleFromBytes( | 323 x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(), |
324 cert->der_cert().AsStringPiece().data(), cert->der_cert().Length())); | 324 cert->der_cert().Length())); |
325 if (!cert_handle) { | 325 if (!cert_handle) { |
326 LOG(ERROR) << "CreateOSCertHandleFromBytes"; | 326 LOG(ERROR) << "CreateOSCertHandleFromBytes"; |
327 return name_data; | 327 return name_data; |
328 } | 328 } |
329 { | 329 { |
330 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | 330 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); |
331 name_data.reset( | 331 name_data.reset( |
332 SecCertificateCopyNormalizedIssuerContent(cert_handle, nullptr)); | 332 SecCertificateCopyNormalizedIssuerContent(cert_handle, nullptr)); |
333 } | 333 } |
334 if (!name_data) | 334 if (!name_data) |
335 LOG(ERROR) << "SecCertificateCopyNormalizedIssuerContent"; | 335 LOG(ERROR) << "SecCertificateCopyNormalizedIssuerContent"; |
336 return name_data; | 336 return name_data; |
337 } | 337 } |
338 | 338 |
339 void TrustStoreMac::FindTrustAnchorsByMacNormalizedSubject( | 339 void TrustStoreMac::FindTrustAnchorsByMacNormalizedSubject( |
340 CFDataRef name_data, | 340 CFDataRef name_data, |
341 TrustAnchors* out_anchors) const { | 341 TrustAnchors* out_anchors) const { |
342 base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items = | 342 base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items = |
343 FindMatchingCertificatesForMacNormalizedSubject(name_data); | 343 FindMatchingCertificatesForMacNormalizedSubject(name_data); |
344 if (!scoped_matching_items) | 344 if (!scoped_matching_items) |
345 return; | 345 return; |
346 | 346 |
347 FilterTrustedCertificates(scoped_matching_items.get(), policy_oid_, | 347 FilterTrustedCertificates(scoped_matching_items.get(), policy_oid_, |
348 out_anchors); | 348 out_anchors); |
349 } | 349 } |
350 | 350 |
351 } // namespace net | 351 } // namespace net |
OLD | NEW |