| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
| 9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
| 10 | 10 |
| (...skipping 184 matching lines...) |
| 195 verified_chain.push_back(chain_cert); | 195 verified_chain.push_back(chain_cert); |
| 196 } | 196 } |
| 197 } | 197 } |
| 198 if (!verified_cert) { | 198 if (!verified_cert) { |
| 199 NOTREACHED(); | 199 NOTREACHED(); |
| 200 verify_result->cert_status |= CERT_STATUS_INVALID; | 200 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 201 return; | 201 return; |
| 202 } | 202 } |
| 203 | 203 |
| 204 scoped_refptr<X509Certificate> verified_cert_with_chain = | 204 scoped_refptr<X509Certificate> verified_cert_with_chain = |
| 205 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 205 x509_util::CreateX509CertificateFromSecCertificate(verified_cert, |
| 206 verified_chain); |
| 206 if (verified_cert_with_chain) | 207 if (verified_cert_with_chain) |
| 207 verify_result->verified_cert = std::move(verified_cert_with_chain); | 208 verify_result->verified_cert = std::move(verified_cert_with_chain); |
| 208 else | 209 else |
| 209 verify_result->cert_status |= CERT_STATUS_INVALID; | 210 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 210 } | 211 } |
| 211 | 212 |
| 212 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false | 213 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false |
| 213 // otherwise. A return of false also includes the case where the signature | 214 // otherwise. A return of false also includes the case where the signature |
| 214 // algorithm couldn't be conclusively labeled as weak. | 215 // algorithm couldn't be conclusively labeled as weak. |
| 215 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { | 216 bool CertUsesWeakHash(SecCertificateRef cert_handle) { |
| 216 x509_util::CSSMCachedCertificate cached_cert; | 217 x509_util::CSSMCachedCertificate cached_cert; |
| 217 OSStatus status = cached_cert.Init(cert_handle); | 218 OSStatus status = cached_cert.Init(cert_handle); |
| 218 if (status) | 219 if (status) |
| 219 return false; | 220 return false; |
| 220 | 221 |
| 221 x509_util::CSSMFieldValue signature_field; | 222 x509_util::CSSMFieldValue signature_field; |
| 222 status = | 223 status = |
| 223 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); | 224 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); |
| 224 if (status || !signature_field.field()) | 225 if (status || !signature_field.field()) |
| 225 return false; | 226 return false; |
| (...skipping 383 matching lines...) |
| 609 // If there are no known roots, then an API failure occurred. For safety, | 610 // If there are no known roots, then an API failure occurred. For safety, |
| 610 // assume that all certificates are issued by known roots. | 611 // assume that all certificates are issued by known roots. |
| 611 if (known_roots_.empty()) | 612 if (known_roots_.empty()) |
| 612 return true; | 613 return true; |
| 613 | 614 |
| 614 CFIndex n = CFArrayGetCount(chain); | 615 CFIndex n = CFArrayGetCount(chain); |
| 615 if (n < 1) | 616 if (n < 1) |
| 616 return false; | 617 return false; |
| 617 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( | 618 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( |
| 618 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); | 619 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); |
| 619 SHA256HashValue hash = X509Certificate::CalculateFingerprint256(root_ref); | 620 SHA256HashValue hash = x509_util::CalculateFingerprint256(root_ref); |
| 620 return known_roots_.find(hash) != known_roots_.end(); | 621 return known_roots_.find(hash) != known_roots_.end(); |
| 621 } | 622 } |
| 622 | 623 |
| 623 private: | 624 private: |
| 624 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; | 625 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; |
| 625 | 626 |
| 626 OSXKnownRootHelper() { | 627 OSXKnownRootHelper() { |
| 627 CFArrayRef cert_array = NULL; | 628 CFArrayRef cert_array = NULL; |
| 628 OSStatus rv = SecTrustSettingsCopyCertificates( | 629 OSStatus rv = SecTrustSettingsCopyCertificates( |
| 629 kSecTrustSettingsDomainSystem, &cert_array); | 630 kSecTrustSettingsDomainSystem, &cert_array); |
| 630 if (rv != noErr) { | 631 if (rv != noErr) { |
| 631 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " | 632 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " |
| 632 << "trusted! Error " << rv; | 633 << "trusted! Error " << rv; |
| 633 return; | 634 return; |
| 634 } | 635 } |
| 635 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); | 636 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); |
| 636 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { | 637 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { |
| 637 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( | 638 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( |
| 638 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); | 639 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); |
| 639 known_roots_.insert(X509Certificate::CalculateFingerprint256(cert)); | 640 known_roots_.insert(x509_util::CalculateFingerprint256(cert)); |
| 640 } | 641 } |
| 641 } | 642 } |
| 642 | 643 |
| 643 ~OSXKnownRootHelper() {} | 644 ~OSXKnownRootHelper() {} |
| 644 | 645 |
| 645 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; | 646 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; |
| 646 }; | 647 }; |
| 647 | 648 |
| 648 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = | 649 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = |
| 649 LAZY_INSTANCE_INITIALIZER; | 650 LAZY_INSTANCE_INITIALIZER; |
| (...skipping 125 matching lines...) |
| 775 "/System/Library/Keychains/SystemRootCertificates.keychain", | 776 "/System/Library/Keychains/SystemRootCertificates.keychain", |
| 776 &keychain); | 777 &keychain); |
| 777 if (status) | 778 if (status) |
| 778 return NetErrorFromOSStatus(status); | 779 return NetErrorFromOSStatus(status); |
| 779 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); | 780 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); |
| 780 | 781 |
| 781 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); | 782 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); |
| 782 } | 783 } |
| 783 | 784 |
| 784 ScopedCFTypeRef<CFMutableArrayRef> cert_array( | 785 ScopedCFTypeRef<CFMutableArrayRef> cert_array( |
| 785 cert->CreateOSCertChainForCert()); | 786 x509_util::CreateSecCertificateArrayForX509Certificate(cert)); |
| 787 if (!cert_array) |
| 788 return ERR_CERT_INVALID; |
| 786 | 789 |
| 787 // Beginning with the certificate chain as supplied by the server, attempt | 790 // Beginning with the certificate chain as supplied by the server, attempt |
| 788 // to verify the chain. If a failure is encountered, trim a certificate | 791 // to verify the chain. If a failure is encountered, trim a certificate |
| 789 // from the end (so long as one remains) and retry, in the hope of forcing | 792 // from the end (so long as one remains) and retry, in the hope of forcing |
| 790 // OS X to find a better path. | 793 // OS X to find a better path. |
| 791 while (CFArrayGetCount(cert_array) > 0) { | 794 while (CFArrayGetCount(cert_array) > 0) { |
| 792 ScopedCFTypeRef<SecTrustRef> temp_ref; | 795 ScopedCFTypeRef<SecTrustRef> temp_ref; |
| 793 SecTrustResultType temp_trust_result = kSecTrustResultDeny; | 796 SecTrustResultType temp_trust_result = kSecTrustResultDeny; |
| 794 ScopedCFTypeRef<CFArrayRef> temp_chain; | 797 ScopedCFTypeRef<CFArrayRef> temp_chain; |
| 795 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; | 798 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; |
| (...skipping 282 matching lines...) |
| 1078 // EV cert and it was covered by CRLSets or revocation checking passed. | 1081 // EV cert and it was covered by CRLSets or revocation checking passed. |
| 1079 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1082 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 1080 } | 1083 } |
| 1081 | 1084 |
| 1082 return OK; | 1085 return OK; |
| 1083 } | 1086 } |
| 1084 | 1087 |
| 1085 } // namespace net | 1088 } // namespace net |
| 1086 | 1089 |
| 1087 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1090 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
| OLD | NEW |
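Review bot: The new early return at new lines 787–788 reports `ERR_CERT_INVALID` without recording any status bit, whereas the other failure paths visible on this page (new lines 200 and 210) mark the failure with `verify_result->cert_status |= CERT_STATUS_INVALID;`. If a verify result is reachable from this function, setting the bit before returning would keep the return code and `cert_status` in agreement, so that a consumer looking only at `cert_status` does not see a clean status for a chain that was never evaluated. The enclosing function starts and ends outside the visible lines, so whether `verify_result` is in scope here, or the caller maps the error itself, has to be confirmed there. The check would also benefit from a comment such as `// No SecCertificateRef array could be built for |cert|; fail closed instead of entering the retry loop with a null array.`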