OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
(...skipping 184 matching lines...)
195 verified_chain.push_back(chain_cert); | 195 verified_chain.push_back(chain_cert); |
196 } | 196 } |
197 } | 197 } |
198 if (!verified_cert) { | 198 if (!verified_cert) { |
199 NOTREACHED(); | 199 NOTREACHED(); |
200 verify_result->cert_status |= CERT_STATUS_INVALID; | 200 verify_result->cert_status |= CERT_STATUS_INVALID; |
201 return; | 201 return; |
202 } | 202 } |
203 | 203 |
204 scoped_refptr<X509Certificate> verified_cert_with_chain = | 204 scoped_refptr<X509Certificate> verified_cert_with_chain = |
205 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 205 x509_util::CreateX509CertificateFromSecCertificate(verified_cert, |
| 206 verified_chain); |
206 if (verified_cert_with_chain) | 207 if (verified_cert_with_chain) |
207 verify_result->verified_cert = std::move(verified_cert_with_chain); | 208 verify_result->verified_cert = std::move(verified_cert_with_chain); |
208 else | 209 else |
209 verify_result->cert_status |= CERT_STATUS_INVALID; | 210 verify_result->cert_status |= CERT_STATUS_INVALID; |
210 } | 211 } |
211 | 212 |
212 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false | 213 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false |
213 // otherwise. A return of false also includes the case where the signature | 214 // otherwise. A return of false also includes the case where the signature |
214 // algorithm couldn't be conclusively labeled as weak. | 215 // algorithm couldn't be conclusively labeled as weak. |
215 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { | 216 bool CertUsesWeakHash(SecCertificateRef cert_handle) { |
216 x509_util::CSSMCachedCertificate cached_cert; | 217 x509_util::CSSMCachedCertificate cached_cert; |
217 OSStatus status = cached_cert.Init(cert_handle); | 218 OSStatus status = cached_cert.Init(cert_handle); |
218 if (status) | 219 if (status) |
219 return false; | 220 return false; |
220 | 221 |
221 x509_util::CSSMFieldValue signature_field; | 222 x509_util::CSSMFieldValue signature_field; |
222 status = | 223 status = |
223 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); | 224 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); |
224 if (status || !signature_field.field()) | 225 if (status || !signature_field.field()) |
225 return false; | 226 return false; |
(...skipping 383 matching lines...)
609 // If there are no known roots, then an API failure occurred. For safety, | 610 // If there are no known roots, then an API failure occurred. For safety, |
610 // assume that all certificates are issued by known roots. | 611 // assume that all certificates are issued by known roots. |
611 if (known_roots_.empty()) | 612 if (known_roots_.empty()) |
612 return true; | 613 return true; |
613 | 614 |
614 CFIndex n = CFArrayGetCount(chain); | 615 CFIndex n = CFArrayGetCount(chain); |
615 if (n < 1) | 616 if (n < 1) |
616 return false; | 617 return false; |
617 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( | 618 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( |
618 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); | 619 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); |
619 SHA256HashValue hash = X509Certificate::CalculateFingerprint256(root_ref); | 620 SHA256HashValue hash = x509_util::CalculateFingerprint256(root_ref); |
620 return known_roots_.find(hash) != known_roots_.end(); | 621 return known_roots_.find(hash) != known_roots_.end(); |
621 } | 622 } |
622 | 623 |
623 private: | 624 private: |
624 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; | 625 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; |
625 | 626 |
626 OSXKnownRootHelper() { | 627 OSXKnownRootHelper() { |
627 CFArrayRef cert_array = NULL; | 628 CFArrayRef cert_array = NULL; |
628 OSStatus rv = SecTrustSettingsCopyCertificates( | 629 OSStatus rv = SecTrustSettingsCopyCertificates( |
629 kSecTrustSettingsDomainSystem, &cert_array); | 630 kSecTrustSettingsDomainSystem, &cert_array); |
630 if (rv != noErr) { | 631 if (rv != noErr) { |
631 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " | 632 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " |
632 << "trusted! Error " << rv; | 633 << "trusted! Error " << rv; |
633 return; | 634 return; |
634 } | 635 } |
635 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); | 636 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); |
636 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { | 637 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { |
637 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( | 638 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( |
638 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); | 639 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); |
639 known_roots_.insert(X509Certificate::CalculateFingerprint256(cert)); | 640 known_roots_.insert(x509_util::CalculateFingerprint256(cert)); |
640 } | 641 } |
641 } | 642 } |
642 | 643 |
643 ~OSXKnownRootHelper() {} | 644 ~OSXKnownRootHelper() {} |
644 | 645 |
645 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; | 646 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; |
646 }; | 647 }; |
647 | 648 |
648 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = | 649 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = |
649 LAZY_INSTANCE_INITIALIZER; | 650 LAZY_INSTANCE_INITIALIZER; |
(...skipping 125 matching lines...)
775 "/System/Library/Keychains/SystemRootCertificates.keychain", | 776 "/System/Library/Keychains/SystemRootCertificates.keychain", |
776 &keychain); | 777 &keychain); |
777 if (status) | 778 if (status) |
778 return NetErrorFromOSStatus(status); | 779 return NetErrorFromOSStatus(status); |
779 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); | 780 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); |
780 | 781 |
781 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); | 782 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); |
782 } | 783 } |
783 | 784 |
784 ScopedCFTypeRef<CFMutableArrayRef> cert_array( | 785 ScopedCFTypeRef<CFMutableArrayRef> cert_array( |
785 cert->CreateOSCertChainForCert()); | 786 x509_util::CreateSecCertificateArrayForX509Certificate(cert)); |
| 787 if (!cert_array) |
| 788 return ERR_CERT_INVALID; |
786 | 789 |
787 // Beginning with the certificate chain as supplied by the server, attempt | 790 // Beginning with the certificate chain as supplied by the server, attempt |
788 // to verify the chain. If a failure is encountered, trim a certificate | 791 // to verify the chain. If a failure is encountered, trim a certificate |
789 // from the end (so long as one remains) and retry, in the hope of forcing | 792 // from the end (so long as one remains) and retry, in the hope of forcing |
790 // OS X to find a better path. | 793 // OS X to find a better path. |
791 while (CFArrayGetCount(cert_array) > 0) { | 794 while (CFArrayGetCount(cert_array) > 0) { |
792 ScopedCFTypeRef<SecTrustRef> temp_ref; | 795 ScopedCFTypeRef<SecTrustRef> temp_ref; |
793 SecTrustResultType temp_trust_result = kSecTrustResultDeny; | 796 SecTrustResultType temp_trust_result = kSecTrustResultDeny; |
794 ScopedCFTypeRef<CFArrayRef> temp_chain; | 797 ScopedCFTypeRef<CFArrayRef> temp_chain; |
795 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; | 798 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; |
(...skipping 282 matching lines...)
1078 // EV cert and it was covered by CRLSets or revocation checking passed. | 1081 // EV cert and it was covered by CRLSets or revocation checking passed. |
1079 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1082 verify_result->cert_status |= CERT_STATUS_IS_EV; |
1080 } | 1083 } |
1081 | 1084 |
1082 return OK; | 1085 return OK; |
1083 } | 1086 } |
1084 | 1087 |
1085 } // namespace net | 1088 } // namespace net |
1086 | 1089 |
1087 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1090 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
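Review bot: The new early return at new lines 787-788 reports `ERR_CERT_INVALID` without recording the failure in `verify_result->cert_status`, unlike the other failure paths shown on this page (new lines 200 and 210), which set `CERT_STATUS_INVALID`. If callers derive the final error or the UI state from `cert_status` rather than from the return code (not visible here), this path would hand back an error alongside a clean status. Consider `if (!cert_array) { verify_result->cert_status |= CERT_STATUS_INVALID; return ERR_CERT_INVALID; }`. The enclosing function starts and ends outside the shown lines, so confirm that `verify_result` is in scope at this point.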