| OLD | NEW |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/trust_store_mac.h" | 5 #include "net/cert/internal/trust_store_mac.h" |
| 6 | 6 |
| 7 #include <Security/Security.h> | 7 #include <Security/Security.h> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/mac/foundation_util.h" | 10 #include "base/mac/foundation_util.h" |
| 11 #include "base/mac/mac_logging.h" | 11 #include "base/mac/mac_logging.h" |
| 12 #include "base/memory/ptr_util.h" | 12 #include "base/memory/ptr_util.h" |
| 13 #include "base/synchronization/lock.h" | 13 #include "base/synchronization/lock.h" |
| 14 #include "crypto/mac_security_services_lock.h" | 14 #include "crypto/mac_security_services_lock.h" |
| 15 #include "net/cert/internal/cert_errors.h" | 15 #include "net/cert/internal/cert_errors.h" |
| 16 #include "net/cert/internal/parse_name.h" | 16 #include "net/cert/internal/parse_name.h" |
| 17 #include "net/cert/internal/parsed_certificate.h" | 17 #include "net/cert/internal/parsed_certificate.h" |
| 18 #include "net/cert/test_keychain_search_list_mac.h" | 18 #include "net/cert/test_keychain_search_list_mac.h" |
| 19 #include "net/cert/x509_certificate.h" | |
| 20 #include "net/cert/x509_util.h" | 19 #include "net/cert/x509_util.h" |
| 20 #include "net/cert/x509_util_mac.h" |
| 21 | 21 |
| 22 namespace net { | 22 namespace net { |
| 23 | 23 |
| 24 namespace { | 24 namespace { |
| 25 | 25 |
| 26 // The rules for interpreting trust settings are documented at: | 26 // The rules for interpreting trust settings are documented at: |
| 27 // https://developer.apple.com/reference/security/1400261-sectrustsettingscopytr
ustsetting?language=objc | 27 // https://developer.apple.com/reference/security/1400261-sectrustsettingscopytr
ustsetting?language=objc |
| 28 | 28 |
| 29 // Indicates the trust status of a certificate. | 29 // Indicates the trust status of a certificate. |
| 30 enum class TrustStatus { | 30 enum class TrustStatus { |
| (...skipping 108 matching lines...) |
| 139 if (trust != TrustStatus::UNSPECIFIED) | 139 if (trust != TrustStatus::UNSPECIFIED) |
| 140 return trust; | 140 return trust; |
| 141 } | 141 } |
| 142 return TrustStatus::UNSPECIFIED; | 142 return TrustStatus::UNSPECIFIED; |
| 143 } | 143 } |
| 144 | 144 |
| 145 // Returns true if the certificate |cert_handle| is trusted for the policy | 145 // Returns true if the certificate |cert_handle| is trusted for the policy |
| 146 // |policy_oid|. | 146 // |policy_oid|. |
| 147 TrustStatus IsSecCertificateTrustedForPolicy(SecCertificateRef cert_handle, | 147 TrustStatus IsSecCertificateTrustedForPolicy(SecCertificateRef cert_handle, |
| 148 const CFStringRef policy_oid) { | 148 const CFStringRef policy_oid) { |
| 149 const bool is_self_signed = X509Certificate::IsSelfSigned(cert_handle); | 149 const bool is_self_signed = x509_util::IsSelfSigned(cert_handle); |
| 150 // Evaluate trust domains in user, admin, system order. Admin settings can | 150 // Evaluate trust domains in user, admin, system order. Admin settings can |
| 151 // override system ones, and user settings can override both admin and system. | 151 // override system ones, and user settings can override both admin and system. |
| 152 for (const auto& trust_domain : | 152 for (const auto& trust_domain : |
| 153 {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, | 153 {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, |
| 154 kSecTrustSettingsDomainSystem}) { | 154 kSecTrustSettingsDomainSystem}) { |
| 155 base::ScopedCFTypeRef<CFArrayRef> trust_settings; | 155 base::ScopedCFTypeRef<CFArrayRef> trust_settings; |
| 156 OSStatus err; | 156 OSStatus err; |
| 157 { | 157 { |
| 158 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | 158 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); |
| 159 err = SecTrustSettingsCopyTrustSettings(cert_handle, trust_domain, | 159 err = SecTrustSettingsCopyTrustSettings(cert_handle, trust_domain, |
| (...skipping 153 matching lines...) |
| 313 return matching_items; | 313 return matching_items; |
| 314 } | 314 } |
| 315 | 315 |
| 316 // static | 316 // static |
| 317 base::ScopedCFTypeRef<CFDataRef> TrustStoreMac::GetMacNormalizedIssuer( | 317 base::ScopedCFTypeRef<CFDataRef> TrustStoreMac::GetMacNormalizedIssuer( |
| 318 const scoped_refptr<ParsedCertificate>& cert) { | 318 const scoped_refptr<ParsedCertificate>& cert) { |
| 319 base::ScopedCFTypeRef<CFDataRef> name_data; | 319 base::ScopedCFTypeRef<CFDataRef> name_data; |
| 320 // There does not appear to be any public API to get the normalized version | 320 // There does not appear to be any public API to get the normalized version |
| 321 // of a Name without creating a SecCertificate. | 321 // of a Name without creating a SecCertificate. |
| 322 base::ScopedCFTypeRef<SecCertificateRef> cert_handle( | 322 base::ScopedCFTypeRef<SecCertificateRef> cert_handle( |
| 323 X509Certificate::CreateOSCertHandleFromBytes( | 323 x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(), |
| 324 cert->der_cert().AsStringPiece().data(), cert->der_cert().Length())); | 324 cert->der_cert().Length())); |
| 325 if (!cert_handle) { | 325 if (!cert_handle) { |
| 326 LOG(ERROR) << "CreateOSCertHandleFromBytes"; | 326 LOG(ERROR) << "CreateOSCertHandleFromBytes"; |
| 327 return name_data; | 327 return name_data; |
| 328 } | 328 } |
| 329 { | 329 { |
| 330 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | 330 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); |
| 331 name_data.reset( | 331 name_data.reset( |
| 332 SecCertificateCopyNormalizedIssuerContent(cert_handle, nullptr)); | 332 SecCertificateCopyNormalizedIssuerContent(cert_handle, nullptr)); |
| 333 } | 333 } |
| 334 if (!name_data) | 334 if (!name_data) |
| 335 LOG(ERROR) << "SecCertificateCopyNormalizedIssuerContent"; | 335 LOG(ERROR) << "SecCertificateCopyNormalizedIssuerContent"; |
| 336 return name_data; | 336 return name_data; |
| 337 } | 337 } |
| 338 | 338 |
| 339 void TrustStoreMac::FindTrustAnchorsByMacNormalizedSubject( | 339 void TrustStoreMac::FindTrustAnchorsByMacNormalizedSubject( |
| 340 CFDataRef name_data, | 340 CFDataRef name_data, |
| 341 TrustAnchors* out_anchors) const { | 341 TrustAnchors* out_anchors) const { |
| 342 base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items = | 342 base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items = |
| 343 FindMatchingCertificatesForMacNormalizedSubject(name_data); | 343 FindMatchingCertificatesForMacNormalizedSubject(name_data); |
| 344 if (!scoped_matching_items) | 344 if (!scoped_matching_items) |
| 345 return; | 345 return; |
| 346 | 346 |
| 347 FilterTrustedCertificates(scoped_matching_items.get(), policy_oid_, | 347 FilterTrustedCertificates(scoped_matching_items.get(), policy_oid_, |
| 348 out_anchors); | 348 out_anchors); |
| 349 } | 349 } |
| 350 | 350 |
| 351 } // namespace net | 351 } // namespace net |
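Review bot: The error log in GetMacNormalizedIssuer (new line 326) still prints `"CreateOSCertHandleFromBytes"` although the call above it is now `x509_util::CreateSecCertificateFromBytes`; it should name the function that actually failed, `LOG(ERROR) << "CreateSecCertificateFromBytes";`, so a certificate that fails to convert during trust-anchor lookup is traced to the right call. Separately, the comment above IsSecCertificateTrustedForPolicy says "Returns true" while the function returns a TrustStatus that can be UNSPECIFIED; rewording it to `// Returns the trust status of |cert_handle| for the policy |policy_oid|.` would keep callers from reading the result as a boolean. The body of IsSecCertificateTrustedForPolicy continues into the skipped lines, so how `is_self_signed` feeds the trust decision cannot be checked from this view.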