Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(86)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_mac.cc

Issue 2760723002: Check X509Certificate::CreateFromHandle result. (Closed)
Patch Set: update for eroman's comments Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/cert_verify_proc_ios.cc ('K') | « net/cert/cert_verify_proc_ios.cc ('k') | net/cert/cert_verify_proc_nss.cc » ('j') | net/cert/cert_verify_proc_win.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_mac.h" 5 #include "net/cert/cert_verify_proc_mac.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 10
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after
173 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED), local_policies); 173 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED), local_policies);
174 if (status) 174 if (status)
175 return status; 175 return status;
176 176
177 policies->reset(local_policies.release()); 177 policies->reset(local_policies.release());
178 return noErr; 178 return noErr;
179 } 179 }
180 180
181 // Stores the constructed certificate chain |cert_chain| into 181 // Stores the constructed certificate chain |cert_chain| into
182 // |*verify_result|. |cert_chain| must not be empty. 182 // |*verify_result|. |cert_chain| must not be empty.
183 void CopyCertChainToVerifyResult(CFArrayRef cert_chain, 183 bool CopyCertChainToVerifyResult(CFArrayRef cert_chain,
184 CertVerifyResult* verify_result) { 184 CertVerifyResult* verify_result) {
185 DCHECK_LT(0, CFArrayGetCount(cert_chain)); 185 DCHECK_LT(0, CFArrayGetCount(cert_chain));
186 186
187 SecCertificateRef verified_cert = NULL; 187 SecCertificateRef verified_cert = NULL;
188 std::vector<SecCertificateRef> verified_chain; 188 std::vector<SecCertificateRef> verified_chain;
189 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { 189 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {
190 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( 190 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(
191 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); 191 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
192 if (i == 0) { 192 if (i == 0) {
193 verified_cert = chain_cert; 193 verified_cert = chain_cert;
194 } else { 194 } else {
195 verified_chain.push_back(chain_cert); 195 verified_chain.push_back(chain_cert);
196 } 196 }
197 } 197 }
198 if (!verified_cert) { 198 if (!verified_cert) {
199 NOTREACHED(); 199 NOTREACHED();
200 return; 200 return false;
201 } 201 }
202 202
203 verify_result->verified_cert = 203 scoped_refptr<X509Certificate> verified_cert_with_chain =
204 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 204 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
205 if (!verified_cert_with_chain)
206 return false;
207 verify_result->verified_cert = std::move(verified_cert_with_chain);
208 return true;
205 } 209 }
206 210
207 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false 211 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false
208 // otherwise. A return of false also includes the case where the signature 212 // otherwise. A return of false also includes the case where the signature
209 // algorithm couldn't be conclusively labeled as weak. 213 // algorithm couldn't be conclusively labeled as weak.
210 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { 214 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) {
211 x509_util::CSSMCachedCertificate cached_cert; 215 x509_util::CSSMCachedCertificate cached_cert;
212 OSStatus status = cached_cert.Init(cert_handle); 216 OSStatus status = cached_cert.Init(cert_handle);
213 if (status) 217 if (status)
214 return false; 218 return false;
(...skipping 672 matching lines...) Expand 10 before | Expand all | Expand 10 after
887 break; 891 break;
888 } 892 }
889 893
890 if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) 894 if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)
891 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 895 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
892 896
893 if (*completed_chain_crl_result == kCRLSetRevoked) 897 if (*completed_chain_crl_result == kCRLSetRevoked)
894 verify_result->cert_status |= CERT_STATUS_REVOKED; 898 verify_result->cert_status |= CERT_STATUS_REVOKED;
895 899
896 if (CFArrayGetCount(completed_chain) > 0) { 900 if (CFArrayGetCount(completed_chain) > 0) {
897 CopyCertChainToVerifyResult(completed_chain, verify_result); 901 if (!CopyCertChainToVerifyResult(completed_chain, verify_result))
902 verify_result->cert_status |= CERT_STATUS_INVALID;
898 } 903 }
899 904
900 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits 905 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits
901 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds 906 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds
902 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping 907 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping
903 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only 908 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only
904 // error was due to an unsupported key size. 909 // error was due to an unsupported key size.
905 bool policy_failed = false; 910 bool policy_failed = false;
906 bool policy_fail_already_mapped = false; 911 bool policy_fail_already_mapped = false;
907 bool weak_key_or_signature_algorithm = false; 912 bool weak_key_or_signature_algorithm = false;
(...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after
1096 // EV cert and it was covered by CRLSets or revocation checking passed. 1101 // EV cert and it was covered by CRLSets or revocation checking passed.
1097 verify_result->cert_status |= CERT_STATUS_IS_EV; 1102 verify_result->cert_status |= CERT_STATUS_IS_EV;
1098 } 1103 }
1099 1104
1100 return OK; 1105 return OK;
1101 } 1106 }
1102 1107
1103 } // namespace net 1108 } // namespace net
1104 1109
1105 #pragma clang diagnostic pop // "-Wdeprecated-declarations" 1110 #pragma clang diagnostic pop // "-Wdeprecated-declarations"
OLDNEW
« net/cert/cert_verify_proc_ios.cc ('K') | « net/cert/cert_verify_proc_ios.cc ('k') | net/cert/cert_verify_proc_nss.cc » ('j') | net/cert/cert_verify_proc_win.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698