| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_nss.h" | 5 #include "net/cert/cert_verify_proc_nss.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <nss.h> | 8 #include <nss.h> |
| 9 #include <prerror.h> | 9 #include <prerror.h> |
| 10 #include <secerr.h> | 10 #include <secerr.h> |
| (...skipping 134 matching lines...) |
| 145 // Map PORT_GetError() return values to our cert status flags. | 145 // Map PORT_GetError() return values to our cert status flags. |
| 146 CertStatus MapCertErrorToCertStatus(int err) { | 146 CertStatus MapCertErrorToCertStatus(int err) { |
| 147 int net_error = MapSecurityError(err); | 147 int net_error = MapSecurityError(err); |
| 148 return MapNetErrorToCertStatus(net_error); | 148 return MapNetErrorToCertStatus(net_error); |
| 149 } | 149 } |
| 150 | 150 |
| 151 // Saves some information about the certificate chain cert_list in | 151 // Saves some information about the certificate chain cert_list in |
| 152 // *verify_result. The caller MUST initialize *verify_result before calling | 152 // *verify_result. The caller MUST initialize *verify_result before calling |
| 153 // this function. | 153 // this function. |
| 154 // Note that cert_list[0] is the end entity certificate. | 154 // Note that cert_list[0] is the end entity certificate. |
| 155 void GetCertChainInfo(CERTCertList* cert_list, | 155 bool GetCertChainInfo(CERTCertList* cert_list, |
| 156 CERTCertificate* root_cert, | 156 CERTCertificate* root_cert, |
| 157 CertVerifyResult* verify_result) { | 157 CertVerifyResult* verify_result) { |
| 158 DCHECK(cert_list); | 158 DCHECK(cert_list); |
| 159 | 159 |
| 160 CERTCertificate* verified_cert = NULL; | 160 CERTCertificate* verified_cert = NULL; |
| 161 std::vector<CERTCertificate*> verified_chain; | 161 std::vector<CERTCertificate*> verified_chain; |
| 162 size_t i = 0; | 162 size_t i = 0; |
| 163 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 163 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 164 !CERT_LIST_END(node, cert_list); | 164 !CERT_LIST_END(node, cert_list); |
| 165 node = CERT_LIST_NEXT(node), ++i) { | 165 node = CERT_LIST_NEXT(node), ++i) { |
| (...skipping 22 matching lines...) |
| 188 &next_cert->derPublicKey)) { | 188 &next_cert->derPublicKey)) { |
| 189 continue; | 189 continue; |
| 190 } | 190 } |
| 191 } | 191 } |
| 192 verified_chain.push_back(node->cert); | 192 verified_chain.push_back(node->cert); |
| 193 } | 193 } |
| 194 } | 194 } |
| 195 | 195 |
| 196 if (root_cert) | 196 if (root_cert) |
| 197 verified_chain.push_back(root_cert); | 197 verified_chain.push_back(root_cert); |
| 198 verify_result->verified_cert = | 198 |
| 199 scoped_refptr<X509Certificate> verified_cert_with_chain = |
| 199 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 200 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 201 if (!verified_cert_with_chain) |
| 202 return false; |
| 203 verify_result->verified_cert = std::move(verified_cert_with_chain); |
| 204 return true; |
| 200 } | 205 } |
| 201 | 206 |
| 202 // IsKnownRoot returns true if the given certificate is one that we believe | 207 // IsKnownRoot returns true if the given certificate is one that we believe |
| 203 // is a standard (as opposed to user-installed) root. | 208 // is a standard (as opposed to user-installed) root. |
| 204 bool IsKnownRoot(CERTCertificate* root) { | 209 bool IsKnownRoot(CERTCertificate* root) { |
| 205 if (!root || !root->slot) | 210 if (!root || !root->slot) |
| 206 return false; | 211 return false; |
| 207 | 212 |
| 208 // This magic name is taken from | 213 // This magic name is taken from |
| 209 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b
uiltins/constants.c&rev=1.13&mark=86,89#79 | 214 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b
uiltins/constants.c&rev=1.13&mark=86,89#79 |
| (...skipping 662 matching lines...) |
| 872 cvout[cvout_trust_anchor_index].value.pointer.cert, | 877 cvout[cvout_trust_anchor_index].value.pointer.cert, |
| 873 &verify_result->public_key_hashes); | 878 &verify_result->public_key_hashes); |
| 874 | 879 |
| 875 verify_result->is_issued_by_known_root = | 880 verify_result->is_issued_by_known_root = |
| 876 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | 881 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); |
| 877 verify_result->is_issued_by_additional_trust_anchor = | 882 verify_result->is_issued_by_additional_trust_anchor = |
| 878 IsAdditionalTrustAnchor( | 883 IsAdditionalTrustAnchor( |
| 879 trust_anchors.get(), | 884 trust_anchors.get(), |
| 880 cvout[cvout_trust_anchor_index].value.pointer.cert); | 885 cvout[cvout_trust_anchor_index].value.pointer.cert); |
| 881 | 886 |
| 882 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 887 if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
| 883 cvout[cvout_trust_anchor_index].value.pointer.cert, | 888 cvout[cvout_trust_anchor_index].value.pointer.cert, |
| 884 verify_result); | 889 verify_result)) { |
| 890 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 891 } |
| 885 } | 892 } |
| 886 | 893 |
| 887 CRLSetResult crl_set_result = kCRLSetUnknown; | 894 CRLSetResult crl_set_result = kCRLSetUnknown; |
| 888 if (crl_set) { | 895 if (crl_set) { |
| 889 if (status == SECSuccess) { | 896 if (status == SECSuccess) { |
| 890 // Reverify the returned chain; NSS should have already called | 897 // Reverify the returned chain; NSS should have already called |
| 891 // CheckChainRevocationWithCRLSet prior to returning, but given the | 898 // CheckChainRevocationWithCRLSet prior to returning, but given the |
| 892 // edge cases (self-signed certs that are trusted; cached chains; | 899 // edge cases (self-signed certs that are trusted; cached chains; |
| 893 // unreadable code), this is more about defense in depth than | 900 // unreadable code), this is more about defense in depth than |
| 894 // functional necessity. | 901 // functional necessity. |
| (...skipping 59 matching lines...) |
| 954 CRLSet* crl_set, | 961 CRLSet* crl_set, |
| 955 const CertificateList& additional_trust_anchors, | 962 const CertificateList& additional_trust_anchors, |
| 956 CertVerifyResult* verify_result) { | 963 CertVerifyResult* verify_result) { |
| 957 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, | 964 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, |
| 958 additional_trust_anchors, | 965 additional_trust_anchors, |
| 959 NULL, // chain_verify_callback | 966 NULL, // chain_verify_callback |
| 960 verify_result); | 967 verify_result); |
| 961 } | 968 } |
| 962 | 969 |
| 963 } // namespace net | 970 } // namespace net |
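Review bot: At the call site (new lines 887-891) a failed GetCertChainInfo() is recorded only as `CERT_STATUS_INVALID` in `cert_status`, after `is_issued_by_known_root` and `is_issued_by_additional_trust_anchor` have already been set from the trust anchor, and `verified_cert` keeps whatever value the caller initialised it to. The enclosing function starts and ends in regions collapsed on this page, so it is worth confirming that the CRLSet re-check guarded by `status == SECSuccess` (new line 896) and the final status-to-error mapping cannot report this case as a successful verification. The header comment on GetCertChainInfo (lines 151-154) also still describes a void function; it should state the new contract, for example `// Returns false if the X509Certificate could not be created from the chain; verify_result->verified_cert is then not updated.`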