OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_nss.h" | 5 #include "net/cert/cert_verify_proc_nss.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <nss.h> | 8 #include <nss.h> |
9 #include <prerror.h> | 9 #include <prerror.h> |
10 #include <secerr.h> | 10 #include <secerr.h> |
(...skipping 134 matching lines...)
145 // Map PORT_GetError() return values to our cert status flags. | 145 // Map PORT_GetError() return values to our cert status flags. |
146 CertStatus MapCertErrorToCertStatus(int err) { | 146 CertStatus MapCertErrorToCertStatus(int err) { |
147 int net_error = MapSecurityError(err); | 147 int net_error = MapSecurityError(err); |
148 return MapNetErrorToCertStatus(net_error); | 148 return MapNetErrorToCertStatus(net_error); |
149 } | 149 } |
150 | 150 |
151 // Saves some information about the certificate chain cert_list in | 151 // Saves some information about the certificate chain cert_list in |
152 // *verify_result. The caller MUST initialize *verify_result before calling | 152 // *verify_result. The caller MUST initialize *verify_result before calling |
153 // this function. | 153 // this function. |
154 // Note that cert_list[0] is the end entity certificate. | 154 // Note that cert_list[0] is the end entity certificate. |
155 void GetCertChainInfo(CERTCertList* cert_list, | 155 bool GetCertChainInfo(CERTCertList* cert_list, |
156 CERTCertificate* root_cert, | 156 CERTCertificate* root_cert, |
157 CertVerifyResult* verify_result) { | 157 CertVerifyResult* verify_result) { |
158 DCHECK(cert_list); | 158 DCHECK(cert_list); |
159 | 159 |
160 CERTCertificate* verified_cert = NULL; | 160 CERTCertificate* verified_cert = NULL; |
161 std::vector<CERTCertificate*> verified_chain; | 161 std::vector<CERTCertificate*> verified_chain; |
162 size_t i = 0; | 162 size_t i = 0; |
163 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 163 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
164 !CERT_LIST_END(node, cert_list); | 164 !CERT_LIST_END(node, cert_list); |
165 node = CERT_LIST_NEXT(node), ++i) { | 165 node = CERT_LIST_NEXT(node), ++i) { |
(...skipping 22 matching lines...)
188 &next_cert->derPublicKey)) { | 188 &next_cert->derPublicKey)) { |
189 continue; | 189 continue; |
190 } | 190 } |
191 } | 191 } |
192 verified_chain.push_back(node->cert); | 192 verified_chain.push_back(node->cert); |
193 } | 193 } |
194 } | 194 } |
195 | 195 |
196 if (root_cert) | 196 if (root_cert) |
197 verified_chain.push_back(root_cert); | 197 verified_chain.push_back(root_cert); |
198 verify_result->verified_cert = | 198 |
| 199 scoped_refptr<X509Certificate> verified_cert_with_chain = |
199 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 200 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 201 if (!verified_cert_with_chain) |
| 202 return false; |
| 203 verify_result->verified_cert = std::move(verified_cert_with_chain); |
| 204 return true; |
200 } | 205 } |
201 | 206 |
202 // IsKnownRoot returns true if the given certificate is one that we believe | 207 // IsKnownRoot returns true if the given certificate is one that we believe |
203 // is a standard (as opposed to user-installed) root. | 208 // is a standard (as opposed to user-installed) root. |
204 bool IsKnownRoot(CERTCertificate* root) { | 209 bool IsKnownRoot(CERTCertificate* root) { |
205 if (!root || !root->slot) | 210 if (!root || !root->slot) |
206 return false; | 211 return false; |
207 | 212 |
208 // This magic name is taken from | 213 // This magic name is taken from |
209 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b
uiltins/constants.c&rev=1.13&mark=86,89#79 | 214 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b
uiltins/constants.c&rev=1.13&mark=86,89#79 |
(...skipping 662 matching lines...)
872 cvout[cvout_trust_anchor_index].value.pointer.cert, | 877 cvout[cvout_trust_anchor_index].value.pointer.cert, |
873 &verify_result->public_key_hashes); | 878 &verify_result->public_key_hashes); |
874 | 879 |
875 verify_result->is_issued_by_known_root = | 880 verify_result->is_issued_by_known_root = |
876 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | 881 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); |
877 verify_result->is_issued_by_additional_trust_anchor = | 882 verify_result->is_issued_by_additional_trust_anchor = |
878 IsAdditionalTrustAnchor( | 883 IsAdditionalTrustAnchor( |
879 trust_anchors.get(), | 884 trust_anchors.get(), |
880 cvout[cvout_trust_anchor_index].value.pointer.cert); | 885 cvout[cvout_trust_anchor_index].value.pointer.cert); |
881 | 886 |
882 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 887 if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
883 cvout[cvout_trust_anchor_index].value.pointer.cert, | 888 cvout[cvout_trust_anchor_index].value.pointer.cert, |
884 verify_result); | 889 verify_result)) { |
| 890 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 891 } |
885 } | 892 } |
886 | 893 |
887 CRLSetResult crl_set_result = kCRLSetUnknown; | 894 CRLSetResult crl_set_result = kCRLSetUnknown; |
888 if (crl_set) { | 895 if (crl_set) { |
889 if (status == SECSuccess) { | 896 if (status == SECSuccess) { |
890 // Reverify the returned chain; NSS should have already called | 897 // Reverify the returned chain; NSS should have already called |
891 // CheckChainRevocationWithCRLSet prior to returning, but given the | 898 // CheckChainRevocationWithCRLSet prior to returning, but given the |
892 // edge cases (self-signed certs that are trusted; cached chains; | 899 // edge cases (self-signed certs that are trusted; cached chains; |
893 // unreadable code), this is more about defense in depth than | 900 // unreadable code), this is more about defense in depth than |
894 // functional necessity. | 901 // functional necessity. |
(...skipping 59 matching lines...)
954 CRLSet* crl_set, | 961 CRLSet* crl_set, |
955 const CertificateList& additional_trust_anchors, | 962 const CertificateList& additional_trust_anchors, |
956 CertVerifyResult* verify_result) { | 963 CertVerifyResult* verify_result) { |
957 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, | 964 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, |
958 additional_trust_anchors, | 965 additional_trust_anchors, |
959 NULL, // chain_verify_callback | 966 NULL, // chain_verify_callback |
960 verify_result); | 967 verify_result); |
961 } | 968 } |
962 | 969 |
963 } // namespace net | 970 } // namespace net |
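Review bot: The failure branch added at the `GetCertChainInfo` call site (new lines 887-891) sets `CERT_STATUS_INVALID` but leaves `status` untouched, so the `if (status == SECSuccess)` CRLSet re-check just below still runs. By that point `public_key_hashes`, `is_issued_by_known_root` and `is_issued_by_additional_trust_anchor` have already been populated, while `verified_cert` keeps whatever value the caller initialised. Whether verification then actually fails depends on code in the skipped lines turning `cert_status` into a net error; that is probably the case, but it should be confirmed and pinned by a test that feeds a chain `X509Certificate::CreateFromHandle` rejects. The enclosing function starts and ends outside the visible lines. The comment above `GetCertChainInfo` still describes the old void contract and should gain something like `// Returns false, without setting verify_result->verified_cert, if the chain cannot be converted to an X509Certificate.`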