| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_openssl.h" | 5 #include "net/cert/cert_verify_proc_openssl.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 102 if (i == 0) { | 102 if (i == 0) { |
| 103 verified_cert = cert; | 103 verified_cert = cert; |
| 104 } else { | 104 } else { |
| 105 verified_chain.push_back(cert); | 105 verified_chain.push_back(cert); |
| 106 } | 106 } |
| 107 } | 107 } |
| 108 | 108 |
| 109 // Set verify_result->verified_cert and | 109 // Set verify_result->verified_cert and |
| 110 // verify_result->is_issued_by_known_root. | 110 // verify_result->is_issued_by_known_root. |
| 111 if (verified_cert) { | 111 if (verified_cert) { |
| 112 verify_result->verified_cert = | 112 scoped_refptr<X509Certificate> verified_cert_with_chain = |
| 113 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 113 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 114 if (!verified_cert_with_chain) |
| 115 return false; |
| 116 verify_result->verified_cert = std::move(verified_cert_with_chain); |
| 114 | 117 |
| 115 // For OpenSSL builds, only certificates used for unit tests are treated | 118 // For OpenSSL builds, only certificates used for unit tests are treated |
| 116 // as not issued by known roots. The only way to determine whether a | 119 // as not issued by known roots. The only way to determine whether a |
| 117 // certificate is issued by a known root using OpenSSL is to examine | 120 // certificate is issued by a known root using OpenSSL is to examine |
| 118 // distro-and-release specific hardcoded lists. | 121 // distro-and-release specific hardcoded lists. |
| 119 verify_result->is_issued_by_known_root = true; | 122 verify_result->is_issued_by_known_root = true; |
| 120 if (TestRootCerts::HasInstance()) { | 123 if (TestRootCerts::HasInstance()) { |
| 121 X509* root = NULL; | 124 X509* root = NULL; |
| 122 if (verified_chain.empty()) { | 125 if (verified_chain.empty()) { |
| 123 root = verified_cert; | 126 root = verified_cert; |
| 124 } else { | 127 } else { |
| 125 root = verified_chain.back(); | 128 root = verified_chain.back(); |
| 126 } | 129 } |
| 127 TestRootCerts* root_certs = TestRootCerts::GetInstance(); | 130 TestRootCerts* root_certs = TestRootCerts::GetInstance(); |
| 128 if (root_certs->Contains(root)) | 131 if (root_certs->Contains(root)) |
| 129 verify_result->is_issued_by_known_root = false; | 132 verify_result->is_issued_by_known_root = false; |
| 130 } | 133 } |
| 131 } | 134 } |
| 135 return true; |
| 132 } | 136 } |
| 133 | 137 |
| 134 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, | 138 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, |
| 135 HashValueVector* hashes) { | 139 HashValueVector* hashes) { |
| 136 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); | 140 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); |
| 137 for (size_t i = 0; i < sk_X509_num(chain); ++i) { | 141 for (size_t i = 0; i < sk_X509_num(chain); ++i) { |
| 138 X509* cert = sk_X509_value(chain, i); | 142 X509* cert = sk_X509_value(chain, i); |
| 139 | 143 |
| 140 std::string der_data; | 144 std::string der_data; |
| 141 if (!X509Certificate::GetDEREncoded(cert, &der_data)) | 145 if (!X509Certificate::GetDEREncoded(cert, &der_data)) |
| (...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 205 int x509_error = X509_STORE_CTX_get_error(ctx.get()); | 209 int x509_error = X509_STORE_CTX_get_error(ctx.get()); |
| 206 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); | 210 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); |
| 207 LOG(ERROR) << "X509 Verification error " | 211 LOG(ERROR) << "X509 Verification error " |
| 208 << X509_verify_cert_error_string(x509_error) | 212 << X509_verify_cert_error_string(x509_error) |
| 209 << " : " << x509_error | 213 << " : " << x509_error |
| 210 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) | 214 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) |
| 211 << " : " << cert_status; | 215 << " : " << cert_status; |
| 212 verify_result->cert_status |= cert_status; | 216 verify_result->cert_status |= cert_status; |
| 213 } | 217 } |
| 214 | 218 |
| 215 GetCertChainInfo(ctx.get(), verify_result); | 219 if (!GetCertChainInfo(ctx.get(), verify_result)) |
| 220 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 216 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); | 221 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); |
| 217 | 222 |
| 218 if (IsCertStatusError(verify_result->cert_status)) | 223 if (IsCertStatusError(verify_result->cert_status)) |
| 219 return MapCertStatusToNetError(verify_result->cert_status); | 224 return MapCertStatusToNetError(verify_result->cert_status); |
| 220 | 225 |
| 221 return OK; | 226 return OK; |
| 222 } | 227 } |
| 223 | 228 |
| 224 } // namespace net | 229 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2760723002:
Check X509Certificate::CreateFromHandle result. (Closed)
