OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_win.h" | 5 #include "net/cert/cert_verify_proc_win.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 311 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
322 } | 322 } |
323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status, | 323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status, |
324 BUILT_IN_MAX_VALUE); | 324 BUILT_IN_MAX_VALUE); |
325 | 325 |
326 return is_builtin; | 326 return is_builtin; |
327 } | 327 } |
328 | 328 |
329 // Saves some information about the certificate chain |chain_context| in | 329 // Saves some information about the certificate chain |chain_context| in |
330 // |*verify_result|. The caller MUST initialize |*verify_result| before | 330 // |*verify_result|. The caller MUST initialize |*verify_result| before |
331 // calling this function. | 331 // calling this function. |
332 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, | 332 bool GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, |
333 CertVerifyResult* verify_result) { | 333 CertVerifyResult* verify_result) { |
334 if (chain_context->cChain == 0) | 334 if (chain_context->cChain == 0) |
335 return; | 335 return true; |
eroman
2017/03/23 23:41:31
Should this be false? (more discussion on this bel
mattm
2017/03/24 21:49:35
I guess the problem is I'm not really sure either.
eroman
2017/03/24 22:07:23
Either approach sounds fine to me.
mattm
2017/03/27 23:24:37
Ok, I'll just leave this one as is for now.
| |
336 | 336 |
337 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 337 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
338 DWORD num_elements = first_chain->cElement; | 338 DWORD num_elements = first_chain->cElement; |
339 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 339 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
340 | 340 |
341 PCCERT_CONTEXT verified_cert = NULL; | 341 PCCERT_CONTEXT verified_cert = NULL; |
342 std::vector<PCCERT_CONTEXT> verified_chain; | 342 std::vector<PCCERT_CONTEXT> verified_chain; |
343 | 343 |
344 bool has_root_ca = num_elements > 1 && | 344 bool has_root_ca = num_elements > 1 && |
345 !(chain_context->TrustStatus.dwErrorStatus & | 345 !(chain_context->TrustStatus.dwErrorStatus & |
(...skipping 16 matching lines...) Expand all Loading... | |
362 verified_cert = cert; | 362 verified_cert = cert; |
363 } else { | 363 } else { |
364 verified_chain.push_back(cert); | 364 verified_chain.push_back(cert); |
365 } | 365 } |
366 } | 366 } |
367 | 367 |
368 if (verified_cert) { | 368 if (verified_cert) { |
369 // Add the root certificate, if present, as it was not added above. | 369 // Add the root certificate, if present, as it was not added above. |
370 if (has_root_ca) | 370 if (has_root_ca) |
371 verified_chain.push_back(element[num_elements]->pCertContext); | 371 verified_chain.push_back(element[num_elements]->pCertContext); |
372 verify_result->verified_cert = | 372 scoped_refptr<X509Certificate> verified_cert_with_chain = |
373 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 373 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
374 if (!verified_cert_with_chain) | |
375 return false; | |
376 verify_result->verified_cert = std::move(verified_cert_with_chain); | |
374 } | 377 } |
378 return true; | |
eroman
2017/03/23 23:41:31
Not clear what true/false means from this function
mattm
2017/03/24 21:49:35
I like the idea of just setting the status directl
| |
375 } | 379 } |
376 | 380 |
377 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO | 381 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO |
378 // structure and stores it in *output. | 382 // structure and stores it in *output. |
379 void GetCertPoliciesInfo( | 383 void GetCertPoliciesInfo( |
380 PCCERT_CONTEXT cert, | 384 PCCERT_CONTEXT cert, |
381 std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter>* output) { | 385 std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter>* output) { |
382 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, | 386 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, |
383 cert->pCertInfo->cExtension, | 387 cert->pCertInfo->cExtension, |
384 cert->pCertInfo->rgExtension); | 388 cert->pCertInfo->rgExtension); |
(...skipping 722 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1107 &chain_para, | 1111 &chain_para, |
1108 chain_flags, | 1112 chain_flags, |
1109 NULL, // reserved | 1113 NULL, // reserved |
1110 &chain_context)) { | 1114 &chain_context)) { |
1111 verify_result->cert_status |= CERT_STATUS_INVALID; | 1115 verify_result->cert_status |= CERT_STATUS_INVALID; |
1112 return MapSecurityError(GetLastError()); | 1116 return MapSecurityError(GetLastError()); |
1113 } | 1117 } |
1114 } | 1118 } |
1115 | 1119 |
1116 CertVerifyResult temp_verify_result = *verify_result; | 1120 CertVerifyResult temp_verify_result = *verify_result; |
1117 GetCertChainInfo(chain_context, verify_result); | 1121 if (!GetCertChainInfo(chain_context, verify_result)) |
1122 verify_result->cert_status |= CERT_STATUS_INVALID; | |
1118 if (!verify_result->is_issued_by_known_root && | 1123 if (!verify_result->is_issued_by_known_root && |
1119 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) { | 1124 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) { |
1120 *verify_result = temp_verify_result; | 1125 *verify_result = temp_verify_result; |
1121 | 1126 |
1122 rev_checking_enabled = true; | 1127 rev_checking_enabled = true; |
1123 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 1128 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
1124 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; | 1129 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; |
1125 | 1130 |
1126 CertFreeCertificateChain(chain_context); | 1131 CertFreeCertificateChain(chain_context); |
1127 if (!CertGetCertificateChain( | 1132 if (!CertGetCertificateChain( |
1128 chain_engine, | 1133 chain_engine, |
1129 cert_list.get(), | 1134 cert_list.get(), |
1130 NULL, // current system time | 1135 NULL, // current system time |
1131 cert_list->hCertStore, | 1136 cert_list->hCertStore, |
1132 &chain_para, | 1137 &chain_para, |
1133 chain_flags, | 1138 chain_flags, |
1134 NULL, // reserved | 1139 NULL, // reserved |
1135 &chain_context)) { | 1140 &chain_context)) { |
1136 verify_result->cert_status |= CERT_STATUS_INVALID; | 1141 verify_result->cert_status |= CERT_STATUS_INVALID; |
1137 return MapSecurityError(GetLastError()); | 1142 return MapSecurityError(GetLastError()); |
1138 } | 1143 } |
1139 GetCertChainInfo(chain_context, verify_result); | 1144 if (!GetCertChainInfo(chain_context, verify_result)) |
1145 verify_result->cert_status |= CERT_STATUS_INVALID; | |
1140 | 1146 |
1141 if (chain_context->TrustStatus.dwErrorStatus & | 1147 if (chain_context->TrustStatus.dwErrorStatus & |
1142 CERT_TRUST_IS_OFFLINE_REVOCATION) { | 1148 CERT_TRUST_IS_OFFLINE_REVOCATION) { |
1143 verify_result->cert_status |= CERT_STATUS_REVOKED; | 1149 verify_result->cert_status |= CERT_STATUS_REVOKED; |
1144 } | 1150 } |
1145 } | 1151 } |
1146 | 1152 |
1147 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); | 1153 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); |
1148 | 1154 |
1149 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 1155 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1208 return MapCertStatusToNetError(verify_result->cert_status); | 1214 return MapCertStatusToNetError(verify_result->cert_status); |
1209 | 1215 |
1210 if (ev_policy_oid && | 1216 if (ev_policy_oid && |
1211 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { | 1217 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { |
1212 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1218 verify_result->cert_status |= CERT_STATUS_IS_EV; |
1213 } | 1219 } |
1214 return OK; | 1220 return OK; |
1215 } | 1221 } |
1216 | 1222 |
1217 } // namespace net | 1223 } // namespace net |
OLD | NEW |