Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(181)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_ios.cc

Issue 2760723002: Check X509Certificate::CreateFromHandle result. (Closed)
Patch Set: 2nd round of updates Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/cert_verify_proc_builtin.cc ('k') | net/cert/cert_verify_proc_mac.cc » ('j') | net/cert/cert_verify_proc_mac.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_ios.h" 5 #include "net/cert/cert_verify_proc_ios.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 8
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "base/mac/scoped_cftyperef.h" 10 #include "base/mac/scoped_cftyperef.h"
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after
109 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { 109 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {
110 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( 110 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(
111 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); 111 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
112 if (i == 0) { 112 if (i == 0) {
113 verified_cert = chain_cert; 113 verified_cert = chain_cert;
114 } else { 114 } else {
115 verified_chain.push_back(chain_cert); 115 verified_chain.push_back(chain_cert);
116 } 116 }
117 117
118 std::string der_bytes; 118 std::string der_bytes;
119 if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes)) 119 if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes)) {
120 verify_result->cert_status |= CERT_STATUS_INVALID;
120 return; 121 return;
122 }
121 123
122 base::StringPiece spki_bytes; 124 base::StringPiece spki_bytes;
123 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) 125 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) {
124 continue; 126 verify_result->cert_status |= CERT_STATUS_INVALID;
127 return;
128 }
125 129
126 HashValue sha1(HASH_VALUE_SHA1); 130 HashValue sha1(HASH_VALUE_SHA1);
127 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data()); 131 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());
128 verify_result->public_key_hashes.push_back(sha1); 132 verify_result->public_key_hashes.push_back(sha1);
129 133
130 HashValue sha256(HASH_VALUE_SHA256); 134 HashValue sha256(HASH_VALUE_SHA256);
131 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data()); 135 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
132 verify_result->public_key_hashes.push_back(sha256); 136 verify_result->public_key_hashes.push_back(sha256);
133 137
134 // Ignore the signature algorithm for the trust anchor. 138 // Ignore the signature algorithm for the trust anchor.
135 if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 && 139 if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 &&
136 i == count - 1) { 140 i == count - 1) {
137 continue; 141 continue;
138 } 142 }
139 } 143 }
140 if (!verified_cert) { 144 if (!verified_cert) {
141 NOTREACHED(); 145 NOTREACHED();
146 verify_result->cert_status |= CERT_STATUS_INVALID;
eroman 2017/03/24 22:07:23 I don't know about this one, as reaching it means
mattm 2017/03/27 23:24:37 Yeah, on this and the mac one, due to the presence
142 return; 147 return;
143 } 148 }
144 149
145 verify_result->verified_cert = 150 scoped_refptr<X509Certificate> verified_cert_with_chain =
146 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 151 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
152 if (verified_cert_with_chain)
153 verify_result->verified_cert = std::move(verified_cert_with_chain);
154 else
155 verify_result->cert_status |= CERT_STATUS_INVALID;
147 } 156 }
148 157
149 } // namespace 158 } // namespace
150 159
151 CertVerifyProcIOS::CertVerifyProcIOS() {} 160 CertVerifyProcIOS::CertVerifyProcIOS() {}
152 161
153 // The iOS APIs don't expose an API-stable set of reasons for certificate 162 // The iOS APIs don't expose an API-stable set of reasons for certificate
154 // validation failures. However, internally, the reason is tracked, and it's 163 // validation failures. However, internally, the reason is tracked, and it's
155 // converted to user-facing localized strings. 164 // converted to user-facing localized strings.
156 // 165 //
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after
271 // roots. 280 // roots.
272 verify_result->is_issued_by_known_root = false; 281 verify_result->is_issued_by_known_root = false;
273 282
274 if (IsCertStatusError(verify_result->cert_status)) 283 if (IsCertStatusError(verify_result->cert_status))
275 return MapCertStatusToNetError(verify_result->cert_status); 284 return MapCertStatusToNetError(verify_result->cert_status);
276 285
277 return OK; 286 return OK;
278 } 287 }
279 288
280 } // namespace net 289 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/cert_verify_proc_builtin.cc ('k') | net/cert/cert_verify_proc_mac.cc » ('j') | net/cert/cert_verify_proc_mac.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698