Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(111)

Side by Side Diff: net/cert/cert_verify_proc_nss.cc

Issue 2760723002: Check X509Certificate::CreateFromHandle result. (Closed)
Patch Set: . Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_nss.h" 5 #include "net/cert/cert_verify_proc_nss.h"
6 6
7 #include <cert.h> 7 #include <cert.h>
8 #include <nss.h> 8 #include <nss.h>
9 #include <prerror.h> 9 #include <prerror.h>
10 #include <secerr.h> 10 #include <secerr.h>
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after
145 // Map PORT_GetError() return values to our cert status flags. 145 // Map PORT_GetError() return values to our cert status flags.
146 CertStatus MapCertErrorToCertStatus(int err) { 146 CertStatus MapCertErrorToCertStatus(int err) {
147 int net_error = MapSecurityError(err); 147 int net_error = MapSecurityError(err);
148 return MapNetErrorToCertStatus(net_error); 148 return MapNetErrorToCertStatus(net_error);
149 } 149 }
150 150
151 // Saves some information about the certificate chain cert_list in 151 // Saves some information about the certificate chain cert_list in
152 // *verify_result. The caller MUST initialize *verify_result before calling 152 // *verify_result. The caller MUST initialize *verify_result before calling
153 // this function. 153 // this function.
154 // Note that cert_list[0] is the end entity certificate. 154 // Note that cert_list[0] is the end entity certificate.
155 void GetCertChainInfo(CERTCertList* cert_list, 155 bool GetCertChainInfo(CERTCertList* cert_list,
156 CERTCertificate* root_cert, 156 CERTCertificate* root_cert,
157 CertVerifyResult* verify_result) { 157 CertVerifyResult* verify_result) {
158 DCHECK(cert_list); 158 DCHECK(cert_list);
159 159
160 CERTCertificate* verified_cert = NULL; 160 CERTCertificate* verified_cert = NULL;
161 std::vector<CERTCertificate*> verified_chain; 161 std::vector<CERTCertificate*> verified_chain;
162 size_t i = 0; 162 size_t i = 0;
163 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 163 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
164 !CERT_LIST_END(node, cert_list); 164 !CERT_LIST_END(node, cert_list);
165 node = CERT_LIST_NEXT(node), ++i) { 165 node = CERT_LIST_NEXT(node), ++i) {
(...skipping 24 matching lines...) Expand all
190 } 190 }
191 } 191 }
192 verified_chain.push_back(node->cert); 192 verified_chain.push_back(node->cert);
193 } 193 }
194 } 194 }
195 195
196 if (root_cert) 196 if (root_cert)
197 verified_chain.push_back(root_cert); 197 verified_chain.push_back(root_cert);
198 verify_result->verified_cert = 198 verify_result->verified_cert =
199 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 199 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
200 return !!verify_result->verified_cert;
200 } 201 }
201 202
202 // IsKnownRoot returns true if the given certificate is one that we believe 203 // IsKnownRoot returns true if the given certificate is one that we believe
203 // is a standard (as opposed to user-installed) root. 204 // is a standard (as opposed to user-installed) root.
204 bool IsKnownRoot(CERTCertificate* root) { 205 bool IsKnownRoot(CERTCertificate* root) {
205 if (!root || !root->slot) 206 if (!root || !root->slot)
206 return false; 207 return false;
207 208
208 // This magic name is taken from 209 // This magic name is taken from
209 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 210 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79
(...skipping 662 matching lines...) Expand 10 before | Expand all | Expand 10 after
872 cvout[cvout_trust_anchor_index].value.pointer.cert, 873 cvout[cvout_trust_anchor_index].value.pointer.cert,
873 &verify_result->public_key_hashes); 874 &verify_result->public_key_hashes);
874 875
875 verify_result->is_issued_by_known_root = 876 verify_result->is_issued_by_known_root =
876 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); 877 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
877 verify_result->is_issued_by_additional_trust_anchor = 878 verify_result->is_issued_by_additional_trust_anchor =
878 IsAdditionalTrustAnchor( 879 IsAdditionalTrustAnchor(
879 trust_anchors.get(), 880 trust_anchors.get(),
880 cvout[cvout_trust_anchor_index].value.pointer.cert); 881 cvout[cvout_trust_anchor_index].value.pointer.cert);
881 882
882 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, 883 if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
883 cvout[cvout_trust_anchor_index].value.pointer.cert, 884 cvout[cvout_trust_anchor_index].value.pointer.cert,
884 verify_result); 885 verify_result))
886 return ERR_CERT_INVALID;
885 } 887 }
886 888
887 CRLSetResult crl_set_result = kCRLSetUnknown; 889 CRLSetResult crl_set_result = kCRLSetUnknown;
888 if (crl_set) { 890 if (crl_set) {
889 if (status == SECSuccess) { 891 if (status == SECSuccess) {
890 // Reverify the returned chain; NSS should have already called 892 // Reverify the returned chain; NSS should have already called
891 // CheckChainRevocationWithCRLSet prior to returning, but given the 893 // CheckChainRevocationWithCRLSet prior to returning, but given the
892 // edge cases (self-signed certs that are trusted; cached chains; 894 // edge cases (self-signed certs that are trusted; cached chains;
893 // unreadable code), this is more about defense in depth than 895 // unreadable code), this is more about defense in depth than
894 // functional necessity. 896 // functional necessity.
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after
954 CRLSet* crl_set, 956 CRLSet* crl_set,
955 const CertificateList& additional_trust_anchors, 957 const CertificateList& additional_trust_anchors,
956 CertVerifyResult* verify_result) { 958 CertVerifyResult* verify_result) {
957 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, 959 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set,
958 additional_trust_anchors, 960 additional_trust_anchors,
959 NULL, // chain_verify_callback 961 NULL, // chain_verify_callback
960 verify_result); 962 verify_result);
961 } 963 }
962 964
963 } // namespace net 965 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698