OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
173 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED), local_policies); | 173 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED), local_policies); |
174 if (status) | 174 if (status) |
175 return status; | 175 return status; |
176 | 176 |
177 policies->reset(local_policies.release()); | 177 policies->reset(local_policies.release()); |
178 return noErr; | 178 return noErr; |
179 } | 179 } |
180 | 180 |
181 // Stores the constructed certificate chain |cert_chain| into | 181 // Stores the constructed certificate chain |cert_chain| into |
182 // |*verify_result|. |cert_chain| must not be empty. | 182 // |*verify_result|. |cert_chain| must not be empty. |
183 void CopyCertChainToVerifyResult(CFArrayRef cert_chain, | 183 bool CopyCertChainToVerifyResult(CFArrayRef cert_chain, |
184 CertVerifyResult* verify_result) { | 184 CertVerifyResult* verify_result) { |
185 DCHECK_LT(0, CFArrayGetCount(cert_chain)); | 185 DCHECK_LT(0, CFArrayGetCount(cert_chain)); |
186 | 186 |
187 SecCertificateRef verified_cert = NULL; | 187 SecCertificateRef verified_cert = NULL; |
188 std::vector<SecCertificateRef> verified_chain; | 188 std::vector<SecCertificateRef> verified_chain; |
189 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { | 189 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { |
190 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( | 190 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( |
191 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); | 191 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); |
192 if (i == 0) { | 192 if (i == 0) { |
193 verified_cert = chain_cert; | 193 verified_cert = chain_cert; |
194 } else { | 194 } else { |
195 verified_chain.push_back(chain_cert); | 195 verified_chain.push_back(chain_cert); |
196 } | 196 } |
197 } | 197 } |
198 if (!verified_cert) { | 198 if (!verified_cert) { |
199 NOTREACHED(); | 199 NOTREACHED(); |
200 return; | 200 return false; |
201 } | 201 } |
202 | 202 |
203 verify_result->verified_cert = | 203 verify_result->verified_cert = |
204 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 204 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
205 return !!verify_result->verified_cert; | |
205 } | 206 } |
206 | 207 |
207 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false | 208 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false |
208 // otherwise. A return of false also includes the case where the signature | 209 // otherwise. A return of false also includes the case where the signature |
209 // algorithm couldn't be conclusively labeled as weak. | 210 // algorithm couldn't be conclusively labeled as weak. |
210 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { | 211 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { |
211 x509_util::CSSMCachedCertificate cached_cert; | 212 x509_util::CSSMCachedCertificate cached_cert; |
212 OSStatus status = cached_cert.Init(cert_handle); | 213 OSStatus status = cached_cert.Init(cert_handle); |
213 if (status) | 214 if (status) |
214 return false; | 215 return false; |
887 break; | 888 break; |
888 } | 889 } |
889 | 890 |
890 if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) | 891 if (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED) |
891 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 892 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
892 | 893 |
893 if (*completed_chain_crl_result == kCRLSetRevoked) | 894 if (*completed_chain_crl_result == kCRLSetRevoked) |
894 verify_result->cert_status |= CERT_STATUS_REVOKED; | 895 verify_result->cert_status |= CERT_STATUS_REVOKED; |
895 | 896 |
896 if (CFArrayGetCount(completed_chain) > 0) { | 897 if (CFArrayGetCount(completed_chain) > 0) { |
897 CopyCertChainToVerifyResult(completed_chain, verify_result); | 898 if (!CopyCertChainToVerifyResult(completed_chain, verify_result)) |
899 return ERR_CERT_INVALID; | |
eroman
2017/03/22 22:17:52
same question about cert_status throughout.
mattm
2017/03/23 22:59:02
Acknowledged.
| |
898 } | 900 } |
899 | 901 |
900 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits | 902 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits |
901 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds | 903 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds |
902 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping | 904 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping |
903 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only | 905 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only |
904 // error was due to an unsupported key size. | 906 // error was due to an unsupported key size. |
905 bool policy_failed = false; | 907 bool policy_failed = false; |
906 bool policy_fail_already_mapped = false; | 908 bool policy_fail_already_mapped = false; |
907 bool weak_key_or_signature_algorithm = false; | 909 bool weak_key_or_signature_algorithm = false; |
1096 // EV cert and it was covered by CRLSets or revocation checking passed. | 1098 // EV cert and it was covered by CRLSets or revocation checking passed. |
1097 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1099 verify_result->cert_status |= CERT_STATUS_IS_EV; |
1098 } | 1100 } |
1099 | 1101 |
1100 return OK; | 1102 return OK; |
1101 } | 1103 } |
1102 | 1104 |
1103 } // namespace net | 1105 } // namespace net |
1104 | 1106 |
1105 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1107 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
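Review bot: The comment above CopyCertChainToVerifyResult (new lines 181-182) still reads as if the function returned nothing and does not say what the new bool result means, although the caller at new line 898 now turns a false result into ERR_CERT_INVALID. I would add a line such as `// Returns false if no X509Certificate could be created from |cert_chain|; the caller must then fail the verification.` so the fail-closed contract is stated where the function is defined. Only one call site is visible in the shown hunks; if others exist in the skipped regions they would silently drop the result, so it is worth confirming that each one checks it.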
OLD | NEW |