Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(941)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_openssl.cc

Issue 2760723002: Check X509Certificate::CreateFromHandle result. (Closed)
Patch Set: rebase on updated 2755203002 Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/cert_verify_proc_mac.cc ('K') | « net/cert/cert_verify_proc_nss.cc ('k') | net/cert/cert_verify_proc_win.cc » ('j') | net/cert/x509_certificate.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_openssl.h" 5 #include "net/cert/cert_verify_proc_openssl.h"
6 6
7 #include <string> 7 #include <string>
8 #include <vector> 8 #include <vector>
9 9
10 #include "base/logging.h" 10 #include "base/logging.h"
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after
104 } else { 104 } else {
105 verified_chain.push_back(cert); 105 verified_chain.push_back(cert);
106 } 106 }
107 } 107 }
108 108
109 // Set verify_result->verified_cert and 109 // Set verify_result->verified_cert and
110 // verify_result->is_issued_by_known_root. 110 // verify_result->is_issued_by_known_root.
111 if (verified_cert) { 111 if (verified_cert) {
112 verify_result->verified_cert = 112 verify_result->verified_cert =
113 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 113 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
114 if (!verify_result->verified_cert)
115 return false;
114 116
115 // For OpenSSL builds, only certificates used for unit tests are treated 117 // For OpenSSL builds, only certificates used for unit tests are treated
116 // as not issued by known roots. The only way to determine whether a 118 // as not issued by known roots. The only way to determine whether a
117 // certificate is issued by a known root using OpenSSL is to examine 119 // certificate is issued by a known root using OpenSSL is to examine
118 // distro-and-release specific hardcoded lists. 120 // distro-and-release specific hardcoded lists.
119 verify_result->is_issued_by_known_root = true; 121 verify_result->is_issued_by_known_root = true;
120 if (TestRootCerts::HasInstance()) { 122 if (TestRootCerts::HasInstance()) {
121 X509* root = NULL; 123 X509* root = NULL;
122 if (verified_chain.empty()) { 124 if (verified_chain.empty()) {
123 root = verified_cert; 125 root = verified_cert;
124 } else { 126 } else {
125 root = verified_chain.back(); 127 root = verified_chain.back();
126 } 128 }
127 TestRootCerts* root_certs = TestRootCerts::GetInstance(); 129 TestRootCerts* root_certs = TestRootCerts::GetInstance();
128 if (root_certs->Contains(root)) 130 if (root_certs->Contains(root))
129 verify_result->is_issued_by_known_root = false; 131 verify_result->is_issued_by_known_root = false;
130 } 132 }
131 } 133 }
134 return true;
132 } 135 }
133 136
134 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, 137 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx,
135 HashValueVector* hashes) { 138 HashValueVector* hashes) {
136 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); 139 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
137 for (size_t i = 0; i < sk_X509_num(chain); ++i) { 140 for (size_t i = 0; i < sk_X509_num(chain); ++i) {
138 X509* cert = sk_X509_value(chain, i); 141 X509* cert = sk_X509_value(chain, i);
139 142
140 std::string der_data; 143 std::string der_data;
141 if (!X509Certificate::GetDEREncoded(cert, &der_data)) 144 if (!X509Certificate::GetDEREncoded(cert, &der_data))
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after
205 int x509_error = X509_STORE_CTX_get_error(ctx.get()); 208 int x509_error = X509_STORE_CTX_get_error(ctx.get());
206 CertStatus cert_status = MapCertErrorToCertStatus(x509_error); 209 CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
207 LOG(ERROR) << "X509 Verification error " 210 LOG(ERROR) << "X509 Verification error "
208 << X509_verify_cert_error_string(x509_error) 211 << X509_verify_cert_error_string(x509_error)
209 << " : " << x509_error 212 << " : " << x509_error
210 << " : " << X509_STORE_CTX_get_error_depth(ctx.get()) 213 << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
211 << " : " << cert_status; 214 << " : " << cert_status;
212 verify_result->cert_status |= cert_status; 215 verify_result->cert_status |= cert_status;
213 } 216 }
214 217
215 GetCertChainInfo(ctx.get(), verify_result); 218 if (!GetCertChainInfo(ctx.get(), verify_result))
219 return ERR_CERT_INVALID;
216 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); 220 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
217 221
218 if (IsCertStatusError(verify_result->cert_status)) 222 if (IsCertStatusError(verify_result->cert_status))
219 return MapCertStatusToNetError(verify_result->cert_status); 223 return MapCertStatusToNetError(verify_result->cert_status);
220 224
221 return OK; 225 return OK;
222 } 226 }
223 227
224 } // namespace net 228 } // namespace net
OLDNEW
« net/cert/cert_verify_proc_mac.cc ('K') | « net/cert/cert_verify_proc_nss.cc ('k') | net/cert/cert_verify_proc_win.cc » ('j') | net/cert/x509_certificate.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698