Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3)

Side by Side Diff: net/cert/cert_verify_proc_win.cc

Issue 2760723002: Check X509Certificate::CreateFromHandle result. (Closed)
Patch Set: rebase on updated 2755203002 Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_win.h" 5 #include "net/cert/cert_verify_proc_win.h"
6 6
7 #include <memory> 7 #include <memory>
8 #include <string> 8 #include <string>
9 #include <vector> 9 #include <vector>
10 10
(...skipping 311 matching lines...) Expand 10 before | Expand all | Expand 10 after
322 } 322 }
323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status, 323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status,
324 BUILT_IN_MAX_VALUE); 324 BUILT_IN_MAX_VALUE);
325 325
326 return is_builtin; 326 return is_builtin;
327 } 327 }
328 328
329 // Saves some information about the certificate chain |chain_context| in 329 // Saves some information about the certificate chain |chain_context| in
330 // |*verify_result|. The caller MUST initialize |*verify_result| before 330 // |*verify_result|. The caller MUST initialize |*verify_result| before
331 // calling this function. 331 // calling this function.
332 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, 332 bool GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
333 CertVerifyResult* verify_result) { 333 CertVerifyResult* verify_result) {
334 if (chain_context->cChain == 0) 334 if (chain_context->cChain == 0)
335 return; 335 return true;
336 336
337 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; 337 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
338 DWORD num_elements = first_chain->cElement; 338 DWORD num_elements = first_chain->cElement;
339 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; 339 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
340 340
341 PCCERT_CONTEXT verified_cert = NULL; 341 PCCERT_CONTEXT verified_cert = NULL;
342 std::vector<PCCERT_CONTEXT> verified_chain; 342 std::vector<PCCERT_CONTEXT> verified_chain;
343 343
344 bool has_root_ca = num_elements > 1 && 344 bool has_root_ca = num_elements > 1 &&
345 !(chain_context->TrustStatus.dwErrorStatus & 345 !(chain_context->TrustStatus.dwErrorStatus &
(...skipping 18 matching lines...) Expand all
364 verified_chain.push_back(cert); 364 verified_chain.push_back(cert);
365 } 365 }
366 } 366 }
367 367
368 if (verified_cert) { 368 if (verified_cert) {
369 // Add the root certificate, if present, as it was not added above. 369 // Add the root certificate, if present, as it was not added above.
370 if (has_root_ca) 370 if (has_root_ca)
371 verified_chain.push_back(element[num_elements]->pCertContext); 371 verified_chain.push_back(element[num_elements]->pCertContext);
372 verify_result->verified_cert = 372 verify_result->verified_cert =
373 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 373 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
374 return !!verify_result->verified_cert;
374 } 375 }
376 return true;
375 } 377 }
376 378
377 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO 379 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO
378 // structure and stores it in *output. 380 // structure and stores it in *output.
379 void GetCertPoliciesInfo( 381 void GetCertPoliciesInfo(
380 PCCERT_CONTEXT cert, 382 PCCERT_CONTEXT cert,
381 std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter>* output) { 383 std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter>* output) {
382 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, 384 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES,
383 cert->pCertInfo->cExtension, 385 cert->pCertInfo->cExtension,
384 cert->pCertInfo->rgExtension); 386 cert->pCertInfo->rgExtension);
(...skipping 722 matching lines...) Expand 10 before | Expand all | Expand 10 after
1107 &chain_para, 1109 &chain_para,
1108 chain_flags, 1110 chain_flags,
1109 NULL, // reserved 1111 NULL, // reserved
1110 &chain_context)) { 1112 &chain_context)) {
1111 verify_result->cert_status |= CERT_STATUS_INVALID; 1113 verify_result->cert_status |= CERT_STATUS_INVALID;
1112 return MapSecurityError(GetLastError()); 1114 return MapSecurityError(GetLastError());
1113 } 1115 }
1114 } 1116 }
1115 1117
1116 CertVerifyResult temp_verify_result = *verify_result; 1118 CertVerifyResult temp_verify_result = *verify_result;
1117 GetCertChainInfo(chain_context, verify_result); 1119 if (!GetCertChainInfo(chain_context, verify_result))
1120 return ERR_CERT_INVALID;
1118 if (!verify_result->is_issued_by_known_root && 1121 if (!verify_result->is_issued_by_known_root &&
1119 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) { 1122 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) {
1120 *verify_result = temp_verify_result; 1123 *verify_result = temp_verify_result;
1121 1124
1122 rev_checking_enabled = true; 1125 rev_checking_enabled = true;
1123 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 1126 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
1124 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; 1127 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
1125 1128
1126 CertFreeCertificateChain(chain_context); 1129 CertFreeCertificateChain(chain_context);
1127 if (!CertGetCertificateChain( 1130 if (!CertGetCertificateChain(
1128 chain_engine, 1131 chain_engine,
1129 cert_list.get(), 1132 cert_list.get(),
1130 NULL, // current system time 1133 NULL, // current system time
1131 cert_list->hCertStore, 1134 cert_list->hCertStore,
1132 &chain_para, 1135 &chain_para,
1133 chain_flags, 1136 chain_flags,
1134 NULL, // reserved 1137 NULL, // reserved
1135 &chain_context)) { 1138 &chain_context)) {
1136 verify_result->cert_status |= CERT_STATUS_INVALID; 1139 verify_result->cert_status |= CERT_STATUS_INVALID;
1137 return MapSecurityError(GetLastError()); 1140 return MapSecurityError(GetLastError());
1138 } 1141 }
1139 GetCertChainInfo(chain_context, verify_result); 1142 if (!GetCertChainInfo(chain_context, verify_result))
1143 return ERR_CERT_INVALID;
1140 1144
1141 if (chain_context->TrustStatus.dwErrorStatus & 1145 if (chain_context->TrustStatus.dwErrorStatus &
1142 CERT_TRUST_IS_OFFLINE_REVOCATION) { 1146 CERT_TRUST_IS_OFFLINE_REVOCATION) {
1143 verify_result->cert_status |= CERT_STATUS_REVOKED; 1147 verify_result->cert_status |= CERT_STATUS_REVOKED;
1144 } 1148 }
1145 } 1149 }
1146 1150
1147 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); 1151 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context);
1148 1152
1149 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( 1153 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after
1208 return MapCertStatusToNetError(verify_result->cert_status); 1212 return MapCertStatusToNetError(verify_result->cert_status);
1209 1213
1210 if (ev_policy_oid && 1214 if (ev_policy_oid &&
1211 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { 1215 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
1212 verify_result->cert_status |= CERT_STATUS_IS_EV; 1216 verify_result->cert_status |= CERT_STATUS_IS_EV;
1213 } 1217 }
1214 return OK; 1218 return OK;
1215 } 1219 }
1216 1220
1217 } // namespace net 1221 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698