| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_win.h" | 5 #include "net/cert/cert_verify_proc_win.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 311 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 322 } | 322 } |
| 323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status, | 323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status, |
| 324 BUILT_IN_MAX_VALUE); | 324 BUILT_IN_MAX_VALUE); |
| 325 | 325 |
| 326 return is_builtin; | 326 return is_builtin; |
| 327 } | 327 } |
| 328 | 328 |
| 329 // Saves some information about the certificate chain |chain_context| in | 329 // Saves some information about the certificate chain |chain_context| in |
| 330 // |*verify_result|. The caller MUST initialize |*verify_result| before | 330 // |*verify_result|. The caller MUST initialize |*verify_result| before |
| 331 // calling this function. | 331 // calling this function. |
| 332 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, | 332 bool GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, |
| 333 CertVerifyResult* verify_result) { | 333 CertVerifyResult* verify_result) { |
| 334 if (chain_context->cChain == 0) | 334 if (chain_context->cChain == 0) |
| 335 return; | 335 return true; |
| 336 | 336 |
| 337 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 337 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
| 338 DWORD num_elements = first_chain->cElement; | 338 DWORD num_elements = first_chain->cElement; |
| 339 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 339 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
| 340 | 340 |
| 341 PCCERT_CONTEXT verified_cert = NULL; | 341 PCCERT_CONTEXT verified_cert = NULL; |
| 342 std::vector<PCCERT_CONTEXT> verified_chain; | 342 std::vector<PCCERT_CONTEXT> verified_chain; |
| 343 | 343 |
| 344 bool has_root_ca = num_elements > 1 && | 344 bool has_root_ca = num_elements > 1 && |
| 345 !(chain_context->TrustStatus.dwErrorStatus & | 345 !(chain_context->TrustStatus.dwErrorStatus & |
| (...skipping 18 matching lines...) Expand all Loading... |
| 364 verified_chain.push_back(cert); | 364 verified_chain.push_back(cert); |
| 365 } | 365 } |
| 366 } | 366 } |
| 367 | 367 |
| 368 if (verified_cert) { | 368 if (verified_cert) { |
| 369 // Add the root certificate, if present, as it was not added above. | 369 // Add the root certificate, if present, as it was not added above. |
| 370 if (has_root_ca) | 370 if (has_root_ca) |
| 371 verified_chain.push_back(element[num_elements]->pCertContext); | 371 verified_chain.push_back(element[num_elements]->pCertContext); |
| 372 verify_result->verified_cert = | 372 verify_result->verified_cert = |
| 373 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 373 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 374 return !!verify_result->verified_cert; |
| 374 } | 375 } |
| 376 return true; |
| 375 } | 377 } |
| 376 | 378 |
| 377 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO | 379 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO |
| 378 // structure and stores it in *output. | 380 // structure and stores it in *output. |
| 379 void GetCertPoliciesInfo( | 381 void GetCertPoliciesInfo( |
| 380 PCCERT_CONTEXT cert, | 382 PCCERT_CONTEXT cert, |
| 381 std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter>* output) { | 383 std::unique_ptr<CERT_POLICIES_INFO, base::FreeDeleter>* output) { |
| 382 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, | 384 PCERT_EXTENSION extension = CertFindExtension(szOID_CERT_POLICIES, |
| 383 cert->pCertInfo->cExtension, | 385 cert->pCertInfo->cExtension, |
| 384 cert->pCertInfo->rgExtension); | 386 cert->pCertInfo->rgExtension); |
| (...skipping 722 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1107 &chain_para, | 1109 &chain_para, |
| 1108 chain_flags, | 1110 chain_flags, |
| 1109 NULL, // reserved | 1111 NULL, // reserved |
| 1110 &chain_context)) { | 1112 &chain_context)) { |
| 1111 verify_result->cert_status |= CERT_STATUS_INVALID; | 1113 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 1112 return MapSecurityError(GetLastError()); | 1114 return MapSecurityError(GetLastError()); |
| 1113 } | 1115 } |
| 1114 } | 1116 } |
| 1115 | 1117 |
| 1116 CertVerifyResult temp_verify_result = *verify_result; | 1118 CertVerifyResult temp_verify_result = *verify_result; |
| 1117 GetCertChainInfo(chain_context, verify_result); | 1119 if (!GetCertChainInfo(chain_context, verify_result)) |
| 1120 return ERR_CERT_INVALID; |
| 1118 if (!verify_result->is_issued_by_known_root && | 1121 if (!verify_result->is_issued_by_known_root && |
| 1119 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) { | 1122 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)) { |
| 1120 *verify_result = temp_verify_result; | 1123 *verify_result = temp_verify_result; |
| 1121 | 1124 |
| 1122 rev_checking_enabled = true; | 1125 rev_checking_enabled = true; |
| 1123 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 1126 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 1124 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; | 1127 chain_flags &= ~CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; |
| 1125 | 1128 |
| 1126 CertFreeCertificateChain(chain_context); | 1129 CertFreeCertificateChain(chain_context); |
| 1127 if (!CertGetCertificateChain( | 1130 if (!CertGetCertificateChain( |
| 1128 chain_engine, | 1131 chain_engine, |
| 1129 cert_list.get(), | 1132 cert_list.get(), |
| 1130 NULL, // current system time | 1133 NULL, // current system time |
| 1131 cert_list->hCertStore, | 1134 cert_list->hCertStore, |
| 1132 &chain_para, | 1135 &chain_para, |
| 1133 chain_flags, | 1136 chain_flags, |
| 1134 NULL, // reserved | 1137 NULL, // reserved |
| 1135 &chain_context)) { | 1138 &chain_context)) { |
| 1136 verify_result->cert_status |= CERT_STATUS_INVALID; | 1139 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 1137 return MapSecurityError(GetLastError()); | 1140 return MapSecurityError(GetLastError()); |
| 1138 } | 1141 } |
| 1139 GetCertChainInfo(chain_context, verify_result); | 1142 if (!GetCertChainInfo(chain_context, verify_result)) |
| 1143 return ERR_CERT_INVALID; |
| 1140 | 1144 |
| 1141 if (chain_context->TrustStatus.dwErrorStatus & | 1145 if (chain_context->TrustStatus.dwErrorStatus & |
| 1142 CERT_TRUST_IS_OFFLINE_REVOCATION) { | 1146 CERT_TRUST_IS_OFFLINE_REVOCATION) { |
| 1143 verify_result->cert_status |= CERT_STATUS_REVOKED; | 1147 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 1144 } | 1148 } |
| 1145 } | 1149 } |
| 1146 | 1150 |
| 1147 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); | 1151 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context); |
| 1148 | 1152 |
| 1149 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 1153 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
| (...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1208 return MapCertStatusToNetError(verify_result->cert_status); | 1212 return MapCertStatusToNetError(verify_result->cert_status); |
| 1209 | 1213 |
| 1210 if (ev_policy_oid && | 1214 if (ev_policy_oid && |
| 1211 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { | 1215 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { |
| 1212 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1216 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 1213 } | 1217 } |
| 1214 return OK; | 1218 return OK; |
| 1215 } | 1219 } |
| 1216 | 1220 |
| 1217 } // namespace net | 1221 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2760723002:
Check X509Certificate::CreateFromHandle result. (Closed)
