Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(339)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/x509_certificate_openssl.cc

Issue 2761333002: Add a DevTools warning for a missing subjectAltName (Closed)
Patch Set: Feedback & fixes Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/x509_certificate_nss.cc ('k') | net/cert/x509_certificate_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/x509_certificate.h" 5 #include "net/cert/x509_certificate.h"
6 6
7 #include "base/macros.h" 7 #include "base/macros.h"
8 #include "base/memory/singleton.h" 8 #include "base/memory/singleton.h"
9 #include "base/numerics/safe_conversions.h" 9 #include "base/numerics/safe_conversions.h"
10 #include "base/pickle.h" 10 #include "base/pickle.h"
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
86 x509_util::ParsePrincipalValueByNID(x509_name, NID_commonName, 86 x509_util::ParsePrincipalValueByNID(x509_name, NID_commonName,
87 &principal->common_name); 87 &principal->common_name);
88 x509_util::ParsePrincipalValueByNID(x509_name, NID_localityName, 88 x509_util::ParsePrincipalValueByNID(x509_name, NID_localityName,
89 &principal->locality_name); 89 &principal->locality_name);
90 x509_util::ParsePrincipalValueByNID(x509_name, NID_stateOrProvinceName, 90 x509_util::ParsePrincipalValueByNID(x509_name, NID_stateOrProvinceName,
91 &principal->state_or_province_name); 91 &principal->state_or_province_name);
92 x509_util::ParsePrincipalValueByNID(x509_name, NID_countryName, 92 x509_util::ParsePrincipalValueByNID(x509_name, NID_countryName,
93 &principal->country_name); 93 &principal->country_name);
94 } 94 }
95 95
96 void ParseSubjectAltName(X509Certificate::OSCertHandle cert, 96 bool ParseSubjectAltName(X509Certificate::OSCertHandle cert,
97 std::vector<std::string>* dns_names, 97 std::vector<std::string>* dns_names,
98 std::vector<std::string>* ip_addresses) { 98 std::vector<std::string>* ip_addresses) {
99 DCHECK(dns_names || ip_addresses);
100 int index = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); 99 int index = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
101 X509_EXTENSION* alt_name_ext = X509_get_ext(cert, index); 100 X509_EXTENSION* alt_name_ext = X509_get_ext(cert, index);
102 if (!alt_name_ext) 101 if (!alt_name_ext)
103 return; 102 return false;
104 103
105 bssl::UniquePtr<GENERAL_NAMES> alt_names( 104 bssl::UniquePtr<GENERAL_NAMES> alt_names(
106 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); 105 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext)));
107 if (!alt_names.get()) 106 if (!alt_names.get())
108 return; 107 return false;
109 108
109 bool has_san = false;
110 for (size_t i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) { 110 for (size_t i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) {
111 const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i); 111 const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i);
112 if (name->type == GEN_DNS && dns_names) { 112 if (name->type == GEN_DNS) {
113 const unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName); 113 has_san = true;
114 if (!dns_name) 114 if (dns_names) {
115 continue; 115 const unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName);
116 int dns_name_len = ASN1_STRING_length(name->d.dNSName); 116 int dns_name_len = ASN1_STRING_length(name->d.dNSName);
117 dns_names->push_back( 117 dns_names->push_back(
118 std::string(reinterpret_cast<const char*>(dns_name), dns_name_len)); 118 base::StringPiece(reinterpret_cast<const char*>(dns_name),
119 } else if (name->type == GEN_IPADD && ip_addresses) { 119 dns_name_len)
120 const unsigned char* ip_addr = name->d.iPAddress->data; 120 .as_string());
121 if (!ip_addr)
122 continue;
123 int ip_addr_len = name->d.iPAddress->length;
124 if (ip_addr_len != static_cast<int>(IPAddress::kIPv4AddressSize) &&
125 ip_addr_len != static_cast<int>(IPAddress::kIPv6AddressSize)) {
126 // http://www.ietf.org/rfc/rfc3280.txt requires subjectAltName iPAddress
127 // to have 4 or 16 bytes, whereas in a name constraint it includes a
128 // net mask hence 8 or 32 bytes. Logging to help diagnose any mixup.
129 LOG(WARNING) << "Bad sized IP Address in cert: " << ip_addr_len;
130 continue;
131 } 121 }
132 ip_addresses->push_back( 122 } else if (name->type == GEN_IPADD) {
133 std::string(reinterpret_cast<const char*>(ip_addr), ip_addr_len)); 123 has_san = true;
124 if (ip_addresses) {
125 const unsigned char* ip_addr = name->d.iPAddress->data;
126 int ip_addr_len = name->d.iPAddress->length;
127 ip_addresses->push_back(
128 base::StringPiece(reinterpret_cast<const char*>(ip_addr),
129 ip_addr_len)
130 .as_string());
131 }
134 } 132 }
133 // Fast path: Found at least one subjectAltName and the caller doesn't
134 // need the actual values.
135 if (has_san && !ip_addresses && !dns_names)
136 return true;
135 } 137 }
138 return has_san;
136 } 139 }
137 140
138 class X509InitSingleton { 141 class X509InitSingleton {
139 public: 142 public:
140 static X509InitSingleton* GetInstance() { 143 static X509InitSingleton* GetInstance() {
141 // We allow the X509 store to leak, because it is used from a non-joinable 144 // We allow the X509 store to leak, because it is used from a non-joinable
142 // worker that is not stopped on shutdown, hence may still be using 145 // worker that is not stopped on shutdown, hence may still be using
143 // OpenSSL library after the AtExit runner has completed. 146 // OpenSSL library after the AtExit runner has completed.
144 return base::Singleton<X509InitSingleton, base::LeakySingletonTraits< 147 return base::Singleton<X509InitSingleton, base::LeakySingletonTraits<
145 X509InitSingleton>>::get(); 148 X509InitSingleton>>::get();
(...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after
271 } 274 }
272 default: { 275 default: {
273 NOTREACHED() << "Certificate format " << format << " unimplemented"; 276 NOTREACHED() << "Certificate format " << format << " unimplemented";
274 break; 277 break;
275 } 278 }
276 } 279 }
277 280
278 return results; 281 return results;
279 } 282 }
280 283
281 void X509Certificate::GetSubjectAltName( 284 bool X509Certificate::GetSubjectAltName(
282 std::vector<std::string>* dns_names, 285 std::vector<std::string>* dns_names,
283 std::vector<std::string>* ip_addrs) const { 286 std::vector<std::string>* ip_addrs) const {
284 if (dns_names) 287 if (dns_names)
285 dns_names->clear(); 288 dns_names->clear();
286 if (ip_addrs) 289 if (ip_addrs)
287 ip_addrs->clear(); 290 ip_addrs->clear();
288 291
289 ParseSubjectAltName(cert_handle_, dns_names, ip_addrs); 292 return ParseSubjectAltName(cert_handle_, dns_names, ip_addrs);
290 } 293 }
291 294
292 // static 295 // static
293 X509_STORE* X509Certificate::cert_store() { 296 X509_STORE* X509Certificate::cert_store() {
294 return X509InitSingleton::GetInstance()->store(); 297 return X509InitSingleton::GetInstance()->store();
295 } 298 }
296 299
297 // static 300 // static
298 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, 301 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
299 std::string* encoded) { 302 std::string* encoded) {
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after
430 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { 433 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
431 bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert_handle)); 434 bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert_handle));
432 if (!scoped_key) 435 if (!scoped_key)
433 return false; 436 return false;
434 if (!X509_verify(cert_handle, scoped_key.get())) 437 if (!X509_verify(cert_handle, scoped_key.get()))
435 return false; 438 return false;
436 return X509_check_issued(cert_handle, cert_handle) == X509_V_OK; 439 return X509_check_issued(cert_handle, cert_handle) == X509_V_OK;
437 } 440 }
438 441
439 } // namespace net 442 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/x509_certificate_nss.cc ('k') | net/cert/x509_certificate_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698