| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <map> | 10 #include <map> |
| (...skipping 486 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 497 | 497 |
| 498 bool X509Certificate::Equals(const X509Certificate* other) const { | 498 bool X509Certificate::Equals(const X509Certificate* other) const { |
| 499 return IsSameOSCert(cert_handle_, other->cert_handle_); | 499 return IsSameOSCert(cert_handle_, other->cert_handle_); |
| 500 } | 500 } |
| 501 | 501 |
| 502 // static | 502 // static |
| 503 bool X509Certificate::VerifyHostname( | 503 bool X509Certificate::VerifyHostname( |
| 504 const std::string& hostname, | 504 const std::string& hostname, |
| 505 const std::string& cert_common_name, | 505 const std::string& cert_common_name, |
| 506 const std::vector<std::string>& cert_san_dns_names, | 506 const std::vector<std::string>& cert_san_dns_names, |
| 507 const std::vector<std::string>& cert_san_ip_addrs) { | 507 const std::vector<std::string>& cert_san_ip_addrs, |
| 508 bool* common_name_fallback_used) { |
| 508 DCHECK(!hostname.empty()); | 509 DCHECK(!hostname.empty()); |
| 509 // Perform name verification following http://tools.ietf.org/html/rfc6125. | 510 // Perform name verification following http://tools.ietf.org/html/rfc6125. |
| 510 // The terminology used in this method is as per that RFC:- | 511 // The terminology used in this method is as per that RFC:- |
| 511 // Reference identifier == the host the local user/agent is intending to | 512 // Reference identifier == the host the local user/agent is intending to |
| 512 // access, i.e. the thing displayed in the URL bar. | 513 // access, i.e. the thing displayed in the URL bar. |
| 513 // Presented identifier(s) == name(s) the server knows itself as, in its cert. | 514 // Presented identifier(s) == name(s) the server knows itself as, in its cert. |
| 514 | 515 |
| 515 // CanonicalizeHost requires surrounding brackets to parse an IPv6 address. | 516 // CanonicalizeHost requires surrounding brackets to parse an IPv6 address. |
| 516 const std::string host_or_ip = hostname.find(':') != std::string::npos ? | 517 const std::string host_or_ip = hostname.find(':') != std::string::npos ? |
| 517 "[" + hostname + "]" : hostname; | 518 "[" + hostname + "]" : hostname; |
| 518 url_canon::CanonHostInfo host_info; | 519 url_canon::CanonHostInfo host_info; |
| 519 std::string reference_name = CanonicalizeHost(host_or_ip, &host_info); | 520 std::string reference_name = CanonicalizeHost(host_or_ip, &host_info); |
| 520 // CanonicalizeHost does not normalize absolute vs relative DNS names. If | 521 // CanonicalizeHost does not normalize absolute vs relative DNS names. If |
| 521 // the input name was absolute (included trailing .), normalize it as if it | 522 // the input name was absolute (included trailing .), normalize it as if it |
| 522 // was relative. | 523 // was relative. |
| 523 if (!reference_name.empty() && *reference_name.rbegin() == '.') | 524 if (!reference_name.empty() && *reference_name.rbegin() == '.') |
| 524 reference_name.resize(reference_name.size() - 1); | 525 reference_name.resize(reference_name.size() - 1); |
| 525 if (reference_name.empty()) | 526 if (reference_name.empty()) |
| 526 return false; | 527 return false; |
| 527 | 528 |
| 528 // Allow fallback to Common name matching? | 529 // Allow fallback to Common name matching? |
| 529 const bool common_name_fallback = cert_san_dns_names.empty() && | 530 const bool common_name_fallback = cert_san_dns_names.empty() && |
| 530 cert_san_ip_addrs.empty(); | 531 cert_san_ip_addrs.empty(); |
| 532 *common_name_fallback_used = common_name_fallback; |
| 531 | 533 |
| 532 // Fully handle all cases where |hostname| contains an IP address. | 534 // Fully handle all cases where |hostname| contains an IP address. |
| 533 if (host_info.IsIPAddress()) { | 535 if (host_info.IsIPAddress()) { |
| 534 if (common_name_fallback && | 536 if (common_name_fallback && |
| 535 host_info.family == url_canon::CanonHostInfo::IPV4) { | 537 host_info.family == url_canon::CanonHostInfo::IPV4) { |
| 536 // Fallback to Common name matching. As this is deprecated and only | 538 // Fallback to Common name matching. As this is deprecated and only |
| 537 // supported for compatibility refuse it for IPv6 addresses. | 539 // supported for compatibility refuse it for IPv6 addresses. |
| 538 return reference_name == cert_common_name; | 540 return reference_name == cert_common_name; |
| 539 } | 541 } |
| 540 base::StringPiece ip_addr_string( | 542 base::StringPiece ip_addr_string( |
| (...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 642 !(pattern_begin.empty() && pattern_end.empty())) | 644 !(pattern_begin.empty() && pattern_end.empty())) |
| 643 continue; | 645 continue; |
| 644 | 646 |
| 645 if (reference_host.starts_with(pattern_begin) && | 647 if (reference_host.starts_with(pattern_begin) && |
| 646 reference_host.ends_with(pattern_end)) | 648 reference_host.ends_with(pattern_end)) |
| 647 return true; | 649 return true; |
| 648 } | 650 } |
| 649 return false; | 651 return false; |
| 650 } | 652 } |
| 651 | 653 |
| 652 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 654 bool X509Certificate::VerifyNameMatch(const std::string& hostname, |
| 655 bool* common_name_fallback_used) const { |
| 653 std::vector<std::string> dns_names, ip_addrs; | 656 std::vector<std::string> dns_names, ip_addrs; |
| 654 GetSubjectAltName(&dns_names, &ip_addrs); | 657 GetSubjectAltName(&dns_names, &ip_addrs); |
| 655 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 658 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs, |
| 659 common_name_fallback_used); |
| 656 } | 660 } |
| 657 | 661 |
| 658 // static | 662 // static |
| 659 bool X509Certificate::GetPEMEncodedFromDER(const std::string& der_encoded, | 663 bool X509Certificate::GetPEMEncodedFromDER(const std::string& der_encoded, |
| 660 std::string* pem_encoded) { | 664 std::string* pem_encoded) { |
| 661 if (der_encoded.empty()) | 665 if (der_encoded.empty()) |
| 662 return false; | 666 return false; |
| 663 std::string b64_encoded; | 667 std::string b64_encoded; |
| 664 if (!base::Base64Encode(der_encoded, &b64_encoded) || b64_encoded.empty()) | 668 if (!base::Base64Encode(der_encoded, &b64_encoded) || b64_encoded.empty()) |
| 665 return false; | 669 return false; |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 725 RemoveFromCache(cert_handle_); | 729 RemoveFromCache(cert_handle_); |
| 726 FreeOSCertHandle(cert_handle_); | 730 FreeOSCertHandle(cert_handle_); |
| 727 } | 731 } |
| 728 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { | 732 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { |
| 729 RemoveFromCache(intermediate_ca_certs_[i]); | 733 RemoveFromCache(intermediate_ca_certs_[i]); |
| 730 FreeOSCertHandle(intermediate_ca_certs_[i]); | 734 FreeOSCertHandle(intermediate_ca_certs_[i]); |
| 731 } | 735 } |
| 732 } | 736 } |
| 733 | 737 |
| 734 } // namespace net | 738 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 27624002:
Add a histogram for measuring the number of times we fall back to common name matching, when a cert… (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src