1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
497 | 497 |
498 bool X509Certificate::Equals(const X509Certificate* other) const { | 498 bool X509Certificate::Equals(const X509Certificate* other) const { |
499 return IsSameOSCert(cert_handle_, other->cert_handle_); | 499 return IsSameOSCert(cert_handle_, other->cert_handle_); |
500 } | 500 } |
501 | 501 |
502 // static | 502 // static |
503 bool X509Certificate::VerifyHostname( | 503 bool X509Certificate::VerifyHostname( |
504 const std::string& hostname, | 504 const std::string& hostname, |
505 const std::string& cert_common_name, | 505 const std::string& cert_common_name, |
506 const std::vector<std::string>& cert_san_dns_names, | 506 const std::vector<std::string>& cert_san_dns_names, |
507 const std::vector<std::string>& cert_san_ip_addrs) { | 507 const std::vector<std::string>& cert_san_ip_addrs, |
508 bool* common_name_fallback_used) { | |
508 DCHECK(!hostname.empty()); | 509 DCHECK(!hostname.empty()); |
509 // Perform name verification following http://tools.ietf.org/html/rfc6125. | 510 // Perform name verification following http://tools.ietf.org/html/rfc6125. |
510 // The terminology used in this method is as per that RFC:- | 511 // The terminology used in this method is as per that RFC:- |
511 // Reference identifier == the host the local user/agent is intending to | 512 // Reference identifier == the host the local user/agent is intending to |
512 // access, i.e. the thing displayed in the URL bar. | 513 // access, i.e. the thing displayed in the URL bar. |
513 // Presented identifier(s) == name(s) the server knows itself as, in its cert. | 514 // Presented identifier(s) == name(s) the server knows itself as, in its cert. |
514 | 515 |
515 // CanonicalizeHost requires surrounding brackets to parse an IPv6 address. | 516 // CanonicalizeHost requires surrounding brackets to parse an IPv6 address. |
516 const std::string host_or_ip = hostname.find(':') != std::string::npos ? | 517 const std::string host_or_ip = hostname.find(':') != std::string::npos ? |
517 "[" + hostname + "]" : hostname; | 518 "[" + hostname + "]" : hostname; |
518 url_canon::CanonHostInfo host_info; | 519 url_canon::CanonHostInfo host_info; |
519 std::string reference_name = CanonicalizeHost(host_or_ip, &host_info); | 520 std::string reference_name = CanonicalizeHost(host_or_ip, &host_info); |
520 // CanonicalizeHost does not normalize absolute vs relative DNS names. If | 521 // CanonicalizeHost does not normalize absolute vs relative DNS names. If |
521 // the input name was absolute (included trailing .), normalize it as if it | 522 // the input name was absolute (included trailing .), normalize it as if it |
522 // was relative. | 523 // was relative. |
523 if (!reference_name.empty() && *reference_name.rbegin() == '.') | 524 if (!reference_name.empty() && *reference_name.rbegin() == '.') |
524 reference_name.resize(reference_name.size() - 1); | 525 reference_name.resize(reference_name.size() - 1); |
525 if (reference_name.empty()) | 526 if (reference_name.empty()) |
526 return false; | 527 return false; |
527 | 528 |
528 // Allow fallback to Common name matching? | 529 // Allow fallback to Common name matching? |
529 const bool common_name_fallback = cert_san_dns_names.empty() && | 530 const bool common_name_fallback = cert_san_dns_names.empty() && |
530 cert_san_ip_addrs.empty(); | 531 cert_san_ip_addrs.empty(); |
532 *common_name_fallback_used = common_name_fallback; | |
jar (doing other things)
2013/10/21 22:13:42
nit: indent
| |
531 | 533 |
532 // Fully handle all cases where |hostname| contains an IP address. | 534 // Fully handle all cases where |hostname| contains an IP address. |
533 if (host_info.IsIPAddress()) { | 535 if (host_info.IsIPAddress()) { |
534 if (common_name_fallback && | 536 if (common_name_fallback && |
535 host_info.family == url_canon::CanonHostInfo::IPV4) { | 537 host_info.family == url_canon::CanonHostInfo::IPV4) { |
536 // Fallback to Common name matching. As this is deprecated and only | 538 // Fallback to Common name matching. As this is deprecated and only |
537 // supported for compatibility refuse it for IPv6 addresses. | 539 // supported for compatibility refuse it for IPv6 addresses. |
538 return reference_name == cert_common_name; | 540 return reference_name == cert_common_name; |
539 } | 541 } |
540 base::StringPiece ip_addr_string( | 542 base::StringPiece ip_addr_string( |
642 !(pattern_begin.empty() && pattern_end.empty())) | 644 !(pattern_begin.empty() && pattern_end.empty())) |
643 continue; | 645 continue; |
644 | 646 |
645 if (reference_host.starts_with(pattern_begin) && | 647 if (reference_host.starts_with(pattern_begin) && |
646 reference_host.ends_with(pattern_end)) | 648 reference_host.ends_with(pattern_end)) |
647 return true; | 649 return true; |
648 } | 650 } |
649 return false; | 651 return false; |
650 } | 652 } |
651 | 653 |
652 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 654 bool X509Certificate::VerifyNameMatch(const std::string& hostname, |
655 bool* common_name_fallback_used) const { | |
653 std::vector<std::string> dns_names, ip_addrs; | 656 std::vector<std::string> dns_names, ip_addrs; |
654 GetSubjectAltName(&dns_names, &ip_addrs); | 657 GetSubjectAltName(&dns_names, &ip_addrs); |
655 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 658 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs, |
659 common_name_fallback_used); | |
656 } | 660 } |
657 | 661 |
658 // static | 662 // static |
659 bool X509Certificate::GetPEMEncodedFromDER(const std::string& der_encoded, | 663 bool X509Certificate::GetPEMEncodedFromDER(const std::string& der_encoded, |
660 std::string* pem_encoded) { | 664 std::string* pem_encoded) { |
661 if (der_encoded.empty()) | 665 if (der_encoded.empty()) |
662 return false; | 666 return false; |
663 std::string b64_encoded; | 667 std::string b64_encoded; |
664 if (!base::Base64Encode(der_encoded, &b64_encoded) || b64_encoded.empty()) | 668 if (!base::Base64Encode(der_encoded, &b64_encoded) || b64_encoded.empty()) |
665 return false; | 669 return false; |
725 RemoveFromCache(cert_handle_); | 729 RemoveFromCache(cert_handle_); |
726 FreeOSCertHandle(cert_handle_); | 730 FreeOSCertHandle(cert_handle_); |
727 } | 731 } |
728 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { | 732 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { |
729 RemoveFromCache(intermediate_ca_certs_[i]); | 733 RemoveFromCache(intermediate_ca_certs_[i]); |
730 FreeOSCertHandle(intermediate_ca_certs_[i]); | 734 FreeOSCertHandle(intermediate_ca_certs_[i]); |
731 } | 735 } |
732 } | 736 } |
733 | 737 |
734 } // namespace net | 738 } // namespace net |
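Review bot: The new out-parameter `common_name_fallback_used` in VerifyHostname is only written at new line 532, which comes after the `if (reference_name.empty()) return false;` early exit at new lines 526-527, so on that path the caller's bool is left untouched and, if the caller did not initialize it, holds an indeterminate value. Since the flag presumably records whether deprecated CN matching was relied on, a caller reading it after a failed verification could misreport or mis-decide on that stale value. The pointer is also dereferenced unconditionally while VerifyNameMatch (new lines 654-659) forwards whatever it was given, so a null argument from any caller would crash in VerifyHostname rather than at the public entry point. Suggest asserting the pointer and initializing the flag right after the existing `DCHECK(!hostname.empty());`, e.g. `DCHECK(common_name_fallback_used);` and `*common_name_fallback_used = false;`, leaving line 532 to overwrite it with the computed value. The skipped body of VerifyHostname between new lines 542 and 644 is outside this view, so any other early returns there would need the same treatment.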