OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
(...skipping 212 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
223 return true; | 223 return true; |
224 | 224 |
225 for (OSCertHandles::iterator it = intermediate_ca_certs_.begin(); | 225 for (OSCertHandles::iterator it = intermediate_ca_certs_.begin(); |
226 it != intermediate_ca_certs_.end(); ++it) { | 226 it != intermediate_ca_certs_.end(); ++it) { |
227 if (IsCertIssuerInEncodedList(*it, valid_issuers)) | 227 if (IsCertIssuerInEncodedList(*it, valid_issuers)) |
228 return true; | 228 return true; |
229 } | 229 } |
230 return false; | 230 return false; |
231 } | 231 } |
232 | 232 |
233 void X509Certificate::GetSubjectAltName( | 233 bool X509Certificate::GetSubjectAltName( |
234 std::vector<std::string>* dns_names, | 234 std::vector<std::string>* dns_names, |
235 std::vector<std::string>* ip_addrs) const { | 235 std::vector<std::string>* ip_addrs) const { |
236 if (dns_names) | 236 if (dns_names) |
237 dns_names->clear(); | 237 dns_names->clear(); |
238 if (ip_addrs) | 238 if (ip_addrs) |
239 ip_addrs->clear(); | 239 ip_addrs->clear(); |
240 | 240 |
241 x509_util::CSSMCachedCertificate cached_cert; | 241 x509_util::CSSMCachedCertificate cached_cert; |
242 OSStatus status = cached_cert.Init(cert_handle_); | 242 OSStatus status = cached_cert.Init(cert_handle_); |
243 if (status) | 243 if (status) |
244 return; | 244 return false; |
| 245 |
245 x509_util::CSSMFieldValue subject_alt_name; | 246 x509_util::CSSMFieldValue subject_alt_name; |
246 status = cached_cert.GetField(&CSSMOID_SubjectAltName, &subject_alt_name); | 247 status = cached_cert.GetField(&CSSMOID_SubjectAltName, &subject_alt_name); |
247 if (status || !subject_alt_name.field()) | 248 if (status || !subject_alt_name.field()) |
248 return; | 249 return false; |
| 250 |
249 const CSSM_X509_EXTENSION* cssm_ext = | 251 const CSSM_X509_EXTENSION* cssm_ext = |
250 subject_alt_name.GetAs<CSSM_X509_EXTENSION>(); | 252 subject_alt_name.GetAs<CSSM_X509_EXTENSION>(); |
251 if (!cssm_ext || !cssm_ext->value.parsedValue) | 253 if (!cssm_ext || !cssm_ext->value.parsedValue) |
252 return; | 254 return false; |
253 const CE_GeneralNames* alt_name = | 255 const CE_GeneralNames* alt_name = |
254 reinterpret_cast<const CE_GeneralNames*>(cssm_ext->value.parsedValue); | 256 reinterpret_cast<const CE_GeneralNames*>(cssm_ext->value.parsedValue); |
255 | 257 |
| 258 bool has_san = false; |
256 for (size_t name = 0; name < alt_name->numNames; ++name) { | 259 for (size_t name = 0; name < alt_name->numNames; ++name) { |
257 const CE_GeneralName& name_struct = alt_name->generalName[name]; | 260 const CE_GeneralName& name_struct = alt_name->generalName[name]; |
258 const CSSM_DATA& name_data = name_struct.name; | 261 const CSSM_DATA& name_data = name_struct.name; |
259 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs | 262 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs |
260 // respectively, both of which can be byte copied from | 263 // respectively, both of which can be byte copied from |
261 // CSSM_DATA::data into the appropriate output vector. | 264 // CSSM_DATA::data into the appropriate output vector. |
262 if (dns_names && name_struct.nameType == GNT_DNSName) { | 265 if (name_struct.nameType == GNT_DNSName) { |
263 dns_names->push_back(std::string( | 266 has_san = true; |
264 reinterpret_cast<const char*>(name_data.Data), | 267 if (dns_names) { |
265 name_data.Length)); | 268 dns_names->push_back(std::string( |
266 } else if (ip_addrs && name_struct.nameType == GNT_IPAddress) { | 269 reinterpret_cast<const char*>(name_data.Data), name_data.Length)); |
267 ip_addrs->push_back(std::string( | 270 } |
268 reinterpret_cast<const char*>(name_data.Data), | 271 } else if (name_struct.nameType == GNT_IPAddress) { |
269 name_data.Length)); | 272 has_san = true; |
| 273 if (ip_addrs) { |
| 274 ip_addrs->push_back(std::string( |
| 275 reinterpret_cast<const char*>(name_data.Data), name_data.Length)); |
| 276 } |
270 } | 277 } |
| 278 // Fast path: Found at least one subjectAltName and the caller doesn't |
| 279 // need the actual values. |
| 280 if (has_san && !ip_addrs && !dns_names) |
| 281 return true; |
271 } | 282 } |
| 283 |
| 284 return has_san; |
272 } | 285 } |
273 | 286 |
274 // static | 287 // static |
275 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, | 288 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, |
276 std::string* encoded) { | 289 std::string* encoded) { |
277 CSSM_DATA der_data; | 290 CSSM_DATA der_data; |
278 if (!cert_handle || SecCertificateGetData(cert_handle, &der_data) != noErr) | 291 if (!cert_handle || SecCertificateGetData(cert_handle, &der_data) != noErr) |
279 return false; | 292 return false; |
280 encoded->assign(reinterpret_cast<char*>(der_data.Data), | 293 encoded->assign(reinterpret_cast<char*>(der_data.Data), |
281 der_data.Length); | 294 der_data.Length); |
(...skipping 269 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
551 return false; | 564 return false; |
552 | 565 |
553 if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0)) | 566 if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0)) |
554 return false; | 567 return false; |
555 return true; | 568 return true; |
556 } | 569 } |
557 | 570 |
558 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 571 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
559 | 572 |
560 } // namespace net | 573 } // namespace net |
OLD | NEW |