Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(184)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/cert_verify_proc_nss.cc

Issue 2781093003: De-prioritize 2.23.140.1.1 when searching for EV policy. (Closed)
Patch Set: Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_verify_proc_nss.h" 5 #include "net/cert/cert_verify_proc_nss.h"
6 6
7 #include <cert.h> 7 #include <cert.h>
8 #include <nss.h> 8 #include <nss.h>
9 #include <prerror.h> 9 #include <prerror.h>
10 #include <secerr.h> 10 #include <secerr.h>
(...skipping 642 matching lines...) Expand 10 before | Expand all | Expand 10 after
653 } 653 }
654 654
655 // Returns true if |cert_handle| contains a policy OID that is an EV policy 655 // Returns true if |cert_handle| contains a policy OID that is an EV policy
656 // OID according to |metadata|, storing the resulting policy OID in 656 // OID according to |metadata|, storing the resulting policy OID in
657 // |*ev_policy_oid|. A true return is not sufficient to establish that a 657 // |*ev_policy_oid|. A true return is not sufficient to establish that a
658 // certificate is EV, but a false return is sufficient to establish the 658 // certificate is EV, but a false return is sufficient to establish the
659 // certificate cannot be EV. 659 // certificate cannot be EV.
660 bool IsEVCandidate(EVRootCAMetadata* metadata, 660 bool IsEVCandidate(EVRootCAMetadata* metadata,
661 CERTCertificate* cert_handle, 661 CERTCertificate* cert_handle,
662 SECOidTag* ev_policy_oid) { 662 SECOidTag* ev_policy_oid) {
663 *ev_policy_oid = SEC_OID_UNKNOWN;
663 DCHECK(cert_handle); 664 DCHECK(cert_handle);
664 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); 665 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
665 if (!policies.get()) 666 if (!policies.get())
666 return false; 667 return false;
667 668
668 CERTPolicyInfo** policy_infos = policies->policyInfos; 669 CERTPolicyInfo** policy_infos = policies->policyInfos;
669 while (*policy_infos != NULL) { 670 while (*policy_infos != NULL) {
670 CERTPolicyInfo* policy_info = *policy_infos++; 671 CERTPolicyInfo* policy_info = *policy_infos++;
671 // If the Policy OID is unknown, that implicitly means it has not been 672 // If the Policy OID is unknown, that implicitly means it has not been
672 // registered as an EV policy. 673 // registered as an EV policy.
673 if (policy_info->oid == SEC_OID_UNKNOWN) 674 if (policy_info->oid == SEC_OID_UNKNOWN)
674 continue; 675 continue;
675 if (metadata->IsEVPolicyOID(policy_info->oid)) { 676 if (metadata->IsEVPolicyOID(policy_info->oid)) {
676 *ev_policy_oid = policy_info->oid; 677 *ev_policy_oid = policy_info->oid;
677 return true; 678
679 // De-prioritize the CA/Browser forum Extended Validation policy
680 // (2.23.140.1.1). See crbug.com/705285.
681 if (!EVRootCAMetadata::IsCaBrowserForumEvOid(policy_info->oid))
682 break;
678 } 683 }
679 } 684 }
680 685
681 return false; 686 return *ev_policy_oid != SEC_OID_UNKNOWN;
682 } 687 }
683 688
684 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp 689 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
685 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate. 690 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate.
686 // TODO(wtc): A possible optimization is that we get the trust anchor from 691 // TODO(wtc): A possible optimization is that we get the trust anchor from
687 // the first PKIXVerifyCert call. We look up the EV policy for the trust 692 // the first PKIXVerifyCert call. We look up the EV policy for the trust
688 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV. 693 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV.
689 // Otherwise, we pass just that EV policy (as opposed to all the EV policies) 694 // Otherwise, we pass just that EV policy (as opposed to all the EV policies)
690 // to the second PKIXVerifyCert call. 695 // to the second PKIXVerifyCert call.
691 bool VerifyEV(CERTCertificate* cert_handle, 696 bool VerifyEV(CERTCertificate* cert_handle,
(...skipping 262 matching lines...) Expand 10 before | Expand all | Expand 10 after
954 CRLSet* crl_set, 959 CRLSet* crl_set,
955 const CertificateList& additional_trust_anchors, 960 const CertificateList& additional_trust_anchors,
956 CertVerifyResult* verify_result) { 961 CertVerifyResult* verify_result) {
957 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, 962 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set,
958 additional_trust_anchors, 963 additional_trust_anchors,
959 NULL, // chain_verify_callback 964 NULL, // chain_verify_callback
960 verify_result); 965 verify_result);
961 } 966 }
962 967
963 } // namespace net 968 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/cert_verify_proc_mac.cc ('k') | net/cert/cert_verify_proc_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698