OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_nss.h" | 5 #include "net/cert/cert_verify_proc_nss.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <nss.h> | 8 #include <nss.h> |
9 #include <prerror.h> | 9 #include <prerror.h> |
10 #include <secerr.h> | 10 #include <secerr.h> |
653 } | 653 } |
654 | 654 |
655 // Returns true if |cert_handle| contains a policy OID that is an EV policy | 655 // Returns true if |cert_handle| contains a policy OID that is an EV policy |
656 // OID according to |metadata|, storing the resulting policy OID in | 656 // OID according to |metadata|, storing the resulting policy OID in |
657 // |*ev_policy_oid|. A true return is not sufficient to establish that a | 657 // |*ev_policy_oid|. A true return is not sufficient to establish that a |
658 // certificate is EV, but a false return is sufficient to establish the | 658 // certificate is EV, but a false return is sufficient to establish the |
659 // certificate cannot be EV. | 659 // certificate cannot be EV. |
660 bool IsEVCandidate(EVRootCAMetadata* metadata, | 660 bool IsEVCandidate(EVRootCAMetadata* metadata, |
661 CERTCertificate* cert_handle, | 661 CERTCertificate* cert_handle, |
662 SECOidTag* ev_policy_oid) { | 662 SECOidTag* ev_policy_oid) { |
| 663 *ev_policy_oid = SEC_OID_UNKNOWN; |
663 DCHECK(cert_handle); | 664 DCHECK(cert_handle); |
664 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); | 665 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); |
665 if (!policies.get()) | 666 if (!policies.get()) |
666 return false; | 667 return false; |
667 | 668 |
668 CERTPolicyInfo** policy_infos = policies->policyInfos; | 669 CERTPolicyInfo** policy_infos = policies->policyInfos; |
669 while (*policy_infos != NULL) { | 670 while (*policy_infos != NULL) { |
670 CERTPolicyInfo* policy_info = *policy_infos++; | 671 CERTPolicyInfo* policy_info = *policy_infos++; |
671 // If the Policy OID is unknown, that implicitly means it has not been | 672 // If the Policy OID is unknown, that implicitly means it has not been |
672 // registered as an EV policy. | 673 // registered as an EV policy. |
673 if (policy_info->oid == SEC_OID_UNKNOWN) | 674 if (policy_info->oid == SEC_OID_UNKNOWN) |
674 continue; | 675 continue; |
675 if (metadata->IsEVPolicyOID(policy_info->oid)) { | 676 if (metadata->IsEVPolicyOID(policy_info->oid)) { |
676 *ev_policy_oid = policy_info->oid; | 677 *ev_policy_oid = policy_info->oid; |
677 return true; | 678 |
| 679 // De-prioritize the CA/Browser forum Extended Validation policy |
| 680 // (2.23.140.1.1). See crbug.com/705285. |
| 681 if (!EVRootCAMetadata::IsCaBrowserForumEvOid(policy_info->oid)) |
| 682 break; |
678 } | 683 } |
679 } | 684 } |
680 | 685 |
681 return false; | 686 return *ev_policy_oid != SEC_OID_UNKNOWN; |
682 } | 687 } |
683 | 688 |
684 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp | 689 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp |
685 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate. | 690 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate. |
686 // TODO(wtc): A possible optimization is that we get the trust anchor from | 691 // TODO(wtc): A possible optimization is that we get the trust anchor from |
687 // the first PKIXVerifyCert call. We look up the EV policy for the trust | 692 // the first PKIXVerifyCert call. We look up the EV policy for the trust |
688 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV. | 693 // anchor. If the trust anchor has no EV policy, we know the cert isn't EV. |
689 // Otherwise, we pass just that EV policy (as opposed to all the EV policies) | 694 // Otherwise, we pass just that EV policy (as opposed to all the EV policies) |
690 // to the second PKIXVerifyCert call. | 695 // to the second PKIXVerifyCert call. |
691 bool VerifyEV(CERTCertificate* cert_handle, | 696 bool VerifyEV(CERTCertificate* cert_handle, |
954 CRLSet* crl_set, | 959 CRLSet* crl_set, |
955 const CertificateList& additional_trust_anchors, | 960 const CertificateList& additional_trust_anchors, |
956 CertVerifyResult* verify_result) { | 961 CertVerifyResult* verify_result) { |
957 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, | 962 return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, |
958 additional_trust_anchors, | 963 additional_trust_anchors, |
959 NULL, // chain_verify_callback | 964 NULL, // chain_verify_callback |
960 verify_result); | 965 verify_result); |
961 } | 966 } |
962 | 967 |
963 } // namespace net | 968 } // namespace net |
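Review bot: The contract comment above IsEVCandidate (new lines 655-659) is now out of date: `*ev_policy_oid` is written on every path and is `SEC_OID_UNKNOWN` whenever false is returned, and the loop no longer stops at the first EV OID but scans past the CA/Browser Forum OID so that a CA-specific EV OID later in the extension wins. I would extend that comment with something like `// If several EV policy OIDs are present, a CA-specific one is preferred over the CA/Browser Forum OID (2.23.140.1.1); |*ev_policy_oid| is SEC_OID_UNKNOWN on a false return.` The function still returns a single candidate, so a certificate carrying two CA-specific EV OIDs is only ever evaluated against the first one. That appears to fail closed, since the existing comment says a true return does not establish EV, but VerifyEV's body is outside the visible lines, so it is worth confirming there. A unit test covering both orderings of the two OIDs would also pin the new selection rule.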