Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(450)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: components/cast_certificate/cast_cert_validator.cc

Issue 2800993002: Add a key purpose parameter to Certificate PathBuilder. (Closed)
Patch Set: add datafiles for ios build Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | components/cast_certificate/cast_crl.cc » ('j') | net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: components/cast_certificate/cast_cert_validator.cc
diff --git a/components/cast_certificate/cast_cert_validator.cc b/components/cast_certificate/cast_cert_validator.cc
index ccddd3757590f8add4ee4f4fa0ff1285ae85f9fa..1af69fa515df237013ab484509c15f0fa9ed3b45 100644
--- a/components/cast_certificate/cast_cert_validator.cc
+++ b/components/cast_certificate/cast_cert_validator.cc
@@ -160,19 +160,9 @@ bool GetCommonNameFromSubject(const net::der::Input& subject_tlv,
return false;
}
-// Returns true if the extended key usage list |ekus| contains client auth.
-bool HasClientAuth(const std::vector<net::der::Input>& ekus) {
- for (const auto& oid : ekus) {
- if (oid == net::ClientAuth())
- return true;
- }
- return false;
-}
-
// Checks properties on the target certificate.
//
// * The Key Usage must include Digital Signature
-// * The Extended Key Usage must include TLS Client Auth
// * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it
// is an audio-only device.
WARN_UNUSED_RESULT bool CheckTargetCertificate(
@@ -187,10 +177,14 @@ WARN_UNUSED_RESULT bool CheckTargetCertificate(
if (!cert->key_usage().AssertsBit(net::KEY_USAGE_BIT_DIGITAL_SIGNATURE))
return false;
- // Ensure Extended Key Usage contains client auth.
- if (!cert->has_extended_key_usage() ||
- !HasClientAuth(cert->extended_key_usage()))
- return false;
+ // TODO(delete before landing): Doug, the behavior after my change is a
+ // bit more permissive than what we had before, please confirm that
+ // this is acceptable (if not I can leave previous check in place).
+ //
+ // * The EKU can now be omitted in the target certificate (will be
+ // considered a match for clientAuth).
+ //
+ // * anyExtendedKeyUsage will also be considered a match for clientAuth
// Check for an optional audio-only policy extension.
*policy = CastDeviceCertPolicy::NONE;
@@ -281,9 +275,9 @@ bool VerifyDeviceCertUsingCustomTrustStore(
if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time))
return false;
net::CertPathBuilder::Result result;
- net::CertPathBuilder path_builder(target_cert.get(), trust_store,
- signature_policy.get(), verification_time,
- &result);
+ net::CertPathBuilder path_builder(
+ target_cert.get(), trust_store, signature_policy.get(), verification_time,
+ net::KeyPurpose::KEY_PURPOSE_CLIENT_AUTH, &result);
path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
path_builder.Run();
if (!result.HasValidPath()) {
« no previous file with comments | « no previous file | components/cast_certificate/cast_crl.cc » ('j') | net/data/verify_certificate_chain_unittest/generate-target-restricts-eku-fail.py » ('J')

Powered by Google App Engine
This is Rietveld 408576698