Side by Side Diff: net/cert/internal/verify_certificate_chain.cc

Issue 2803513003: Remove ParsedCertificate::unparsed_extensions(). (Closed)
Patch Set: remove unused Created 3 years, 8 months ago
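--- a/net/cert/internal/verify_certificate_chain.cc
+++ b/net/cert/internal/verify_certificate_chain.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
@@ -49,29 +49,46 @@
                      "Does not have Basic Constraints");
 DEFINE_CERT_ERROR_ID(kNotPermittedByNameConstraints,
                      "Not permitted by name constraints");
 DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer,
                      "subject does not match issuer");
 DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed");
 DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding,
                      "Certificate.signatureAlgorithm is encoded differently "
                      "than TBSCertificate.signature");
 
+bool IsHandledCriticalExtensionOid(const der::Input& oid) {
+  if (oid == BasicConstraintsOid())
+    return true;
+  if (oid == KeyUsageOid())
+    return true;
+  if (oid == NameConstraintsOid())
+    return true;
+  // TODO(eroman): SubjectAltName isn't actually used here, but rather is being
+  // checked by a higher layer.
+  if (oid == SubjectAltNameOid())
+    return true;
+
+  // TODO(eroman): Make this more complete.
+  return false;
+}
+
 // Adds errors to |errors| if the certificate contains unconsumed _critical_
 // extensions.
 void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate& cert,
                                           CertErrors* errors) {
-  for (const auto& entry : cert.unparsed_extensions()) {
-    if (entry.second.critical) {
-      errors->AddError(kUnconsumedCriticalExtension,
-                       CreateCertErrorParams2Der("oid", entry.second.oid,
-                                                 "value", entry.second.value));
+  for (const auto& it : cert.extensions()) {
+    const ParsedExtension& extension = it.second;
+    if (extension.critical && !IsHandledCriticalExtensionOid(extension.oid)) {
+      errors->AddError(kUnconsumedCriticalExtension,
+                       CreateCertErrorParams2Der("oid", extension.oid, "value",
+                                                 extension.value));
     }
   }
 }
 
 // Returns true if |cert| was self-issued. The definition of self-issuance
 // comes from RFC 5280 section 6.1:
 //
 //   A certificate is self-issued if the same DN appears in the subject
 //   and issuer fields (the two DNs are the same if they match according
 //   to the rules specified in Section 7.1). In general, the issuer and
@@ -548,10 +565,10 @@
                             CertPathErrors* errors) {
   // TODO(eroman): This function requires that |errors| is empty upon entry,
   // which is not part of the API contract.
   DCHECK(!errors->ContainsHighSeverityErrors());
   VerifyCertificateChainNoReturnValue(certs, trust_anchor, signature_policy,
                                       time, errors);
   return !errors->ContainsHighSeverityErrors();
 }
 
 }  // namespace net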
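Review bot: IsHandledCriticalExtensionOid (new lines 59-73) reports SubjectAltName as handled even though the TODO on new line 66 says this file never processes it, so a critical SAN on any certificate in the chain — including intermediates and the trust anchor, where a "higher layer" doing name matching presumably never looks — is now accepted without anything having processed it, which RFC 5280 section 4.2 forbids for a critical extension the verifier does not recognize. If the intended contract is that the caller of VerifyCertificateChain processes the target certificate's SAN, that should be stated on the function rather than left as a TODO, e.g. `// SubjectAltName is whitelisted only because the caller of VerifyCertificateChain is expected to process it (name matching on the target certificate); a critical SAN on any other certificate is consequently not rejected here.` Separately, switching from unparsed_extensions() to extensions() plus an explicit allow-list means any extension ParsedCertificate parses but this list omits will now raise kUnconsumedCriticalExtension when marked critical — stricter, which is the safe direction, but it is a behaviour change that the commit description does not mention and that deserves a unit test pinning it. The VerifyCertificateChain body in the last hunk begins outside the hunk.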