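--- a/net/tools/cert_verify_tool/verify_using_path_builder.cc
+++ b/net/tools/cert_verify_tool/verify_using_path_builder.cc
@@ -1,56 +1,44 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/tools/cert_verify_tool/verify_using_path_builder.h"
 
 #include <iostream>
 
 #include "base/memory/ptr_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread.h"
 #include "crypto/sha2.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/internal/cert_issuer_source_aia.h"
 #include "net/cert/internal/cert_issuer_source_static.h"
 #include "net/cert/internal/parse_name.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/cert/internal/path_builder.h"
 #include "net/cert/internal/signature_policy.h"
-#include "net/cert/internal/trust_store_collection.h"
-#include "net/cert/internal/trust_store_in_memory.h"
+#include "net/cert/internal/system_trust_store.h"
 #include "net/cert/x509_util.h"
 #include "net/cert_net/cert_net_fetcher_impl.h"
 #include "net/tools/cert_verify_tool/cert_verify_tool_util.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_builder.h"
 #include "net/url_request/url_request_context_getter.h"
 
-#if defined(USE_NSS_CERTS)
-#include "base/threading/thread_task_runner_handle.h"
-#include "net/cert/internal/cert_issuer_source_nss.h"
-#include "net/cert/internal/trust_store_nss.h"
-#endif
-
 #if defined(OS_LINUX)
 #include "net/proxy/proxy_config.h"
 #include "net/proxy/proxy_config_service_fixed.h"
 #endif
 
-#if defined(OS_MACOSX) && !defined(OS_IOS)
-#include <Security/Security.h>
-#include "net/cert/internal/trust_store_mac.h"
-#endif
-
 namespace {
 
 std::string GetUserAgent() {
   return "cert_verify_tool/0.1";
 }
 
 // Converts a base::Time::Exploded to a net::der::GeneralizedTime.
 // TODO(mattm): This function exists in cast_cert_validator.cc also. Dedupe it?
 net::der::GeneralizedTime ConvertExplodedTime(
     const base::Time::Exploded& exploded) {
@@ -214,68 +202,57 @@
 bool VerifyUsingPathBuilder(
     const CertInput& target_der_cert,
     const std::vector<CertInput>& intermediate_der_certs,
     const std::vector<CertInput>& root_der_certs,
     const base::Time at_time,
     const base::FilePath& dump_prefix_path) {
   base::Time::Exploded exploded_time;
   at_time.UTCExplode(&exploded_time);
   net::der::GeneralizedTime time = ConvertExplodedTime(exploded_time);
 
-  net::TrustStoreCollection trust_store;
+  std::unique_ptr<net::SystemTrustStore> ssl_trust_store =
+      net::CreateSslSystemTrustStore();
 
-  net::TrustStoreInMemory trust_store_in_memory;
-  trust_store.AddTrustStore(&trust_store_in_memory);
   for (const auto& der_cert : root_der_certs) {
     scoped_refptr<net::ParsedCertificate> cert = ParseCertificate(der_cert);
     if (cert) {
-      trust_store_in_memory.AddTrustAnchor(
+      ssl_trust_store->AddTrustAnchor(
           net::TrustAnchor::CreateFromCertificateNoConstraints(cert));
     }
   }
 
-#if defined(USE_NSS_CERTS)
-  net::TrustStoreNSS trust_store_nss(trustSSL);
-  trust_store.AddTrustStore(&trust_store_nss);
-#elif defined(OS_MACOSX) && !defined(OS_IOS)
-  net::TrustStoreMac trust_store_mac(kSecPolicyAppleSSL);
-  trust_store.AddTrustStore(&trust_store_mac);
-#else
-  if (root_der_certs.empty()) {
+  if (!ssl_trust_store->UsesSystemTrustStore() && root_der_certs.empty()) {
     std::cerr << "NOTE: CertPathBuilder does not currently use OS trust "
                  "settings (--roots must be specified).\n";
   }
-#endif
-
   net::CertIssuerSourceStatic intermediate_cert_issuer_source;
   for (const auto& der_cert : intermediate_der_certs) {
     scoped_refptr<net::ParsedCertificate> cert = ParseCertificate(der_cert);
     if (cert)
       intermediate_cert_issuer_source.AddCert(cert);
   }
 
   scoped_refptr<net::ParsedCertificate> target_cert =
       ParseCertificate(target_der_cert);
   if (!target_cert)
     return false;
 
   // Verify the chain.
   net::SimpleSignaturePolicy signature_policy(2048);
   net::CertPathBuilder::Result result;
-  net::CertPathBuilder path_builder(target_cert, &trust_store,
-                                    &signature_policy, time,
-                                    net::KeyPurpose::SERVER_AUTH, &result);
+  net::CertPathBuilder path_builder(
+      target_cert, ssl_trust_store->GetTrustStore(), &signature_policy, time,
+      net::KeyPurpose::SERVER_AUTH, &result);
   path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
-#if defined(USE_NSS_CERTS)
-  net::CertIssuerSourceNSS cert_issuer_source_nss;
-  path_builder.AddCertIssuerSource(&cert_issuer_source_nss);
-#endif
+
+  if (ssl_trust_store->GetCertIssuerSource())
+    path_builder.AddCertIssuerSource(ssl_trust_store->GetCertIssuerSource());
 
   // Create a network thread to be used for AIA fetches, and wait for a
   // CertNetFetcher to be constructed on that thread.
   base::Thread::Options options(base::MessageLoop::TYPE_IO, 0);
   base::Thread thread("network_thread");
   CHECK(thread.StartWithOptions(options));
   // Owned by this thread, but initialized, used, and shutdown on the network
   // thread.
   std::unique_ptr<net::URLRequestContext> context;
   scoped_refptr<net::CertNetFetcher> cert_net_fetcher;
@@ -317,10 +294,10 @@
     if (!DumpParsedCertificateChain(
             dump_prefix_path.AddExtension(
                 FILE_PATH_LITERAL(".CertPathBuilder.pem")),
             result.paths[result.best_result_index]->path)) {
       return false;
     }
   }
 
   return result.HasValidPath();
 }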
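Review bot: The roots given on the command line are now added into the same store that may already hold the platform's anchors (new line 218, `ssl_trust_store->AddTrustAnchor(...)` on the object returned by `CreateSslSystemTrustStore()`), so on a platform where `UsesSystemTrustStore()` is true a chain can validate through an OS anchor even though the user passed `--roots`, and nothing in the output says which anchor was used; the old code had the same union semantics, but it is now the only configuration and deserves a comment. I would add above the loop: `// Anchors from --roots are trusted in addition to, not instead of, the platform's own anchors (when a system trust store is available).` The NOTE at new lines 223–226 is only printed when neither source is present, so a user who expects `--roots` to be exclusive gets no hint. As a point of style, `GetCertIssuerSource()` is called twice at new lines 247–248; binding it once, `net::CertIssuerSource* system_issuer_source = ssl_trust_store->GetCertIssuerSource();`, reads cleaner. The body of VerifyUsingPathBuilder continues in the lines the page skips between the second and third hunk.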