| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/path_builder.h" | 5 #include "net/cert/internal/path_builder.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 #include <unordered_set> | 8 #include <unordered_set> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 118 matching lines...) |
| 129 const TrustStore* trust_store) | 129 const TrustStore* trust_store) |
| 130 : cert_(in_cert), | 130 : cert_(in_cert), |
| 131 cert_issuer_sources_(cert_issuer_sources), | 131 cert_issuer_sources_(cert_issuer_sources), |
| 132 trust_store_(trust_store) { | 132 trust_store_(trust_store) { |
| 133 DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert()) << ") created"; | 133 DVLOG(1) << "CertIssuersIter(" << CertDebugString(cert()) << ") created"; |
| 134 } | 134 } |
| 135 | 135 |
| 136 void CertIssuersIter::GetNextIssuer(CertificateOrTrustAnchor* out) { | 136 void CertIssuersIter::GetNextIssuer(CertificateOrTrustAnchor* out) { |
| 137 if (!did_initial_query_) { | 137 if (!did_initial_query_) { |
| 138 did_initial_query_ = true; | 138 did_initial_query_ = true; |
| 139 trust_store_->FindTrustAnchorsForCert(cert_, &anchors_); | 139 ParsedCertificateList issuers_from_trust_store; |
| 140 trust_store_->FindIssuers(cert_, &anchors_, &issuers_from_trust_store); |
| 141 AddIssuers(std::move(issuers_from_trust_store)); |
| 140 | 142 |
| 141 for (auto* cert_issuer_source : *cert_issuer_sources_) { | 143 for (auto* cert_issuer_source : *cert_issuer_sources_) { |
| 142 ParsedCertificateList new_issuers; | 144 ParsedCertificateList new_issuers; |
| 143 cert_issuer_source->SyncGetIssuersOf(cert(), &new_issuers); | 145 cert_issuer_source->SyncGetIssuersOf(cert(), &new_issuers); |
| 144 AddIssuers(std::move(new_issuers)); | 146 AddIssuers(std::move(new_issuers)); |
| 145 } | 147 } |
| 146 DVLOG(1) << anchors_.size() << " sync anchors, " << issuers_.size() | 148 DVLOG(1) << anchors_.size() << " sync anchors, " << issuers_.size() |
| 147 << " sync issuers"; | 149 << " sync issuers"; |
| 148 // TODO(mattm): sort by notbefore, etc (eg if cert issuer matches a trust | 150 // TODO(mattm): sort by notbefore, etc (eg if cert issuer matches a trust |
| 149 // anchor subject (or is a trust anchor), that should be sorted higher too. | 151 // anchor subject (or is a trust anchor), that should be sorted higher too. |
| (...skipping 393 matching lines...) |
| 543 | 545 |
| 544 // Verify the entire certificate chain. | 546 // Verify the entire certificate chain. |
| 545 auto result_path = base::MakeUnique<ResultPath>(); | 547 auto result_path = base::MakeUnique<ResultPath>(); |
| 546 bool verify_result = VerifyCertificateChain( | 548 bool verify_result = VerifyCertificateChain( |
| 547 next_path_.certs, next_path_.trust_anchor.get(), signature_policy_, time_, | 549 next_path_.certs, next_path_.trust_anchor.get(), signature_policy_, time_, |
| 548 key_purpose_, &result_path->errors); | 550 key_purpose_, &result_path->errors); |
| 549 DVLOG(1) << "CertPathBuilder VerifyCertificateChain result = " | 551 DVLOG(1) << "CertPathBuilder VerifyCertificateChain result = " |
| 550 << verify_result; | 552 << verify_result; |
| 551 result_path->path = next_path_; | 553 result_path->path = next_path_; |
| 552 DCHECK_EQ(verify_result, !result_path->errors.ContainsHighSeverityErrors()); | 554 DCHECK_EQ(verify_result, !result_path->errors.ContainsHighSeverityErrors()); |
| 555 |
| 556 // TODO(eroman): Check that none of the certificates are blacklisted. |
| 557 |
| 553 AddResultPath(std::move(result_path)); | 558 AddResultPath(std::move(result_path)); |
| 554 | 559 |
| 555 if (verify_result) { | 560 if (verify_result) { |
| 556 // Found a valid path, return immediately. | 561 // Found a valid path, return immediately. |
| 557 // TODO(mattm): add debug/test mode that tries all possible paths. | 562 // TODO(mattm): add debug/test mode that tries all possible paths. |
| 558 next_state_ = STATE_NONE; | 563 next_state_ = STATE_NONE; |
| 559 return; | 564 return; |
| 560 } | 565 } |
| 561 | 566 |
| 562 // Path did not verify. Try more paths. If there are no more paths, the result | 567 // Path did not verify. Try more paths. If there are no more paths, the result |
| 563 // will be returned next time DoGetNextPathComplete is called with next_path_ | 568 // will be returned next time DoGetNextPathComplete is called with next_path_ |
| 564 // empty. | 569 // empty. |
| 565 next_state_ = STATE_GET_NEXT_PATH; | 570 next_state_ = STATE_GET_NEXT_PATH; |
| 566 } | 571 } |
| 567 | 572 |
| 568 void CertPathBuilder::AddResultPath(std::unique_ptr<ResultPath> result_path) { | 573 void CertPathBuilder::AddResultPath(std::unique_ptr<ResultPath> result_path) { |
| 569 // TODO(mattm): set best_result_index based on number or severity of errors. | 574 // TODO(mattm): set best_result_index based on number or severity of errors. |
| 570 if (result_path->IsValid()) | 575 if (result_path->IsValid()) |
| 571 out_result_->best_result_index = out_result_->paths.size(); | 576 out_result_->best_result_index = out_result_->paths.size(); |
| 572 // TODO(mattm): add flag to only return a single path or all attempted paths? | 577 // TODO(mattm): add flag to only return a single path or all attempted paths? |
| 573 out_result_->paths.push_back(std::move(result_path)); | 578 out_result_->paths.push_back(std::move(result_path)); |
| 574 } | 579 } |
| 575 | 580 |
| 576 } // namespace net | 581 } // namespace net |
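Review bot: The blacklist TODO added at new line 556 is placed after the `DCHECK_EQ(verify_result, !result_path->errors.ContainsHighSeverityErrors())` on new line 554, so a check later inserted at that spot that only flips `verify_result` would break the invariant the DCHECK asserts; the comment should state where the check has to report, e.g. `// TODO(eroman): Check that none of the certificates are blacklisted. Report a high-severity error via result_path->errors (before the DCHECK above) so verify_result and the error set stay consistent.` Naming a tracking bug on the TODO would also keep the missing check from being lost, since `verify_result` alone currently decides whether the path is accepted at new line 560. The enclosing function starts outside this hunk.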