| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_win.h" | 5 #include "net/cert/cert_verify_proc_win.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 11 #include "base/memory/free_deleter.h" | 11 #include "base/memory/free_deleter.h" |
| 12 #include "base/metrics/histogram_macros.h" | 12 #include "base/metrics/histogram_macros.h" |
| 13 #include "base/sha1.h" | 13 #include "base/sha1.h" |
| 14 #include "base/strings/string_util.h" | 14 #include "base/strings/string_util.h" |
| 15 #include "base/strings/utf_string_conversions.h" | 15 #include "base/strings/utf_string_conversions.h" |
| 16 #include "base/threading/thread_local.h" | 16 #include "base/threading/thread_local.h" |
| 17 #include "crypto/capi_util.h" | 17 #include "crypto/capi_util.h" |
| 18 #include "crypto/scoped_capi_types.h" | 18 #include "crypto/scoped_capi_types.h" |
| 19 #include "crypto/sha2.h" | 19 #include "crypto/sha2.h" |
| 20 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
| 21 #include "net/cert/asn1_util.h" | 21 #include "net/cert/asn1_util.h" |
| 22 #include "net/cert/cert_status_flags.h" | 22 #include "net/cert/cert_status_flags.h" |
| 23 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
| 24 #include "net/cert/cert_verify_result.h" | 24 #include "net/cert/cert_verify_result.h" |
| 25 #include "net/cert/crl_set.h" | 25 #include "net/cert/crl_set.h" |
| 26 #include "net/cert/ev_root_ca_metadata.h" | 26 #include "net/cert/ev_root_ca_metadata.h" |
| 27 #include "net/cert/known_roots_win.h" |
| 27 #include "net/cert/test_root_certs.h" | 28 #include "net/cert/test_root_certs.h" |
| 28 #include "net/cert/x509_certificate.h" | 29 #include "net/cert/x509_certificate.h" |
| 29 #include "net/cert/x509_certificate_known_roots_win.h" | |
| 30 | 30 |
| 31 #if !defined(CERT_TRUST_HAS_WEAK_SIGNATURE) | 31 #if !defined(CERT_TRUST_HAS_WEAK_SIGNATURE) |
| 32 // This was introduced in Windows 8 / Windows Server 2012, but retroactively | 32 // This was introduced in Windows 8 / Windows Server 2012, but retroactively |
| 33 // ported as far back as Windows XP via system update. | 33 // ported as far back as Windows XP via system update. |
| 34 #define CERT_TRUST_HAS_WEAK_SIGNATURE 0x00100000 | 34 #define CERT_TRUST_HAS_WEAK_SIGNATURE 0x00100000 |
| 35 #endif | 35 #endif |
| 36 | 36 |
| 37 namespace net { | 37 namespace net { |
| 38 | 38 |
| 39 namespace { | 39 namespace { |
| (...skipping 237 matching lines...) |
| 277 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA | 277 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA |
| 278 // which we recognise as a standard root. | 278 // which we recognise as a standard root. |
| 279 // static | 279 // static |
| 280 bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) { | 280 bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) { |
| 281 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 281 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
| 282 int num_elements = first_chain->cElement; | 282 int num_elements = first_chain->cElement; |
| 283 if (num_elements < 1) | 283 if (num_elements < 1) |
| 284 return false; | 284 return false; |
| 285 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 285 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
| 286 PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext; | 286 PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext; |
| 287 | 287 return IsKnownRoot(cert); |
| 288 SHA256HashValue hash = X509Certificate::CalculateFingerprint256(cert); | |
| 289 bool is_builtin = | |
| 290 IsSHA256HashInSortedArray(hash, &kKnownRootCertSHA256Hashes[0][0], | |
| 291 sizeof(kKnownRootCertSHA256Hashes)); | |
| 292 | |
| 293 // Test to see if the use of a built-in set of known roots on Windows can be | |
| 294 // replaced with using AuthRoot's SHA-256 property. On any system other than | |
| 295 // a fresh RTM with no AuthRoot updates, this property should always exist for | |
| 296 // roots delivered via AuthRoot.stl, but should not exist on any manually or | |
| 297 // administratively deployed roots. | |
| 298 BYTE hash_prop[32] = {0}; | |
| 299 DWORD size = sizeof(hash_prop); | |
| 300 bool found_property = | |
| 301 CertGetCertificateContextProperty( | |
| 302 cert, CERT_AUTH_ROOT_SHA256_HASH_PROP_ID, &hash_prop, &size) && | |
| 303 size == sizeof(hash_prop); | |
| 304 | |
| 305 enum BuiltinStatus { | |
| 306 BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_NOT_SET = 0, | |
| 307 BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_SET = 1, | |
| 308 BUILT_IN_PROPERTY_FOUND_BUILTIN_NOT_SET = 2, | |
| 309 BUILT_IN_PROPERTY_FOUND_BUILTIN_SET = 3, | |
| 310 BUILT_IN_MAX_VALUE, | |
| 311 } status; | |
| 312 if (!found_property && !is_builtin) { | |
| 313 status = BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_NOT_SET; | |
| 314 } else if (!found_property && is_builtin) { | |
| 315 status = BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_SET; | |
| 316 } else if (found_property && !is_builtin) { | |
| 317 status = BUILT_IN_PROPERTY_FOUND_BUILTIN_NOT_SET; | |
| 318 } else if (found_property && is_builtin) { | |
| 319 status = BUILT_IN_PROPERTY_FOUND_BUILTIN_SET; | |
| 320 } else { | |
| 321 status = BUILT_IN_MAX_VALUE; | |
| 322 } | |
| 323 UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status, | |
| 324 BUILT_IN_MAX_VALUE); | |
| 325 | |
| 326 return is_builtin; | |
| 327 } | 288 } |
| 328 | 289 |
| 329 // Saves some information about the certificate chain |chain_context| in | 290 // Saves some information about the certificate chain |chain_context| in |
| 330 // |*verify_result|. The caller MUST initialize |*verify_result| before | 291 // |*verify_result|. The caller MUST initialize |*verify_result| before |
| 331 // calling this function. | 292 // calling this function. |
| 332 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, | 293 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, |
| 333 CertVerifyResult* verify_result) { | 294 CertVerifyResult* verify_result) { |
| 334 if (chain_context->cChain == 0) | 295 if (chain_context->cChain == 0) |
| 335 return; | 296 return; |
| 336 | 297 |
| (...skipping 879 matching lines...) |
| 1216 return MapCertStatusToNetError(verify_result->cert_status); | 1177 return MapCertStatusToNetError(verify_result->cert_status); |
| 1217 | 1178 |
| 1218 if (ev_policy_oid && | 1179 if (ev_policy_oid && |
| 1219 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { | 1180 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { |
| 1220 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1181 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 1221 } | 1182 } |
| 1222 return OK; | 1183 return OK; |
| 1223 } | 1184 } |
| 1224 | 1185 |
| 1225 } // namespace net | 1186 } // namespace net |
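Review bot: IsIssuedByKnownRoot still dereferences `chain_context->rgpChain[0]` without checking `cChain`, while GetCertChainInfo directly below returns early on `chain_context->cChain == 0`; unless every caller guarantees a non-empty chain (not visible in this section), add `if (chain_context->cChain == 0) return false;` as the first statement of the body. With the hash lookup moved into `IsKnownRoot(cert)`, the function comment no longer says what "standard root" means here, so I would extend it with `// Delegates to IsKnownRoot() in known_roots_win.h; only the last element of the first simple chain is checked.` The removed block also recorded that the AuthRoot SHA-256 property can be absent on a fresh RTM install with no AuthRoot updates and is not expected on manually or administratively deployed roots; if IsKnownRoot relies on that property (its definition is outside this page), that caveat should be kept next to it, because a wrong answer here changes how the chain's root is classified for every later policy decision that reads it.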