| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/system_trust_store.h" | 5 #include "net/cert/internal/system_trust_store.h" |
| 6 | 6 |
| 7 #if defined(USE_NSS_CERTS) | 7 #if defined(USE_NSS_CERTS) |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 10 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 11 #include <Security/Security.h> | 11 #include <Security/Security.h> |
| 12 #endif | 12 #endif |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "net/cert/internal/trust_store_collection.h" | 15 #include "net/cert/internal/trust_store_collection.h" |
| 16 #include "net/cert/internal/trust_store_in_memory.h" | 16 #include "net/cert/internal/trust_store_in_memory.h" |
| 17 | 17 |
| 18 #if defined(USE_NSS_CERTS) | 18 #if defined(USE_NSS_CERTS) |
| 19 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 20 #include "net/cert/internal/cert_issuer_source_nss.h" | 20 #include "net/cert/internal/cert_issuer_source_nss.h" |
| 21 #include "net/cert/internal/trust_store_nss.h" | 21 #include "net/cert/internal/trust_store_nss.h" |
| 22 #include "net/cert/known_roots_nss.h" |
| 22 #include "net/cert/scoped_nss_types.h" | 23 #include "net/cert/scoped_nss_types.h" |
| 23 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 24 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 24 #include "net/cert/internal/trust_store_mac.h" | 25 #include "net/cert/internal/trust_store_mac.h" |
| 26 #include "net/cert/known_roots_mac.h" |
| 27 #include "net/cert/x509_util_mac.h" |
| 25 #endif | 28 #endif |
| 26 | 29 |
| 27 namespace net { | 30 namespace net { |
| 28 | 31 |
| 29 namespace { | 32 namespace { |
| 30 | 33 |
| 31 // Abstract implementation of SystemTrustStore to be used as a base class. | 34 // Abstract implementation of SystemTrustStore to be used as a base class. |
| 32 // Handles the addition of additional trust anchors. | 35 // Handles the addition of additional trust anchors. |
| 33 class BaseSystemTrustStore : public SystemTrustStore { | 36 class BaseSystemTrustStore : public SystemTrustStore { |
| 34 public: | 37 public: |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 86 SECItem der_cert; | 89 SECItem der_cert; |
| 87 der_cert.data = | 90 der_cert.data = |
| 88 const_cast<uint8_t*>(trust_anchor->cert()->der_cert().UnsafeData()); | 91 const_cast<uint8_t*>(trust_anchor->cert()->der_cert().UnsafeData()); |
| 89 der_cert.len = trust_anchor->cert()->der_cert().Length(); | 92 der_cert.len = trust_anchor->cert()->der_cert().Length(); |
| 90 der_cert.type = siDERCertBuffer; | 93 der_cert.type = siDERCertBuffer; |
| 91 ScopedCERTCertificate nss_cert( | 94 ScopedCERTCertificate nss_cert( |
| 92 CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert)); | 95 CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert)); |
| 93 if (!nss_cert) | 96 if (!nss_cert) |
| 94 return false; | 97 return false; |
| 95 | 98 |
| 96 return IsKnownRoot(nss_cert.get()); | 99 return net::IsKnownRoot(nss_cert.get()); |
| 97 } | 100 } |
| 98 | 101 |
| 99 private: | 102 private: |
| 100 // TODO(eroman): This function was copied verbatim from | |
| 101 // cert_verify_proc_nss.cc | |
| 102 // | |
| 103 // IsKnownRoot returns true if the given certificate is one that we believe | |
| 104 // is a standard (as opposed to user-installed) root. | |
| 105 bool IsKnownRoot(CERTCertificate* root) const { | |
| 106 if (!root || !root->slot) | |
| 107 return false; | |
| 108 | |
| 109 // This magic name is taken from | |
| 110 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw
/builtins/constants.c&rev=1.13&mark=86,89#79 | |
| 111 return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects"); | |
| 112 } | |
| 113 | |
| 114 TrustStoreNSS trust_store_nss_; | 103 TrustStoreNSS trust_store_nss_; |
| 115 CertIssuerSourceNSS cert_issuer_source_nss_; | 104 CertIssuerSourceNSS cert_issuer_source_nss_; |
| 116 }; | 105 }; |
| 117 | 106 |
| 118 } // namespace | 107 } // namespace |
| 119 | 108 |
| 120 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 109 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 121 return base::MakeUnique<SystemTrustStoreNSS>(); | 110 return base::MakeUnique<SystemTrustStoreNSS>(); |
| 122 } | 111 } |
| 123 | 112 |
| 124 #elif defined(OS_MACOSX) && !defined(OS_IOS) | 113 #elif defined(OS_MACOSX) && !defined(OS_IOS) |
| 125 | 114 |
| 115 // TODO(eroman): Compose with test roots added via cert/test_roots.h |
| 126 class SystemTrustStoreMac : public BaseSystemTrustStore { | 116 class SystemTrustStoreMac : public BaseSystemTrustStore { |
| 127 public: | 117 public: |
| 128 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { | 118 explicit SystemTrustStoreMac() : trust_store_mac_(kSecPolicyAppleSSL) { |
| 119 InitializeKnownRoots(); |
| 129 trust_store_.AddTrustStore(&trust_store_mac_); | 120 trust_store_.AddTrustStore(&trust_store_mac_); |
| 130 } | 121 } |
| 131 | 122 |
| 132 CertIssuerSource* GetCertIssuerSource() override { | 123 CertIssuerSource* GetCertIssuerSource() override { |
| 133 // TODO(eroman): Should this return something? | 124 // TODO(eroman): Implement. |
| 134 return nullptr; | 125 return nullptr; |
| 135 } | 126 } |
| 136 | 127 |
| 137 bool UsesSystemTrustStore() const override { return true; } | 128 bool UsesSystemTrustStore() const override { return true; } |
| 138 | 129 |
| 139 // IsKnownRoot returns true if the given trust anchor is a standard one (as | 130 // IsKnownRoot returns true if the given trust anchor is a standard one (as |
| 140 // opposed to a user-installed root) | 131 // opposed to a user-installed root) |
| 141 bool IsKnownRoot( | 132 bool IsKnownRoot( |
| 142 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 133 const scoped_refptr<TrustAnchor>& trust_anchor) const override { |
| 143 // TODO(eroman): Implement. | 134 if (!trust_anchor->cert()) |
| 144 return false; | 135 return false; |
| 136 |
| 137 der::Input bytes = trust_anchor->cert()->der_cert(); |
| 138 base::ScopedCFTypeRef<SecCertificateRef> cert_ref = |
| 139 x509_util::CreateSecCertificateFromBytes(bytes.UnsafeData(), |
| 140 bytes.Length()); |
| 141 if (!cert_ref) |
| 142 return false; |
| 143 |
| 144 return net::IsKnownRoot(cert_ref); |
| 145 } | 145 } |
| 146 | 146 |
| 147 private: | 147 private: |
| 148 TrustStoreMac trust_store_mac_; | 148 TrustStoreMac trust_store_mac_; |
| 149 }; | 149 }; |
| 150 | 150 |
| 151 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 151 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 152 return base::MakeUnique<SystemTrustStoreMac>(); | 152 return base::MakeUnique<SystemTrustStoreMac>(); |
| 153 } | 153 } |
| 154 #else | 154 #else |
| 155 | 155 |
| 156 class DummySystemTrustStore : public BaseSystemTrustStore { | 156 class DummySystemTrustStore : public BaseSystemTrustStore { |
| 157 public: | 157 public: |
| 158 bool UsesSystemTrustStore() const override { return false; } | 158 bool UsesSystemTrustStore() const override { return false; } |
| 159 | 159 |
| 160 bool IsKnownRoot( | 160 bool IsKnownRoot( |
| 161 const scoped_refptr<TrustAnchor>& trust_anchor) const override { | 161 const scoped_refptr<TrustAnchor>& trust_anchor) const override { |
| 162 return false; | 162 return false; |
| 163 } | 163 } |
| 164 }; | 164 }; |
| 165 | 165 |
| 166 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { | 166 std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { |
| 167 return base::MakeUnique<DummySystemTrustStore>(); | 167 return base::MakeUnique<DummySystemTrustStore>(); |
| 168 } | 168 } |
| 169 #endif | 169 #endif |
| 170 | 170 |
| 171 } // namespace net | 171 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2833623002:
Extract IsKnownRoot() functionality for testing if a certificate is a (Closed)
