Chromium Code Reviews Chromium Code Reviews
Issue 2833623002:
Extract IsKnownRoot() functionality for testing if a certificate is a (Closed)
| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/known_roots_mac.h" | |
| 6 | |
| 7 #include <Security/Security.h> | |
| 8 | |
| 9 #include <set> | |
| 10 | |
| 11 #include "base/lazy_instance.h" | |
| 12 #include "base/sha1.h" | |
|
mattm
2017/04/20 02:14:12
unnecessary?
eroman
2017/04/20 17:30:59
Done.
| |
| 13 #include "crypto/mac_security_services_lock.h" | |
| 14 #include "crypto/sha2.h" | |
|
mattm
2017/04/20 02:14:12
unnecessary?
eroman
2017/04/20 17:30:59
Done.
| |
| 15 #include "net/cert/x509_util_mac.h" | |
| 16 | |
| 17 using base::ScopedCFTypeRef; | |
| 18 | |
| 19 namespace net { | |
| 20 | |
| 21 namespace { | |
| 22 | |
| 23 // Helper class for managing the set of OS X Known Roots. This is only safe | |
| 24 // to initialize while the crypto::GetMacSecurityServicesLock() is held, due | |
| 25 // to calling into Security.framework functions; however, once initialized, | |
| 26 // it can be called at any time. | |
| 27 // In practice, due to lazy initialization, it's best to just always guard | |
| 28 // accesses with the lock. | |
| 29 class OSXKnownRootHelper { | |
| 30 public: | |
| 31 bool IsKnownRoot(SecCertificateRef cert) { | |
| 32 // If there are no known roots, then an API failure occurred. For safety, | |
| 33 // assume that all certificates are issued by known roots. | |
| 34 if (known_roots_.empty()) | |
| 35 return true; | |
| 36 | |
| 37 SHA256HashValue hash = x509_util::CalculateFingerprint256(cert); | |
| 38 return known_roots_.find(hash) != known_roots_.end(); | |
| 39 } | |
| 40 | |
| 41 private: | |
| 42 friend struct base::LazyInstanceTraitsBase<OSXKnownRootHelper>; | |
| 43 | |
| 44 OSXKnownRootHelper() { | |
| 45 crypto::GetMacSecurityServicesLock().AssertAcquired(); | |
| 46 | |
| 47 CFArrayRef cert_array = NULL; | |
| 48 OSStatus rv = SecTrustSettingsCopyCertificates( | |
| 49 kSecTrustSettingsDomainSystem, &cert_array); | |
| 50 if (rv != noErr) { | |
| 51 LOG(ERROR) << "Unable to determine trusted roots; assuming all roots are " | |
| 52 << "trusted! Error " << rv; | |
| 53 return; | |
| 54 } | |
| 55 base::ScopedCFTypeRef<CFArrayRef> scoped_array(cert_array); | |
| 56 for (CFIndex i = 0, size = CFArrayGetCount(cert_array); i < size; ++i) { | |
| 57 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( | |
| 58 const_cast<void*>(CFArrayGetValueAtIndex(cert_array, i))); | |
| 59 known_roots_.insert(x509_util::CalculateFingerprint256(cert)); | |
| 60 } | |
| 61 } | |
| 62 | |
| 63 ~OSXKnownRootHelper() {} | |
| 64 | |
| 65 std::set<SHA256HashValue, SHA256HashValueLessThan> known_roots_; | |
| 66 }; | |
| 67 | |
| 68 base::LazyInstance<OSXKnownRootHelper>::Leaky g_known_roots = | |
| 69 LAZY_INSTANCE_INITIALIZER; | |
| 70 | |
| 71 } // namespace | |
| 72 | |
| 73 bool IsKnownRoot(SecCertificateRef cert) { | |
| 74 return g_known_roots.Get().IsKnownRoot(cert); | |
| 75 } | |
| 76 | |
| 77 void InitializeKnownRoots() { | |
| 78 base::AutoLock lock(crypto::GetMacSecurityServicesLock()); | |
| 79 g_known_roots.Get(); | |
| 80 } | |
| 81 | |
| 82 } // namespace net | |
| OLD | NEW |
