| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/memory/ptr_util.h" | 10 #include "base/memory/ptr_util.h" |
| 11 #include "net/cert/internal/cert_error_params.h" | 11 #include "net/cert/internal/cert_error_params.h" |
| 12 #include "net/cert/internal/cert_errors.h" | 12 #include "net/cert/internal/cert_errors.h" |
| 13 #include "net/cert/internal/extended_key_usage.h" | 13 #include "net/cert/internal/extended_key_usage.h" |
| 14 #include "net/cert/internal/name_constraints.h" | 14 #include "net/cert/internal/name_constraints.h" |
| 15 #include "net/cert/internal/parse_certificate.h" | 15 #include "net/cert/internal/parse_certificate.h" |
| 16 #include "net/cert/internal/signature_algorithm.h" | 16 #include "net/cert/internal/signature_algorithm.h" |
| 17 #include "net/cert/internal/signature_policy.h" | 17 #include "net/cert/internal/signature_policy.h" |
| 18 #include "net/cert/internal/trust_store.h" | 18 #include "net/cert/internal/trust_store.h" |
| 19 #include "net/cert/internal/verify_signed_data.h" | 19 #include "net/cert/internal/verify_signed_data.h" |
| 20 #include "net/der/input.h" | 20 #include "net/der/input.h" |
| 21 #include "net/der/parser.h" | 21 #include "net/der/parser.h" |
| 22 | 22 |
| 23 namespace net { | 23 namespace net { |
| 24 | 24 |
| 25 DEFINE_CERT_ERROR_ID(kValidityFailedNotAfter, "Time is after notAfter"); | 25 DEFINE_CERT_ERROR_ID(kValidityFailedNotAfter, "Time is after notAfter"); |
| 26 DEFINE_CERT_ERROR_ID(kValidityFailedNotBefore, "Time is before notBefore"); | 26 DEFINE_CERT_ERROR_ID(kValidityFailedNotBefore, "Time is before notBefore"); |
| 27 DEFINE_CERT_ERROR_ID(kCertIsDistrusted, "Certificate is distrusted"); |
| 27 | 28 |
| 28 namespace { | 29 namespace { |
| 29 | 30 |
| 30 // ----------------------------------------------- | 31 // ----------------------------------------------- |
| 31 // Errors/Warnings set by VerifyCertificateChain | 32 // Errors/Warnings set by VerifyCertificateChain |
| 32 // ----------------------------------------------- | 33 // ----------------------------------------------- |
| 33 | 34 |
| 34 DEFINE_CERT_ERROR_ID( | 35 DEFINE_CERT_ERROR_ID( |
| 35 kSignatureAlgorithmMismatch, | 36 kSignatureAlgorithmMismatch, |
| 36 "Certificate.signatureAlgorithm != TBSCertificate.signature"); | 37 "Certificate.signatureAlgorithm != TBSCertificate.signature"); |
| (...skipping 18 matching lines...) Expand all Loading... |
| 55 DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer, | 56 DEFINE_CERT_ERROR_ID(kSubjectDoesNotMatchIssuer, |
| 56 "subject does not match issuer"); | 57 "subject does not match issuer"); |
| 57 DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed"); | 58 DEFINE_CERT_ERROR_ID(kVerifySignedDataFailed, "VerifySignedData failed"); |
| 58 DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding, | 59 DEFINE_CERT_ERROR_ID(kSignatureAlgorithmsDifferentEncoding, |
| 59 "Certificate.signatureAlgorithm is encoded differently " | 60 "Certificate.signatureAlgorithm is encoded differently " |
| 60 "than TBSCertificate.signature"); | 61 "than TBSCertificate.signature"); |
| 61 DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth, | 62 DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth, |
| 62 "The extended key usage does not include server auth"); | 63 "The extended key usage does not include server auth"); |
| 63 DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth, | 64 DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth, |
| 64 "The extended key usage does not include client auth"); | 65 "The extended key usage does not include client auth"); |
| 65 DEFINE_CERT_ERROR_ID(kCertIsDistrusted, "Certificate is distrusted"); | |
| 66 DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor, | 66 DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor, |
| 67 "Certificate is not a trust anchor"); | 67 "Certificate is not a trust anchor"); |
| 68 | 68 |
| 69 bool IsHandledCriticalExtensionOid(const der::Input& oid) { | 69 bool IsHandledCriticalExtensionOid(const der::Input& oid) { |
| 70 if (oid == BasicConstraintsOid()) | 70 if (oid == BasicConstraintsOid()) |
| 71 return true; | 71 return true; |
| 72 // Key Usage is NOT processed for end-entity certificates (this is the | 72 // Key Usage is NOT processed for end-entity certificates (this is the |
| 73 // responsibility of callers), however it is considered "handled" here in | 73 // responsibility of callers), however it is considered "handled" here in |
| 74 // order to allow being marked as critical. | 74 // order to allow being marked as critical. |
| 75 if (oid == KeyUsageOid()) | 75 if (oid == KeyUsageOid()) |
| (...skipping 579 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 655 } | 655 } |
| 656 } | 656 } |
| 657 | 657 |
| 658 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: | 658 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: |
| 659 // | 659 // |
| 660 // A certificate MUST NOT appear more than once in a prospective | 660 // A certificate MUST NOT appear more than once in a prospective |
| 661 // certification path. | 661 // certification path. |
| 662 } | 662 } |
| 663 | 663 |
| 664 } // namespace net | 664 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2854263004:
Add tests for PathBuilder when certificates are distrusted. (Closed)
