net/cert/cert_verify_proc_ios.cc - Issue 2864133002: Convert iOS to use X509CertificateBytes.

Side by Side Diff: net/cert/cert_verify_proc_ios.cc

Issue 2864133002: Convert iOS to use X509CertificateBytes. (Closed)

Patch Set: static_cast, more unittest Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2016 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2016 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc_ios.h"	5 #include "net/cert/cert_verify_proc_ios.h"

6	6

7 #include <CommonCrypto/CommonDigest.h>	7 #include <CommonCrypto/CommonDigest.h>

8	8

9 #include "base/logging.h"	9 #include "base/logging.h"

10 #include "base/mac/scoped_cftyperef.h"	10 #include "base/mac/scoped_cftyperef.h"

11 #include "crypto/sha2.h"	11 #include "crypto/sha2.h"

12 #include "net/base/net_errors.h"	12 #include "net/base/net_errors.h"

13 #include "net/cert/asn1_util.h"	13 #include "net/cert/asn1_util.h"

14 #include "net/cert/cert_verify_result.h"	14 #include "net/cert/cert_verify_result.h"

15 #include "net/cert/test_root_certs.h"	15 #include "net/cert/test_root_certs.h"

16 #include "net/cert/x509_certificate.h"	16 #include "net/cert/x509_certificate.h"

	17 #include "net/cert/x509_util_ios.h"

	18 #include "net/cert/x509_util_ios_and_mac.h"

17 #include "net/ssl/openssl_ssl_util.h"	19 #include "net/ssl/openssl_ssl_util.h"

18	20

19 using base::ScopedCFTypeRef;	21 using base::ScopedCFTypeRef;

20	22

21 namespace net {	23 namespace net {

22	24

23 namespace {	25 namespace {

24	26

25 int NetErrorFromOSStatus(OSStatus status) {	27 int NetErrorFromOSStatus(OSStatus status) {

26 switch (status) {	28 switch (status) {

(...skipping 81 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
108 std::vector<SecCertificateRef> verified_chain;	110 std::vector<SecCertificateRef> verified_chain;

109 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {	111 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {

110 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(	112 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(

111 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));	113 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));

112 if (i == 0) {	114 if (i == 0) {

113 verified_cert = chain_cert;	115 verified_cert = chain_cert;

114 } else {	116 } else {

115 verified_chain.push_back(chain_cert);	117 verified_chain.push_back(chain_cert);

116 }	118 }

117	119

118 std::string der_bytes;	120 base::ScopedCFTypeRef<CFDataRef> der_data(

119 if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes)) {	121 SecCertificateCopyData(chain_cert));

	122 if (!der_data) {

120 verify_result->cert_status \|= CERT_STATUS_INVALID;	123 verify_result->cert_status \|= CERT_STATUS_INVALID;

121 return;	124 return;

122 }	125 }

123	126

124 base::StringPiece spki_bytes;	127 base::StringPiece spki_bytes;

125 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) {	128 if (!asn1::ExtractSPKIFromDERCert(

	129 base::StringPiece(

	130 reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),

	131 CFDataGetLength(der_data)),

	132 &spki_bytes)) {

126 verify_result->cert_status \|= CERT_STATUS_INVALID;	133 verify_result->cert_status \|= CERT_STATUS_INVALID;

127 return;	134 return;

128 }	135 }

129	136

130 HashValue sha1(HASH_VALUE_SHA1);	137 HashValue sha1(HASH_VALUE_SHA1);

131 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());	138 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());

132 verify_result->public_key_hashes.push_back(sha1);	139 verify_result->public_key_hashes.push_back(sha1);

133	140

134 HashValue sha256(HASH_VALUE_SHA256);	141 HashValue sha256(HASH_VALUE_SHA256);

135 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());	142 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());

136 verify_result->public_key_hashes.push_back(sha256);	143 verify_result->public_key_hashes.push_back(sha256);

137	144

138 // Ignore the signature algorithm for the trust anchor.	145 // Ignore the signature algorithm for the trust anchor.

139 if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 &&	146 if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 &&

140 i == count - 1) {	147 i == count - 1) {

141 continue;	148 continue;

142 }	149 }

143 }	150 }

144 if (!verified_cert) {	151 if (!verified_cert) {

145 NOTREACHED();	152 NOTREACHED();

146 verify_result->cert_status \|= CERT_STATUS_INVALID;	153 verify_result->cert_status \|= CERT_STATUS_INVALID;

147 return;	154 return;

148 }	155 }

149	156

150 scoped_refptr<X509Certificate> verified_cert_with_chain =	157 scoped_refptr<X509Certificate> verified_cert_with_chain =

151 X509Certificate::CreateFromHandle(verified_cert, verified_chain);	158 x509_util::CreateX509CertificateFromSecCertificate(verified_cert,

	159 verified_chain);

152 if (verified_cert_with_chain)	160 if (verified_cert_with_chain)

153 verify_result->verified_cert = std::move(verified_cert_with_chain);	161 verify_result->verified_cert = std::move(verified_cert_with_chain);

154 else	162 else

155 verify_result->cert_status \|= CERT_STATUS_INVALID;	163 verify_result->cert_status \|= CERT_STATUS_INVALID;

156 }	164 }

157	165

158 } // namespace	166 } // namespace

159	167

160 CertVerifyProcIOS::CertVerifyProcIOS() {}	168 CertVerifyProcIOS::CertVerifyProcIOS() {}

161	169

(...skipping 79 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
241 int flags,	249 int flags,

242 CRLSet* crl_set,	250 CRLSet* crl_set,

243 const CertificateList& additional_trust_anchors,	251 const CertificateList& additional_trust_anchors,

244 CertVerifyResult* verify_result) {	252 CertVerifyResult* verify_result) {

245 ScopedCFTypeRef<CFArrayRef> trust_policies;	253 ScopedCFTypeRef<CFArrayRef> trust_policies;

246 OSStatus status = CreateTrustPolicies(&trust_policies);	254 OSStatus status = CreateTrustPolicies(&trust_policies);

247 if (status)	255 if (status)

248 return NetErrorFromOSStatus(status);	256 return NetErrorFromOSStatus(status);

249	257

250 ScopedCFTypeRef<CFMutableArrayRef> cert_array(	258 ScopedCFTypeRef<CFMutableArrayRef> cert_array(

251 cert->CreateOSCertChainForCert());	259 x509_util::CreateSecCertificateArrayForX509Certificate(cert));

252 ScopedCFTypeRef<SecTrustRef> trust_ref;	260 ScopedCFTypeRef<SecTrustRef> trust_ref;

253 SecTrustResultType trust_result = kSecTrustResultDeny;	261 SecTrustResultType trust_result = kSecTrustResultDeny;

254 ScopedCFTypeRef<CFArrayRef> final_chain;	262 ScopedCFTypeRef<CFArrayRef> final_chain;

255	263

256 status = BuildAndEvaluateSecTrustRef(cert_array, trust_policies, &trust_ref,	264 status = BuildAndEvaluateSecTrustRef(cert_array, trust_policies, &trust_ref,

257 &final_chain, &trust_result);	265 &final_chain, &trust_result);

258 if (status)	266 if (status)

259 return NetErrorFromOSStatus(status);	267 return NetErrorFromOSStatus(status);

260	268

261 if (CFArrayGetCount(final_chain) == 0)	269 if (CFArrayGetCount(final_chain) == 0)

(...skipping 18 matching lines...) Expand all Loading...
280 // roots.	288 // roots.

281 verify_result->is_issued_by_known_root = false;	289 verify_result->is_issued_by_known_root = false;

282	290

283 if (IsCertStatusError(verify_result->cert_status))	291 if (IsCertStatusError(verify_result->cert_status))

284 return MapCertStatusToNetError(verify_result->cert_status);	292 return MapCertStatusToNetError(verify_result->cert_status);

285	293

286 return OK;	294 return OK;

287 }	295 }

288	296

289 } // namespace net	297 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/net_string_util_icu_alternatives_ios.mm ('k') | net/cert/cert_verify_proc_ios_unittest.cc » ('j') | no next file with comments »