| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
| 9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
| 10 | 10 |
| (...skipping 724 matching lines...) | |
| 735 &keychain); | 735 &keychain); |
| 736 if (status) | 736 if (status) |
| 737 return NetErrorFromOSStatus(status); | 737 return NetErrorFromOSStatus(status); |
| 738 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); | 738 ScopedCFTypeRef<SecKeychainRef> scoped_keychain(keychain); |
| 739 | 739 |
| 740 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); | 740 CFArrayInsertValueAtIndex(mutable_keychain_search_list, 0, keychain); |
| 741 } | 741 } |
| 742 | 742 |
| 743 ScopedCFTypeRef<CFMutableArrayRef> cert_array( | 743 ScopedCFTypeRef<CFMutableArrayRef> cert_array( |
| 744 x509_util::CreateSecCertificateArrayForX509Certificate(cert)); | 744 x509_util::CreateSecCertificateArrayForX509Certificate(cert)); |
| 745 if (!cert_array) | 745 if (!cert_array) { |
| 746 verify_result->cert_status |= CERT_STATUS_INVALID; | |
|
mattm
2017/05/16 22:46:26
note: Need to set status here or later checks in C
| |
| 746 return ERR_CERT_INVALID; | 747 return ERR_CERT_INVALID; |
| 748 } | |
| 747 | 749 |
| 748 // Beginning with the certificate chain as supplied by the server, attempt | 750 // Beginning with the certificate chain as supplied by the server, attempt |
| 749 // to verify the chain. If a failure is encountered, trim a certificate | 751 // to verify the chain. If a failure is encountered, trim a certificate |
| 750 // from the end (so long as one remains) and retry, in the hope of forcing | 752 // from the end (so long as one remains) and retry, in the hope of forcing |
| 751 // OS X to find a better path. | 753 // OS X to find a better path. |
| 752 while (CFArrayGetCount(cert_array) > 0) { | 754 while (CFArrayGetCount(cert_array) > 0) { |
| 753 ScopedCFTypeRef<SecTrustRef> temp_ref; | 755 ScopedCFTypeRef<SecTrustRef> temp_ref; |
| 754 SecTrustResultType temp_trust_result = kSecTrustResultDeny; | 756 SecTrustResultType temp_trust_result = kSecTrustResultDeny; |
| 755 ScopedCFTypeRef<CFArrayRef> temp_chain; | 757 ScopedCFTypeRef<CFArrayRef> temp_chain; |
| 756 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; | 758 CSSM_TP_APPLE_EVIDENCE_INFO* temp_chain_info = NULL; |
| (...skipping 281 matching lines...) | |
| 1038 // EV cert and it was covered by CRLSets or revocation checking passed. | 1040 // EV cert and it was covered by CRLSets or revocation checking passed. |
| 1039 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1041 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 1040 } | 1042 } |
| 1041 | 1043 |
| 1042 return OK; | 1044 return OK; |
| 1043 } | 1045 } |
| 1044 | 1046 |
| 1045 } // namespace net | 1047 } // namespace net |
| 1046 | 1048 |
| 1047 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1049 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
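Review bot: The sibling early return just above the changed branch, `if (status) return NetErrorFromOSStatus(status);` (new lines 736-737), still exits without touching `verify_result->cert_status`, so only one of the two visible early exits pairs the return code with a status bit. Whether that matters depends on whether NetErrorFromOSStatus can ever yield a certificate error, which is not visible on this page. If it cannot, a short comment there such as `// Not a certificate error, so cert_status is intentionally left unset.` would record the reasoning. A result that returns an error while cert_status reads clean is risky for any consumer that looks only at the status bits, so a test that feeds a certificate which cannot be converted and asserts both the return value and the status bit would guard this. The enclosing function starts before the visible lines.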