| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 158 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 169 CastDeviceCertPolicy* policy) { | 169 CastDeviceCertPolicy* policy) { |
| 170 // Get the Key Usage extension. | 170 // Get the Key Usage extension. |
| 171 if (!cert->has_key_usage()) | 171 if (!cert->has_key_usage()) |
| 172 return false; | 172 return false; |
| 173 | 173 |
| 174 // Ensure Key Usage contains digitalSignature. | 174 // Ensure Key Usage contains digitalSignature. |
| 175 if (!cert->key_usage().AssertsBit(net::KEY_USAGE_BIT_DIGITAL_SIGNATURE)) | 175 if (!cert->key_usage().AssertsBit(net::KEY_USAGE_BIT_DIGITAL_SIGNATURE)) |
| 176 return false; | 176 return false; |
| 177 | 177 |
| 178 // Check for an optional audio-only policy extension. | 178 // Check for an optional audio-only policy extension. |
| 179 // |
| 180 // TODO(eroman): Use |user_constrained_policy_set| that was output from |
| 181 // verification instead. (Checking just the leaf certificate's policy |
| 182 // assertion doesn't take into account policy restrictions on intermediates, |
| 183 // policy constraints/inhibits, or policy re-mappings). |
| 179 *policy = CastDeviceCertPolicy::NONE; | 184 *policy = CastDeviceCertPolicy::NONE; |
| 180 if (cert->has_policy_oids()) { | 185 if (cert->has_policy_oids()) { |
| 181 const std::vector<net::der::Input>& policies = cert->policy_oids(); | 186 const std::vector<net::der::Input>& policies = cert->policy_oids(); |
| 182 // Look for an audio-only policy. Disregard any other policy found. | 187 // Look for an audio-only policy. Disregard any other policy found. |
| 183 if (std::find(policies.begin(), policies.end(), AudioOnlyPolicyOid()) != | 188 if (std::find(policies.begin(), policies.end(), AudioOnlyPolicyOid()) != |
| 184 policies.end()) { | 189 policies.end()) { |
| 185 *policy = CastDeviceCertPolicy::AUDIO_ONLY; | 190 *policy = CastDeviceCertPolicy::AUDIO_ONLY; |
| 186 } | 191 } |
| 187 } | 192 } |
| 188 | 193 |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 257 | 262 |
| 258 // Use a signature policy compatible with Cast's PKI. | 263 // Use a signature policy compatible with Cast's PKI. |
| 259 auto signature_policy = CreateCastSignaturePolicy(); | 264 auto signature_policy = CreateCastSignaturePolicy(); |
| 260 | 265 |
| 261 // Do path building and RFC 5280 compatible certificate verification using the | 266 // Do path building and RFC 5280 compatible certificate verification using the |
| 262 // two Cast trust anchors and Cast signature policy. | 267 // two Cast trust anchors and Cast signature policy. |
| 263 net::der::GeneralizedTime verification_time; | 268 net::der::GeneralizedTime verification_time; |
| 264 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) | 269 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) |
| 265 return false; | 270 return false; |
| 266 net::CertPathBuilder::Result result; | 271 net::CertPathBuilder::Result result; |
| 267 net::CertPathBuilder path_builder(target_cert.get(), trust_store, | 272 net::CertPathBuilder path_builder( |
| 268 signature_policy.get(), verification_time, | 273 target_cert.get(), trust_store, signature_policy.get(), verification_time, |
| 269 net::KeyPurpose::CLIENT_AUTH, &result); | 274 net::KeyPurpose::CLIENT_AUTH, net::InitialExplicitPolicy::kFalse, |
| 275 {net::AnyPolicy()}, net::InitialPolicyMappingInhibit::kFalse, |
| 276 net::InitialAnyPolicyInhibit::kFalse, &result); |
| 270 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | 277 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
| 271 path_builder.Run(); | 278 path_builder.Run(); |
| 272 if (!result.HasValidPath()) { | 279 if (!result.HasValidPath()) { |
| 273 // TODO(crbug.com/634443): Log error information. | 280 // TODO(crbug.com/634443): Log error information. |
| 274 return false; | 281 return false; |
| 275 } | 282 } |
| 276 | 283 |
| 277 // Check properties of the leaf certificate (key usage, policy), and construct | 284 // Check properties of the leaf certificate (key usage, policy), and construct |
| 278 // a CertVerificationContext that uses its public key. | 285 // a CertVerificationContext that uses its public key. |
| 279 if (!CheckTargetCertificate(target_cert.get(), context, policy)) | 286 if (!CheckTargetCertificate(target_cert.get(), context, policy)) |
| (...skipping 14 matching lines...) Expand all Loading... |
| 294 | 301 |
| 295 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 302 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 296 const base::StringPiece& spki) { | 303 const base::StringPiece& spki) { |
| 297 // Use a bogus CommonName, since this is just exposed for testing signature | 304 // Use a bogus CommonName, since this is just exposed for testing signature |
| 298 // verification by unittests. | 305 // verification by unittests. |
| 299 return base::MakeUnique<CertVerificationContextImpl>(net::der::Input(spki), | 306 return base::MakeUnique<CertVerificationContextImpl>(net::der::Input(spki), |
| 300 "CommonName"); | 307 "CommonName"); |
| 301 } | 308 } |
| 302 | 309 |
| 303 } // namespace cast_certificate | 310 } // namespace cast_certificate |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2898303005:
Wire up certificate policies support in PathBuilder. (Closed)
