| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <algorithm> | 5 #include <algorithm> |
| 6 | 6 |
| 7 #include "net/cert/internal/certificate_policies.h" | 7 #include "net/cert/internal/certificate_policies.h" |
| 8 | 8 |
| 9 #include "net/der/input.h" | 9 #include "net/der/input.h" |
| 10 #include "net/der/parse_values.h" | 10 #include "net/der/parse_values.h" |
| 32 // In dotted decimal form: 1.3.6.1.5.5.7.2.2 | 32 // In dotted decimal form: 1.3.6.1.5.5.7.2.2 |
| 33 const der::Input UserNoticeId() { | 33 const der::Input UserNoticeId() { |
| 34 static const uint8_t user_notice_id[] = {0x2b, 0x06, 0x01, 0x05, | 34 static const uint8_t user_notice_id[] = {0x2b, 0x06, 0x01, 0x05, |
| 35 0x05, 0x07, 0x02, 0x02}; | 35 0x05, 0x07, 0x02, 0x02}; |
| 36 return der::Input(user_notice_id); | 36 return der::Input(user_notice_id); |
| 37 } | 37 } |
| 38 | 38 |
| 39 // Ignores the policyQualifiers, but does some minimal correctness checking. | 39 // Ignores the policyQualifiers, but does some minimal correctness checking. |
| 40 // TODO(mattm): parse and return the policyQualifiers, since the cert viewer | 40 // TODO(mattm): parse and return the policyQualifiers, since the cert viewer |
| 41 // still needs to display them. | 41 // still needs to display them. |
| 42 bool ParsePolicyQualifiers(const der::Input& policy_oid, | 42 bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers, |
| 43 der::Parser* policy_qualifiers_sequence_parser) { | 43 der::Parser* policy_qualifiers_sequence_parser) { |
| 44 // If it is present, the policyQualifiers sequence should have at least 1 | 44 // If it is present, the policyQualifiers sequence should have at least 1 |
| 45 // element. | 45 // element. |
| 46 if (!policy_qualifiers_sequence_parser->HasMore()) | 46 if (!policy_qualifiers_sequence_parser->HasMore()) |
| 47 return false; | 47 return false; |
| 48 while (policy_qualifiers_sequence_parser->HasMore()) { | 48 while (policy_qualifiers_sequence_parser->HasMore()) { |
| 49 der::Parser policy_information_parser; | 49 der::Parser policy_information_parser; |
| 50 if (!policy_qualifiers_sequence_parser->ReadSequence( | 50 if (!policy_qualifiers_sequence_parser->ReadSequence( |
| 51 &policy_information_parser)) { | 51 &policy_information_parser)) { |
| 52 return false; | 52 return false; |
| 53 } | 53 } |
| 54 der::Input qualifier_oid; | 54 der::Input qualifier_oid; |
| 55 if (!policy_information_parser.ReadTag(der::kOid, &qualifier_oid)) | 55 if (!policy_information_parser.ReadTag(der::kOid, &qualifier_oid)) |
| 56 return false; | 56 return false; |
| 57 // RFC 5280 section 4.2.1.4: When qualifiers are used with the special | 57 if (restrict_to_known_qualifiers && qualifier_oid != CpsPointerId() && |
| 58 // policy anyPolicy, they MUST be limited to the qualifiers identified in | |
| 59 // this section. | |
| 60 if (policy_oid == AnyPolicy() && qualifier_oid != CpsPointerId() && | |
| 61 qualifier_oid != UserNoticeId()) { | 58 qualifier_oid != UserNoticeId()) { |
| 62 return false; | 59 return false; |
| 63 } | 60 } |
| 64 der::Tag tag; | 61 der::Tag tag; |
| 65 der::Input value; | 62 der::Input value; |
| 66 if (!policy_information_parser.ReadTagAndValue(&tag, &value)) | 63 if (!policy_information_parser.ReadTagAndValue(&tag, &value)) |
| 67 return false; | 64 return false; |
| 68 // Should not have trailing data after qualifier. | 65 // Should not have trailing data after qualifier. |
| 69 if (policy_information_parser.HasMore()) | 66 if (policy_information_parser.HasMore()) |
| 70 return false; | 67 return false; |
| 136 // NoticeReference ::= SEQUENCE { | 133 // NoticeReference ::= SEQUENCE { |
| 137 // organization DisplayText, | 134 // organization DisplayText, |
| 138 // noticeNumbers SEQUENCE OF INTEGER } | 135 // noticeNumbers SEQUENCE OF INTEGER } |
| 139 // | 136 // |
| 140 // DisplayText ::= CHOICE { | 137 // DisplayText ::= CHOICE { |
| 141 // ia5String IA5String (SIZE (1..200)), | 138 // ia5String IA5String (SIZE (1..200)), |
| 142 // visibleString VisibleString (SIZE (1..200)), | 139 // visibleString VisibleString (SIZE (1..200)), |
| 143 // bmpString BMPString (SIZE (1..200)), | 140 // bmpString BMPString (SIZE (1..200)), |
| 144 // utf8String UTF8String (SIZE (1..200)) } | 141 // utf8String UTF8String (SIZE (1..200)) } |
| 145 bool ParseCertificatePoliciesExtension(const der::Input& extension_value, | 142 bool ParseCertificatePoliciesExtension(const der::Input& extension_value, |
| 143 bool fail_parsing_unknown_qualifier_oids, |
| 146 std::vector<der::Input>* policies) { | 144 std::vector<der::Input>* policies) { |
| 147 der::Parser extension_parser(extension_value); | 145 der::Parser extension_parser(extension_value); |
| 148 der::Parser policies_sequence_parser; | 146 der::Parser policies_sequence_parser; |
| 149 if (!extension_parser.ReadSequence(&policies_sequence_parser)) | 147 if (!extension_parser.ReadSequence(&policies_sequence_parser)) |
| 150 return false; | 148 return false; |
| 151 // Should not have trailing data after certificatePolicies sequence. | 149 // Should not have trailing data after certificatePolicies sequence. |
| 152 if (extension_parser.HasMore()) | 150 if (extension_parser.HasMore()) |
| 153 return false; | 151 return false; |
| 154 // The certificatePolicies sequence should have at least 1 element. | 152 // The certificatePolicies sequence should have at least 1 element. |
| 155 if (!policies_sequence_parser.HasMore()) | 153 if (!policies_sequence_parser.HasMore()) |
| 181 continue; | 179 continue; |
| 182 | 180 |
| 183 der::Parser policy_qualifiers_sequence_parser; | 181 der::Parser policy_qualifiers_sequence_parser; |
| 184 if (!policy_information_parser.ReadSequence( | 182 if (!policy_information_parser.ReadSequence( |
| 185 &policy_qualifiers_sequence_parser)) { | 183 &policy_qualifiers_sequence_parser)) { |
| 186 return false; | 184 return false; |
| 187 } | 185 } |
| 188 // Should not have trailing data after policyQualifiers sequence. | 186 // Should not have trailing data after policyQualifiers sequence. |
| 189 if (policy_information_parser.HasMore()) | 187 if (policy_information_parser.HasMore()) |
| 190 return false; | 188 return false; |
| 191 if (!ParsePolicyQualifiers(policy_oid, &policy_qualifiers_sequence_parser)) | 189 |
| 190 // RFC 5280 section 4.2.1.4: When qualifiers are used with the special |
| 191 // policy anyPolicy, they MUST be limited to the qualifiers identified in |
| 192 // this section. |
| 193 if (!ParsePolicyQualifiers( |
| 194 fail_parsing_unknown_qualifier_oids || policy_oid == AnyPolicy(), |
| 195 &policy_qualifiers_sequence_parser)) { |
| 192 return false; | 196 return false; |
| 197 } |
| 193 } | 198 } |
| 194 | 199 |
| 195 return true; | 200 return true; |
| 196 } | 201 } |
| 197 | 202 |
| 198 // From RFC 5280: | 203 // From RFC 5280: |
| 199 // | 204 // |
| 200 // PolicyConstraints ::= SEQUENCE { | 205 // PolicyConstraints ::= SEQUENCE { |
| 201 // requireExplicitPolicy [0] SkipCerts OPTIONAL, | 206 // requireExplicitPolicy [0] SkipCerts OPTIONAL, |
| 202 // inhibitPolicyMapping [1] SkipCerts OPTIONAL } | 207 // inhibitPolicyMapping [1] SkipCerts OPTIONAL } |
| 318 } | 323 } |
| 319 | 324 |
| 320 // There shouldn't be extra unconsumed data. | 325 // There shouldn't be extra unconsumed data. |
| 321 if (parser.HasMore()) | 326 if (parser.HasMore()) |
| 322 return false; | 327 return false; |
| 323 | 328 |
| 324 return true; | 329 return true; |
| 325 } | 330 } |
| 326 | 331 |
| 327 } // namespace net | 332 } // namespace net |
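Review bot: The new restrict_to_known_qualifiers check in ParsePolicyQualifiers (new side lines 57-60) restricts only the qualifier OID; the value read by ReadTagAndValue on line 63 is still accepted with any tag, so a CPS pointer or user notice carrying a wrong-typed value passes both the strict mode and the RFC 5280 anyPolicy MUST that the caller now relies on for its limit. If net/der exposes tag constants for IA5String and SEQUENCE (it already provides der::kOid and ReadSequence), the gap closes with two lines after the ReadTagAndValue check: `if (qualifier_oid == CpsPointerId() && tag != der::kIA5String) return false;` and `if (qualifier_oid == UserNoticeId() && tag != der::kSequence) return false;` — confirm the exact constant names against net/der/tag.h. The new fail_parsing_unknown_qualifier_oids parameter on ParseCertificatePoliciesExtension (line 143) is also undocumented; I would add above the function `// If |fail_parsing_unknown_qualifier_oids| is true, a policyQualifier whose OID is neither id-qt-cps nor id-qt-unotice is a parse failure; for anyPolicy this is enforced regardless of the flag.` A bare bool in the middle of the argument list reads as an opaque true/false at call sites, so an enum would make the intent visible where the function is called. ParsePolicyQualifiers' body continues past the hunk (the page skips 65 lines after line 67), so the tail of that function was not reviewed here.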