
Side by Side Diff: net/cert/internal/verify_certificate_chain.cc

Issue 2923903002: Reject certificates that contain unknown policy qualifiers if the (Closed)
Patch Set: update ios files Created 3 years, 6 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/verify_certificate_chain.h" 5 #include "net/cert/internal/verify_certificate_chain.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <memory> 8 #include <memory>
9 9
10 #include "base/logging.h" 10 #include "base/logging.h"
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
61 DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth, 61 DEFINE_CERT_ERROR_ID(kEkuLacksServerAuth,
62 "The extended key usage does not include server auth"); 62 "The extended key usage does not include server auth");
63 DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth, 63 DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
64 "The extended key usage does not include client auth"); 64 "The extended key usage does not include client auth");
65 DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor, 65 DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor,
66 "Certificate is not a trust anchor"); 66 "Certificate is not a trust anchor");
67 DEFINE_CERT_ERROR_ID(kNoValidPolicy, "No valid policy"); 67 DEFINE_CERT_ERROR_ID(kNoValidPolicy, "No valid policy");
68 DEFINE_CERT_ERROR_ID(kPolicyMappingAnyPolicy, 68 DEFINE_CERT_ERROR_ID(kPolicyMappingAnyPolicy,
69 "PolicyMappings must not map anyPolicy"); 69 "PolicyMappings must not map anyPolicy");
70 70
71 bool IsHandledCriticalExtensionOid(const der::Input& oid) { 71 bool IsHandledCriticalExtension(const ParsedExtension& extension) {
72 if (oid == BasicConstraintsOid()) 72 if (extension.oid == BasicConstraintsOid())
73 return true; 73 return true;
74 // Key Usage is NOT processed for end-entity certificates (this is the 74 // Key Usage is NOT processed for end-entity certificates (this is the
75 // responsibility of callers), however it is considered "handled" here in 75 // responsibility of callers), however it is considered "handled" here in
76 // order to allow being marked as critical. 76 // order to allow being marked as critical.
77 if (oid == KeyUsageOid()) 77 if (extension.oid == KeyUsageOid())
78 return true; 78 return true;
79 if (oid == ExtKeyUsageOid()) 79 if (extension.oid == ExtKeyUsageOid())
80 return true; 80 return true;
81 if (oid == NameConstraintsOid()) 81 if (extension.oid == NameConstraintsOid())
82 return true; 82 return true;
83 if (oid == SubjectAltNameOid()) 83 if (extension.oid == SubjectAltNameOid())
84 return true; 84 return true;
85 // TODO(eroman): The policy qualifiers are not processed (or in some cases 85 if (extension.oid == CertificatePoliciesOid()) {
86 // even parsed). This is fine when the policies extension is non-critical, 86 // Policy qualifiers are skipped during processing, so if the
87 // however if it is critical the code should also ensure that the policy 87 // extension is marked critical need to ensure there weren't any
88 // qualifiers are only recognized ones (CPS and User Notice). 88 // qualifiers other than User Notice / CPS.
89 if (oid == CertificatePoliciesOid()) 89 //
90 // This follows from RFC 5280 section 4.2.1.4:
91 //
92 // If this extension is critical, the path validation software MUST
93 // be able to interpret this extension (including the optional
94 // qualifier), or MUST reject the certificate.
95 std::vector<der::Input> unused_policies;
96 return ParseCertificatePoliciesExtension(
97 extension.value, true /*fail_parsing_unknown_qualifier_oids*/,
98 &unused_policies);
99
100 // TODO(eroman): Give a better error message.
101 }
102 if (extension.oid == PolicyMappingsOid())
90 return true; 103 return true;
91 if (oid == PolicyMappingsOid()) 104 if (extension.oid == PolicyConstraintsOid())
92 return true; 105 return true;
93 if (oid == PolicyConstraintsOid()) 106 if (extension.oid == InhibitAnyPolicyOid())
94 return true;
95 if (oid == InhibitAnyPolicyOid())
96 return true; 107 return true;
97 108
98 return false; 109 return false;
99 } 110 }
100 111
101 // Adds errors to |errors| if the certificate contains unconsumed _critical_ 112 // Adds errors to |errors| if the certificate contains unconsumed _critical_
102 // extensions. 113 // extensions.
103 void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate& cert, 114 void VerifyNoUnconsumedCriticalExtensions(const ParsedCertificate& cert,
104 CertErrors* errors) { 115 CertErrors* errors) {
105 for (const auto& it : cert.extensions()) { 116 for (const auto& it : cert.extensions()) {
106 const ParsedExtension& extension = it.second; 117 const ParsedExtension& extension = it.second;
107 if (extension.critical && !IsHandledCriticalExtensionOid(extension.oid)) { 118 if (extension.critical && !IsHandledCriticalExtension(extension)) {
108 errors->AddError(kUnconsumedCriticalExtension, 119 errors->AddError(kUnconsumedCriticalExtension,
109 CreateCertErrorParams2Der("oid", extension.oid, "value", 120 CreateCertErrorParams2Der("oid", extension.oid, "value",
110 extension.value)); 121 extension.value));
111 } 122 }
112 } 123 }
113 } 124 }
114 125
115 // Returns true if |cert| was self-issued. The definition of self-issuance 126 // Returns true if |cert| was self-issued. The definition of self-issuance
116 // comes from RFC 5280 section 6.1: 127 // comes from RFC 5280 section 6.1:
117 // 128 //
(...skipping 1130 matching lines...) Expand 10 before | Expand all | Expand 10 after
1248 std::set<der::Input>* user_constrained_policy_set, 1259 std::set<der::Input>* user_constrained_policy_set,
1249 CertPathErrors* errors) { 1260 CertPathErrors* errors) {
1250 PathVerifier verifier; 1261 PathVerifier verifier;
1251 verifier.Run(certs, last_cert_trust, signature_policy, time, 1262 verifier.Run(certs, last_cert_trust, signature_policy, time,
1252 required_key_purpose, initial_explicit_policy, 1263 required_key_purpose, initial_explicit_policy,
1253 user_initial_policy_set, initial_policy_mapping_inhibit, 1264 user_initial_policy_set, initial_policy_mapping_inhibit,
1254 initial_any_policy_inhibit, user_constrained_policy_set, errors); 1265 initial_any_policy_inhibit, user_constrained_policy_set, errors);
1255 } 1266 }
1256 1267
1257 } // namespace net 1268 } // namespace net
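Review bot: In `IsHandledCriticalExtension`, a critical certificatePolicies extension that fails `ParseCertificatePoliciesExtension` (an unknown qualifier OID or, presumably, any other parse failure) makes the function return false, so `VerifyNoUnconsumedCriticalExtensions` reports it as `kUnconsumedCriticalExtension`, the same error a wholly unrecognized critical OID gets. Rejecting is the correct fail-closed outcome for the RFC 5280 section 4.2.1.4 text quoted in the comment, but anyone triaging the error cannot tell "unknown extension" from "known extension with unacceptable content", and the `// TODO(eroman): Give a better error message.` that acknowledges this sits after the `return`, where it is easy to overlook. I would move the TODO above the `return` and give the function a header comment such as `// Returns true if |extension| is one this verifier processes. For certificatePolicies the value is also parsed, and false is returned if it contains unrecognized policy qualifiers.` The new block also declares a `std::vector`, while the only standard includes visible are `<algorithm>` and `<memory>`; 50 lines are collapsed after line 10, so confirm that `<vector>` is included directly and not picked up transitively.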