| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 | |
| 8 // until NSS 3.12.2 comes out and we update to it. | |
| 9 #define Lock FOO_NSS_Lock | |
| 10 #include <cert.h> | 7 #include <cert.h> |
| 11 #include <pk11pub.h> | 8 #include <pk11pub.h> |
| 9 #include <prerror.h> |
| 12 #include <prtime.h> | 10 #include <prtime.h> |
| 13 #include <secder.h> | 11 #include <secder.h> |
| 14 #include <secerr.h> | 12 #include <secerr.h> |
| 15 #include <sechash.h> | 13 #include <sechash.h> |
| 16 #include <sslerr.h> | 14 #include <sslerr.h> |
| 17 #undef Lock | |
| 18 | 15 |
| 19 #include "base/logging.h" | 16 #include "base/logging.h" |
| 20 #include "base/pickle.h" | 17 #include "base/pickle.h" |
| 21 #include "base/time.h" | 18 #include "base/time.h" |
| 22 #include "base/nss_init.h" | 19 #include "base/nss_init.h" |
| 23 #include "net/base/cert_status_flags.h" | 20 #include "net/base/cert_status_flags.h" |
| 24 #include "net/base/cert_verify_result.h" | 21 #include "net/base/cert_verify_result.h" |
| 25 #include "net/base/ev_root_ca_metadata.h" | 22 #include "net/base/ev_root_ca_metadata.h" |
| 26 #include "net/base/net_errors.h" | 23 #include "net/base/net_errors.h" |
| 27 | 24 |
| 113 | 110 |
| 114 private: | 111 private: |
| 115 CERTValOutParam* cvout_; | 112 CERTValOutParam* cvout_; |
| 116 | 113 |
| 117 DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam); | 114 DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam); |
| 118 }; | 115 }; |
| 119 | 116 |
| 120 // Map PORT_GetError() return values to our network error codes. | 117 // Map PORT_GetError() return values to our network error codes. |
| 121 int MapSecurityError(int err) { | 118 int MapSecurityError(int err) { |
| 122 switch (err) { | 119 switch (err) { |
| 120 case PR_DIRECTORY_LOOKUP_ERROR: // DNS lookup error. |
| 121 return ERR_NAME_NOT_RESOLVED; |
| 123 case SEC_ERROR_INVALID_ARGS: | 122 case SEC_ERROR_INVALID_ARGS: |
| 124 return ERR_INVALID_ARGUMENT; | 123 return ERR_INVALID_ARGUMENT; |
| 125 case SEC_ERROR_INVALID_TIME: | 124 case SEC_ERROR_INVALID_TIME: |
| 126 case SEC_ERROR_EXPIRED_CERTIFICATE: | 125 case SEC_ERROR_EXPIRED_CERTIFICATE: |
| 127 return ERR_CERT_DATE_INVALID; | 126 return ERR_CERT_DATE_INVALID; |
| 128 case SEC_ERROR_UNKNOWN_ISSUER: | 127 case SEC_ERROR_UNKNOWN_ISSUER: |
| 129 case SEC_ERROR_UNTRUSTED_ISSUER: | 128 case SEC_ERROR_UNTRUSTED_ISSUER: |
| 130 case SEC_ERROR_CA_CERT_INVALID: | 129 case SEC_ERROR_CA_CERT_INVALID: |
| 131 case SEC_ERROR_UNTRUSTED_CERT: | 130 case SEC_ERROR_UNTRUSTED_CERT: |
| 132 return ERR_CERT_AUTHORITY_INVALID; | 131 return ERR_CERT_AUTHORITY_INVALID; |
| 404 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; | 403 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; |
| 405 revocation_flags.chainTests.cert_rev_method_independent_flags = | 404 revocation_flags.chainTests.cert_rev_method_independent_flags = |
| 406 revocation_method_independent_flags; | 405 revocation_method_independent_flags; |
| 407 | 406 |
| 408 CERTValInParam cvin[4]; | 407 CERTValInParam cvin[4]; |
| 409 int cvin_index = 0; | 408 int cvin_index = 0; |
| 410 // No need to set cert_pi_trustAnchors here. | 409 // No need to set cert_pi_trustAnchors here. |
| 411 cvin[cvin_index].type = cert_pi_revocationFlags; | 410 cvin[cvin_index].type = cert_pi_revocationFlags; |
| 412 cvin[cvin_index].value.pointer.revocation = &revocation_flags; | 411 cvin[cvin_index].value.pointer.revocation = &revocation_flags; |
| 413 cvin_index++; | 412 cvin_index++; |
| 414 cvin[cvin_index].type = cert_pi_useAIACertFetch; | |
| 415 cvin[cvin_index].value.scalar.b = PR_TRUE; | |
| 416 cvin_index++; | |
| 417 std::vector<SECOidTag> policies; | 413 std::vector<SECOidTag> policies; |
| 418 if (policy_oids && num_policy_oids > 0) { | 414 if (policy_oids && num_policy_oids > 0) { |
| 419 cvin[cvin_index].type = cert_pi_policyOID; | 415 cvin[cvin_index].type = cert_pi_policyOID; |
| 420 cvin[cvin_index].value.arraySize = num_policy_oids; | 416 cvin[cvin_index].value.arraySize = num_policy_oids; |
| 421 cvin[cvin_index].value.array.oids = policy_oids; | 417 cvin[cvin_index].value.array.oids = policy_oids; |
| 422 cvin_index++; | 418 cvin_index++; |
| 423 } | 419 } |
| 420 // Add cert_pi_useAIACertFetch last so we can easily remove it from the |
| 421 // cvin array in the workaround below. |
| 422 cvin[cvin_index].type = cert_pi_useAIACertFetch; |
| 423 cvin[cvin_index].value.scalar.b = PR_TRUE; |
| 424 cvin_index++; |
| 424 cvin[cvin_index].type = cert_pi_end; | 425 cvin[cvin_index].type = cert_pi_end; |
| 425 | 426 |
| 426 return CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, | 427 SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, |
| 427 cvin, cvout, NULL); | 428 cvin, cvout, NULL); |
| 429 if (rv != SECSuccess) { |
| 430 // cert_pi_useAIACertFetch can't handle a CA issuers access location that |
| 431 // is an LDAP URL with an empty host name (NSS bug 528741). If cert fetch |
| 432 // fails because of a network error, it also causes CERT_PKIXVerifyCert |
| 433 // to report the network error rather than SEC_ERROR_UNKNOWN_ISSUER. To |
| 434 // work around these NSS bugs, we retry without cert_pi_useAIACertFetch. |
| 435 int nss_error = PORT_GetError(); |
| 436 if (nss_error == SEC_ERROR_INVALID_ARGS || !IS_SEC_ERROR(nss_error)) { |
| 437 cvin_index--; |
| 438 DCHECK_EQ(cvin[cvin_index].type, cert_pi_useAIACertFetch); |
| 439 cvin[cvin_index].type = cert_pi_end; |
| 440 rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, |
| 441 cvin, cvout, NULL); |
| 442 } |
| 443 } |
| 444 return rv; |
| 428 } | 445 } |
| 429 | 446 |
| 430 bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle, | 447 bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle, |
| 431 SECOidTag ev_policy_tag) { | 448 SECOidTag ev_policy_tag) { |
| 432 SECItem policy_ext; | 449 SECItem policy_ext; |
| 433 SECStatus rv = CERT_FindCertExtension( | 450 SECStatus rv = CERT_FindCertExtension( |
| 434 cert_handle, SEC_OID_X509_CERTIFICATE_POLICIES, &policy_ext); | 451 cert_handle, SEC_OID_X509_CERTIFICATE_POLICIES, &policy_ext); |
| 435 if (rv != SECSuccess) { | 452 if (rv != SECSuccess) { |
| 436 LOG(ERROR) << "Cert has no policies extension."; | 453 LOG(ERROR) << "Cert has no policies extension."; |
| 437 return false; | 454 return false; |
| 634 DCHECK(0 != cert->derCert.len); | 651 DCHECK(0 != cert->derCert.len); |
| 635 | 652 |
| 636 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, | 653 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, |
| 637 cert->derCert.data, cert->derCert.len); | 654 cert->derCert.data, cert->derCert.len); |
| 638 DCHECK(rv == SECSuccess); | 655 DCHECK(rv == SECSuccess); |
| 639 | 656 |
| 640 return sha1; | 657 return sha1; |
| 641 } | 658 } |
| 642 | 659 |
| 643 } // namespace net | 660 } // namespace net |
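Review bot: The retry at new lines 437-441 passes the same cvout array to the second CERT_PKIXVerifyCert call that the first, failed call already received, and nothing resets it in between; if NSS populates any cert_po_* output (for example an allocated cert list) before reporting failure, the retry would overwrite that entry and orphan the first allocation, so either confirm that CERT_PKIXVerifyCert leaves cvout untouched on failure or record the assumption with a comment such as `// cvout is reused for the retry; relies on CERT_PKIXVerifyCert not filling outputs when it fails.` The guard `!IS_SEC_ERROR(nss_error)` is also broader than the "network error" the comment above it describes — it retries on any code outside the SEC_ERROR range, not just PR_DIRECTORY_LOOKUP_ERROR — which is acceptable as a conservative fallback (dropping cert_pi_useAIACertFetch can only remove chain-building input, it cannot make an unknown issuer trusted), but the comment should say that any non-SEC error triggers the retry so a later reader does not narrow it by accident. The enclosing function's signature and the declaration of cvout are outside the hunk.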