| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
| 8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
| 9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
| 10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
| 11 #include <openssl/pkcs7.h> | 11 #include <openssl/pkcs7.h> |
| 98 if (!alt_name_ext) | 98 if (!alt_name_ext) |
| 99 return; | 99 return; |
| 100 | 100 |
| 101 ScopedSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names( | 101 ScopedSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names( |
| 102 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); | 102 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); |
| 103 if (!alt_names.get()) | 103 if (!alt_names.get()) |
| 104 return; | 104 return; |
| 105 | 105 |
| 106 for (int i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) { | 106 for (int i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) { |
| 107 const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i); | 107 const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i); |
| 108 if (name->type == GEN_DNS) { | 108 if (name->type == GEN_DNS) { |
wtc
2010/11/16 00:15:21
The ParseSubjectAltNames function only includes DN
joth
2010/11/16 14:01:10
Yes. Hopefully my TODO on line 382, plus details i
| 109 unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName); | 109 unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName); |
| 110 if (!dns_name) | 110 if (!dns_name) |
| 111 continue; | 111 continue; |
| 112 int dns_name_len = ASN1_STRING_length(name->d.dNSName); | 112 int dns_name_len = ASN1_STRING_length(name->d.dNSName); |
| 113 dns_names->push_back( | 113 dns_names->push_back( |
| 114 std::string(reinterpret_cast<char*>(dns_name), dns_name_len)); | 114 std::string(reinterpret_cast<char*>(dns_name), dns_name_len)); |
| 115 } | 115 } |
| 116 } | 116 } |
| 117 } | 117 } |
| 118 | 118 |
| 372 | 372 |
| 373 if (dns_names->empty()) | 373 if (dns_names->empty()) |
| 374 dns_names->push_back(subject_.common_name); | 374 dns_names->push_back(subject_.common_name); |
| 375 } | 375 } |
| 376 | 376 |
| 377 int X509Certificate::Verify(const std::string& hostname, | 377 int X509Certificate::Verify(const std::string& hostname, |
| 378 int flags, | 378 int flags, |
| 379 CertVerifyResult* verify_result) const { | 379 CertVerifyResult* verify_result) const { |
| 380 verify_result->Reset(); | 380 verify_result->Reset(); |
| 381 | 381 |
| 382 // TODO(joth): We should fetch the subjectAltNames directly rather than via | |
| 383 // GetDNSNames, so we can apply special handling for IP addresses vs DNS | |
| 384 // names, etc. See http://crbug.com/62973. | |
| 385 std::vector<std::string> cert_names; | |
| 386 GetDNSNames(&cert_names); | |
| 387 if (!x509_openssl_util::VerifyHostname(hostname, cert_names)) | |
| 388 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | |
| 389 | |
| 382 ScopedSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(X509_STORE_CTX_new()); | 390 ScopedSSL<X509_STORE_CTX, X509_STORE_CTX_free> ctx(X509_STORE_CTX_new()); |
| 383 | 391 |
| 384 ScopedSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(sk_X509_new_null()); | 392 ScopedSSL<STACK_OF(X509), sk_X509_free_fn> intermediates(sk_X509_new_null()); |
| 385 if (!intermediates.get()) | 393 if (!intermediates.get()) |
| 386 return ERR_OUT_OF_MEMORY; | 394 return ERR_OUT_OF_MEMORY; |
| 387 | 395 |
| 388 for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin(); | 396 for (OSCertHandles::const_iterator it = intermediate_ca_certs_.begin(); |
| 389 it != intermediate_ca_certs_.end(); ++it) { | 397 it != intermediate_ca_certs_.end(); ++it) { |
| 390 if (!sk_X509_push(intermediates.get(), *it)) | 398 if (!sk_X509_push(intermediates.get(), *it)) |
| 391 return ERR_OUT_OF_MEMORY; | 399 return ERR_OUT_OF_MEMORY; |
| 422 // cache the DER (if not already cached via X509_set_ex_data). | 430 // cache the DER (if not already cached via X509_set_ex_data). |
| 423 DERCache der_cache_a, der_cache_b; | 431 DERCache der_cache_a, der_cache_b; |
| 424 | 432 |
| 425 return GetDERAndCacheIfNeeded(a, &der_cache_a) && | 433 return GetDERAndCacheIfNeeded(a, &der_cache_a) && |
| 426 GetDERAndCacheIfNeeded(b, &der_cache_b) && | 434 GetDERAndCacheIfNeeded(b, &der_cache_b) && |
| 427 der_cache_a.data_length == der_cache_b.data_length && | 435 der_cache_a.data_length == der_cache_b.data_length && |
| 428 memcmp(der_cache_a.data, der_cache_b.data, der_cache_a.data_length) == 0; | 436 memcmp(der_cache_a.data, der_cache_b.data, der_cache_a.data_length) == 0; |
| 429 } | 437 } |
| 430 | 438 |
| 431 } // namespace net | 439 } // namespace net |
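Review bot: The new hostname check at lines 385-388 of the new side hands cert_names straight to x509_openssl_util::VerifyHostname, and nothing in the hunk guards against a name containing an embedded NUL: GetDNSNames builds each entry from ASN1_STRING_data with the explicit ASN1_STRING_length (lines 109-114), so a length-delimited SAN value is preserved as-is, while whether VerifyHostname compares the full std::string length or stops at the first NUL is not visible here. Rejecting such a name before the call keeps the result independent of how the helper (or anything it calls) treats the bytes, and records the mismatch through the same CERT_STATUS_COMMON_NAME_INVALID bit the hunk already uses. It would also help to state above line 385 why a mismatch is recorded rather than returned early, e.g. `// A name mismatch is recorded as a status bit so chain verification below still runs.`, since the function keeps going after the check; the body of X509Certificate::Verify continues past the lines shown.
```cpp
  std::vector<std::string> cert_names;
  GetDNSNames(&cert_names);
  // Names are length-delimited (see GetDNSNames); never let an embedded NUL
  // reach a comparison that might treat the value as a C string.
  bool has_embedded_nul = false;
  for (size_t i = 0; i < cert_names.size(); ++i) {
    if (cert_names[i].find('\0') != std::string::npos)
      has_embedded_nul = true;
  }
  if (has_embedded_nul ||
      !x509_openssl_util::VerifyHostname(hostname, cert_names))
    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
  // … unchanged: X509_STORE_CTX setup and intermediate stack …
```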