OLD | NEW |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
9 #include <time.h> | 9 #include <time.h> |
10 | 10 |
11 #include "base/lazy_instance.h" | 11 #include "base/lazy_instance.h" |
12 #include "base/logging.h" | 12 #include "base/logging.h" |
13 #include "base/pickle.h" | 13 #include "base/pickle.h" |
14 #include "base/singleton.h" | 14 #include "base/singleton.h" |
15 #include "base/mac/scoped_cftyperef.h" | 15 #include "base/mac/scoped_cftyperef.h" |
16 #include "base/sys_string_conversions.h" | 16 #include "base/sys_string_conversions.h" |
17 #include "net/base/cert_status_flags.h" | 17 #include "net/base/cert_status_flags.h" |
18 #include "net/base/cert_verify_result.h" | 18 #include "net/base/cert_verify_result.h" |
19 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 20 #include "net/base/test_root_certs.h" |
20 | 21 |
21 using base::mac::ScopedCFTypeRef; | 22 using base::mac::ScopedCFTypeRef; |
22 using base::Time; | 23 using base::Time; |
23 | 24 |
24 namespace net { | 25 namespace net { |
25 | 26 |
26 namespace { | 27 namespace { |
27 | 28 |
28 class MacTrustedCertificates { | |
29 public: | |
30 // Sets the trusted root certificate used by tests. Call with |cert| set | |
31 // to NULL to clear the test certificate. | |
32 void SetTestCertificate(X509Certificate* cert) { | |
33 AutoLock lock(lock_); | |
34 test_certificate_ = cert; | |
35 } | |
36 | |
37 // Returns an array containing the trusted certificates for use with | |
38 // SecTrustSetAnchorCertificates(). Returns NULL if the system-supplied | |
39 // list of trust anchors is acceptable (that is, there is not test | |
40 // certificate available). Ownership follows the Create Rule (caller | |
41 // is responsible for calling CFRelease on the non-NULL result). | |
42 CFArrayRef CopyTrustedCertificateArray() { | |
43 AutoLock lock(lock_); | |
44 | |
45 if (!test_certificate_) | |
46 return NULL; | |
47 | |
48 // Failure to copy the anchor certificates or add the test certificate | |
49 // is non-fatal; SecTrustEvaluate() will use the system anchors instead. | |
50 CFArrayRef anchor_array; | |
51 OSStatus status = SecTrustCopyAnchorCertificates(&anchor_array); | |
52 if (status) | |
53 return NULL; | |
54 ScopedCFTypeRef<CFArrayRef> scoped_anchor_array(anchor_array); | |
55 CFMutableArrayRef merged_array = CFArrayCreateMutableCopy( | |
56 kCFAllocatorDefault, 0, anchor_array); | |
57 if (!merged_array) | |
58 return NULL; | |
59 CFArrayAppendValue(merged_array, test_certificate_->os_cert_handle()); | |
60 | |
61 return merged_array; | |
62 } | |
63 private: | |
64 friend struct base::DefaultLazyInstanceTraits<MacTrustedCertificates>; | |
65 | |
66 // Obtain an instance of MacTrustedCertificates via the singleton | |
67 // interface. | |
68 MacTrustedCertificates() : test_certificate_(NULL) { } | |
69 | |
70 // An X509Certificate object that may be appended to the list of | |
71 // system trusted anchors. | |
72 scoped_refptr<X509Certificate> test_certificate_; | |
73 | |
74 // The trusted cache may be accessed from multiple threads. | |
75 mutable Lock lock_; | |
76 | |
77 DISALLOW_COPY_AND_ASSIGN(MacTrustedCertificates); | |
78 }; | |
79 | |
80 base::LazyInstance<MacTrustedCertificates, | |
81 base::LeakyLazyInstanceTraits<MacTrustedCertificates> > | |
82 g_mac_trusted_certificates(base::LINKER_INITIALIZED); | |
83 | |
84 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef, | 29 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef, |
85 CFDictionaryRef*); | 30 CFDictionaryRef*); |
86 | 31 |
87 int NetErrorFromOSStatus(OSStatus status) { | 32 int NetErrorFromOSStatus(OSStatus status) { |
88 switch (status) { | 33 switch (status) { |
89 case noErr: | 34 case noErr: |
90 return OK; | 35 return OK; |
91 case errSecNotAvailable: | 36 case errSecNotAvailable: |
92 case errSecNoCertificateModule: | 37 case errSecNoCertificateModule: |
93 case errSecNoPolicyModule: | 38 case errSecNoPolicyModule: |
(...skipping 325 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
419 if (IsValidOSCertHandle(cert)) { | 364 if (IsValidOSCertHandle(cert)) { |
420 CFRetain(cert); | 365 CFRetain(cert); |
421 output->push_back(cert); | 366 output->push_back(cert); |
422 } | 367 } |
423 } | 368 } |
424 } | 369 } |
425 } | 370 } |
426 | 371 |
427 } // namespace | 372 } // namespace |
428 | 373 |
429 void SetMacTestCertificate(X509Certificate* cert) { | |
430 g_mac_trusted_certificates.Get().SetTestCertificate(cert); | |
431 } | |
432 | |
433 void X509Certificate::Initialize() { | 374 void X509Certificate::Initialize() { |
434 const CSSM_X509_NAME* name; | 375 const CSSM_X509_NAME* name; |
435 OSStatus status = SecCertificateGetSubject(cert_handle_, &name); | 376 OSStatus status = SecCertificateGetSubject(cert_handle_, &name); |
436 if (!status) | 377 if (!status) |
437 subject_.Parse(name); | 378 subject_.Parse(name); |
438 | 379 |
439 status = SecCertificateGetIssuer(cert_handle_, &name); | 380 status = SecCertificateGetIssuer(cert_handle_, &name); |
440 if (!status) | 381 if (!status) |
441 issuer_.Parse(name); | 382 issuer_.Parse(name); |
442 | 383 |
(...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
521 // Apple's cert code, which we suspect are caused by a thread-safety issue. | 462 // Apple's cert code, which we suspect are caused by a thread-safety issue. |
522 // So as a speculative fix allow only one thread to use SecTrust on this cert. | 463 // So as a speculative fix allow only one thread to use SecTrust on this cert. |
523 AutoLock lock(verification_lock_); | 464 AutoLock lock(verification_lock_); |
524 | 465 |
525 SecTrustRef trust_ref = NULL; | 466 SecTrustRef trust_ref = NULL; |
526 status = SecTrustCreateWithCertificates(cert_array, ssl_policy, &trust_ref); | 467 status = SecTrustCreateWithCertificates(cert_array, ssl_policy, &trust_ref); |
527 if (status) | 468 if (status) |
528 return NetErrorFromOSStatus(status); | 469 return NetErrorFromOSStatus(status); |
529 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref); | 470 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref); |
530 | 471 |
531 // Set the trusted anchor certificates for the SecTrustRef by merging the | 472 if (TestRootCerts::HasInstance()) { |
532 // system trust anchors and the test root certificate. | 473 status = TestRootCerts::GetInstance()->FixupSecTrustRef(trust_ref); |
533 CFArrayRef anchor_array = | |
534 g_mac_trusted_certificates.Get().CopyTrustedCertificateArray(); | |
535 ScopedCFTypeRef<CFArrayRef> scoped_anchor_array(anchor_array); | |
536 if (anchor_array) { | |
537 status = SecTrustSetAnchorCertificates(trust_ref, anchor_array); | |
538 if (status) | 474 if (status) |
539 return NetErrorFromOSStatus(status); | 475 return NetErrorFromOSStatus(status); |
540 } | 476 } |
541 | 477 |
542 if (flags & VERIFY_REV_CHECKING_ENABLED) { | 478 if (flags & VERIFY_REV_CHECKING_ENABLED) { |
543 // When called with VERIFY_REV_CHECKING_ENABLED, we ask SecTrustEvaluate() | 479 // When called with VERIFY_REV_CHECKING_ENABLED, we ask SecTrustEvaluate() |
544 // to apply OCSP and CRL checking, but we're still subject to the global | 480 // to apply OCSP and CRL checking, but we're still subject to the global |
545 // settings, which are configured in the Keychain Access application (in | 481 // settings, which are configured in the Keychain Access application (in |
546 // the Certificates tab of the Preferences dialog). If the user has | 482 // the Certificates tab of the Preferences dialog). If the user has |
547 // revocation disabled (which is the default), then we will get | 483 // revocation disabled (which is the default), then we will get |
(...skipping 442 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
990 cert_chain, | 926 cert_chain, |
991 CFRangeMake(1, chain_count - 1)); | 927 CFRangeMake(1, chain_count - 1)); |
992 } | 928 } |
993 CFRelease(cert_chain); | 929 CFRelease(cert_chain); |
994 } | 930 } |
995 | 931 |
996 return chain.release(); | 932 return chain.release(); |
997 } | 933 } |
998 | 934 |
999 } // namespace net | 935 } // namespace net |
OLD | NEW |