OLD | NEW |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
| 7 #include "base/crypto/scoped_capi_types.h" |
7 #include "base/lazy_instance.h" | 8 #include "base/lazy_instance.h" |
8 #include "base/logging.h" | 9 #include "base/logging.h" |
9 #include "base/pickle.h" | 10 #include "base/pickle.h" |
10 #include "base/string_tokenizer.h" | 11 #include "base/string_tokenizer.h" |
11 #include "base/string_util.h" | 12 #include "base/string_util.h" |
12 #include "base/utf_string_conversions.h" | 13 #include "base/utf_string_conversions.h" |
13 #include "net/base/cert_status_flags.h" | 14 #include "net/base/cert_status_flags.h" |
14 #include "net/base/cert_verify_result.h" | 15 #include "net/base/cert_verify_result.h" |
15 #include "net/base/ev_root_ca_metadata.h" | 16 #include "net/base/ev_root_ca_metadata.h" |
16 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
17 #include "net/base/scoped_cert_chain_context.h" | 18 #include "net/base/scoped_cert_chain_context.h" |
| 19 #include "net/base/test_root_certs.h" |
18 | 20 |
19 #pragma comment(lib, "crypt32.lib") | 21 #pragma comment(lib, "crypt32.lib") |
20 | 22 |
21 using base::Time; | 23 using base::Time; |
22 | 24 |
23 namespace net { | 25 namespace net { |
24 | 26 |
25 namespace { | 27 namespace { |
26 | 28 |
| 29 typedef base::ScopedCAPIHandle< |
| 30 HCERTSTORE, |
| 31 base::CAPIDestroyerWithFlags<HCERTSTORE, |
| 32 CertCloseStore, 0> > ScopedHCERTSTORE; |
| 33 |
| 34 struct FreeChainEngineFunctor { |
| 35 void operator()(HCERTCHAINENGINE engine) const { |
| 36 if (engine) |
| 37 CertFreeCertificateChainEngine(engine); |
| 38 } |
| 39 }; |
| 40 |
| 41 typedef base::ScopedCAPIHandle<HCERTCHAINENGINE, FreeChainEngineFunctor> |
| 42 ScopedHCERTCHAINENGINE; |
| 43 |
27 //----------------------------------------------------------------------------- | 44 //----------------------------------------------------------------------------- |
28 | 45 |
29 // TODO(wtc): This is a copy of the MapSecurityError function in | 46 // TODO(wtc): This is a copy of the MapSecurityError function in |
30 // ssl_client_socket_win.cc. Another function that maps Windows error codes | 47 // ssl_client_socket_win.cc. Another function that maps Windows error codes |
31 // to our network error codes is WinInetUtil::OSErrorToNetError. We should | 48 // to our network error codes is WinInetUtil::OSErrorToNetError. We should |
32 // eliminate the code duplication. | 49 // eliminate the code duplication. |
33 int MapSecurityError(SECURITY_STATUS err) { | 50 int MapSecurityError(SECURITY_STATUS err) { |
34 // There are numerous security error codes, but these are the ones we thus | 51 // There are numerous security error codes, but these are the ones we thus |
35 // far find interesting. | 52 // far find interesting. |
36 switch (err) { | 53 switch (err) { |
(...skipping 565 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
602 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; | 619 chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND; |
603 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; | 620 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1; |
604 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = | 621 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = |
605 &ev_policy_oid; | 622 &ev_policy_oid; |
606 break; | 623 break; |
607 } | 624 } |
608 } | 625 } |
609 } | 626 } |
610 } | 627 } |
611 | 628 |
| 629 // For non-test scenarios, use the default HCERTCHAINENGINE, NULL, which |
| 630 // corresponds to HCCE_CURRENT_USER and is is initialized as needed by |
| 631 // crypt32. However, when testing, it is necessary to create a new |
| 632 // HCERTCHAINENGINE and use that instead. This is because each |
| 633 // HCERTCHAINENGINE maintains a cache of information about certificates |
| 634 // encountered, and each test run may modify the trust status of a |
| 635 // certificate. |
| 636 ScopedHCERTCHAINENGINE chain_engine(NULL); |
| 637 if (TestRootCerts::HasInstance()) |
| 638 chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine()); |
| 639 |
612 PCCERT_CHAIN_CONTEXT chain_context; | 640 PCCERT_CHAIN_CONTEXT chain_context; |
613 // IE passes a non-NULL pTime argument that specifies the current system | 641 // IE passes a non-NULL pTime argument that specifies the current system |
614 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the | 642 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the |
615 // chain_flags argument. | 643 // chain_flags argument. |
616 if (!CertGetCertificateChain( | 644 if (!CertGetCertificateChain( |
617 NULL, // default chain engine, HCCE_CURRENT_USER | 645 chain_engine, |
618 cert_handle_, | 646 cert_handle_, |
619 NULL, // current system time | 647 NULL, // current system time |
620 cert_handle_->hCertStore, // search this store | 648 cert_handle_->hCertStore, |
621 &chain_para, | 649 &chain_para, |
622 chain_flags, | 650 chain_flags, |
623 NULL, // reserved | 651 NULL, // reserved |
624 &chain_context)) { | 652 &chain_context)) { |
625 return MapSecurityError(GetLastError()); | 653 return MapSecurityError(GetLastError()); |
626 } | 654 } |
627 if (chain_context->TrustStatus.dwErrorStatus & | 655 if (chain_context->TrustStatus.dwErrorStatus & |
628 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { | 656 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) { |
629 ev_policy_oid = NULL; | 657 ev_policy_oid = NULL; |
630 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; | 658 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0; |
631 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; | 659 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL; |
632 CertFreeCertificateChain(chain_context); | 660 CertFreeCertificateChain(chain_context); |
633 if (!CertGetCertificateChain( | 661 if (!CertGetCertificateChain( |
634 NULL, // default chain engine, HCCE_CURRENT_USER | 662 chain_engine, |
635 cert_handle_, | 663 cert_handle_, |
636 NULL, // current system time | 664 NULL, // current system time |
637 cert_handle_->hCertStore, // search this store | 665 cert_handle_->hCertStore, |
638 &chain_para, | 666 &chain_para, |
639 chain_flags, | 667 chain_flags, |
640 NULL, // reserved | 668 NULL, // reserved |
641 &chain_context)) { | 669 &chain_context)) { |
642 return MapSecurityError(GetLastError()); | 670 return MapSecurityError(GetLastError()); |
643 } | 671 } |
644 } | 672 } |
645 ScopedCertChainContext scoped_chain_context(chain_context); | 673 ScopedCertChainContext scoped_chain_context(chain_context); |
646 | 674 |
647 GetCertChainInfo(chain_context, verify_result); | 675 GetCertChainInfo(chain_context, verify_result); |
648 | |
649 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( | 676 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( |
650 chain_context->TrustStatus.dwErrorStatus); | 677 chain_context->TrustStatus.dwErrorStatus); |
651 | 678 |
652 // Treat certificates signed using broken signature algorithms as invalid. | 679 // Treat certificates signed using broken signature algorithms as invalid. |
653 if (verify_result->has_md4) | 680 if (verify_result->has_md4) |
654 verify_result->cert_status |= CERT_STATUS_INVALID; | 681 verify_result->cert_status |= CERT_STATUS_INVALID; |
655 | 682 |
656 // Flag certificates signed using weak signature algorithms. | 683 // Flag certificates signed using weak signature algorithms. |
657 if (verify_result->has_md2) | 684 if (verify_result->has_md2) |
658 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 685 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
860 DWORD sha1_size = sizeof(sha1.data); | 887 DWORD sha1_size = sizeof(sha1.data); |
861 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 888 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
862 cert->cbCertEncoded, sha1.data, &sha1_size); | 889 cert->cbCertEncoded, sha1.data, &sha1_size); |
863 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 890 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
864 if (!rv) | 891 if (!rv) |
865 memset(sha1.data, 0, sizeof(sha1.data)); | 892 memset(sha1.data, 0, sizeof(sha1.data)); |
866 return sha1; | 893 return sha1; |
867 } | 894 } |
868 | 895 |
869 } // namespace net | 896 } // namespace net |
OLD | NEW |