OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_android.h" | 5 #include "net/cert/cert_verify_proc_android.h" |
6 | 6 |
7 #include <openssl/x509v3.h> | |
8 | |
7 #include <string> | 9 #include <string> |
8 #include <vector> | 10 #include <vector> |
9 | 11 |
10 #include "base/logging.h" | 12 #include "base/logging.h" |
11 #include "base/sha1.h" | 13 #include "base/sha1.h" |
12 #include "base/strings/string_piece.h" | 14 #include "base/strings/string_piece.h" |
13 #include "crypto/sha2.h" | 15 #include "crypto/sha2.h" |
14 #include "net/android/cert_verify_result_android.h" | 16 #include "net/android/cert_verify_result_android.h" |
15 #include "net/android/network_library.h" | 17 #include "net/android/network_library.h" |
16 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
64 std::vector<base::StringPiece> verified_chain_pieces(verified_chain.size()); | 66 std::vector<base::StringPiece> verified_chain_pieces(verified_chain.size()); |
65 for (size_t i = 0; i < verified_chain.size(); i++) { | 67 for (size_t i = 0; i < verified_chain.size(); i++) { |
66 verified_chain_pieces[i] = base::StringPiece(verified_chain[i]); | 68 verified_chain_pieces[i] = base::StringPiece(verified_chain[i]); |
67 } | 69 } |
68 scoped_refptr<X509Certificate> verified_cert = | 70 scoped_refptr<X509Certificate> verified_cert = |
69 X509Certificate::CreateFromDERCertChain(verified_chain_pieces); | 71 X509Certificate::CreateFromDERCertChain(verified_chain_pieces); |
70 if (verified_cert) | 72 if (verified_cert) |
71 verify_result->verified_cert = verified_cert; | 73 verify_result->verified_cert = verified_cert; |
72 } | 74 } |
73 | 75 |
76 // Extract the algorithm information from the certs | |
77 X509Certificate::OSCertHandles chain; | |
78 const X509Certificate::OSCertHandles& intermediates = | |
79 verify_result->verified_cert->GetIntermediateCertificates(); | |
80 chain.push_back(verify_result->verified_cert->os_cert_handle()); | |
81 chain.insert(chain.end(), intermediates.begin(), intermediates.end()); | |
82 | |
83 // If a root certificate is present, ignore its signature algorithm. If it | |
84 // is unclear whether or not a root is present, assume the chain is a full, | |
85 // but unverified, chain. | |
davidben
2014/08/28 19:42:08
Is this comment accurate? If we were unable to bui
| |
86 size_t correction_for_root = | |
87 (verify_result->cert_status & | |
88 (CERT_STATUS_AUTHORITY_INVALID | CERT_STATUS_INVALID)) | |
89 ? 0 | |
90 : 1; | |
91 for (size_t i = 0; i < chain.size() - correction_for_root; ++i) { | |
92 int sig_alg = OBJ_obj2nid(chain[i]->sig_alg->algorithm); | |
93 if (sig_alg == NID_md2WithRSAEncryption) { | |
94 verify_result->has_md2 = true; | |
95 } else if (sig_alg == NID_md4WithRSAEncryption) { | |
96 verify_result->has_md4 = true; | |
97 } else if (sig_alg == NID_md5WithRSAEncryption || | |
98 sig_alg == NID_md5WithRSA) { | |
99 verify_result->has_md5 = true; | |
100 } else if (sig_alg == NID_sha1WithRSAEncryption || | |
101 sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 || | |
102 sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA || | |
103 sig_alg == NID_ecdsa_with_SHA1) { | |
104 verify_result->has_sha1 = true; | |
105 } | |
106 } | |
107 | |
74 // Extract the public key hashes. | 108 // Extract the public key hashes. |
75 for (size_t i = 0; i < verified_chain.size(); i++) { | 109 for (size_t i = 0; i < verified_chain.size(); i++) { |
76 base::StringPiece spki_bytes; | 110 base::StringPiece spki_bytes; |
77 if (!asn1::ExtractSPKIFromDERCert(verified_chain[i], &spki_bytes)) | 111 if (!asn1::ExtractSPKIFromDERCert(verified_chain[i], &spki_bytes)) |
78 continue; | 112 continue; |
79 | 113 |
80 HashValue sha1(HASH_VALUE_SHA1); | 114 HashValue sha1(HASH_VALUE_SHA1); |
81 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 115 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
82 spki_bytes.size(), sha1.data()); | 116 spki_bytes.size(), sha1.data()); |
83 verify_result->public_key_hashes.push_back(sha1); | 117 verify_result->public_key_hashes.push_back(sha1); |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
141 NOTREACHED(); | 175 NOTREACHED(); |
142 return ERR_FAILED; | 176 return ERR_FAILED; |
143 } | 177 } |
144 if (IsCertStatusError(verify_result->cert_status)) | 178 if (IsCertStatusError(verify_result->cert_status)) |
145 return MapCertStatusToNetError(verify_result->cert_status); | 179 return MapCertStatusToNetError(verify_result->cert_status); |
146 | 180 |
147 return OK; | 181 return OK; |
148 } | 182 } |
149 | 183 |
150 } // namespace net | 184 } // namespace net |
OLD | NEW |