OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_android.h" | 5 #include "net/cert/cert_verify_proc_android.h" |
6 | 6 |
| 7 #include <openssl/x509v3.h> |
| 8 |
7 #include <string> | 9 #include <string> |
8 #include <vector> | 10 #include <vector> |
9 | 11 |
10 #include "base/logging.h" | 12 #include "base/logging.h" |
11 #include "base/sha1.h" | 13 #include "base/sha1.h" |
12 #include "base/strings/string_piece.h" | 14 #include "base/strings/string_piece.h" |
13 #include "crypto/sha2.h" | 15 #include "crypto/sha2.h" |
14 #include "net/android/cert_verify_result_android.h" | 16 #include "net/android/cert_verify_result_android.h" |
15 #include "net/android/network_library.h" | 17 #include "net/android/network_library.h" |
16 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
64 std::vector<base::StringPiece> verified_chain_pieces(verified_chain.size()); | 66 std::vector<base::StringPiece> verified_chain_pieces(verified_chain.size()); |
65 for (size_t i = 0; i < verified_chain.size(); i++) { | 67 for (size_t i = 0; i < verified_chain.size(); i++) { |
66 verified_chain_pieces[i] = base::StringPiece(verified_chain[i]); | 68 verified_chain_pieces[i] = base::StringPiece(verified_chain[i]); |
67 } | 69 } |
68 scoped_refptr<X509Certificate> verified_cert = | 70 scoped_refptr<X509Certificate> verified_cert = |
69 X509Certificate::CreateFromDERCertChain(verified_chain_pieces); | 71 X509Certificate::CreateFromDERCertChain(verified_chain_pieces); |
70 if (verified_cert) | 72 if (verified_cert) |
71 verify_result->verified_cert = verified_cert; | 73 verify_result->verified_cert = verified_cert; |
72 } | 74 } |
73 | 75 |
| 76 // Extract the algorithm information from the certs |
| 77 X509Certificate::OSCertHandles chain; |
| 78 const X509Certificate::OSCertHandles& intermediates = |
| 79 verify_result->verified_cert->GetIntermediateCertificates(); |
| 80 chain.push_back(verify_result->verified_cert->os_cert_handle()); |
| 81 chain.insert(chain.end(), intermediates.begin(), intermediates.end()); |
| 82 |
| 83 // If the chain successfully verified, ignore the trust anchor (the last |
| 84 // certificate). Otherwise, assume the chain is partial. This is not entirely |
| 85 // correct, as a full chain may have been constructed and then failed to |
| 86 // validate. However, if that is the case, the more serious error will |
| 87 // override any SHA-1 considerations. |
| 88 size_t correction_for_root = (status == android::VERIFY_OK) ? 1 : 0; |
| 89 for (size_t i = 0; i < chain.size() - correction_for_root; ++i) { |
| 90 int sig_alg = OBJ_obj2nid(chain[i]->sig_alg->algorithm); |
| 91 if (sig_alg == NID_md2WithRSAEncryption) { |
| 92 verify_result->has_md2 = true; |
| 93 } else if (sig_alg == NID_md4WithRSAEncryption) { |
| 94 verify_result->has_md4 = true; |
| 95 } else if (sig_alg == NID_md5WithRSAEncryption || |
| 96 sig_alg == NID_md5WithRSA) { |
| 97 verify_result->has_md5 = true; |
| 98 } else if (sig_alg == NID_sha1WithRSAEncryption || |
| 99 sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 || |
| 100 sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA || |
| 101 sig_alg == NID_ecdsa_with_SHA1) { |
| 102 verify_result->has_sha1 = true; |
| 103 } |
| 104 } |
| 105 |
74 // Extract the public key hashes. | 106 // Extract the public key hashes. |
75 for (size_t i = 0; i < verified_chain.size(); i++) { | 107 for (size_t i = 0; i < verified_chain.size(); i++) { |
76 base::StringPiece spki_bytes; | 108 base::StringPiece spki_bytes; |
77 if (!asn1::ExtractSPKIFromDERCert(verified_chain[i], &spki_bytes)) | 109 if (!asn1::ExtractSPKIFromDERCert(verified_chain[i], &spki_bytes)) |
78 continue; | 110 continue; |
79 | 111 |
80 HashValue sha1(HASH_VALUE_SHA1); | 112 HashValue sha1(HASH_VALUE_SHA1); |
81 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 113 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
82 spki_bytes.size(), sha1.data()); | 114 spki_bytes.size(), sha1.data()); |
83 verify_result->public_key_hashes.push_back(sha1); | 115 verify_result->public_key_hashes.push_back(sha1); |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
141 NOTREACHED(); | 173 NOTREACHED(); |
142 return ERR_FAILED; | 174 return ERR_FAILED; |
143 } | 175 } |
144 if (IsCertStatusError(verify_result->cert_status)) | 176 if (IsCertStatusError(verify_result->cert_status)) |
145 return MapCertStatusToNetError(verify_result->cert_status); | 177 return MapCertStatusToNetError(verify_result->cert_status); |
146 | 178 |
147 return OK; | 179 return OK; |
148 } | 180 } |
149 | 181 |
150 } // namespace net | 182 } // namespace net |
OLD | NEW |