Chromium Code Reviews Chromium Code Reviews
Issue 6793041:
net: add ability to distinguish user-added root CAs. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <nss.h> | 10 #include <nss.h> |
| (...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 196 break; | 196 break; |
| 197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: | 197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: |
| 198 verify_result->has_md4 = true; | 198 verify_result->has_md4 = true; |
| 199 break; | 199 break; |
| 200 default: | 200 default: |
| 201 break; | 201 break; |
| 202 } | 202 } |
| 203 } | 203 } |
| 204 } | 204 } |
| 205 | 205 |
| 206 // IsKnownRoot returns true if the given certificate is one that we believe is | |
| 207 // a standard (as opposed to user-installed) root. | |
| 208 static bool IsKnownRoot(CERTCertificate* root) { | |
|
wtc
2011/04/06 04:28:38
Remove 'static', because this is in the unnamed na
agl
2011/04/06 19:02:02
Done.
| |
| 209 if (!root->slot) | |
| 210 return false; | |
| 211 | |
| 212 // This magic name is taken from | |
| 213 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79 | |
| 214 return 0 == strcmp(PK11_GetSlotName(root->slot), | |
| 215 "NSS Builtin Objects"); | |
| 216 } | |
| 217 | |
| 206 typedef char* (*CERTGetNameFunc)(CERTName* name); | 218 typedef char* (*CERTGetNameFunc)(CERTName* name); |
| 207 | 219 |
| 208 void ParsePrincipal(CERTName* name, | 220 void ParsePrincipal(CERTName* name, |
| 209 CertPrincipal* principal) { | 221 CertPrincipal* principal) { |
| 210 // TODO(jcampan): add business_category and serial_number. | 222 // TODO(jcampan): add business_category and serial_number. |
| 211 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and | 223 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
| 212 // CERT_GetDomainComponentName functions, but they return only the most | 224 // CERT_GetDomainComponentName functions, but they return only the most |
| 213 // general (the first) RDN. NSS doesn't have a function for the street | 225 // general (the first) RDN. NSS doesn't have a function for the street |
| 214 // address. | 226 // address. |
| 215 static const SECOidTag kOIDs[] = { | 227 static const SECOidTag kOIDs[] = { |
| (...skipping 546 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 762 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | 774 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 763 | 775 |
| 764 // Make sure that the cert is valid now. | 776 // Make sure that the cert is valid now. |
| 765 SECCertTimeValidity validity = CERT_CheckCertValidTimes( | 777 SECCertTimeValidity validity = CERT_CheckCertValidTimes( |
| 766 cert_handle_, PR_Now(), PR_TRUE); | 778 cert_handle_, PR_Now(), PR_TRUE); |
| 767 if (validity != secCertTimeValid) | 779 if (validity != secCertTimeValid) |
| 768 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; | 780 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; |
| 769 | 781 |
| 770 CERTValOutParam cvout[3]; | 782 CERTValOutParam cvout[3]; |
| 771 int cvout_index = 0; | 783 int cvout_index = 0; |
| 772 // We don't need the trust anchor for the first PKIXVerifyCert call. | 784 // We don't need the trust anchor for the first PKIXVerifyCert call. |
|
wtc
2011/04/06 04:28:38
Delete this comment because it's no longer true.
agl
2011/04/06 19:02:02
Done.
| |
| 773 cvout[cvout_index].type = cert_po_certList; | 785 cvout[cvout_index].type = cert_po_certList; |
| 774 cvout[cvout_index].value.pointer.chain = NULL; | 786 cvout[cvout_index].value.pointer.chain = NULL; |
| 775 int cvout_cert_list_index = cvout_index; | 787 int cvout_cert_list_index = cvout_index; |
| 776 cvout_index++; | 788 cvout_index++; |
| 789 cvout[cvout_index].type = cert_po_trustAnchor; | |
| 790 cvout[cvout_index].value.pointer.cert = NULL; | |
| 791 int cvout_trust_anchor_index = cvout_index; | |
| 792 cvout_index++; | |
| 777 cvout[cvout_index].type = cert_po_end; | 793 cvout[cvout_index].type = cert_po_end; |
| 778 ScopedCERTValOutParam scoped_cvout(cvout); | 794 ScopedCERTValOutParam scoped_cvout(cvout); |
| 779 | 795 |
| 780 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); | 796 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); |
| 781 if (check_revocation) { | 797 if (check_revocation) { |
| 782 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; | 798 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; |
| 783 } else { | 799 } else { |
| 784 // EV requires revocation checking. | 800 // EV requires revocation checking. |
| 785 flags &= ~VERIFY_EV_CERT; | 801 flags &= ~VERIFY_EV_CERT; |
| 786 } | 802 } |
| (...skipping 14 matching lines...) Expand all Loading... | |
| 801 } | 817 } |
| 802 // |err| is not a certificate error. | 818 // |err| is not a certificate error. |
| 803 return MapSecurityError(err); | 819 return MapSecurityError(err); |
| 804 } | 820 } |
| 805 | 821 |
| 806 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, | 822 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, |
| 807 verify_result); | 823 verify_result); |
| 808 if (IsCertStatusError(verify_result->cert_status)) | 824 if (IsCertStatusError(verify_result->cert_status)) |
| 809 return MapCertStatusToNetError(verify_result->cert_status); | 825 return MapCertStatusToNetError(verify_result->cert_status); |
| 810 | 826 |
| 827 verify_result->is_probably_mitm_cert = | |
| 828 !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); | |
| 829 | |
| 811 if ((flags & VERIFY_EV_CERT) && VerifyEV()) | 830 if ((flags & VERIFY_EV_CERT) && VerifyEV()) |
| 812 verify_result->cert_status |= CERT_STATUS_IS_EV; | 831 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 813 return OK; | 832 return OK; |
| 814 } | 833 } |
| 815 | 834 |
| 816 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 835 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
| 817 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess; | 836 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess; |
| 818 } | 837 } |
| 819 | 838 |
| 820 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp | 839 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp |
| (...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 958 DCHECK(0 != cert->derCert.len); | 977 DCHECK(0 != cert->derCert.len); |
| 959 | 978 |
| 960 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, | 979 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, |
| 961 cert->derCert.data, cert->derCert.len); | 980 cert->derCert.data, cert->derCert.len); |
| 962 DCHECK(rv == SECSuccess); | 981 DCHECK(rv == SECSuccess); |
| 963 | 982 |
| 964 return sha1; | 983 return sha1; |
| 965 } | 984 } |
| 966 | 985 |
| 967 } // namespace net | 986 } // namespace net |
| OLD | NEW |
