Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(42)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/x509_certificate_nss.cc

Issue 6793041: net: add ability to distinguish user-added root CAs. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/base/x509_certificate_mac.cc ('K') | « net/base/x509_certificate_mac_known_roots.h ('k') | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <cert.h> 7 #include <cert.h>
8 #include <cryptohi.h> 8 #include <cryptohi.h>
9 #include <keyhi.h> 9 #include <keyhi.h>
10 #include <nss.h> 10 #include <nss.h>
(...skipping 185 matching lines...) Expand 10 before | Expand all | Expand 10 after
196 break; 196 break;
197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: 197 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
198 verify_result->has_md4 = true; 198 verify_result->has_md4 = true;
199 break; 199 break;
200 default: 200 default:
201 break; 201 break;
202 } 202 }
203 } 203 }
204 } 204 }
205 205
206 // IsBuiltinRoot returns true if the given certificate is one that we believe
207 // is a standard (as opposed to user-installed) root.
208 bool IsBuiltinRoot(CERTCertificate* root) {
wtc 2011/04/07 05:01:54 Please change this back to IsKnownRoot for consist
agl 2011/04/07 15:02:49 Done.
209 if (!root->slot)
210 return true;
wtc 2011/04/07 05:01:54 BUG: this should still return false.
agl 2011/04/07 15:02:49 I'm not sure that it should. In the event of an er
211
212 // This magic name is taken from
213 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/b uiltins/constants.c&rev=1.13&mark=86,89#79
214 return 0 == strcmp(PK11_GetSlotName(root->slot),
215 "NSS Builtin Objects");
216 }
217
206 typedef char* (*CERTGetNameFunc)(CERTName* name); 218 typedef char* (*CERTGetNameFunc)(CERTName* name);
207 219
208 void ParsePrincipal(CERTName* name, 220 void ParsePrincipal(CERTName* name,
209 CertPrincipal* principal) { 221 CertPrincipal* principal) {
210 // TODO(jcampan): add business_category and serial_number. 222 // TODO(jcampan): add business_category and serial_number.
211 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and 223 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and
212 // CERT_GetDomainComponentName functions, but they return only the most 224 // CERT_GetDomainComponentName functions, but they return only the most
213 // general (the first) RDN. NSS doesn't have a function for the street 225 // general (the first) RDN. NSS doesn't have a function for the street
214 // address. 226 // address.
215 static const SECOidTag kOIDs[] = { 227 static const SECOidTag kOIDs[] = {
(...skipping 546 matching lines...) Expand 10 before | Expand all | Expand 10 after
762 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; 774 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
763 775
764 // Make sure that the cert is valid now. 776 // Make sure that the cert is valid now.
765 SECCertTimeValidity validity = CERT_CheckCertValidTimes( 777 SECCertTimeValidity validity = CERT_CheckCertValidTimes(
766 cert_handle_, PR_Now(), PR_TRUE); 778 cert_handle_, PR_Now(), PR_TRUE);
767 if (validity != secCertTimeValid) 779 if (validity != secCertTimeValid)
768 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; 780 verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
769 781
770 CERTValOutParam cvout[3]; 782 CERTValOutParam cvout[3];
771 int cvout_index = 0; 783 int cvout_index = 0;
772 // We don't need the trust anchor for the first PKIXVerifyCert call.
773 cvout[cvout_index].type = cert_po_certList; 784 cvout[cvout_index].type = cert_po_certList;
774 cvout[cvout_index].value.pointer.chain = NULL; 785 cvout[cvout_index].value.pointer.chain = NULL;
775 int cvout_cert_list_index = cvout_index; 786 int cvout_cert_list_index = cvout_index;
776 cvout_index++; 787 cvout_index++;
788 cvout[cvout_index].type = cert_po_trustAnchor;
789 cvout[cvout_index].value.pointer.cert = NULL;
790 int cvout_trust_anchor_index = cvout_index;
791 cvout_index++;
777 cvout[cvout_index].type = cert_po_end; 792 cvout[cvout_index].type = cert_po_end;
778 ScopedCERTValOutParam scoped_cvout(cvout); 793 ScopedCERTValOutParam scoped_cvout(cvout);
779 794
780 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED); 795 bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED);
781 if (check_revocation) { 796 if (check_revocation) {
782 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 797 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
783 } else { 798 } else {
784 // EV requires revocation checking. 799 // EV requires revocation checking.
785 flags &= ~VERIFY_EV_CERT; 800 flags &= ~VERIFY_EV_CERT;
786 } 801 }
(...skipping 14 matching lines...) Expand all
801 } 816 }
802 // |err| is not a certificate error. 817 // |err| is not a certificate error.
803 return MapSecurityError(err); 818 return MapSecurityError(err);
804 } 819 }
805 820
806 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, 821 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
807 verify_result); 822 verify_result);
808 if (IsCertStatusError(verify_result->cert_status)) 823 if (IsCertStatusError(verify_result->cert_status))
809 return MapCertStatusToNetError(verify_result->cert_status); 824 return MapCertStatusToNetError(verify_result->cert_status);
810 825
826 verify_result->is_issued_by_known_root =
827 IsBuiltinRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
828
811 if ((flags & VERIFY_EV_CERT) && VerifyEV()) 829 if ((flags & VERIFY_EV_CERT) && VerifyEV())
812 verify_result->cert_status |= CERT_STATUS_IS_EV; 830 verify_result->cert_status |= CERT_STATUS_IS_EV;
813 return OK; 831 return OK;
814 } 832 }
815 833
816 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { 834 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
817 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess; 835 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess;
818 } 836 }
819 837
820 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp 838 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after
958 DCHECK(0 != cert->derCert.len); 976 DCHECK(0 != cert->derCert.len);
959 977
960 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data, 978 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data,
961 cert->derCert.data, cert->derCert.len); 979 cert->derCert.data, cert->derCert.len);
962 DCHECK(rv == SECSuccess); 980 DCHECK(rv == SECSuccess);
963 981
964 return sha1; 982 return sha1;
965 } 983 }
966 984
967 } // namespace net 985 } // namespace net
OLDNEW
« net/base/x509_certificate_mac.cc ('K') | « net/base/x509_certificate_mac_known_roots.h ('k') | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698