1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include "base/crypto/rsa_private_key.h" | 7 #include "base/crypto/rsa_private_key.h" |
8 #include "base/crypto/scoped_capi_types.h" | 8 #include "base/crypto/scoped_capi_types.h" |
9 #include "base/lazy_instance.h" | 9 #include "base/lazy_instance.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "base/pickle.h" | 11 #include "base/pickle.h" |
12 #include "base/sha1.h" | |
12 #include "base/string_tokenizer.h" | 13 #include "base/string_tokenizer.h" |
13 #include "base/string_util.h" | 14 #include "base/string_util.h" |
14 #include "base/utf_string_conversions.h" | 15 #include "base/utf_string_conversions.h" |
15 #include "net/base/cert_status_flags.h" | 16 #include "net/base/cert_status_flags.h" |
16 #include "net/base/cert_verify_result.h" | 17 #include "net/base/cert_verify_result.h" |
17 #include "net/base/ev_root_ca_metadata.h" | 18 #include "net/base/ev_root_ca_metadata.h" |
18 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
19 #include "net/base/scoped_cert_chain_context.h" | 20 #include "net/base/scoped_cert_chain_context.h" |
20 #include "net/base/test_root_certs.h" | 21 #include "net/base/test_root_certs.h" |
22 #include "net/base/x509_certificate_win_known_hashes.h" | |
wtc
2011/04/07 05:01:54
Typo: hashes => roots
Nit: it may be better to na
agl
2011/04/07 15:02:49
Done.
| |
21 | 23 |
22 #pragma comment(lib, "crypt32.lib") | 24 #pragma comment(lib, "crypt32.lib") |
23 | 25 |
24 using base::Time; | 26 using base::Time; |
25 | 27 |
26 namespace net { | 28 namespace net { |
27 | 29 |
28 namespace { | 30 namespace { |
29 | 31 |
30 typedef base::ScopedCAPIHandle< | 32 typedef base::ScopedCAPIHandle< |
497 scoped_array<uint8> serial_bytes(new uint8[serial->cbData]); | 499 scoped_array<uint8> serial_bytes(new uint8[serial->cbData]); |
498 for (unsigned i = 0; i < serial->cbData; i++) | 500 for (unsigned i = 0; i < serial->cbData; i++) |
499 serial_bytes[i] = serial->pbData[serial->cbData - i - 1]; | 501 serial_bytes[i] = serial->pbData[serial->cbData - i - 1]; |
500 serial_number_ = std::string( | 502 serial_number_ = std::string( |
501 reinterpret_cast<char*>(serial_bytes.get()), serial->cbData); | 503 reinterpret_cast<char*>(serial_bytes.get()), serial->cbData); |
502 // Remove leading zeros. | 504 // Remove leading zeros. |
503 while (serial_number_.size() > 1 && serial_number_[0] == 0) | 505 while (serial_number_.size() > 1 && serial_number_[0] == 0) |
504 serial_number_ = serial_number_.substr(1, serial_number_.size() - 1); | 506 serial_number_ = serial_number_.substr(1, serial_number_.size() - 1); |
505 } | 507 } |
506 | 508 |
509 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA | |
510 // which we recognise as a standard root. | |
511 bool X509Certificate::IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) { | |
512 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | |
513 int num_elements = first_chain->cElement; | |
514 if (num_elements < 1) | |
515 return true; | |
516 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | |
517 PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext; | |
518 | |
519 SHA1Fingerprint hash = CalculateFingerprint(cert); | |
520 return X509Certificate::IsSHA1HashInSortedArray( | |
521 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes)); | |
522 } | |
523 | |
507 // static | 524 // static |
508 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle, | 525 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle, |
509 void** pickle_iter) { | 526 void** pickle_iter) { |
510 const char* data; | 527 const char* data; |
511 int length; | 528 int length; |
512 if (!pickle.ReadData(pickle_iter, &data, &length)) | 529 if (!pickle.ReadData(pickle_iter, &data, &length)) |
513 return NULL; | 530 return NULL; |
514 | 531 |
515 OSCertHandle cert_handle = NULL; | 532 OSCertHandle cert_handle = NULL; |
516 if (!CertAddSerializedElementToStore( | 533 if (!CertAddSerializedElementToStore( |
775 verify_result->cert_status |= CERT_STATUS_INVALID; | 792 verify_result->cert_status |= CERT_STATUS_INVALID; |
776 | 793 |
777 // Flag certificates signed using weak signature algorithms. | 794 // Flag certificates signed using weak signature algorithms. |
778 if (verify_result->has_md2) | 795 if (verify_result->has_md2) |
779 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 796 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
780 | 797 |
781 // Flag certificates that have a Subject common name with a NULL character. | 798 // Flag certificates that have a Subject common name with a NULL character. |
782 if (CertSubjectCommonNameHasNull(cert_handle_)) | 799 if (CertSubjectCommonNameHasNull(cert_handle_)) |
783 verify_result->cert_status |= CERT_STATUS_INVALID; | 800 verify_result->cert_status |= CERT_STATUS_INVALID; |
784 | 801 |
802 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); | |
803 | |
785 std::wstring wstr_hostname = ASCIIToWide(hostname); | 804 std::wstring wstr_hostname = ASCIIToWide(hostname); |
786 | 805 |
787 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; | 806 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; |
788 memset(&extra_policy_para, 0, sizeof(extra_policy_para)); | 807 memset(&extra_policy_para, 0, sizeof(extra_policy_para)); |
789 extra_policy_para.cbSize = sizeof(extra_policy_para); | 808 extra_policy_para.cbSize = sizeof(extra_policy_para); |
790 extra_policy_para.dwAuthType = AUTHTYPE_SERVER; | 809 extra_policy_para.dwAuthType = AUTHTYPE_SERVER; |
791 extra_policy_para.fdwChecks = 0; | 810 extra_policy_para.fdwChecks = 0; |
792 extra_policy_para.pwszServerName = | 811 extra_policy_para.pwszServerName = |
793 const_cast<wchar_t*>(wstr_hostname.c_str()); | 812 const_cast<wchar_t*>(wstr_hostname.c_str()); |
794 | 813 |
990 DWORD sha1_size = sizeof(sha1.data); | 1009 DWORD sha1_size = sizeof(sha1.data); |
991 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, | 1010 rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded, |
992 cert->cbCertEncoded, sha1.data, &sha1_size); | 1011 cert->cbCertEncoded, sha1.data, &sha1_size); |
993 DCHECK(rv && sha1_size == sizeof(sha1.data)); | 1012 DCHECK(rv && sha1_size == sizeof(sha1.data)); |
994 if (!rv) | 1013 if (!rv) |
995 memset(sha1.data, 0, sizeof(sha1.data)); | 1014 memset(sha1.data, 0, sizeof(sha1.data)); |
996 return sha1; | 1015 return sha1; |
997 } | 1016 } |
998 | 1017 |
999 } // namespace net | 1018 } // namespace net |
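Review bot: IsIssuedByKnownRoot (new lines 511-522) reads `chain_context->rgpChain[0]` without checking `chain_context->cChain`, and the `num_elements < 1` branch reports a chain with no elements as anchored at a recognised standard root, which is the answer that grants the most trust to a chain carrying no certificate at all. If callers use this flag to decide how strictly to treat the chain, a guard such as `if (chain_context->cChain < 1 || first_chain->cElement < 1) return false;` fails closed; if returning true for an empty chain is deliberate, a one-line comment giving the reason would keep the next reader from "fixing" it. `num_elements` also narrows the DWORD `cElement` into an `int` only to compare it against 1 and index with it; using the DWORD directly avoids the signed/unsigned conversion. The call site at new line 802 sits inside a function whose start and end are outside this view, so whether `chain_context` is guaranteed non-null there cannot be confirmed from the hunk.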