| Index: net/cert/sha256_legacy_support_win.cc
|
| diff --git a/net/cert/sha256_legacy_support_win.cc b/net/cert/sha256_legacy_support_win.cc
|
| index 656edd73ad419214a34881acb10d4020c93c07bb..3fe700e4e1136f8a581be6fe5ad90c9569b55c85 100644
|
| --- a/net/cert/sha256_legacy_support_win.cc
|
| +++ b/net/cert/sha256_legacy_support_win.cc
|
| @@ -4,25 +4,10 @@
|
|
|
| #include "net/cert/sha256_legacy_support_win.h"
|
|
|
| -#include <windows.h>
|
| -#include <wincrypt.h>
|
| -
|
| -#include <cert.h>
|
| -#include <keyhi.h>
|
| -#include <secoid.h>
|
| -
|
| -#include "base/lazy_instance.h"
|
| -#include "base/logging.h"
|
| -#include "base/strings/string_piece.h"
|
| -#include "base/win/windows_version.h"
|
| -#include "crypto/scoped_nss_types.h"
|
| -
|
| namespace net {
|
|
|
| namespace sha256_interception {
|
|
|
| -namespace {
|
| -
|
| bool IsSupportedSubjectType(DWORD subject_type) {
|
| switch (subject_type) {
|
| case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB:
|
| @@ -89,107 +74,6 @@ PCERT_PUBLIC_KEY_INFO GetIssuerPublicKey(DWORD issuer_type,
|
| return NULL;
|
| }
|
|
|
| -} // namespace
|
| -
|
| -BOOL CryptVerifyCertificateSignatureExHook(
|
| - CryptVerifyCertificateSignatureExFunc original_func,
|
| - HCRYPTPROV_LEGACY provider,
|
| - DWORD encoding_type,
|
| - DWORD subject_type,
|
| - void* subject_data,
|
| - DWORD issuer_type,
|
| - void* issuer_data,
|
| - DWORD flags,
|
| - void* extra) {
|
| - CHECK(original_func);
|
| -
|
| - // Only intercept if the arguments are supported.
|
| - if (provider != NULL || (encoding_type != X509_ASN_ENCODING) ||
|
| - !IsSupportedSubjectType(subject_type) || subject_data == NULL ||
|
| - !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) {
|
| - return original_func(provider, encoding_type, subject_type, subject_data,
|
| - issuer_type, issuer_data, flags, extra);
|
| - }
|
| -
|
| - base::StringPiece subject_signature =
|
| - GetSubjectSignature(subject_type, subject_data);
|
| - bool should_intercept = false;
|
| -
|
| - crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
|
| - CERTSignedData signed_data;
|
| - memset(&signed_data, 0, sizeof(signed_data));
|
| -
|
| - // Attempt to decode the subject using the generic "Signed Data" template,
|
| - // which all of the supported subject types match. If the signature
|
| - // algorithm is RSA with one of the SHA-2 algorithms supported by NSS
|
| - // (excluding SHA-224, which is pointless), then defer to the NSS
|
| - // implementation. Otherwise, fall back and let the OS handle it (e.g.
|
| - // in case there are any algorithm policies in effect).
|
| - if (!subject_signature.empty()) {
|
| - SECItem subject_sig_item;
|
| - subject_sig_item.data = const_cast<unsigned char*>(
|
| - reinterpret_cast<const unsigned char*>(subject_signature.data()));
|
| - subject_sig_item.len = subject_signature.size();
|
| - SECStatus rv = SEC_QuickDERDecodeItem(
|
| - arena.get(), &signed_data, SEC_ASN1_GET(CERT_SignedDataTemplate),
|
| - &subject_sig_item);
|
| - if (rv == SECSuccess) {
|
| - SECOidTag signature_alg =
|
| - SECOID_GetAlgorithmTag(&signed_data.signatureAlgorithm);
|
| - if (signature_alg == SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION ||
|
| - signature_alg == SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION ||
|
| - signature_alg == SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION) {
|
| - should_intercept = true;
|
| - }
|
| - }
|
| - }
|
| -
|
| - if (!should_intercept) {
|
| - return original_func(provider, encoding_type, subject_type, subject_data,
|
| - issuer_type, issuer_data, flags, extra);
|
| - }
|
| -
|
| - // Rather than attempting to synthesize a CERTSubjectPublicKeyInfo by hand,
|
| - // just force the OS to do an ASN.1 encoding and then decode it back into
|
| - // NSS. This is silly for performance, but safest for consistency.
|
| - PCERT_PUBLIC_KEY_INFO issuer_public_key =
|
| - GetIssuerPublicKey(issuer_type, issuer_data);
|
| - if (!issuer_public_key) {
|
| - SetLastError(static_cast<DWORD>(NTE_BAD_ALGID));
|
| - return FALSE;
|
| - }
|
| -
|
| - unsigned char* issuer_spki_data = NULL;
|
| - DWORD issuer_spki_len = 0;
|
| - if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO,
|
| - issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL,
|
| - &issuer_spki_data, &issuer_spki_len)) {
|
| - return FALSE;
|
| - }
|
| -
|
| - SECItem nss_issuer_spki;
|
| - nss_issuer_spki.data = issuer_spki_data;
|
| - nss_issuer_spki.len = issuer_spki_len;
|
| - CERTSubjectPublicKeyInfo* spki =
|
| - SECKEY_DecodeDERSubjectPublicKeyInfo(&nss_issuer_spki);
|
| - ::LocalFree(issuer_spki_data);
|
| - if (!spki) {
|
| - SetLastError(static_cast<DWORD>(NTE_BAD_ALGID));
|
| - return FALSE;
|
| - }
|
| -
|
| - // Attempt to actually verify the signed data. If it fails, synthesize the
|
| - // failure as a generic "bad signature" and let CryptoAPI handle the rest.
|
| - SECStatus rv = CERT_VerifySignedDataWithPublicKeyInfo(
|
| - &signed_data, spki, NULL);
|
| - SECKEY_DestroySubjectPublicKeyInfo(spki);
|
| - if (rv != SECSuccess) {
|
| - SetLastError(static_cast<DWORD>(NTE_BAD_SIGNATURE));
|
| - return FALSE;
|
| - }
|
| - return TRUE;
|
| -}
|
| -
|
| } // namespace sha256_interception
|
|
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 683113005:
Update from chromium https://crrev.com/302282 (Closed)
Base URL: git@github.com:domokit/mojo.git@master