OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 573 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
584 verify_result->Reset(); | 584 verify_result->Reset(); |
585 verify_result->verified_cert = const_cast<X509Certificate*>(this); | 585 verify_result->verified_cert = const_cast<X509Certificate*>(this); |
586 | 586 |
587 if (IsBlacklisted()) { | 587 if (IsBlacklisted()) { |
588 verify_result->cert_status |= CERT_STATUS_REVOKED; | 588 verify_result->cert_status |= CERT_STATUS_REVOKED; |
589 return ERR_CERT_REVOKED; | 589 return ERR_CERT_REVOKED; |
590 } | 590 } |
591 | 591 |
592 int rv = VerifyInternal(hostname, flags, verify_result); | 592 int rv = VerifyInternal(hostname, flags, verify_result); |
593 | 593 |
594 // If needed, do any post-validation here. | 594 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
595 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; | |
596 rv = ERR_CERT_AUTHORITY_INVALID; | |
wtc
2011/08/30 00:02:44
This line should say:
rv = MapCertStatusToNetE
agl
2011/08/30 00:13:48
Done.
| |
597 } | |
598 | |
595 return rv; | 599 return rv; |
596 } | 600 } |
597 | 601 |
598 #if !defined(USE_NSS) | 602 #if !defined(USE_NSS) |
599 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 603 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
600 std::vector<std::string> dns_names, ip_addrs; | 604 std::vector<std::string> dns_names, ip_addrs; |
601 GetSubjectAltName(&dns_names, &ip_addrs); | 605 GetSubjectAltName(&dns_names, &ip_addrs); |
602 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 606 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
603 } | 607 } |
604 #endif | 608 #endif |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
682 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, kNumSerials); | 686 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, kNumSerials); |
683 return true; | 687 return true; |
684 } | 688 } |
685 } | 689 } |
686 } | 690 } |
687 | 691 |
688 return false; | 692 return false; |
689 } | 693 } |
690 | 694 |
691 // static | 695 // static |
696 bool X509Certificate::IsPublicKeyBlacklisted( | |
697 const std::vector<SHA1Fingerprint>& public_key_hashes) { | |
698 static const unsigned kNumHashes = 1; | |
699 static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = { | |
700 // CN=DigiNotar Root CA/emailAddress=info@diginotar.nl | |
wtc
2011/08/30 00:02:44
Nit: you can probably omit the emailAddress compon
agl
2011/08/30 00:13:48
Done.
| |
701 {0x41,0x0f,0x36,0x36,0x32,0x58,0xf3,0x0b,0x34,0x7d, | |
702 0x12,0xce,0x48,0x63,0xe4,0x33,0x43,0x78,0x06,0xa8}, | |
wtc
2011/08/30 00:02:44
Nit: add a space between the bytes (unless they ma
agl
2011/08/30 00:13:48
Done.
| |
703 }; | |
704 | |
705 for (unsigned i = 0; i < kNumHashes; i++) { | |
706 for (std::vector<SHA1Fingerprint>::const_iterator | |
707 j = public_key_hashes.begin(); j != public_key_hashes.end(); j++) { | |
wtc
2011/08/30 00:02:44
Nit: j++ => ++j
Nit: omit the curly braces on lin
agl
2011/08/30 00:13:48
Done.
| |
708 if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0) { | |
709 return true; | |
710 } | |
711 } | |
712 } | |
713 | |
714 return false; | |
715 } | |
716 | |
717 // static | |
692 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 718 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
693 const uint8* array, | 719 const uint8* array, |
694 size_t array_byte_len) { | 720 size_t array_byte_len) { |
695 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); | 721 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); |
696 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; | 722 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; |
697 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, | 723 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, |
698 CompareSHA1Hashes); | 724 CompareSHA1Hashes); |
699 } | 725 } |
700 | 726 |
701 } // namespace net | 727 } // namespace net |
OLD | NEW |