Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(322)

Side by Side Diff: net/base/x509_certificate.cc

Issue 7795014: Mark DigiNotar as untrusted (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 9 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/base/x509_certificate.h ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <map> 10 #include <map>
(...skipping 573 matching lines...) Expand 10 before | Expand all | Expand 10 after
584 verify_result->Reset(); 584 verify_result->Reset();
585 verify_result->verified_cert = const_cast<X509Certificate*>(this); 585 verify_result->verified_cert = const_cast<X509Certificate*>(this);
586 586
587 if (IsBlacklisted()) { 587 if (IsBlacklisted()) {
588 verify_result->cert_status |= CERT_STATUS_REVOKED; 588 verify_result->cert_status |= CERT_STATUS_REVOKED;
589 return ERR_CERT_REVOKED; 589 return ERR_CERT_REVOKED;
590 } 590 }
591 591
592 int rv = VerifyInternal(hostname, flags, verify_result); 592 int rv = VerifyInternal(hostname, flags, verify_result);
593 593
594 // If needed, do any post-validation here. 594 // This check is done after VerifyInternal so that VerifyInternal can fill in
595 // the list of public key hashes.
596 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
597 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
598 rv = MapCertStatusToNetError(verify_result->cert_status);
599 }
600
595 return rv; 601 return rv;
596 } 602 }
597 603
598 #if !defined(USE_NSS) 604 #if !defined(USE_NSS)
599 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { 605 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
600 std::vector<std::string> dns_names, ip_addrs; 606 std::vector<std::string> dns_names, ip_addrs;
601 GetSubjectAltName(&dns_names, &ip_addrs); 607 GetSubjectAltName(&dns_names, &ip_addrs);
602 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); 608 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);
603 } 609 }
604 #endif 610 #endif
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after
682 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, kNumSerials); 688 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, kNumSerials);
683 return true; 689 return true;
684 } 690 }
685 } 691 }
686 } 692 }
687 693
688 return false; 694 return false;
689 } 695 }
690 696
691 // static 697 // static
698 bool X509Certificate::IsPublicKeyBlacklisted(
699 const std::vector<SHA1Fingerprint>& public_key_hashes) {
700 static const unsigned kNumHashes = 1;
701 static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
702 // CN=DigiNotar Root CA
703 {0x41, 0x0f, 0x36, 0x36, 0x32, 0x58, 0xf3, 0x0b, 0x34, 0x7d,
704 0x12, 0xce, 0x48, 0x63, 0xe4, 0x33, 0x43, 0x78, 0x06, 0xa8},
705 };
706
707 for (unsigned i = 0; i < kNumHashes; i++) {
708 for (std::vector<SHA1Fingerprint>::const_iterator
709 j = public_key_hashes.begin(); j != public_key_hashes.end(); ++j) {
710 if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0)
711 return true;
712 }
713 }
714
715 return false;
716 }
717
718 // static
692 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, 719 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
693 const uint8* array, 720 const uint8* array,
694 size_t array_byte_len) { 721 size_t array_byte_len) {
695 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); 722 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH);
696 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; 723 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH;
697 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, 724 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH,
698 CompareSHA1Hashes); 725 CompareSHA1Hashes);
699 } 726 }
700 727
701 } // namespace net 728 } // namespace net
OLDNEW
« no previous file with comments | « net/base/x509_certificate.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698