OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 573 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
584 verify_result->Reset(); | 584 verify_result->Reset(); |
585 verify_result->verified_cert = const_cast<X509Certificate*>(this); | 585 verify_result->verified_cert = const_cast<X509Certificate*>(this); |
586 | 586 |
587 if (IsBlacklisted()) { | 587 if (IsBlacklisted()) { |
588 verify_result->cert_status |= CERT_STATUS_REVOKED; | 588 verify_result->cert_status |= CERT_STATUS_REVOKED; |
589 return ERR_CERT_REVOKED; | 589 return ERR_CERT_REVOKED; |
590 } | 590 } |
591 | 591 |
592 int rv = VerifyInternal(hostname, flags, verify_result); | 592 int rv = VerifyInternal(hostname, flags, verify_result); |
593 | 593 |
594 // If needed, do any post-validation here. | 594 // This check is done after VerifyInternal so that VerifyInternal can fill in |
| 595 // the list of public key hashes. |
| 596 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
| 597 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
| 598 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 599 } |
| 600 |
595 return rv; | 601 return rv; |
596 } | 602 } |
597 | 603 |
598 #if !defined(USE_NSS) | 604 #if !defined(USE_NSS) |
599 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 605 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
600 std::vector<std::string> dns_names, ip_addrs; | 606 std::vector<std::string> dns_names, ip_addrs; |
601 GetSubjectAltName(&dns_names, &ip_addrs); | 607 GetSubjectAltName(&dns_names, &ip_addrs); |
602 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 608 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
603 } | 609 } |
604 #endif | 610 #endif |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
682 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, kNumSerials); | 688 UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i, kNumSerials); |
683 return true; | 689 return true; |
684 } | 690 } |
685 } | 691 } |
686 } | 692 } |
687 | 693 |
688 return false; | 694 return false; |
689 } | 695 } |
690 | 696 |
691 // static | 697 // static |
| 698 bool X509Certificate::IsPublicKeyBlacklisted( |
| 699 const std::vector<SHA1Fingerprint>& public_key_hashes) { |
| 700 static const unsigned kNumHashes = 1; |
| 701 static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = { |
| 702 // CN=DigiNotar Root CA |
| 703 {0x41, 0x0f, 0x36, 0x36, 0x32, 0x58, 0xf3, 0x0b, 0x34, 0x7d, |
| 704 0x12, 0xce, 0x48, 0x63, 0xe4, 0x33, 0x43, 0x78, 0x06, 0xa8}, |
| 705 }; |
| 706 |
| 707 for (unsigned i = 0; i < kNumHashes; i++) { |
| 708 for (std::vector<SHA1Fingerprint>::const_iterator |
| 709 j = public_key_hashes.begin(); j != public_key_hashes.end(); ++j) { |
| 710 if (memcmp(j->data, kHashes[i], base::SHA1_LENGTH) == 0) |
| 711 return true; |
| 712 } |
| 713 } |
| 714 |
| 715 return false; |
| 716 } |
| 717 |
| 718 // static |
692 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 719 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
693 const uint8* array, | 720 const uint8* array, |
694 size_t array_byte_len) { | 721 size_t array_byte_len) { |
695 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); | 722 DCHECK_EQ(0u, array_byte_len % base::SHA1_LENGTH); |
696 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; | 723 const unsigned arraylen = array_byte_len / base::SHA1_LENGTH; |
697 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, | 724 return NULL != bsearch(hash.data, array, arraylen, base::SHA1_LENGTH, |
698 CompareSHA1Hashes); | 725 CompareSHA1Hashes); |
699 } | 726 } |
700 | 727 |
701 } // namespace net | 728 } // namespace net |
OLD | NEW |