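--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,10 +1,10 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #define PRArenaPool PLArenaPool // Required by <blapi.h>.
 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS.
 
 #include "base/lazy_instance.h"
@@ -859,56 +859,50 @@
 // chain_flags argument.
 if (!CertGetCertificateChain(
 chain_engine,
 cert_list.get(),
 NULL, // current system time
 cert_list->hCertStore,
 &chain_para,
 chain_flags,
 NULL, // reserved
 &chain_context)) {
+verify_result->cert_status |= CERT_STATUS_INVALID;
 return MapSecurityError(GetLastError());
 }
 
 if (chain_context->TrustStatus.dwErrorStatus &
 CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
 ev_policy_oid = NULL;
 chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0;
 chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL;
 CertFreeCertificateChain(chain_context);
 if (!CertGetCertificateChain(
 chain_engine,
 cert_list.get(),
 NULL, // current system time
 cert_list->hCertStore,
 &chain_para,
 chain_flags,
 NULL, // reserved
 &chain_context)) {
+verify_result->cert_status |= CERT_STATUS_INVALID;
 return MapSecurityError(GetLastError());
 }
 }
 
 ScopedPCCERT_CHAIN_CONTEXT scoped_chain_context(chain_context);
 
 GetCertChainInfo(chain_context, verify_result);
 verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
 chain_context->TrustStatus.dwErrorStatus);
 
-// Treat certificates signed using broken signature algorithms as invalid.
-if (verify_result->has_md4)
-verify_result->cert_status |= CERT_STATUS_INVALID;
-
-// Flag certificates signed using weak signature algorithms.
-if (verify_result->has_md2)
-verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
-
 // Flag certificates that have a Subject common name with a NULL character.
 if (CertSubjectCommonNameHasNull(cert_handle_))
 verify_result->cert_status |= CERT_STATUS_INVALID;
 
 std::wstring wstr_hostname = ASCIIToWide(hostname);
 
 SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para;
 memset(&extra_policy_para, 0, sizeof(extra_policy_para));
 extra_policy_para.cbSize = sizeof(extra_policy_para);
 extra_policy_para.dwAuthType = AUTHTYPE_SERVER;
@@ -1171,10 +1165,10 @@
 if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0],
 &length)) {
 return false;
 }
 
 return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]),
 length);
 }
 
 } // namespace net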
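Review bot: The two added `verify_result->cert_status |= CERT_STATUS_INVALID;` lines (new 869 and 888) sit between the failing CertGetCertificateChain() call and the `GetLastError()` read; a bitwise-or on a struct field does not touch the thread's last-error value, so the mapping is still correct today, but reading the error first — `DWORD error = GetLastError();` as the block's first statement, then `return MapSecurityError(error);` — keeps it correct if something that calls into Win32 is later inserted there. The same two-line failure handling is now duplicated in both chain-building blocks; factoring the repeated CertGetCertificateChain() call into a small helper would leave a single place to apply such fixes. The MD2/MD4 flagging removed at old 897–903 presumably moves to platform-independent verification code not visible here; it is worth confirming that a chain carrying an MD4 signature still ends up with CERT_STATUS_INVALID on this platform, since the Windows path now relies on that check happening elsewhere. The enclosing verification function starts and ends outside the hunk.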