author | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-20 02:01:55 +0000 |
---|---|---|
committer | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-20 02:01:55 +0000 |
commit | e135ed5dab24ca11b00a67b2f154b37c2c03d94c (patch) | |
tree | 32de54658551f087637f735e98eb10bcba9bf08c | |
parent | 783b7d156fc041def17acca2863f7c7f8b3e6afc (diff) | |
Certificate Transparency: Address review comments from issue 65863002.
BUG=309578
Review URL: https://codereview.chromium.org/65533014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@236097 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | net/cert/ct_objects_extractor_nss.cc | 24 | ||||
-rw-r--r-- | net/cert/scoped_nss_types.h | 26 | ||||
-rw-r--r-- | net/net.gyp | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 10 |
4 files changed, 36 insertions, 26 deletions
diff --git a/net/cert/ct_objects_extractor_nss.cc b/net/cert/ct_objects_extractor_nss.cc
index 97b8590..0f353489e 100644
--- a/net/cert/ct_objects_extractor_nss.cc
+++ b/net/cert/ct_objects_extractor_nss.cc
@@ -13,6 +13,7 @@
 #include "crypto/scoped_nss_types.h"
 #include "crypto/sha2.h"
 #include "net/cert/asn1_util.h"
+#include "net/cert/scoped_nss_types.h"
 #include "net/cert/signed_certificate_timestamp.h"
 namespace net {
@@ -21,16 +22,6 @@ namespace ct {
 namespace {
-struct FreeCERTCertificate {
- public:
- inline void operator()(CERTCertificate* x) const {
- CERT_DestroyCertificate(x);
- }
-};
-
-typedef scoped_ptr_malloc<CERTCertificate, FreeCERTCertificate>
- ScopedCERTCertificate;
-
 // Wrapper class to convert a X509Certificate::OSCertHandle directly
 // into a CERTCertificate* usable with other NSS functions. This is used for
 // platforms where X509Certificate::OSCertHandle refers to a different type
@@ -65,9 +56,9 @@ NSSCertWrapper::NSSCertWrapper(X509Certificate::OSCertHandle cert_handle) {
 // The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of
 // RFC6962.
-static const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
- 0xD6, 0x79, 0x02, 0x04, 0x02};
-static const char kEmbeddedSCTDescription[] =
+const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
+ 0xD6, 0x79, 0x02, 0x04, 0x02};
+const char kEmbeddedSCTDescription[] =
 "X.509v3 Certificate Transparency Embedded Signed Certificate Timestamp "
 "List";
@@ -131,11 +122,10 @@ bool GetOctetStringExtension(CERTCertificate* cert,
 base::StringPiece raw_data(reinterpret_cast<char*>(extension.data),
 extension.len);
 base::StringPiece parsed_data;
- if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data)) {
+ if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data) ||
+ raw_data.size() > 0) { // Decoding failure or raw data left
 rv = SECFailure;
 } else {
- if (raw_data.size() > 0)
- return false; // leftover data
 parsed_data.CopyToString(extension_data);
 }
@@ -144,7 +134,7 @@ bool GetOctetStringExtension(CERTCertificate* cert,
 }
 // Given a |cert|, extract the TBSCertificate from this certificate, also
-// removing X.509 extensions with OID 1.3.6.1.4.1.11129.2.4.2 (that is,
+// removing the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (that is,
 // the embedded SCT)
 bool ExtractTBSCertWithoutSCTs(CERTCertificate* cert,
 std::string* to_be_signed) {
diff --git a/net/cert/scoped_nss_types.h b/net/cert/scoped_nss_types.h
new file mode 100644
index 0000000..3e6d57d
--- /dev/null
+++ b/net/cert/scoped_nss_types.h
@@ -0,0 +1,26 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// // Use of this source code is governed by a BSD-style license that can be
+// // found in the LICENSE file.
+//
+#ifndef NET_CERT_SCOPED_NSS_TYPES_H_
+#define NET_CERT_SCOPED_NSS_TYPES_H_
+
+#include <cert.h>
+
+#include "base/memory/scoped_ptr.h"
+
+namespace net {
+
+struct FreeCERTCertificate {
+ public:
+ void operator()(CERTCertificate* x) const {
+ CERT_DestroyCertificate(x);
+ }
+};
+
+typedef scoped_ptr_malloc<CERTCertificate, FreeCERTCertificate>
+ ScopedCERTCertificate;
+
+} // namespace net
+
+#endif // NET_CERT_SCOPED_NSS_TYPES_H_
diff --git a/net/net.gyp b/net/net.gyp
index 8a7dd26..9b80bd4 100644
--- a/net/net.gyp
+++ b/net/net.gyp
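Review bot: The trailing-bytes check in GetOctetStringExtension now shares the failure branch with decode errors, but the one-line comment `// Decoding failure or raw data left` does not say why leftover bytes are fatal. Since this value feeds Certificate Transparency parsing, I would state the invariant, e.g. `// The extension value must be exactly one DER OCTET STRING; reject decode errors and trailing bytes.`, and write the test as `!raw_data.empty()`. None of the four files in this change is a unit test, so a case with bytes appended after the OCTET STRING would be worth adding to pin the strict behaviour. The function's declaration and its cleanup/return path are outside the hunk, so I am assuming `rv = SECFailure` reaches the same release code as the other failure paths.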
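Review bot: The license header of the new net/cert/scoped_nss_types.h is malformed: its second and third lines read `// // Use of this source code ...` and `// // found in the LICENSE file.`, and a bare `//` sits where the blank line before the include guard should be, which may trip a license-header check. The header also says nothing about ownership; a comment such as `// Owns one reference to a CERTCertificate; CERT_DestroyCertificate() releases it when the scoper is destroyed.` above the typedef would tell callers not to wrap borrowed handles. `public:` inside a `struct` is redundant and can be dropped. The file shares its basename with crypto/scoped_nss_types.h, which ct_objects_extractor_nss.cc now includes side by side, so a one-line note on why this type lives under net/ would help readers.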
@@ -290,6 +290,7 @@
 'cert/nss_cert_database.h',
 'cert/pem_tokenizer.cc',
 'cert/pem_tokenizer.h',
+ 'cert/scoped_nss_types.h',
 'cert/signed_certificate_timestamp.cc',
 'cert/signed_certificate_timestamp.h',
 'cert/single_request_cert_verifier.cc',
@@ -1274,6 +1275,7 @@
 'cert/jwk_serializer_nss.cc',
 'cert/nss_cert_database.cc',
 'cert/nss_cert_database.h',
+ 'cert/scoped_nss_types.h',
 'cert/test_root_certs_nss.cc',
 'cert/x509_certificate_nss.cc',
 'cert/x509_util_nss.cc',
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 6f1910c..89eab14 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -93,6 +93,7 @@
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/scoped_nss_types.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
@@ -221,15 +222,6 @@ bool IsOCSPStaplingSupported() {
 }
 #endif
-class FreeCERTCertificate {
- public:
- inline void operator()(CERTCertificate* x) const {
- CERT_DestroyCertificate(x);
- }
-};
-typedef scoped_ptr_malloc<CERTCertificate, FreeCERTCertificate>
- ScopedCERTCertificate;
-
 #if defined(OS_WIN)
 // This callback is intended to be used with CertFindChainInStore. In addition |