authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-28 16:50:32 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-28 16:50:32 +0000
commit4feca4bc5a385528932f93e74ef197626b0d82d5 (patch)
tree6960d83f09eaee590bb0632951e63f87264dbe5d
parent9ec7446c2fc481ca998ebda86466f996d6fc4f8d (diff)
net: use SSL_PeerCertificateChain for getting server certs
Now that we have SSL_PeerCertificateChain, we can remove the uses of CERT_GetCertChainFromCert. The latter returned a chain constructed by NSS rather than the actual chain sent by the server, so the Comodo cert workaround can also be removed. BUG=none TEST=net_unittests http://codereview.chromium.org/4185001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@64262 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/x509_certificate.cc54
-rw-r--r--net/socket/ssl_client_socket_nss.cc73
2 files changed, 17 insertions, 110 deletions
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index ad49f18..7bbce5c 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -154,56 +154,6 @@ X509Certificate* X509Certificate::CreateFromHandle(
}
#if defined(OS_WIN)
-// See IsProblematicComodoEVCACert, below.
-// Issuer:
-// CN = AddTrust External CA Root
-// OU = AddTrust External TTP Network
-// O = AddTrust AB
-// C = SE
-//
-// This is the first 308 bytes of the certificate, which covers the serial
-// number, issuer and subject. It stops just short of the public key.
-static const uint8 kProblematicComodoEVCACert[] = {
- 0x30, 0x82, 0x04, 0xd5, 0x30, 0x82, 0x03, 0xbd, 0xa0, 0x03, 0x02, 0x01, 0x02,
- 0x02, 0x10, 0x79, 0x0a, 0x83, 0x4d, 0x48, 0x40, 0x6b, 0xab, 0x6c, 0x35, 0x2a,
- 0xd5, 0x1f, 0x42, 0x83, 0xfe, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
- 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x6f, 0x31, 0x0b, 0x30, 0x09,
- 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x53, 0x45, 0x31, 0x14, 0x30, 0x12,
- 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x64, 0x64, 0x54, 0x72, 0x75,
- 0x73, 0x74, 0x20, 0x41, 0x42, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04,
- 0x0b, 0x13, 0x1d, 0x41, 0x64, 0x64, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x45,
- 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x20, 0x54, 0x54, 0x50, 0x20, 0x4e,
- 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55,
- 0x04, 0x03, 0x13, 0x19, 0x41, 0x64, 0x64, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20,
- 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x20, 0x52,
- 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x37, 0x30, 0x31, 0x30, 0x31,
- 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x35,
- 0x33, 0x30, 0x31, 0x30, 0x34, 0x38, 0x33, 0x38, 0x5a, 0x30, 0x73, 0x31, 0x0b,
- 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x1b,
- 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x12, 0x47, 0x72, 0x65, 0x61,
- 0x74, 0x65, 0x72, 0x20, 0x4d, 0x61, 0x6e, 0x63, 0x68, 0x65, 0x73, 0x74, 0x65,
- 0x72, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x53,
- 0x61, 0x6c, 0x66, 0x6f, 0x72, 0x64, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55,
- 0x04, 0x0a, 0x13, 0x11, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x43, 0x41,
- 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x19, 0x30, 0x17, 0x06,
- 0x03, 0x55, 0x04, 0x03, 0x13, 0x10, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20,
- 0x45, 0x56, 0x20, 0x53, 0x47, 0x43, 0x20, 0x43, 0x41,
-};
-
-// A certificate for COMODO EV SGC CA, issued by AddTrust External CA Root,
-// causes CertGetCertificateChain to report CERT_TRUST_IS_NOT_VALID_FOR_USAGE.
-// It seems to be caused by the szOID_APPLICATION_CERT_POLICIES extension in
-// that certificate.
-//
-// This function is used in the workaround for http://crbug.com/43538
-static bool IsProblematicComodoEVCACert(base::StringPiece der_cert) {
- return der_cert.size() >= sizeof(kProblematicComodoEVCACert) &&
- memcmp(der_cert.data(), kProblematicComodoEVCACert,
- sizeof(kProblematicComodoEVCACert)) == 0;
-}
-#endif
-
-#if defined(OS_WIN)
static X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) {
X509Certificate::OSCertHandle cert_handle = NULL;
BOOL ok = CertAddEncodedCertificateToStore(
@@ -227,10 +177,6 @@ X509Certificate* X509Certificate::CreateFromDERCertChain(
X509Certificate::OSCertHandles intermediate_ca_certs;
for (size_t i = 1; i < der_certs.size(); i++) {
-#if defined(OS_WIN)
- if (IsProblematicComodoEVCACert(der_certs[i]))
- continue;
-#endif
OSCertHandle handle = CreateOSCert(der_certs[i]);
DCHECK(handle);
intermediate_ca_certs.push_back(handle);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index dbf1b90..358efd4 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1072,28 +1072,15 @@ X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
if (server_cert_ == NULL) {
server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
if (server_cert_nss_) {
-#if defined(OS_WIN) || defined(OS_MACOSX)
- std::vector<base::StringPiece> der_certs;
- CERTCertList* cert_list = CERT_GetCertChainFromCert(
- server_cert_nss_, PR_Now(), certUsageSSLCA);
- if (cert_list) {
- for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
- !CERT_LIST_END(node, cert_list);
- node = CERT_LIST_NEXT(node)) {
- der_certs.push_back(base::StringPiece(
- reinterpret_cast<const char*>(node->cert->derCert.data),
- node->cert->derCert.len));
- }
- server_cert_ = X509Certificate::CreateFromDERCertChain(der_certs);
- CERT_DestroyCertList(cert_list);
+ PeerCertificateChain certs(nss_fd_);
+ std::vector<base::StringPiece> der_certs(certs.size());
+
+ for (unsigned i = 0; i < certs.size(); i++) {
+ der_certs[i] = base::StringPiece(
+ reinterpret_cast<const char*>(certs[i]->derCert.data),
+ certs[i]->derCert.len);
}
-#else
- // TODO(agl): this should use SSL_PeerCertificateChain
- server_cert_ = X509Certificate::CreateFromHandle(
- server_cert_nss_,
- X509Certificate::SOURCE_FROM_NETWORK,
- X509Certificate::OSCertHandles());
-#endif
+ server_cert_ = X509Certificate::CreateFromDERCertChain(der_certs);
}
}
return server_cert_;
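Review bot: CreateFromDERCertChain is now called unconditionally, even when the PeerCertificateChain wrapper yields no certificates, whereas the removed code only built server_cert_ when CERT_GetCertChainFromCert returned a list. If SSL_PeerCertificateChain can fail (in NSS it returns NULL on error) and the wrapper then reports size() == 0, der_certs is empty and CreateFromDERCertChain appears to read element 0 for the leaf — its loop in the x509_certificate.cc hunk starts at i = 1 — so guarding the conversion with `if (certs.size() > 0)` (or whatever emptiness check the wrapper offers) would keep server_cert_ NULL in that case, as before. The StringPieces in der_certs alias memory owned by `certs`, which is safe only because CreateFromDERCertChain is called before `certs` leaves the enclosing if-block; a comment such as `// der_certs borrows from |certs|; consume it before |certs| goes out of scope.` would make that lifetime dependency explicit. PeerCertificateChain's definition is not in this diff, and UpdateServerCert's closing brace lies outside the hunk.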
@@ -2247,41 +2234,15 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
if (SSLConfigService::snap_start_enabled())
result = OK;
- if (result == OK) {
- // Remember the intermediate CA certs if the server sends them to us.
- //
- // We used to remember the intermediate CA certs in the NSS database
- // persistently. However, NSS opens a connection to the SQLite database
- // during NSS initialization and doesn't close the connection until NSS
- // shuts down. If the file system where the database resides is gone,
- // the database connection goes bad. What's worse, the connection won't
- // recover when the file system comes back. Until this NSS or SQLite bug
- // is fixed, we need to avoid using the NSS database for non-essential
- // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
- // http://crbug.com/15630 for more info.
- CERTCertList* cert_list = CERT_GetCertChainFromCert(
- server_cert_nss_, PR_Now(), certUsageSSLCA);
- if (cert_list) {
- for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
- !CERT_LIST_END(node, cert_list);
- node = CERT_LIST_NEXT(node)) {
- if (node->cert->slot || node->cert->isRoot || node->cert->isperm ||
- node->cert == server_cert_nss_) {
- // Some certs we don't want to remember are:
- // - found on a token.
- // - the root cert.
- // - already stored in perm db.
- // - the server cert itself.
- continue;
- }
-
- // We have found a CA cert that we want to remember.
- // TODO(wtc): Remember the intermediate CA certs in a std::set
- // temporarily (http://crbug.com/15630).
- }
- CERT_DestroyCertList(cert_list);
- }
- }
+ // We used to remember the intermediate CA certs in the NSS database
+ // persistently. However, NSS opens a connection to the SQLite database
+ // during NSS initialization and doesn't close the connection until NSS
+ // shuts down. If the file system where the database resides is gone,
+ // the database connection goes bad. What's worse, the connection won't
+ // recover when the file system comes back. Until this NSS or SQLite bug
+ // is fixed, we need to avoid using the NSS database for non-essential
+ // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
+ // http://crbug.com/15630 for more info.
// If we have been explicitly told to accept this certificate, override the
// result of verifier_.Verify.