author | pneubeck <pneubeck@chromium.org> | 2015-09-30 09:53:49 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-09-30 16:54:29 +0000 |
commit | 908e55b5c37b0edc5208739224366cf09557fbf4 (patch) | |
tree | 8f49b4363bb3e89a0a72633e5a7d23f17c320006 /chromeos/network/client_cert_resolver.cc | |
parent | 0a1bbc1aecdade9ec10dad00b92c3c7626cf154d (diff) | |
Ignore a missing issuer certificate for certificate matching.
BUG=506185
Review URL: https://codereview.chromium.org/1212433006
Cr-Commit-Position: refs/heads/master@{#351579}
Diffstat (limited to 'chromeos/network/client_cert_resolver.cc')
-rw-r--r-- | chromeos/network/client_cert_resolver.cc | 50 |
1 files changed, 29 insertions, 21 deletions
diff --git a/chromeos/network/client_cert_resolver.cc b/chromeos/network/client_cert_resolver.cc
index e5e4dd9..a0545c9 100644
--- a/chromeos/network/client_cert_resolver.cc
+++ b/chromeos/network/client_cert_resolver.cc
@@ -71,6 +71,7 @@ bool HasPrivateKey(const net::X509Certificate& cert) {
 }
 
 // Describes a certificate which is issued by |issuer| (encoded as PEM).
+// |issuer| can be empty if no issuer certificate is found in the database.
 struct CertAndIssuer {
 CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
 const std::string& issuer)
@@ -127,6 +128,33 @@ struct MatchCertWithPattern {
 const CertificatePattern pattern;
 };
 
+// Lookup the issuer certificate of |cert|. If it is available, return the PEM
+// encoding of that certificate. Otherwise return the empty string.
+std::string GetPEMEncodedIssuer(const net::X509Certificate& cert) {
+ net::ScopedCERTCertificate issuer_handle(
+ CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA));
+ if (!issuer_handle) {
+ VLOG(1) << "Couldn't find an issuer.";
+ return std::string();
+ }
+
+ scoped_refptr<net::X509Certificate> issuer =
+ net::X509Certificate::CreateFromHandle(
+ issuer_handle.get(),
+ net::X509Certificate::OSCertHandles() /* no intermediate certs */);
+ if (!issuer.get()) {
+ LOG(ERROR) << "Couldn't create issuer cert.";
+ return std::string();
+ }
+ std::string pem_encoded_issuer;
+ if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
+ &pem_encoded_issuer)) {
+ LOG(ERROR) << "Couldn't PEM-encode certificate.";
+ return std::string();
+ }
+ return pem_encoded_issuer;
+}
+
 std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(
 const net::CertificateList& certs) {
 // Filter all client certs and determines each certificate's issuer, which is
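Review bot: GetPEMEncodedIssuer returns the empty string on three different paths (no issuer found, `CreateFromHandle` failing, `GetPEMEncoded` failing), so its caller cannot tell an expected missing issuer from an internal error. The commit message and the new comment on `CertAndIssuer` describe only the missing-issuer case, yet with the `continue`s removed at the call site (third hunk) a certificate whose issuer failed to convert or encode is now also kept for matching with an empty issuer. If that is intended, both comments should say so, e.g. `// Also returns the empty string if the issuer cannot be converted or PEM-encoded.`; otherwise the two `LOG(ERROR)` paths should still cause the certificate to be skipped.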
@@ -140,27 +168,7 @@ std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(
 !CertLoader::IsCertificateHardwareBacked(&cert)) {
 continue;
 }
- net::ScopedCERTCertificate issuer_handle(
- CERT_FindCertIssuer(cert.os_cert_handle(), PR_Now(), certUsageAnyCA));
- if (!issuer_handle) {
- LOG(ERROR) << "Couldn't find an issuer.";
- continue;
- }
- scoped_refptr<net::X509Certificate> issuer =
- net::X509Certificate::CreateFromHandle(
- issuer_handle.get(),
- net::X509Certificate::OSCertHandles() /* no intermediate certs */);
- if (!issuer.get()) {
- LOG(ERROR) << "Couldn't create issuer cert.";
- continue;
- }
- std::string pem_encoded_issuer;
- if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
- &pem_encoded_issuer)) {
- LOG(ERROR) << "Couldn't PEM-encode certificate.";
- continue;
- }
- client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
+ client_certs.push_back(CertAndIssuer(*it, GetPEMEncodedIssuer(cert)));
 }
 
 std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration); |
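Review bot: Every certificate that passes the filter above now reaches `client_certs`, including ones paired with an empty issuer string, and nothing in this hunk shows how the matcher treats that value. The body of `MatchCertWithPattern` is outside the visible lines, so it should be confirmed, and covered by a unit test, that a pattern which constrains the issuer is never satisfied by an empty issuer. A short comment at the call would record the contract: `// The issuer may be empty; patterns that constrain the issuer must not match such entries.` The enclosing function starts and ends outside the hunk.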