authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-07 15:06:46 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-07 15:06:46 +0000
commit81502db60102ce82450113c755cba4987bd311ab (patch)
treed30fde473581469ea239230b1f821c6b2d9e4c78 /net/base/x509_certificate_mac.cc
parentfbb1bffa8523f50389815d80038949ce7af6c0c6 (diff)
net: add ability to distinguish user-added root CAs.
We have several places where the ability to distinguish `real' root CAs from user-added root CAs will be useful: 1) Monoscope wants to inspect correctly signed, but unknown certificates, but doesn't want to deal with proxy MITM certificates. 2) HSTS is likely to add a method for pinning to a certificate, but we don't want to break every proxy MITM with it. This change adds several lists of known, `real' roots. These lists present an ongoing maintenance issue. However, in the event that the lists are incomplete in the future, we fail open. This is because roots not in these lists are treated as user-added and user-added roots have more authority than `real' roots. In some sense, this is a problem because it might be a security issue that new roots are given too much authority. On the other hand, we're not breaking things when we're behind on updating the lists so the maintenance issue isn't too pressing. BUG=none TEST=none Review URL: http://codereview.chromium.org/6793041 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@80778 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/x509_certificate_mac.cc')
-rw-r--r--net/base/x509_certificate_mac.cc20
1 files changed, 19 insertions, 1 deletions
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 4cecb50..fd3f665 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -14,15 +14,17 @@
#include "base/crypto/rsa_private_key.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
+#include "base/mac/scoped_cftyperef.h"
#include "base/memory/singleton.h"
#include "base/nss_util.h"
#include "base/pickle.h"
-#include "base/mac/scoped_cftyperef.h"
+#include "base/sha1.h"
#include "base/sys_string_conversions.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_verify_result.h"
#include "net/base/net_errors.h"
#include "net/base/test_root_certs.h"
+#include "net/base/x509_certificate_known_roots_mac.h"
#include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h"
using base::mac::ScopedCFTypeRef;
@@ -514,6 +516,20 @@ void X509Certificate::Initialize() {
serial_number_ = GetCertSerialNumber(cert_handle_);
}
+// IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
+// that we recognise as a standard root.
+// static
+bool X509Certificate::IsIssuedByKnownRoot(CFArrayRef chain) {
+ int n = CFArrayGetCount(chain);
+ if (n < 1)
+ return false;
+ SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
+ const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
+ SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(root_ref);
+ return IsSHA1HashInSortedArray(
+ hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
+}
+
// static
X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle,
void** pickle_iter) {
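Review bot: IsIssuedByKnownRoot treats the last element of `chain` as the root without checking that the chain really ends at a trust anchor, and it passes `chain` to `CFArrayGetCount` without a null check. If a caller ever hands in a partial chain, an intermediate's fingerprint is compared against the known-root list and the result is false, which the commit description says is read as user-added and therefore given more authority. I would state the precondition above the function, e.g. `// |chain| must be non-NULL and complete; its last element is taken to be the root.`, and add `DCHECK(chain);` at the top. `CFArrayGetCount` returns `CFIndex`, so `CFIndex n = CFArrayGetCount(chain);` avoids the narrowing to `int`. The lookup also relies on kKnownRootCertSHA1Hashes being sorted, which is not visible in this hunk and is worth a comment or a test.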
@@ -908,6 +924,8 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
}
}
+ verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
+
return OK;
}
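Review bot: `is_issued_by_known_root` is assigned only on the path that reaches `return OK`, so any earlier return in Verify (its body starts outside this hunk) leaves the field at whatever default CertVerifyResult gives it. Because the description says a false value is read as user-added and carries more authority, that default and the error paths deserve a comment at this assignment, e.g. `// Only meaningful when Verify() returns OK; false means the root is not in the built-in list, not that it is untrusted.` It also appears that `completed_chain` is passed without a null check; please confirm it is always set by the time this line runs.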