author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-24 03:01:31 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-24 03:01:31 +0000 |
commit | ae5bcd4259d5cc277fd92a363d3bed6575341355 (patch) | |
tree | 51ab861fb21df212c550c8a9b429b12b9520ded7 /net/base | |
parent | b50bb48e2fec7ad0a696e5b4eaafc65bb056d6f8 (diff) | |
Request the szOID_PKIX_KP_SERVER_AUTH usage when constructing
the certificate chain so that we reject a root CA certificate
whose "Server Authentication" certificate purpose has been
disabled.
R=rvargas
BUG=34231
TEST=On Windows, run certmgr.msc as Administrator. Under
"Trusted Root Certification Authorities", open the Properties
for the root CA certificate with the friendly name "VeriSign
Class 3 Public Primary CA" and disable its "Server Authentication"
certificate purpose. Visit https://www.google.com/. Chrome
should display the "Invalid Server Certificate" error page.
Review URL: http://codereview.chromium.org/652181
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39851 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/x509_certificate_win.cc | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index cc6fda2d..df43814 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -50,6 +50,9 @@ int MapSecurityError(SECURITY_STATUS err) {
 case SEC_E_CERT_UNKNOWN:
 case CERT_E_ROLE:
 return ERR_CERT_INVALID;
+ case CERT_E_WRONG_USAGE:
+ // TODO(wtc): Should we add ERR_CERT_WRONG_USAGE?
+ return ERR_CERT_INVALID;
 // We received an unexpected_message or illegal_parameter alert message
 // from the server.
 case SEC_E_ILLEGAL_MESSAGE:
@@ -98,8 +101,8 @@ int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
 const DWORD kWrongUsageErrors = CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
 CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE;
 if (error_status & kWrongUsageErrors) {
- // TODO(wtc): Handle these errors.
- // cert_status = |= CERT_STATUS_WRONG_USAGE;
+ // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?
+ cert_status |= CERT_STATUS_INVALID;
 }
 // The rest of the errors.
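Review bot: The new `CERT_E_WRONG_USAGE` case in MapSecurityError returns the generic `ERR_CERT_INVALID`, which fails closed but leaves a usage mismatch indistinguishable from every other invalid-certificate cause when someone has to diagnose a rejected chain; the `kWrongUsageErrors` branch in MapCertChainErrorStatusToCertStatus does the same with `CERT_STATUS_INVALID`. Both TODOs only pose a question, so I would have them record why the generic code is used and where the follow-up is tracked, e.g. `// TODO(wtc): bug 34231 follow-up - no dedicated wrong-usage code yet; map to the generic invalid error so the chain is still rejected.` Both functions continue outside their hunks, so the remaining mappings are not visible here.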
@@ -534,11 +537,17 @@ int X509Certificate::Verify(const std::string& hostname,
 CERT_CHAIN_PARA chain_para;
 memset(&chain_para, 0, sizeof(chain_para));
 chain_para.cbSize = sizeof(chain_para);
- // TODO(wtc): consider requesting the usage szOID_PKIX_KP_SERVER_AUTH
- // or szOID_SERVER_GATED_CRYPTO or szOID_SGC_NETSCAPE
- chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
- chain_para.RequestedUsage.Usage.cUsageIdentifier = 0;
- chain_para.RequestedUsage.Usage.rgpszUsageIdentifier = NULL; // LPSTR*
+ // TODO(wtc): Do we still need to request szOID_SERVER_GATED_CRYPTO or
+ // szOID_SGC_NETSCAPE today?
+ static const LPSTR usage[] = {
+ szOID_PKIX_KP_SERVER_AUTH,
+ szOID_SERVER_GATED_CRYPTO,
+ szOID_SGC_NETSCAPE
+ };
+ chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
+ chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
+ chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
+ const_cast<LPSTR*>(usage);
 // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
 DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT;
 if (flags & VERIFY_REV_CHECKING_ENABLED) { |
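Review bot: With `USAGE_MATCH_TYPE_OR` the requested-usage check passes when the chain is valid for any one of the three OIDs, so a chain that is good only for `szOID_SERVER_GATED_CRYPTO` or `szOID_SGC_NETSCAPE` would still appear to be accepted for an HTTPS server; the TODO asks whether the SGC OIDs are needed but does not record this consequence. I would state it next to the array, e.g. `// OR match: a chain valid for any one of these usages passes; drop the SGC OIDs to require Server Authentication strictly.` The `const_cast<LPSTR*>(usage)` also deserves a one-line comment saying the cast exists only because `rgpszUsageIdentifier` is declared non-const and that the `static const` array must never be written through it. X509Certificate::Verify starts and ends outside the hunk, so how the resulting chain status is consumed is not visible here.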