author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-02 01:45:55 +0000 |
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-02 01:45:55 +0000 |
commit | 7548cebee69f8c560e0e3e14e220f237e3112a55 (patch) | |
tree | bed2cc6da8a63177342c06b4c30e8ca30b9782ca /net/base | |
parent | 1858aad0023b6a6f34852f99f6ce4b51ec077e6f (diff) | |
Map SEC_ERROR_OCSP_BAD_HTTP_RESPONSE (-8073) to
CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
Change ParsePrincipal to take the decoded CERTName as
argument.
Use the NSS functions for getting the common name, locality
name, state or province name, and country name because they
escape the strings properly.
R=dank
BUG=none
TEST=none (covered by existing unit tests)
Review URL: http://codereview.chromium.org/248028
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27819 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/x509_certificate_nss.cc | 58 |
1 files changed, 20 insertions, 38 deletions
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 9b63b1e..84fc8f5 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -156,6 +156,7 @@ int MapCertErrorToCertStatus(int err) {
 case SEC_ERROR_CA_CERT_INVALID:
 return CERT_STATUS_AUTHORITY_INVALID;
 // TODO(port): map CERT_STATUS_NO_REVOCATION_MECHANISM.
+ case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE:
 case SEC_ERROR_OCSP_SERVER_ERROR:
 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
 case SEC_ERROR_REVOKED_CERTIFICATE:
@@ -227,49 +228,29 @@ base::Time PRTimeToBaseTime(PRTime prtime) { return base::Time::FromUTCExploded(exploded); } -void ParsePrincipal(SECItem* der_name, - X509Certificate::Principal* principal) { - CERTName name; - PRArenaPool* arena = NULL; - - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - DCHECK(arena != NULL); - if (arena == NULL) - return; - - // TODO(dkegel): is CERT_NameTemplate what we always want here? - SECStatus rv; - rv = SEC_QuickDERDecodeItem(arena, &name, CERT_NameTemplate, der_name); - DCHECK(rv == SECSuccess); - if ( rv != SECSuccess ) { - PORT_FreeArena(arena, PR_FALSE); - return; - } - - std::vector<std::string> common_names, locality_names, state_names, - country_names; +typedef char* (*CERTGetNameFunc)(CERTName* name); +void ParsePrincipal(CERTName* name, + X509Certificate::Principal* principal) { // TODO(jcampan): add business_category and serial_number. + // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and + // CERT_GetDomainComponentName functions, but they return only the most + // general (the first) RDN. NSS doesn't have a function for the street + // address. static const SECOidTag kOIDs[] = { - SEC_OID_AVA_COMMON_NAME, - SEC_OID_AVA_LOCALITY, - SEC_OID_AVA_STATE_OR_PROVINCE, - SEC_OID_AVA_COUNTRY_NAME, SEC_OID_AVA_STREET_ADDRESS, SEC_OID_AVA_ORGANIZATION_NAME, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, SEC_OID_AVA_DC }; std::vector<std::string>* values[] = { - &common_names, &locality_names, - &state_names, &country_names, &principal->street_addresses, &principal->organization_names, &principal->organization_unit_names, &principal->domain_components }; DCHECK(arraysize(kOIDs) == arraysize(values)); - CERTRDN** rdns = name.rdns; + CERTRDN** rdns = name->rdns; for (size_t rdn = 0; rdns[rdn]; ++rdn) { CERTAVA** avas = rdns[rdn]->avas; for (size_t pair = 0; avas[pair] != 0; ++pair) { 
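Review bot: The rewritten `ParsePrincipal` (new signature on the `+void ParsePrincipal(CERTName* name,` line, plus the `CERTGetNameFunc` typedef above it) has no header comment, and its contract changed in two ways a caller should know: `name` is now an already-decoded `CERTName` that is dereferenced unconditionally (`name->rdns`), where the old version decoded a `SECItem` itself and bailed out on arena or decode failure; and, per the commit message, CN/L/ST/C now come from NSS getters that escape the value while the remaining attributes still come raw from `CERT_DecodeAVAValue`. I would put a three-line comment above the function saying that it fills `principal` from a decoded, non-NULL `CERTName` such as `cert_handle_->subject`, that CN, L, ST and C are read through the NSS `CERT_Get*Name` getters, and that street address, O, OU and DC are collected from `CERT_DecodeAVAValue` without escaping (see the TODO in the loop). The new `TODO(wtc)` already explains why the getters are not used for O/OU/DC, so the comment only needs to cross-reference it. The body of `ParsePrincipal` continues past the end of this hunk.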
@@ -279,6 +260,7 @@ void ParsePrincipal(SECItem* der_name, SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); if (!decode_item) break; + // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. std::string value(reinterpret_cast<char*>(decode_item->data), decode_item->len); values[oid]->push_back(value); 
@@ -289,18 +271,18 @@ void ParsePrincipal(SECItem* der_name, } } - // We don't expect to have more than one CN, L, S, and C. - std::vector<std::string>* single_value_lists[4] = { - &common_names, &locality_names, &state_names, &country_names }; + // CN, L, S, and C. + CERTGetNameFunc get_name_funcs[4] = { + CERT_GetCommonName, CERT_GetLocalityName, + CERT_GetStateName, CERT_GetCountryName }; std::string* single_values[4] = { &principal->common_name, &principal->locality_name, &principal->state_or_province_name, &principal->country_name }; - for (size_t i = 0; i < arraysize(single_value_lists); ++i) { - DCHECK(single_value_lists[i]->size() <= 1); - if (single_value_lists[i]->size() > 0) - *(single_values[i]) = (*(single_value_lists[i]))[0]; + for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { + char* value = get_name_funcs[i](name); + single_values[i]->assign(value); + PORT_Free(value); } - PORT_FreeArena(arena, PR_FALSE); } void ParseDate(SECItem* der_date, base::Time* result) { 
@@ -471,8 +453,8 @@ bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle, } // namespace void X509Certificate::Initialize() { - ParsePrincipal(&cert_handle_->derSubject, &subject_); - ParsePrincipal(&cert_handle_->derIssuer, &issuer_); + ParsePrincipal(&cert_handle_->subject, &subject_); + ParsePrincipal(&cert_handle_->issuer, &issuer_); ParseDate(&cert_handle_->validity.notBefore, &valid_start_); ParseDate(&cert_handle_->validity.notAfter, &valid_expiry_); |
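Review bot: In the `-289,18 +271,18` hunk, `single_values[i]->assign(value);` is reached even when `get_name_funcs[i](name)` returns NULL, and `std::string::assign(const char*)` on a null pointer is undefined behaviour. As far as I recall, NSS's `CERT_GetCommonName`, `CERT_GetLocalityName`, `CERT_GetStateName` and `CERT_GetCountryName` return NULL when the name has no such attribute, which is routine for L and ST in real subject and issuer names, so this would crash on ordinary certificates; the removed code only copied the value when the list was non-empty. Insert `if (!value) continue;` between the `char* value = ...` line and the `assign` call so the field is left empty and `PORT_Free` is skipped for the NULL case. The comment `// CN, L, S, and C.` would also be clearer as `// CN, L, ST and C are single-valued; take them via the NSS getters, which escape the value.` The enclosing `ParsePrincipal` starts in the previous hunk.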