diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 01:57:48 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 01:57:48 +0000 |
| commit | 82ca7c8720626d61491ceff114dc67681500de6d (patch) | |
| tree | 1c33bb16602705eb65b95e7b423bc722f7aa64b8 /net/cert | |
| parent | d7e1efbaf028814769185489d023ad951aa492b8 (diff) | |
| download | chromium_src-82ca7c8720626d61491ceff114dc67681500de6d.zip chromium_src-82ca7c8720626d61491ceff114dc67681500de6d.tar.gz chromium_src-82ca7c8720626d61491ceff114dc67681500de6d.tar.bz2 | |
Set verify_result->is_issued_by_known_root correctly in
CertVerifyProcOpenSSL.
Right now CertVerifyProcOpenSSL uses only the default root certs and
the test root certs. So if a cert is not issued by a test root, consider
it as being issued by a known root.
R=rsleevi@chromium.org
BUG=312754
TEST=net_unittests
Review URL: https://codereview.chromium.org/115393005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@241444 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert')
| -rw-r--r-- | net/cert/cert_verify_proc_openssl.cc | 34 | ||||
| -rw-r--r-- | net/cert/test_root_certs.h | 10 | ||||
| -rw-r--r-- | net/cert/test_root_certs_openssl.cc | 12 |
3 files changed, 39 insertions, 17 deletions
diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc index 906e4cb..3bff531 100644 --- a/net/cert/cert_verify_proc_openssl.cc +++ b/net/cert/cert_verify_proc_openssl.cc @@ -18,6 +18,7 @@ #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verifier.h" #include "net/cert/cert_verify_result.h" +#include "net/cert/test_root_certs.h" #include "net/cert/x509_certificate.h" namespace net { @@ -121,9 +122,34 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx, } } + // Set verify_result->verified_cert and + // verify_result->is_issued_by_known_root. if (verified_cert) { verify_result->verified_cert = X509Certificate::CreateFromHandle(verified_cert, verified_chain); + + // For OpenSSL builds, only certificates used for unit tests are treated + // as not issued by known roots. The only way to determine whether a + // certificate is issued by a known root using OpenSSL is to examine + // distro-and-release specific hardcoded lists. + verify_result->is_issued_by_known_root = true; + if (TestRootCerts::HasInstance()) { + X509* root = NULL; + if (verified_chain.empty()) { + root = verified_cert; + } else { + root = verified_chain.back(); + } + const CertificateList& temporary_roots = + TestRootCerts::GetInstance()->temporary_roots(); + for (size_t i = 0; i < temporary_roots.size(); ++i) { + if (X509Certificate::IsSameOSCert( + root, temporary_roots[i]->os_cert_handle())) { + verify_result->is_issued_by_known_root = false; + break; + } + } + } } } @@ -214,14 +240,6 @@ int CertVerifyProcOpenSSL::VerifyInternal( if (IsCertStatusError(verify_result->cert_status)) return MapCertStatusToNetError(verify_result->cert_status); - // Currently we only ues OpenSSL's default root CA paths, so treat all - // correctly verified certs as being from a known root. - // TODO(joth): if the motivations described in - // http://src.chromium.org/viewvc/chrome?view=rev&revision=80778 become an - // issue on OpenSSL builds, we will need to embed a hardcoded list of well - // known root CAs, as per the _mac and _win versions. - verify_result->is_issued_by_known_root = true; - return OK; } diff --git a/net/cert/test_root_certs.h b/net/cert/test_root_certs.h index 22c635f..03cedcc 100644 --- a/net/cert/test_root_certs.h +++ b/net/cert/test_root_certs.h @@ -12,6 +12,8 @@ #if defined(USE_NSS) || defined(OS_IOS) #include <list> +#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) +#include <vector> #elif defined(OS_WIN) #include <windows.h> #include <wincrypt.h> @@ -68,7 +70,9 @@ class NET_EXPORT_PRIVATE TestRootCerts { // be trusted. By default, this is true, indicating that the TestRootCerts // are used in addition to OS trust store. void SetAllowSystemTrust(bool allow_system_trust); - +#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) + const std::vector<scoped_refptr<X509Certificate> >& + temporary_roots() const { return temporary_roots_; } #elif defined(OS_WIN) HCERTSTORE temporary_roots() const { return temporary_roots_; } @@ -93,6 +97,8 @@ class NET_EXPORT_PRIVATE TestRootCerts { // settings, in order to restore them when Clear() is called. class TrustEntry; std::list<TrustEntry*> trust_cache_; +#elif defined(USE_OPENSSL) && !defined(OS_ANDROID) + std::vector<scoped_refptr<X509Certificate> > temporary_roots_; #elif defined(OS_WIN) HCERTSTORE temporary_roots_; #elif defined(OS_MACOSX) @@ -100,7 +106,7 @@ class NET_EXPORT_PRIVATE TestRootCerts { bool allow_system_trust_; #endif -#if defined(OS_WIN) || defined(USE_OPENSSL) +#if defined(OS_WIN) || defined(OS_ANDROID) // True if there are no temporarily trusted root certificates. bool empty_; #endif diff --git a/net/cert/test_root_certs_openssl.cc b/net/cert/test_root_certs_openssl.cc index 3d5cf3d..99e1976 100644 --- a/net/cert/test_root_certs_openssl.cc +++ b/net/cert/test_root_certs_openssl.cc @@ -26,26 +26,24 @@ bool TestRootCerts::Add(X509Certificate* certificate) { ERR_clear_error(); } - empty_ = false; + temporary_roots_.push_back(certificate); return true; } void TestRootCerts::Clear() { - if (empty_) + if (temporary_roots_.empty()) return; + temporary_roots_.clear(); X509Certificate::ResetCertStore(); - empty_ = true; } bool TestRootCerts::IsEmpty() const { - return empty_; + return temporary_roots_.empty(); } TestRootCerts::~TestRootCerts() {} -void TestRootCerts::Init() { - empty_ = true; -} +void TestRootCerts::Init() {} } // namespace net |