diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-01-11 16:26:09 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-01-11 16:26:09 +0000 |
| commit | 9c1f832c42c4cdb47c75d855a95a0b35fad5baf4 (patch) | |
| tree | e6d6696af83980798a77e0cd462f76af9b26b435 /net | |
| parent | 0ac718acacbf80a701e75154b7dfc97c8d8d62ad (diff) | |
| download | chromium_src-9c1f832c42c4cdb47c75d855a95a0b35fad5baf4.zip chromium_src-9c1f832c42c4cdb47c75d855a95a0b35fad5baf4.tar.gz chromium_src-9c1f832c42c4cdb47c75d855a95a0b35fad5baf4.tar.bz2 | |
Implement CRLSet checking on Windows.
BUG=none
TEST=net_unittests
Review URL: http://codereview.chromium.org/9153014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117225 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/base/x509_certificate_unittest.cc | 4 | ||||
| -rw-r--r-- | net/base/x509_certificate_win.cc | 66 |
2 files changed, 67 insertions, 3 deletions
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc index 2badf8b..a32c37c 100644 --- a/net/base/x509_certificate_unittest.cc +++ b/net/base/x509_certificate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -1384,7 +1384,7 @@ TEST(X509CertificateTest, GetDEREncoded) { } #endif -#if defined(USE_NSS) +#if defined(USE_NSS) || defined(OS_WIN) static const uint8 kCRLSetThawteSPKIBlocked[] = { 0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a, 0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc index 3fd48e1..19ac3e2 100644 --- a/net/base/x509_certificate_win.cc +++ b/net/base/x509_certificate_win.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -17,9 +17,11 @@ #include "base/utf_string_conversions.h" #include "crypto/rsa_private_key.h" #include "crypto/scoped_capi_types.h" +#include "crypto/sha2.h" #include "net/base/asn1_util.h" #include "net/base/cert_status_flags.h" #include "net/base/cert_verify_result.h" +#include "net/base/crl_set.h" #include "net/base/ev_root_ca_metadata.h" #include "net/base/net_errors.h" #include "net/base/test_root_certs.h" @@ -456,6 +458,65 @@ X509Certificate::OSCertHandles ParsePKCS7(const char* data, size_t length) { return results; } +bool CheckRevocationWithCRLSet(PCCERT_CHAIN_CONTEXT chain, + CRLSet* crl_set) { + if (chain->cChain == 0) + return true; + + const PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0]; + const PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; + + const int num_elements = first_chain->cElement; + if (num_elements == 0) + return true; + + // We iterate from the root certificate down to the leaf, keeping track of + // the issuer's SPKI at each step. + std::string issuer_spki_hash; + for (int i = num_elements - 1; i >= 0; i--) { + PCCERT_CONTEXT cert = element[i]->pCertContext; + + base::StringPiece der_bytes( + reinterpret_cast<const char*>(cert->pbCertEncoded), + cert->cbCertEncoded); + base::StringPiece spki; + if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) { + NOTREACHED(); + continue; + } + + const std::string spki_hash = crypto::SHA256HashString(spki); + + const CRYPT_INTEGER_BLOB* serial_blob = &cert->pCertInfo->SerialNumber; + scoped_array<uint8> serial_bytes(new uint8[serial_blob->cbData]); + // The bytes of the serial number are stored little-endian. + for (unsigned j = 0; j < serial_blob->cbData; j++) + serial_bytes[j] = serial_blob->pbData[serial_blob->cbData - j - 1]; + base::StringPiece serial(reinterpret_cast<const char*>(serial_bytes.get()), + serial_blob->cbData); + + CRLSet::Result result = crl_set->CheckSPKI(spki_hash); + + if (result != CRLSet::REVOKED && !issuer_spki_hash.empty()) + result = crl_set->CheckSerial(serial, issuer_spki_hash); + + issuer_spki_hash = spki_hash; + + switch (result) { + case CRLSet::REVOKED: + return false; + case CRLSet::UNKNOWN: + case CRLSet::GOOD: + continue; + default: + NOTREACHED(); + continue; + } + } + + return true; +} + void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain, std::vector<SHA1Fingerprint>* hashes) { if (chain->cChain == 0) @@ -900,6 +961,9 @@ int X509Certificate::VerifyInternal(const std::string& hostname, if (CertSubjectCommonNameHasNull(cert_handle_)) verify_result->cert_status |= CERT_STATUS_INVALID; + if (crl_set && !CheckRevocationWithCRLSet(chain_context, crl_set)) + verify_result->cert_status |= CERT_STATUS_REVOKED; + std::wstring wstr_hostname = ASCIIToWide(hostname); SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para; |