author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-04 23:45:12 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-04 23:45:12 +0000 |
commit | b1bb04649edcd48d41e370091de355343991619b (patch) | |
tree | 926e806dc61aa1cedc1b3ff09be76e03376c4062 /net | |
parent | f5f2a3cc88d1bdde78c56ab60ac154c6bba9cb79 (diff) | |
On Windows, merge X509Certificate::VerifyEV into
X509Certificate::Verify, so that we call the Windows
CertGetCertificateChain function only once in the
common case. This allows us to do EV verification,
with little overhead, even if the caller doesn't ask
for it. This requires adding new methods to the
EVRootCAMetadata class.
R=rvargas
BUG=41267
TEST=none
Review URL: http://codereview.chromium.org/4124012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65139 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/ev_root_ca_metadata.cc | 84 | ||||
-rw-r--r-- | net/base/ev_root_ca_metadata.h | 27 | ||||
-rw-r--r-- | net/base/x509_certificate.h | 4 | ||||
-rw-r--r-- | net/base/x509_certificate_mac.cc | 1 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 130 |
5 files changed, 163 insertions, 83 deletions
diff --git a/net/base/ev_root_ca_metadata.cc b/net/base/ev_root_ca_metadata.cc
index 7c1c96a..7de971b 100644
--- a/net/base/ev_root_ca_metadata.cc
+++ b/net/base/ev_root_ca_metadata.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -9,6 +9,8 @@
 #include <pkcs11n.h>
 #include <secerr.h>
 #include <secoid.h>
+#elif defined(OS_WIN)
+#include <stdlib.h>
 #endif
 #include "base/logging.h"
@@ -251,6 +253,36 @@ static const EVMetadata ev_root_ca_metadata[] = {
 }
 };
+#if defined(OS_WIN)
+// static
+const EVRootCAMetadata::PolicyOID EVRootCAMetadata::policy_oids_[] = {
+ // The OIDs must be sorted in ascending order.
+ "1.2.392.200091.100.721.1",
+ "1.3.6.1.4.1.14370.1.6",
+ "1.3.6.1.4.1.22234.2.5.2.3.1",
+ "1.3.6.1.4.1.23223.1.1.1",
+ "1.3.6.1.4.1.34697.2.1",
+ "1.3.6.1.4.1.34697.2.2",
+ "1.3.6.1.4.1.34697.2.3",
+ "1.3.6.1.4.1.34697.2.4",
+ "1.3.6.1.4.1.4146.1.1",
+ "1.3.6.1.4.1.6334.1.100.1",
+ "1.3.6.1.4.1.6449.1.2.1.5.1",
+ "1.3.6.1.4.1.782.1.2.1.8.1",
+ "1.3.6.1.4.1.8024.0.2.100.1.2",
+ "2.16.528.1.1001.1.1.1.12.6.1.1.1",
+ "2.16.756.1.89.1.2.1.1",
+ "2.16.840.1.113733.1.7.23.6",
+ "2.16.840.1.113733.1.7.48.1",
+ "2.16.840.1.114028.10.1.2",
+ "2.16.840.1.114171.500.9",
+ "2.16.840.1.114404.1.1.2.4.1",
+ "2.16.840.1.114412.2.1",
+ "2.16.840.1.114413.1.7.23.3",
+ "2.16.840.1.114414.1.7.23.3",
+};
+#endif
+
 // static
 EVRootCAMetadata* EVRootCAMetadata::GetInstance() {
 return Singleton<EVRootCAMetadata>::get(); 
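Review bot: The new `#elif defined(OS_WIN)` branch pulls in only `<stdlib.h>` (for `bsearch`), but the Windows-only code this change adds further down in the same file — `PolicyOIDCmp`, the ascending-order `CHECK` in the constructor and `PolicyOIDsAreEqual` — also calls `strcmp`, which is declared in `<string.h>`; unless that header already arrives through an include above this hunk, add `+#include <string.h>` beside it. The table comment `// The OIDs must be sorted in ascending order.` would be more precise as `// The OIDs must be sorted in ascending strcmp() (lexicographic) order, not` `// numeric order: IsEVPolicyOID() binary-searches this array.`, since `1.3.6.1.4.1.4146.1.1` correctly follows `1.3.6.1.4.1.34697.2.4` here only under string comparison. It is also worth saying in that comment that the constructor `CHECK`s the order when the singleton is created, so a mis-sorted entry fails loudly rather than silently breaking EV detection.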
@@ -266,6 +298,35 @@ bool EVRootCAMetadata::GetPolicyOID(
 return true;
 }
+#if defined(OS_WIN)
+static int PolicyOIDCmp(const void* keyval, const void* datum) {
+ const char* oid1 = reinterpret_cast<const char*>(keyval);
+ const char* const* oid2 = reinterpret_cast<const char* const*>(datum);
+ return strcmp(oid1, *oid2);
+}
+
+bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
+ return bsearch(policy_oid, &policy_oids_[0], num_policy_oids_,
+ sizeof(PolicyOID), PolicyOIDCmp) != NULL;
+}
+#else
+bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
+ for (size_t i = 0; i < policy_oids_.size(); ++i) {
+ if (PolicyOIDsAreEqual(policy_oid, policy_oids_[i]))
+ return true;
+ }
+ return false;
+}
+#endif
+
+bool EVRootCAMetadata::HasEVPolicyOID(const SHA1Fingerprint& fingerprint,
+ PolicyOID policy_oid) const {
+ PolicyOID ev_policy_oid;
+ if (!GetPolicyOID(fingerprint, &ev_policy_oid))
+ return false;
+ return PolicyOIDsAreEqual(ev_policy_oid, policy_oid);
+}
+
 EVRootCAMetadata::EVRootCAMetadata() {
 // Constructs the object from the raw metadata in ev_root_ca_metadata.
 #if defined(USE_NSS)
@@ -293,6 +354,18 @@ EVRootCAMetadata::EVRootCAMetadata() {
 ev_policy_[metadata.fingerprint] = policy;
 policy_oids_.push_back(policy);
 }
+#elif defined(OS_WIN)
+ num_policy_oids_ = arraysize(policy_oids_);
+ // Verify policy_oids_ is in ascending order.
+ for (int i = 0; i < num_policy_oids_ - 1; i++)
+ CHECK(strcmp(policy_oids_[i], policy_oids_[i + 1]) < 0);
+
+ for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
+ const EVMetadata& metadata = ev_root_ca_metadata[i];
+ ev_policy_[metadata.fingerprint] = metadata.policy_oid;
+ // Verify policy_oids_ contains every EV policy OID.
+ DCHECK(IsEVPolicyOID(metadata.policy_oid));
+ }
 #else
 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
 const EVMetadata& metadata = ev_root_ca_metadata[i]; 
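Review bot: `PolicyOIDCmp` uses `reinterpret_cast` to recover the pointers from `bsearch`'s `const void*` arguments, but `static_cast` is the idiomatic and narrower cast for a `void*` round-trip: `const char* oid1 = static_cast<const char*>(keyval);` and `const char* const* oid2 = static_cast<const char* const*>(datum);`. In the Windows `IsEVPolicyOID`, `num_policy_oids_` is an `int` passed to `bsearch`'s `size_t` element count; since it is only ever assigned from `arraysize(policy_oids_)` in the constructor hunk below, declaring it `size_t` would remove the implicit signed-to-unsigned conversion there and let the order-checking loop drop its `int i` as well. The binary search silently depends on the sorted-array invariant that only the constructor's `CHECK` enforces, so a one-line comment above the Windows `IsEVPolicyOID` such as `// policy_oids_ is kept in strcmp() order (verified in the constructor).` would make the coupling visible to whoever next edits the table.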
@@ -308,4 +381,13 @@ EVRootCAMetadata::EVRootCAMetadata() {
 EVRootCAMetadata::~EVRootCAMetadata() {
 }
+// static
+bool EVRootCAMetadata::PolicyOIDsAreEqual(PolicyOID a, PolicyOID b) {
+#if defined(USE_NSS)
+ return a == b;
+#else
+ return !strcmp(a, b);
+#endif
+}
+
 } // namespace net
diff --git a/net/base/ev_root_ca_metadata.h b/net/base/ev_root_ca_metadata.h
index e9e8130..e0961f3 100644
--- a/net/base/ev_root_ca_metadata.h
+++ b/net/base/ev_root_ca_metadata.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -40,21 +40,40 @@ class EVRootCAMetadata {
 PolicyOID* policy_oid) const;
 const PolicyOID* GetPolicyOIDs() const { return &policy_oids_[0]; }
+#if defined(OS_WIN)
+ int NumPolicyOIDs() const { return num_policy_oids_; }
+#else
 int NumPolicyOIDs() const { return policy_oids_.size(); }
+#endif
- private:
- EVRootCAMetadata();
- ~EVRootCAMetadata();
+ // Returns true if policy_oid is an EV policy OID of some root CA.
+ bool IsEVPolicyOID(PolicyOID policy_oid) const;
+
+ // Returns true if the root CA with the given certificate fingerprint has
+ // the EV policy OID policy_oid.
+ bool HasEVPolicyOID(const SHA1Fingerprint& fingerprint,
+ PolicyOID policy_oid) const;
+ private:
 friend struct DefaultSingletonTraits<EVRootCAMetadata>;
 typedef std::map<SHA1Fingerprint, PolicyOID, SHA1FingerprintLessThan>
 PolicyOidMap;
+ EVRootCAMetadata();
+ ~EVRootCAMetadata();
+
+ static bool PolicyOIDsAreEqual(PolicyOID a, PolicyOID b);
+
 // Maps an EV root CA cert's SHA-1 fingerprint to its EV policy OID.
 PolicyOidMap ev_policy_;
+#if defined(OS_WIN)
+ static const PolicyOID policy_oids_[];
+ int num_policy_oids_;
+#else
 std::vector<PolicyOID> policy_oids_;
+#endif
 DISALLOW_COPY_AND_ASSIGN(EVRootCAMetadata);
 }; 
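Review bot: The new Windows member `static const PolicyOID policy_oids_[];` in ev_root_ca_metadata.h is declared without a comment, yet the Windows `IsEVPolicyOID` binary-searches it and the constructor `CHECK`s its order, so a contributor who appends an OID out of order learns about the invariant only from a crash when the singleton is first created. Suggest stating it at the declaration: `// Every EV policy OID, sorted in ascending strcmp() order; IsEVPolicyOID()` `// binary-searches this array, so new entries must keep it sorted.` The public `GetPolicyOIDs()`/`NumPolicyOIDs()` accessors appear to lose their only Windows caller with the removal of `ConstructCertChain` in this change; if nothing else uses them they could go, and if something does, a comment noting that `GetPolicyOIDs()` hands out the sorted static array on Windows would be useful. `PolicyOIDsAreEqual` on the same line is fine as written.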
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index a7eef9d..68762e4 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -286,6 +286,10 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
 // Common object initialization code. Called by the constructors only.
 void Initialize();
+#if defined(OS_WIN)
+ bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
+ const char* policy_oid) const;
+#endif
 bool VerifyEV() const;
 // Calculates the SHA-1 fingerprint of the certificate. Returns an empty
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 361e37c..a2a0eea 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -694,6 +694,7 @@ int X509Certificate::Verify(const std::string& hostname, int flags,
 // Determine the certificate's EV status using SecTrustCopyExtendedResult(),
 // which we need to look up because the function wasn't added until
 // Mac OS X 10.5.7.
+ // Note: "ExtendedResult" means extended validation results.
 CFBundleRef bundle =
 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security"));
 if (bundle) {
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 1236f85..9e018fd 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc 
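Review bot: The new private `CheckEV` declaration in x509_certificate.h carries no comment, while its contract is easy to get wrong: judging from x509_certificate_win.cc it expects a `chain_context` that the caller already built with `policy_oid` as the requested issuance policy and already checked for trust errors, and it only confirms that the chain's root is an EV root whose EV policy OID is `policy_oid`. Suggest a comment above the `#if defined(OS_WIN)` block: `// Windows only. Returns true if chain_context, built by Verify() with` `// policy_oid as its RequestedIssuancePolicy, terminates at an EV root CA` `// whose EV policy OID is policy_oid. Does not itself validate the chain.` The adjacent `VerifyEV()` declaration is kept for all platforms even though this change reduces its Windows body to a `NOTREACHED()` stub; moving it under an `#else` of the same `#if` would let that stub be deleted.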
@@ -291,48 +291,6 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
 }
 }
-///////////////////////////////////////////////////////////////////////////
-//
-// Functions used by X509Certificate::IsEV
-//
-///////////////////////////////////////////////////////////////////////////
-
-// Constructs a certificate chain starting from the end certificate
-// 'cert_context', matching any of the certificate policies.
-//
-// Returns the certificate chain context on success, or NULL on failure.
-// The caller is responsible for freeing the certificate chain context with
-// CertFreeCertificateChain.
-PCCERT_CHAIN_CONTEXT ConstructCertChain(
- PCCERT_CONTEXT cert_context,
- const char* const* policies,
- int num_policies) {
- CERT_CHAIN_PARA chain_para;
- memset(&chain_para, 0, sizeof(chain_para));
- chain_para.cbSize = sizeof(chain_para);
- chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
- chain_para.RequestedUsage.Usage.cUsageIdentifier = 0;
- chain_para.RequestedUsage.Usage.rgpszUsageIdentifier = NULL; // LPSTR*
- chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_OR;
- chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = num_policies;
- chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
- const_cast<char**>(policies);
- PCCERT_CHAIN_CONTEXT chain_context;
- if (!CertGetCertificateChain(
- NULL, // default chain engine, HCCE_CURRENT_USER
- cert_context,
- NULL, // current system time
- cert_context->hCertStore, // search this store
- &chain_para,
- CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT |
- CERT_CHAIN_CACHE_END_CERT,
- NULL, // reserved
- &chain_context)) {
- return NULL;
- }
- return chain_context;
-}
-
 // Decodes the cert's certificatePolicies extension into a CERT_POLICIES_INFO
 // structure and stores it in *output.
 void GetCertPoliciesInfo(PCCERT_CONTEXT cert, 
@@ -362,18 +320,6 @@ void GetCertPoliciesInfo(PCCERT_CONTEXT cert,
 output->reset(policies_info);
 }
-// Returns true if the policy is in the array of CERT_POLICY_INFO in
-// the CERT_POLICIES_INFO structure.
-bool ContainsPolicy(const CERT_POLICIES_INFO* policies_info,
- const char* policy) {
- int num_policies = policies_info->cPolicyInfo;
- for (int i = 0; i < num_policies; i++) {
- if (!strcmp(policies_info->rgPolicyInfo[i].pszPolicyIdentifier, policy))
- return true;
- }
- return false;
-}
-
 // Helper function to parse a principal from a WinInet description of that
 // principal.
 void ParsePrincipal(const std::string& description,
@@ -637,6 +583,28 @@ int X509Certificate::Verify(const std::string& hostname,
 // EV requires revocation checking.
 flags &= ~VERIFY_EV_CERT;
 }
+
+ // Get the certificatePolicies extension of the certificate.
+ scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
+ LPSTR ev_policy_oid = NULL;
+ if (flags & VERIFY_EV_CERT) {
+ GetCertPoliciesInfo(cert_handle_, &policies_info);
+ if (policies_info.get()) {
+ EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
+ for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) {
+ LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier;
+ if (metadata->IsEVPolicyOID(policy_oid)) {
+ ev_policy_oid = policy_oid;
+ chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND;
+ chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1;
+ chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
+ &ev_policy_oid;
+ break;
+ }
+ }
+ }
+ }
+
 PCCERT_CHAIN_CONTEXT chain_context;
 // IE passes a non-NULL pTime argument that specifies the current system
 // time. IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the 
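Review bot: The `VERIFY_EV_CERT` loop in the second hunk `break`s at the first certificatePolicies entry that is *any* root's EV OID, so a leaf that asserts more than one EV OID (with one belonging to a different EV root listed first) has its chain built with the wrong issuance policy, comes back with `CERT_TRUST_IS_NOT_VALID_FOR_USAGE`, is rebuilt without any policy, and quietly loses EV status — a narrowing relative to the removed `ConstructCertChain`, which passed every EV OID with `USAGE_MATCH_TYPE_OR`. If the single-OID behaviour is not intentional, collect every matching OID instead (sketch below), pass them with `USAGE_MATCH_TYPE_OR`, and have `CheckEV` accept the list and return true when `HasEVPolicyOID` holds for any of them; the retry block and the final `CheckEV` call on the next line need the matching adjustment, and `<vector>` must be in scope. Independently, `ev_policy_oid` (and `rgpszUsageIdentifier`) point into memory owned by `policies_info`, which is safe only because both are function-scope locals of `Verify()`; a comment on `LPSTR ev_policy_oid = NULL;` such as `// Points into policies_info; must not outlive it.` records that. The enclosing `Verify()` starts and ends outside this hunk.
```cpp
  scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
  // Each entry points into policies_info; must not outlive it.
  std::vector<LPSTR> ev_policy_oids;
  if (flags & VERIFY_EV_CERT) {
    GetCertPoliciesInfo(cert_handle_, &policies_info);
    if (policies_info.get()) {
      EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
      for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) {
        LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier;
        if (metadata->IsEVPolicyOID(policy_oid))
          ev_policy_oids.push_back(policy_oid);
      }
      if (!ev_policy_oids.empty()) {
        chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_OR;
        chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier =
            static_cast<DWORD>(ev_policy_oids.size());
        chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
            &ev_policy_oids[0];
      }
    }
  }
  // … unchanged: chain_context declaration and first CertGetCertificateChain call …
```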
@@ -652,6 +620,24 @@ int X509Certificate::Verify(const std::string& hostname,
 &chain_context)) {
 return MapSecurityError(GetLastError());
 }
+ if (chain_context->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
+ ev_policy_oid = NULL;
+ chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0;
+ chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL;
+ CertFreeCertificateChain(chain_context);
+ if (!CertGetCertificateChain(
+ NULL, // default chain engine, HCCE_CURRENT_USER
+ cert_handle_,
+ NULL, // current system time
+ cert_handle_->hCertStore, // search this store
+ &chain_para,
+ chain_flags,
+ NULL, // reserved
+ &chain_context)) {
+ return MapSecurityError(GetLastError());
+ }
+ }
 ScopedCertChainContext scoped_chain_context(chain_context);
 GetCertChainInfo(chain_context, verify_result);
@@ -756,8 +742,7 @@ int X509Certificate::Verify(const std::string& hostname,
 if (IsCertStatusError(verify_result->cert_status))
 return MapCertStatusToNetError(verify_result->cert_status);
- // TODO(ukai): combine regular cert verification and EV cert verification.
- if ((flags & VERIFY_EV_CERT) && VerifyEV())
+ if (ev_policy_oid && CheckEV(chain_context, ev_policy_oid))
 verify_result->cert_status |= CERT_STATUS_IS_EV;
 return OK;
 } 
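Review bot: The retry block after the first `CertGetCertificateChain` triggers on `CERT_TRUST_IS_NOT_VALID_FOR_USAGE` whether or not an EV issuance policy was actually requested, so when `ev_policy_oid` is `NULL` and the bit is set for some other reason (anything else in `chain_para`, set up outside this hunk, that the chain engine treats as a usage mismatch) the chain is rebuilt a second time with identical parameters, repeating the revocation checks for no gain. Guard on the policy having been requested: `if (ev_policy_oid && (chain_context->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE)) {`. The second `CertGetCertificateChain` call duplicates the first nine-line call verbatim; a small static helper taking `cert_handle_`, `&chain_para`, `chain_flags` and the out-pointer would keep the two from drifting apart. The second hunk on this line, `if (ev_policy_oid && CheckEV(chain_context, ev_policy_oid))`, is consistent with that guard because the retry clears `ev_policy_oid` before rebuilding. The enclosing `Verify()` starts and ends outside both hunks.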
@@ -768,16 +753,8 @@ int X509Certificate::Verify(const std::string& hostname,
 // certificates in the certificate chain according to Section 7 (pp. 11-12)
 // of the EV Certificate Guidelines Version 1.0 at
 // http://cabforum.org/EV_Certificate_Guidelines.pdf.
-bool X509Certificate::VerifyEV() const {
- DCHECK(cert_handle_);
- net::EVRootCAMetadata* metadata = net::EVRootCAMetadata::GetInstance();
-
- PCCERT_CHAIN_CONTEXT chain_context = ConstructCertChain(cert_handle_,
- metadata->GetPolicyOIDs(), metadata->NumPolicyOIDs());
- if (!chain_context)
- return false;
- ScopedCertChainContext scoped_chain_context(chain_context);
-
+bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
+ const char* policy_oid) const {
 DCHECK(chain_context->cChain != 0);
 // If the cert doesn't match any of the policies, the
 // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in
@@ -798,19 +775,16 @@ bool X509Certificate::VerifyEV() const {
 // Look up the EV policy OID of the root CA.
 PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
 SHA1Fingerprint fingerprint = CalculateFingerprint(root_cert);
- const char* ev_policy_oid = NULL;
- if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid))
- return false;
- DCHECK(ev_policy_oid);
-
- // Get the certificatePolicies extension of the end certificate.
- PCCERT_CONTEXT end_cert = element[0]->pCertContext;
- scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
- GetCertPoliciesInfo(end_cert, &policies_info);
- if (!policies_info.get())
- return false;
+ EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
+ return metadata->HasEVPolicyOID(fingerprint, policy_oid);
+}
- return ContainsPolicy(policies_info.get(), ev_policy_oid);
+bool X509Certificate::VerifyEV() const {
+ // We don't call this private method, but we do need to implement it because
+ // it's defined in x509_certificate.h. We perform EV checking in the
+ // Verify() above.
+ NOTREACHED();
+ return false;
 }
 // static |
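Review bot: The pre-existing function comment above the first hunk (`// ... according to Section 7 ... of the EV Certificate Guidelines`) now heads `CheckEV`, but the function no longer builds or validates a chain itself — it relies on `Verify()` having built `chain_context` with `policy_oid` as the requested issuance policy, having retried without it on `CERT_TRUST_IS_NOT_VALID_FOR_USAGE`, and having rejected any other trust error first; that precondition should be stated, e.g. `// Precondition: chain_context was built by Verify() with policy_oid as the` `// RequestedIssuancePolicy and has already passed the trust-status checks;` `// this only confirms the root is an EV root whose EV OID is policy_oid.` In the same spirit, the surviving context comment `// If the cert doesn't match any of the policies, the CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit ...` describes a condition that `Verify()` now handles before calling `CheckEV`, so it reads as a stale promise here and should either move to the retry block in `Verify()` or say the check happens in the caller. The `VerifyEV()` stub with `NOTREACHED()` is a reasonable bridge, but since x509_certificate.h already wraps `CheckEV` in `#if defined(OS_WIN)`, declaring `VerifyEV()` under the `#else` would let the stub be removed instead of shipping dead code. Both hunks' enclosing functions continue outside the visible lines.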