authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-01-11 18:24:57 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-01-11 18:24:57 +0000
commitc395b3091c0bc29d4ee5938c796af922d0f1bf21 (patch)
treea27885ab40165550e8a0e64c2938e1d7ee865f21 /net
parent76e6e7c63aaa8e30e4143b8db9fc7d754812e718 (diff)
Implement CRLSet checking on Mac.
BUG=none TEST=net_unittests Review URL: http://codereview.chromium.org/9152019 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117242 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/x509_certificate_mac.cc62
-rw-r--r--net/base/x509_certificate_unittest.cc4
2 files changed, 63 insertions, 3 deletions
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 0947e22..b796288 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -21,9 +21,11 @@
#include "crypto/cssm_init.h"
#include "crypto/nss_util.h"
#include "crypto/rsa_private_key.h"
+#include "crypto/sha2.h"
#include "net/base/asn1_util.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_verify_result.h"
+#include "net/base/crl_set.h"
#include "net/base/net_errors.h"
#include "net/base/test_root_certs.h"
#include "net/base/x509_certificate_known_roots_mac.h"
@@ -685,6 +687,61 @@ void AppendPublicKeyHashes(CFArrayRef chain,
}
}
+bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
+ if (CFArrayGetCount(chain) == 0)
+ return true;
+
+ // We iterate from the root certificate down to the leaf, keeping track of
+ // the issuer's SPKI at each step.
+ std::string issuer_spki_hash;
+ for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) {
+ SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
+ const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
+
+ CSSM_DATA cert_data;
+ OSStatus err = SecCertificateGetData(cert, &cert_data);
+ if (err != noErr) {
+ NOTREACHED();
+ continue;
+ }
+ base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
+ cert_data.Length);
+ base::StringPiece spki;
+ if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) {
+ NOTREACHED();
+ continue;
+ }
+
+ const std::string spki_hash = crypto::SHA256HashString(spki);
+ CSSMCachedCertificate cached_cert;
+ if (cached_cert.Init(cert) != CSSM_OK) {
+ NOTREACHED();
+ continue;
+ }
+ const std::string serial = GetCertSerialNumber(cached_cert);
+
+ CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
+
+ if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
+ result = crl_set->CheckSerial(serial, issuer_spki_hash);
+
+ issuer_spki_hash = spki_hash;
+
+ switch (result) {
+ case CRLSet::REVOKED:
+ return false;
+ case CRLSet::UNKNOWN:
+ case CRLSet::GOOD:
+ continue;
+ default:
+ NOTREACHED();
+ return false;
+ }
+ }
+
+ return true;
+}
+
} // namespace
void X509Certificate::Initialize() {
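Review bot: The three failure paths in CheckRevocationWithCRLSet (`SecCertificateGetData`, `asn1::ExtractSPKIFromDERCert`, `cached_cert.Init`) fail open: each does `NOTREACHED(); continue;`, so where NOTREACHED compiles to nothing the certificate is skipped unchecked and `issuer_spki_hash` still holds the hash from two levels up the chain. The next certificate's serial is then looked up under the wrong issuer SPKI, so a serial-based revocation entry for it cannot match and the function can still return true. This is inconsistent with the `default:` branch of the switch, which fails closed with `return false;`. I would replace each `continue;` on these paths with `return false;`, or at minimum add `issuer_spki_hash.clear();` before continuing so that no serial is checked against a stale issuer. A one-line comment stating that the `chain` array is expected to be ordered leaf-first (index 0 = leaf) would also help, since the reverse iteration depends on it.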
@@ -995,6 +1052,9 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
return NetErrorFromOSStatus(status);
ScopedCFTypeRef<CFArrayRef> scoped_completed_chain(completed_chain);
+ if (crl_set && !CheckRevocationWithCRLSet(completed_chain, crl_set))
+ verify_result->cert_status |= CERT_STATUS_REVOKED;
+
GetCertChainInfo(scoped_completed_chain.get(), chain_info, verify_result);
// Evaluate the results
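Review bot: The CRLSet result is only OR-ed into `verify_result->cert_status` here, and nothing in the hunk shows the function's return value changing, so rejection of a revoked chain depends on code further down in VerifyInternal that is outside this hunk. Please confirm that no later step assigns `cert_status` with `=` rather than `|=`, and that the status-to-error mapping covers `CERT_STATUS_REVOKED` on this path. If so, a short comment would record the dependency, e.g. `// CRLSet hits are recorded in cert_status only; the return code is derived from cert_status below.` As a style point, the call could take `scoped_completed_chain.get()` to match the `GetCertChainInfo` call on the next line.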
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 2badf8b..3a84a6d3 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
@@ -1384,7 +1384,7 @@ TEST(X509CertificateTest, GetDEREncoded) {
}
#endif
-#if defined(USE_NSS)
+#if defined(USE_NSS) || defined(OS_MACOSX)
static const uint8 kCRLSetThawteSPKIBlocked[] = {
0x8e, 0x00, 0x7b, 0x22, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x3a,
0x30, 0x2c, 0x22, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70,