-rw-r--r--chrome/browser/page_info_model.cc2
-rw-r--r--chrome/browser/ssl/ssl_host_state.cc2
-rw-r--r--chrome/browser/ssl/ssl_host_state.h4
-rw-r--r--chrome/browser/ssl/ssl_host_state_unittest.cc24
-rw-r--r--chrome/browser/ssl/ssl_policy.cc4
-rw-r--r--chrome/browser/ssl/ssl_policy_backend.cc2
-rw-r--r--chrome/browser/ssl/ssl_policy_backend.h2
-rw-r--r--net/base/ev_root_ca_metadata.cc4
-rw-r--r--net/base/ev_root_ca_metadata.h6
-rw-r--r--net/base/x509_cert_types.h13
-rw-r--r--net/base/x509_certificate.cc48
-rw-r--r--net/base/x509_certificate.h50
-rw-r--r--net/base/x509_certificate_mac.cc9
-rw-r--r--net/base/x509_certificate_nss.cc8
-rw-r--r--net/base/x509_certificate_unittest.cc40
-rw-r--r--net/base/x509_certificate_win.cc8
16 files changed, 107 insertions, 119 deletions
diff --git a/chrome/browser/page_info_model.cc b/chrome/browser/page_info_model.cc
index da20fa2..7f904c0 100644
--- a/chrome/browser/page_info_model.cc
+++ b/chrome/browser/page_info_model.cc
@@ -22,7 +22,7 @@
namespace {
// Returns a name that can be used to represent the issuer. It tries in this
// order CN, O and OU and returns the first non-empty one found.
- std::string GetIssuerName(const net::X509Certificate::Principal& issuer) {
+ std::string GetIssuerName(const net::CertPrincipal& issuer) {
if (!issuer.common_name.empty())
return issuer.common_name;
if (!issuer.organization_names.empty())
diff --git a/chrome/browser/ssl/ssl_host_state.cc b/chrome/browser/ssl/ssl_host_state.cc
index e12c458..564afa9 100644
--- a/chrome/browser/ssl/ssl_host_state.cc
+++ b/chrome/browser/ssl/ssl_host_state.cc
@@ -54,7 +54,7 @@ void SSLHostState::AllowCertForHost(net::X509Certificate* cert,
cert_policy_for_host_[host].Allow(cert);
}
-net::X509Certificate::Policy::Judgment SSLHostState::QueryPolicy(
+net::CertPolicy::Judgment SSLHostState::QueryPolicy(
net::X509Certificate* cert, const std::string& host) {
DCHECK(CalledOnValidThread());
diff --git a/chrome/browser/ssl/ssl_host_state.h b/chrome/browser/ssl/ssl_host_state.h
index 3c87900..b35cb36 100644
--- a/chrome/browser/ssl/ssl_host_state.h
+++ b/chrome/browser/ssl/ssl_host_state.h
@@ -40,7 +40,7 @@ class SSLHostState : public NonThreadSafe {
void AllowCertForHost(net::X509Certificate* cert, const std::string& host);
// Queries whether |cert| is allowed or denied for |host|.
- net::X509Certificate::Policy::Judgment QueryPolicy(
+ net::CertPolicy::Judgment QueryPolicy(
net::X509Certificate* cert, const std::string& host);
private:
@@ -54,7 +54,7 @@ class SSLHostState : public NonThreadSafe {
std::set<BrokenHostEntry> ran_insecure_content_hosts_;
// Certificate policies for each host.
- std::map<std::string, net::X509Certificate::Policy> cert_policy_for_host_;
+ std::map<std::string, net::CertPolicy> cert_policy_for_host_;
DISALLOW_COPY_AND_ASSIGN(SSLHostState);
};
diff --git a/chrome/browser/ssl/ssl_host_state_unittest.cc b/chrome/browser/ssl/ssl_host_state_unittest.cc
index 09db79b..32e89ed 100644
--- a/chrome/browser/ssl/ssl_host_state_unittest.cc
+++ b/chrome/browser/ssl/ssl_host_state_unittest.cc
@@ -119,36 +119,36 @@ TEST_F(SSLHostStateTest, QueryPolicy) {
SSLHostState state;
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "www.google.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "google.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "example.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
state.AllowCertForHost(google_cert.get(), "www.google.com");
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "www.google.com"),
- net::X509Certificate::Policy::ALLOWED);
+ net::CertPolicy::ALLOWED);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "google.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "example.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
state.AllowCertForHost(google_cert.get(), "example.com");
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "www.google.com"),
- net::X509Certificate::Policy::ALLOWED);
+ net::CertPolicy::ALLOWED);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "google.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "example.com"),
- net::X509Certificate::Policy::ALLOWED);
+ net::CertPolicy::ALLOWED);
state.DenyCertForHost(google_cert.get(), "example.com");
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "www.google.com"),
- net::X509Certificate::Policy::ALLOWED);
+ net::CertPolicy::ALLOWED);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "google.com"),
- net::X509Certificate::Policy::UNKNOWN);
+ net::CertPolicy::UNKNOWN);
EXPECT_EQ(state.QueryPolicy(google_cert.get(), "example.com"),
- net::X509Certificate::Policy::DENIED);
+ net::CertPolicy::DENIED);
}
diff --git a/chrome/browser/ssl/ssl_policy.cc b/chrome/browser/ssl/ssl_policy.cc
index 768422f..ea1ff71 100644
--- a/chrome/browser/ssl/ssl_policy.cc
+++ b/chrome/browser/ssl/ssl_policy.cc
@@ -42,11 +42,11 @@ SSLPolicy::SSLPolicy(SSLPolicyBackend* backend)
void SSLPolicy::OnCertError(SSLCertErrorHandler* handler) {
// First we check if we know the policy for this error.
- net::X509Certificate::Policy::Judgment judgment =
+ net::CertPolicy::Judgment judgment =
backend_->QueryPolicy(handler->ssl_info().cert,
handler->request_url().host());
- if (judgment == net::X509Certificate::Policy::ALLOWED) {
+ if (judgment == net::CertPolicy::ALLOWED) {
handler->ContinueRequest();
return;
}
diff --git a/chrome/browser/ssl/ssl_policy_backend.cc b/chrome/browser/ssl/ssl_policy_backend.cc
index 7674fca..42fef7a 100644
--- a/chrome/browser/ssl/ssl_policy_backend.cc
+++ b/chrome/browser/ssl/ssl_policy_backend.cc
@@ -123,7 +123,7 @@ void SSLPolicyBackend::AllowCertForHost(net::X509Certificate* cert,
ssl_host_state_->AllowCertForHost(cert, host);
}
-net::X509Certificate::Policy::Judgment SSLPolicyBackend::QueryPolicy(
+net::CertPolicy::Judgment SSLPolicyBackend::QueryPolicy(
net::X509Certificate* cert, const std::string& host) {
return ssl_host_state_->QueryPolicy(cert, host);
}
diff --git a/chrome/browser/ssl/ssl_policy_backend.h b/chrome/browser/ssl/ssl_policy_backend.h
index ee80d5b..4059df7 100644
--- a/chrome/browser/ssl/ssl_policy_backend.h
+++ b/chrome/browser/ssl/ssl_policy_backend.h
@@ -42,7 +42,7 @@ class SSLPolicyBackend {
void AllowCertForHost(net::X509Certificate* cert, const std::string& host);
// Queries whether |cert| is allowed or denied for |host|.
- net::X509Certificate::Policy::Judgment QueryPolicy(
+ net::CertPolicy::Judgment QueryPolicy(
net::X509Certificate* cert, const std::string& host);
// Shows the pending messages (in info-bars) if any.
diff --git a/net/base/ev_root_ca_metadata.cc b/net/base/ev_root_ca_metadata.cc
index 2212723..023b1fb 100644
--- a/net/base/ev_root_ca_metadata.cc
+++ b/net/base/ev_root_ca_metadata.cc
@@ -20,7 +20,7 @@ namespace net {
struct EVMetadata {
// The SHA-1 fingerprint of the root CA certificate, used as a unique
// identifier for a root CA certificate.
- X509Certificate::Fingerprint fingerprint;
+ SHA1Fingerprint fingerprint;
// The EV policy OID of the root CA.
// Note: a root CA may have multiple EV policies. When that actually
@@ -233,7 +233,7 @@ EVRootCAMetadata* EVRootCAMetadata::GetInstance() {
}
bool EVRootCAMetadata::GetPolicyOID(
- const X509Certificate::Fingerprint& fingerprint,
+ const SHA1Fingerprint& fingerprint,
PolicyOID* policy_oid) const {
PolicyOidMap::const_iterator iter = ev_policy_.find(fingerprint);
if (iter == ev_policy_.end())
diff --git a/net/base/ev_root_ca_metadata.h b/net/base/ev_root_ca_metadata.h
index f006878..b1b2781 100644
--- a/net/base/ev_root_ca_metadata.h
+++ b/net/base/ev_root_ca_metadata.h
@@ -35,7 +35,7 @@ class EVRootCAMetadata {
// If the root CA cert has an EV policy OID, returns true and stores the
// policy OID in *policy_oid. Otherwise, returns false.
- bool GetPolicyOID(const X509Certificate::Fingerprint& fingerprint,
+ bool GetPolicyOID(const SHA1Fingerprint& fingerprint,
PolicyOID* policy_oid) const;
const PolicyOID* GetPolicyOIDs() const { return &policy_oids_[0]; }
@@ -47,8 +47,8 @@ class EVRootCAMetadata {
friend struct DefaultSingletonTraits<EVRootCAMetadata>;
- typedef std::map<X509Certificate::Fingerprint, PolicyOID,
- X509Certificate::FingerprintLessThan> PolicyOidMap;
+ typedef std::map<SHA1Fingerprint, PolicyOID,
+ SHA1FingerprintLessThan> PolicyOidMap;
// Maps an EV root CA cert's SHA-1 fingerprint to its EV policy OID.
PolicyOidMap ev_policy_;
diff --git a/net/base/x509_cert_types.h b/net/base/x509_cert_types.h
index 2c9e279..0f5122e 100644
--- a/net/base/x509_cert_types.h
+++ b/net/base/x509_cert_types.h
@@ -2,11 +2,13 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef NET_BASE_X509_TYPES_H_
-#define NET_BASE_X509_TYPES_H_
+#ifndef NET_BASE_X509_CERT_TYPES_H_
+#define NET_BASE_X509_CERT_TYPES_H_
#include <string.h>
+#include <functional>
+#include <iostream>
#include <map>
#include <set>
#include <string>
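Review bot: `#include <iostream>` is being added to a header that many net/ and chrome/ translation units include, yet nothing in the visible hunks of x509_cert_types.h uses a stream, and `<iostream>` pulls a static `std::ios_base::Init` object into every including TU. If it is there for an `operator<<` declared elsewhere in this header (not visible here), `<iosfwd>` is enough for the declaration and the defining .cc can include `<ostream>`; change the new line to `#include <iosfwd>`. The `<functional>` addition for `std::binary_function` is correct and should stay.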
@@ -43,7 +45,10 @@ struct SHA1Fingerprint {
class SHA1FingerprintLessThan
: public std::binary_function<SHA1Fingerprint, SHA1Fingerprint, bool> {
public:
- bool operator() (const SHA1Fingerprint& lhs, const SHA1Fingerprint& rhs) const;
+ bool operator() (const SHA1Fingerprint& lhs,
+ const SHA1Fingerprint& rhs) const {
+ return memcmp(lhs.data, rhs.data, sizeof(lhs.data)) < 0;
+ }
};
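Review bot: The inlined `memcmp` orders bytes as `unsigned char`, whereas the removed per-element loop in x509_certificate.cc compared `data[i]` with the element type's own signedness; the two orderings coincide only if `SHA1Fingerprint::data` is declared `unsigned char`, and that declaration sits above this hunk. If it is plain `char` the map order silently changes, which is harmless for lookup in `PolicyOidMap` and `CertMap` but is the kind of thing a later reader will wonder about; add a comment above the `return`: `// Byte-wise unsigned ordering via memcmp; callers only need a strict weak ordering for map keys.` The `memcmp` dependency on `<string.h>` is already satisfied by the existing include.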
// CertPrincipal represents the issuer or subject field of an X.509 certificate.
@@ -129,4 +134,4 @@ inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
} // namespace net
-#endif // NET_BASE_X509_TYPES_H_
+#endif // NET_BASE_X509_CERT_TYPES_H_
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index 27a4ae0..f5b28a6 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -10,8 +10,11 @@
#include <cert.h>
#endif
+#include <map>
+
#include "base/histogram.h"
#include "base/logging.h"
+#include "base/singleton.h"
#include "base/time.h"
namespace net {
@@ -20,7 +23,7 @@ namespace {
// Returns true if this cert fingerprint is the null (all zero) fingerprint.
// We use this as a bogus fingerprint value.
-bool IsNullFingerprint(const X509Certificate::Fingerprint& fingerprint) {
+bool IsNullFingerprint(const SHA1Fingerprint& fingerprint) {
for (size_t i = 0; i < arraysize(fingerprint.data); ++i) {
if (fingerprint.data[i] != 0)
return false;
@@ -57,24 +60,12 @@ bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
#endif
}
-bool X509Certificate::FingerprintLessThan::operator()(
- const SHA1Fingerprint& lhs,
- const SHA1Fingerprint& rhs) const {
- for (size_t i = 0; i < sizeof(lhs.data); ++i) {
- if (lhs.data[i] < rhs.data[i])
- return true;
- if (lhs.data[i] > rhs.data[i])
- return false;
- }
- return false;
-}
-
bool X509Certificate::LessThan::operator()(X509Certificate* lhs,
X509Certificate* rhs) const {
if (lhs == rhs)
return false;
- X509Certificate::FingerprintLessThan fingerprint_functor;
+ SHA1FingerprintLessThan fingerprint_functor;
return fingerprint_functor(lhs->fingerprint_, rhs->fingerprint_);
}
@@ -83,6 +74,32 @@ bool X509Certificate::LessThan::operator()(X509Certificate* lhs,
// The cache does not hold a reference to the certificate objects. The objects
// must |Remove| themselves from the cache upon destruction (or else the cache
// will be holding dead pointers to the objects).
+// TODO(rsleevi): There exists a chance of a use-after-free, due to a race
+// between Find() and Remove(). See http://crbug.com/49377
+class X509Certificate::Cache {
+ public:
+ static Cache* GetInstance();
+ void Insert(X509Certificate* cert);
+ void Remove(X509Certificate* cert);
+ X509Certificate* Find(const SHA1Fingerprint& fingerprint);
+
+ private:
+ typedef std::map<SHA1Fingerprint, X509Certificate*, SHA1FingerprintLessThan>
+ CertMap;
+
+ // Obtain an instance of X509Certificate::Cache via GetInstance().
+ Cache() {}
+ friend struct DefaultSingletonTraits<Cache>;
+
+ // You must acquire this lock before using any private data of this object.
+ // You must not block while holding this lock.
+ Lock lock_;
+
+ // The certificate cache. You must acquire |lock_| before using |cache_|.
+ CertMap cache_;
+
+ DISALLOW_COPY_AND_ASSIGN(Cache);
+};
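Review bot: The new TODO on `X509Certificate::Cache` names a use-after-free between Find() and Remove(), but the class as moved here does nothing to narrow it: `cache_` holds raw `X509Certificate*` with no reference held, so a caller that receives a pointer from Find() and AddRef()s it after `lock_` is released can race the destructor's Remove() of the same object. Since the class is now private to this .cc its interface can change freely, so at least the contract should be spelled out on Find(): `// Returns a raw pointer with no reference held. The object may be destroyed` `// between the lookup and the caller's AddRef(); see http://crbug.com/49377.` A real fix presumably needs Find() and the destructor to agree under `lock_` on whether the object is still alive (e.g. taking the reference while the lock is held and having the destructor skip entries that were resurrected), which cannot be confirmed from this hunk because the Insert/Remove/Find bodies are outside it.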
// Get the singleton object for the cache.
// static
@@ -113,7 +130,8 @@ void X509Certificate::Cache::Remove(X509Certificate* cert) {
// Find a certificate in the cache with the given fingerprint. If one does
// not exist, this method returns NULL.
-X509Certificate* X509Certificate::Cache::Find(const Fingerprint& fingerprint) {
+X509Certificate* X509Certificate::Cache::Find(
+ const SHA1Fingerprint& fingerprint) {
AutoLock lock(lock_);
CertMap::iterator pos(cache_.find(fingerprint));
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index b962154..d6b3447 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -7,13 +7,10 @@
#include <string.h>
-#include <map>
-#include <set>
#include <string>
#include <vector>
#include "base/ref_counted.h"
-#include "base/singleton.h"
#include "base/time.h"
#include "net/base/x509_cert_types.h"
#include "testing/gtest/include/gtest/gtest_prod.h"
@@ -54,13 +51,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
typedef std::vector<OSCertHandle> OSCertHandles;
- // Legacy names for types now defined in x509_cert_types.h.
- // TODO(snej): Clean up existing code using these names to use the new names.
- typedef CertPrincipal Principal;
- typedef CertPolicy Policy;
- typedef SHA1Fingerprint Fingerprint;
- typedef SHA1FingerprintLessThan FingerprintLessThan;
-
// Predicate functor used in maps when X509Certificate is used as the key.
class LessThan
: public std::binary_function<X509Certificate*, X509Certificate*, bool> {
@@ -120,10 +110,10 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
// The subject of the certificate. For HTTPS server certificates, this
// represents the web server. The common name of the subject should match
// the host name of the web server.
- const Principal& subject() const { return subject_; }
+ const CertPrincipal& subject() const { return subject_; }
// The issuer of the certificate.
- const Principal& issuer() const { return issuer_; }
+ const CertPrincipal& issuer() const { return issuer_; }
// Time period during which the certificate is valid. More precisely, this
// certificate is invalid before the |valid_start| date and invalid after
@@ -134,7 +124,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
const base::Time& valid_expiry() const { return valid_expiry_; }
// The fingerprint of this certificate.
- const Fingerprint& fingerprint() const { return fingerprint_; }
+ const SHA1Fingerprint& fingerprint() const { return fingerprint_; }
// Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1
// Server Identity, if the certificate has a subjectAltName extension of
@@ -224,31 +214,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
FRIEND_TEST(X509CertificateTest, Cache);
FRIEND_TEST(X509CertificateTest, IntermediateCertificates);
- // A cache of X509Certificate objects.
- class Cache {
- public:
- static Cache* GetInstance();
- void Insert(X509Certificate* cert);
- void Remove(X509Certificate* cert);
- X509Certificate* Find(const Fingerprint& fingerprint);
-
- private:
- typedef std::map<Fingerprint, X509Certificate*, FingerprintLessThan>
- CertMap;
-
- // Obtain an instance of X509Certificate::Cache via GetInstance().
- Cache() { }
- friend struct DefaultSingletonTraits<Cache>;
-
- // You must acquire this lock before using any private data of this object.
- // You must not block while holding this lock.
- Lock lock_;
-
- // The certificate cache. You must acquire |lock_| before using |cache_|.
- CertMap cache_;
-
- DISALLOW_COPY_AND_ASSIGN(Cache);
- };
+ class Cache;
// Construct an X509Certificate from a handle to the certificate object
// in the underlying crypto library.
@@ -264,13 +230,13 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
// Calculates the SHA-1 fingerprint of the certificate. Returns an empty
// (all zero) fingerprint on failure.
- static Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
+ static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
// The subject of the certificate.
- Principal subject_;
+ CertPrincipal subject_;
// The issuer of the certificate.
- Principal issuer_;
+ CertPrincipal issuer_;
// This certificate is not valid before |valid_start_|
base::Time valid_start_;
@@ -279,7 +245,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
base::Time valid_expiry_;
// The fingerprint of this certificate.
- Fingerprint fingerprint_;
+ SHA1Fingerprint fingerprint_;
// A handle to the certificate object in the underlying crypto library.
OSCertHandle cert_handle_;
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 08da804..ed46adc 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -691,9 +691,9 @@ void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
}
// static
-X509Certificate::Fingerprint X509Certificate::CalculateFingerprint(
+SHA1Fingerprint X509Certificate::CalculateFingerprint(
OSCertHandle cert) {
- Fingerprint sha1;
+ SHA1Fingerprint sha1;
memset(sha1.data, 0, sizeof(sha1.data));
CSSM_DATA cert_data;
@@ -791,7 +791,7 @@ OSStatus X509Certificate::CreateSSLClientPolicy(SecPolicyRef* out_policy) {
// static
bool X509Certificate::GetSSLClientCertificates (
const std::string& server_domain,
- const std::vector<Principal>& valid_issuers,
+ const std::vector<CertPrincipal>& valid_issuers,
std::vector<scoped_refptr<X509Certificate> >* certs) {
scoped_cftyperef<SecIdentityRef> preferred_identity;
if (!server_domain.empty()) {
@@ -826,12 +826,11 @@ bool X509Certificate::GetSSLClientCertificates (
scoped_refptr<X509Certificate> cert(
CreateFromHandle(cert_handle, SOURCE_LONE_CERT_IMPORT,
OSCertHandles()));
- // cert_handle is adoped by cert, so I don't need to release it myself.
if (cert->HasExpired() || !cert->SupportsSSLClientAuth())
continue;
// Skip duplicates (a cert may be in multiple keychains).
- X509Certificate::Fingerprint fingerprint = cert->fingerprint();
+ const SHA1Fingerprint& fingerprint = cert->fingerprint();
unsigned i;
for (i = 0; i < certs->size(); ++i) {
if ((*certs)[i]->fingerprint().Equals(fingerprint))
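Review bot: The removed comment was the only statement in this loop that `cert_handle` is owned by `cert` after CreateFromHandle() and must not be released here; dropping it leaves a reader to guess whether a matching release is missing on the `continue` path. Binding `fingerprint` by const reference is fine, since it points into `cert`, which outlives the loop body. Keep the ownership note with its typo fixed: `// cert_handle is adopted by cert; do not release it here.` Whether CreateFromHandle adopts or retains the handle is stated in x509_certificate.h outside this hunk, so confirm the wording against that; GetSSLClientCertificates continues past the hunk.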
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index e311edb..8eb337f 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -219,7 +219,7 @@ void GetCertChainInfo(CERTCertList* cert_list,
typedef char* (*CERTGetNameFunc)(CERTName* name);
void ParsePrincipal(CERTName* name,
- X509Certificate::Principal* principal) {
+ CertPrincipal* principal) {
// TODO(jcampan): add business_category and serial_number.
// TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and
// CERT_GetDomainComponentName functions, but they return only the most
@@ -706,7 +706,7 @@ bool X509Certificate::VerifyEV() const {
cvout[cvout_trust_anchor_index].value.pointer.cert;
if (root_ca == NULL)
return false;
- X509Certificate::Fingerprint fingerprint =
+ SHA1Fingerprint fingerprint =
X509Certificate::CalculateFingerprint(root_ca);
SECOidTag ev_policy_tag = SEC_OID_UNKNOWN;
if (!metadata->GetPolicyOID(fingerprint, &ev_policy_tag))
@@ -750,9 +750,9 @@ void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
}
// static
-X509Certificate::Fingerprint X509Certificate::CalculateFingerprint(
+SHA1Fingerprint X509Certificate::CalculateFingerprint(
OSCertHandle cert) {
- Fingerprint sha1;
+ SHA1Fingerprint sha1;
memset(sha1.data, 0, sizeof(sha1.data));
DCHECK(NULL != cert->derCert.data);
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 03c696a..63eec15 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -108,7 +108,7 @@ TEST(X509CertificateTest, GoogleCertParsing) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
- const X509Certificate::Principal& subject = google_cert->subject();
+ const CertPrincipal& subject = google_cert->subject();
EXPECT_EQ("www.google.com", subject.common_name);
EXPECT_EQ("Mountain View", subject.locality_name);
EXPECT_EQ("California", subject.state_or_province_name);
@@ -119,7 +119,7 @@ TEST(X509CertificateTest, GoogleCertParsing) {
EXPECT_EQ(0U, subject.organization_unit_names.size());
EXPECT_EQ(0U, subject.domain_components.size());
- const X509Certificate::Principal& issuer = google_cert->issuer();
+ const CertPrincipal& issuer = google_cert->issuer();
EXPECT_EQ("Thawte SGC CA", issuer.common_name);
EXPECT_EQ("", issuer.locality_name);
EXPECT_EQ("", issuer.state_or_province_name);
@@ -137,7 +137,7 @@ TEST(X509CertificateTest, GoogleCertParsing) {
const Time& valid_expiry = google_cert->valid_expiry();
EXPECT_EQ(1269728407, valid_expiry.ToDoubleT()); // Mar 27 22:20:07 2010 GMT
- const X509Certificate::Fingerprint& fingerprint = google_cert->fingerprint();
+ const SHA1Fingerprint& fingerprint = google_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
EXPECT_EQ(google_fingerprint[i], fingerprint.data[i]);
@@ -162,7 +162,7 @@ TEST(X509CertificateTest, WebkitCertParsing) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), webkit_cert);
- const X509Certificate::Principal& subject = webkit_cert->subject();
+ const CertPrincipal& subject = webkit_cert->subject();
EXPECT_EQ("Cupertino", subject.locality_name);
EXPECT_EQ("California", subject.state_or_province_name);
EXPECT_EQ("US", subject.country_name);
@@ -173,7 +173,7 @@ TEST(X509CertificateTest, WebkitCertParsing) {
EXPECT_EQ("Mac OS Forge", subject.organization_unit_names[0]);
EXPECT_EQ(0U, subject.domain_components.size());
- const X509Certificate::Principal& issuer = webkit_cert->issuer();
+ const CertPrincipal& issuer = webkit_cert->issuer();
EXPECT_EQ("Go Daddy Secure Certification Authority", issuer.common_name);
EXPECT_EQ("Scottsdale", issuer.locality_name);
EXPECT_EQ("Arizona", issuer.state_or_province_name);
@@ -193,7 +193,7 @@ TEST(X509CertificateTest, WebkitCertParsing) {
const Time& valid_expiry = webkit_cert->valid_expiry();
EXPECT_EQ(1300491319, valid_expiry.ToDoubleT()); // Mar 18 23:35:19 2011 GMT
- const X509Certificate::Fingerprint& fingerprint = webkit_cert->fingerprint();
+ const SHA1Fingerprint& fingerprint = webkit_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
EXPECT_EQ(webkit_fingerprint[i], fingerprint.data[i]);
@@ -218,7 +218,7 @@ TEST(X509CertificateTest, ThawteCertParsing) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), thawte_cert);
- const X509Certificate::Principal& subject = thawte_cert->subject();
+ const CertPrincipal& subject = thawte_cert->subject();
EXPECT_EQ("www.thawte.com", subject.common_name);
EXPECT_EQ("Mountain View", subject.locality_name);
EXPECT_EQ("California", subject.state_or_province_name);
@@ -229,7 +229,7 @@ TEST(X509CertificateTest, ThawteCertParsing) {
EXPECT_EQ(0U, subject.organization_unit_names.size());
EXPECT_EQ(0U, subject.domain_components.size());
- const X509Certificate::Principal& issuer = thawte_cert->issuer();
+ const CertPrincipal& issuer = thawte_cert->issuer();
EXPECT_EQ("thawte Extended Validation SSL CA", issuer.common_name);
EXPECT_EQ("", issuer.locality_name);
EXPECT_EQ("", issuer.state_or_province_name);
@@ -249,7 +249,7 @@ TEST(X509CertificateTest, ThawteCertParsing) {
const Time& valid_expiry = thawte_cert->valid_expiry();
EXPECT_EQ(1263772799, valid_expiry.ToDoubleT()); // Jan 17 23:59:59 2010 GMT
- const X509Certificate::Fingerprint& fingerprint = thawte_cert->fingerprint();
+ const SHA1Fingerprint& fingerprint = thawte_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
EXPECT_EQ(thawte_fingerprint[i], fingerprint.data[i]);
@@ -281,7 +281,7 @@ TEST(X509CertificateTest, PaypalNullCertParsing) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), paypal_null_cert);
- const X509Certificate::Fingerprint& fingerprint =
+ const SHA1Fingerprint& fingerprint =
paypal_null_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
EXPECT_EQ(paypal_null_fingerprint[i], fingerprint.data[i]);
@@ -309,7 +309,7 @@ TEST(X509CertificateTest, UnoSoftCertParsing) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), unosoft_hu_cert);
- const X509Certificate::Fingerprint& fingerprint =
+ const SHA1Fingerprint& fingerprint =
unosoft_hu_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
EXPECT_EQ(unosoft_hu_fingerprint[i], fingerprint.data[i]);
@@ -438,31 +438,31 @@ TEST(X509CertificateTest, Policy) {
scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes(
reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der));
- X509Certificate::Policy policy;
+ CertPolicy policy;
- EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::UNKNOWN);
- EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN);
+ EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::UNKNOWN);
+ EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::UNKNOWN);
EXPECT_FALSE(policy.HasAllowedCert());
EXPECT_FALSE(policy.HasDeniedCert());
policy.Allow(google_cert.get());
- EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::ALLOWED);
- EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN);
+ EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::ALLOWED);
+ EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::UNKNOWN);
EXPECT_TRUE(policy.HasAllowedCert());
EXPECT_FALSE(policy.HasDeniedCert());
policy.Deny(google_cert.get());
- EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED);
- EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::UNKNOWN);
+ EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED);
+ EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::UNKNOWN);
EXPECT_FALSE(policy.HasAllowedCert());
EXPECT_TRUE(policy.HasDeniedCert());
policy.Allow(webkit_cert.get());
- EXPECT_EQ(policy.Check(google_cert.get()), X509Certificate::Policy::DENIED);
- EXPECT_EQ(policy.Check(webkit_cert.get()), X509Certificate::Policy::ALLOWED);
+ EXPECT_EQ(policy.Check(google_cert.get()), CertPolicy::DENIED);
+ EXPECT_EQ(policy.Check(webkit_cert.get()), CertPolicy::ALLOWED);
EXPECT_TRUE(policy.HasAllowedCert());
EXPECT_TRUE(policy.HasDeniedCert());
}
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 23f4230..901c0a6 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -377,7 +377,7 @@ bool ContainsPolicy(const CERT_POLICIES_INFO* policies_info,
// Helper function to parse a principal from a WinInet description of that
// principal.
void ParsePrincipal(const std::string& description,
- X509Certificate::Principal* principal) {
+ CertPrincipal* principal) {
// The description of the principal is a string with each LDAP value on
// a separate line.
const std::string kDelimiters("\r\n");
@@ -722,7 +722,7 @@ bool X509Certificate::VerifyEV() const {
// Look up the EV policy OID of the root CA.
PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
- Fingerprint fingerprint = CalculateFingerprint(root_cert);
+ SHA1Fingerprint fingerprint = CalculateFingerprint(root_cert);
const char* ev_policy_oid = NULL;
if (!metadata->GetPolicyOID(fingerprint, &ev_policy_oid))
return false;
@@ -766,13 +766,13 @@ void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
}
// static
-X509Certificate::Fingerprint X509Certificate::CalculateFingerprint(
+SHA1Fingerprint X509Certificate::CalculateFingerprint(
OSCertHandle cert) {
DCHECK(NULL != cert->pbCertEncoded);
DCHECK(0 != cert->cbCertEncoded);
BOOL rv;
- Fingerprint sha1;
+ SHA1Fingerprint sha1;
DWORD sha1_size = sizeof(sha1.data);
rv = CryptHashCertificate(NULL, CALG_SHA1, 0, cert->pbCertEncoded,
cert->cbCertEncoded, sha1.data, &sha1_size);
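Review bot: Unlike the Mac and NSS versions of CalculateFingerprint touched by this same change, the Windows version does not zero `sha1` before calling CryptHashCertificate, while the header documents that the function returns an all-zero fingerprint on failure and IsNullFingerprint() in x509_certificate.cc relies on exactly that. If the remainder of the function (outside the hunk) does not memset on `!rv`, a failed hash hands back 20 uninitialized bytes that then serve as a cache and policy key; add `memset(sha1.data, 0, sizeof(sha1.data));` directly after the `SHA1Fingerprint sha1;` declaration so the documented contract holds regardless of the later path. The function's body continues past the hunk.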