Diffstat (limited to 'net')
-rw-r--r-- | net/base/x509_certificate_win.cc | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index cc6fda2d..df43814 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -50,6 +50,9 @@ int MapSecurityError(SECURITY_STATUS err) {
 case SEC_E_CERT_UNKNOWN:
 case CERT_E_ROLE:
 return ERR_CERT_INVALID;
+ case CERT_E_WRONG_USAGE:
+ // TODO(wtc): Should we add ERR_CERT_WRONG_USAGE?
+ return ERR_CERT_INVALID;
 // We received an unexpected_message or illegal_parameter alert message
 // from the server.
 case SEC_E_ILLEGAL_MESSAGE:
@@ -98,8 +101,8 @@ int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
 const DWORD kWrongUsageErrors = CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
 CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE;
 if (error_status & kWrongUsageErrors) {
- // TODO(wtc): Handle these errors.
- // cert_status = |= CERT_STATUS_WRONG_USAGE;
+ // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?
+ cert_status |= CERT_STATUS_INVALID;
 }
 // The rest of the errors.
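Review bot: The new comment in the `kWrongUsageErrors` branch records an open question rather than the decision the code now makes, so a later reader cannot tell whether folding usage failures into CERT_STATUS_INVALID was deliberate. State it, e.g. `// A certificate that is not valid for the requested usage is reported as CERT_STATUS_INVALID; there is no dedicated wrong-usage status bit yet, so callers cannot distinguish this from other invalidity.` The same question is left as a TODO in MapSecurityError for CERT_E_WRONG_USAGE; if a dedicated status is ever added, both mappings should change together. MapCertChainErrorStatusToCertStatus continues outside the hunk.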
@@ -534,11 +537,17 @@ int X509Certificate::Verify(const std::string& hostname,
 CERT_CHAIN_PARA chain_para;
 memset(&chain_para, 0, sizeof(chain_para));
 chain_para.cbSize = sizeof(chain_para);
- // TODO(wtc): consider requesting the usage szOID_PKIX_KP_SERVER_AUTH
- // or szOID_SERVER_GATED_CRYPTO or szOID_SGC_NETSCAPE
- chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
- chain_para.RequestedUsage.Usage.cUsageIdentifier = 0;
- chain_para.RequestedUsage.Usage.rgpszUsageIdentifier = NULL; // LPSTR*
+ // TODO(wtc): Do we still need to request szOID_SERVER_GATED_CRYPTO or
+ // szOID_SGC_NETSCAPE today?
+ static const LPSTR usage[] = {
+ szOID_PKIX_KP_SERVER_AUTH,
+ szOID_SERVER_GATED_CRYPTO,
+ szOID_SGC_NETSCAPE
+ };
+ chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
+ chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
+ chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
+ const_cast<LPSTR*>(usage);
 // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
 DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT;
 if (flags & VERIFY_REV_CHECKING_ENABLED) { |
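Review bot: The comment above the new `usage` table asks a question but does not say what the table enforces, so the next reader cannot tell whether dropping the SGC OIDs is safe or what a mismatch looks like. Document the intent, e.g. `// Require the end-entity certificate to be valid for TLS server authentication (serverAuth) or, for legacy servers, one of the Server Gated Crypto OIDs; with USAGE_MATCH_TYPE_OR any one of them satisfies the check, and a mismatch surfaces as CERT_TRUST_IS_NOT_VALID_FOR_USAGE in the chain error status, which MapCertChainErrorStatusToCertStatus maps to CERT_STATUS_INVALID.` As far as I know, CryptoAPI treats a certificate with no EKU extension as valid for every usage, so this check does not reject such certificates — worth stating in the comment if that is the intended behaviour. `cUsageIdentifier` is a DWORD while `arraysize(usage)` is a size_t, so `static_cast<DWORD>(arraysize(usage))` would avoid a narrowing warning on 64-bit builds. X509Certificate::Verify begins and ends outside the hunk.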