path: root/net/base/x509_certificate_nss.cc
Commit message | Author | Age | Files | Lines
* Add a context-sensitive error mapping function specific to SSL | wtc@chromium.org | 2010-01-15 | 1 | -0/+2
  handshake errors. It should never return a certificate error because we don't have the server's certificate when handshake fails.
  R=agl
  BUG=24064
  TEST=Visit the test URL in issue 24064 comment 8 on Linux. Chromium should not crash.
  Review URL: http://codereview.chromium.org/550026
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36426 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: Add Certificate Info dialog (part 1) | mattm@chromium.org | 2010-01-14 | 1 | -20/+2
  Rename base/nss_init.{h,cc} to base/nss_util.{h,cc}, move PRTimeToBaseTime there.
  BUG=18119
  TEST=Load https://www.google.com, compare to firefox cert dialog.
  Review URL: http://codereview.chromium.org/500141
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36291 0039d316-1c4b-4281-b951-d872f2087c98
* Don't assert what the certificate's subjectAltName extension | wtc@chromium.org | 2009-12-07 | 1 | -5/+9
  contains, which can be anything. Assert the type of subjectAltName we're trying to find.
  R=avi
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/464026
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@33995 0039d316-1c4b-4281-b951-d872f2087c98
* Work around the NSS bugs in the AIA certificate fetch code by retrying | wtc@chromium.org | 2009-11-20 | 1 | -9/+26
  CERT_PKIXVerifyCert without cert_pi_useAIACertFetch. Add a unit test with a certificate that gives cert_pi_useAIACertFetch trouble. Remove workarounds for old versions of NSS. Map the NSPR error PR_DIRECTORY_LOOKUP_ERROR to ERR_NAME_NOT_RESOLVED. Move the certificate data to a new header x509_certificate_unittest.h to make x509_certificate_unittest.cc less crowded.
  R=eroman
  BUG=27497
  TEST=new unit test
  Review URL: http://codereview.chromium.org/418001
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32712 0039d316-1c4b-4281-b951-d872f2087c98
* X509Certificate::Verify should honor the | wtc@chromium.org | 2009-10-30 | 1 | -8/+25
  VERIFY_REV_CHECKING_ENABLED flag. This allows us to enable part of the X509CertificateTest.PaypalNullCertParsing test for Linux because the test disables revocation checking, thereby avoiding the overly strict assertion in nss_ocsp.cc. Enable cert_pi_useAIACertFetch to fetch missing intermediate CA certificates. Handle a non-certificate error reported by PKIXVerifyCert.
  R=ukai
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/333033
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@30585 0039d316-1c4b-4281-b951-d872f2087c98
* Second try. r27819 was missing a null pointer check for | wtc@chromium.org | 2009-10-02 | 1 | -38/+22
  the return value of CERT_GetCommonName, etc. Map SEC_ERROR_OCSP_BAD_HTTP_RESPONSE (-8073) to CERT_STATUS_UNABLE_TO_CHECK_REVOCATION. Change ParsePrincipal to take the decoded CERTName as argument. Use the NSS functions for getting the common name, locality name, state or province name, and country name because they escape the strings properly.
  R=dank
  BUG=none
  TEST=none (covered by existing unit tests)
  Review URL: http://codereview.chromium.org/255055
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27903 0039d316-1c4b-4281-b951-d872f2087c98
* Revert r27819 because it causes net_unittests to crash in the | wtc@chromium.org | 2009-10-02 | 1 | -20/+38
  HTTPSRequestTest.HTTPSGetTest test.
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27821 0039d316-1c4b-4281-b951-d872f2087c98
* Map SEC_ERROR_OCSP_BAD_HTTP_RESPONSE (-8073) to | wtc@chromium.org | 2009-10-02 | 1 | -38/+20
  CERT_STATUS_UNABLE_TO_CHECK_REVOCATION. Change ParsePrincipal to take the decoded CERTName as argument. Use the NSS functions for getting the common name, locality name, state or province name, and country name because they escape the strings properly.
  R=dank
  BUG=none
  TEST=none (covered by existing unit tests)
  Review URL: http://codereview.chromium.org/248028
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27819 0039d316-1c4b-4281-b951-d872f2087c98
* Don't use NSS databases for non-essential purposes, such as remembering | wtc@chromium.org | 2009-09-21 | 1 | -1/+2
  the intermediate CA certificates we see, because NSS's connections to the SQLite databases go bad if the file system where the databases reside is gone, even just transiently. Add the hostname to the error log message for CERT_PKIXVerifyCert failure.
  R=eroman,ukai
  BUG=15630
  TEST=existing unit tests should pass.
  Review URL: http://codereview.chromium.org/214028
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26714 0039d316-1c4b-4281-b951-d872f2087c98
* Add a NOTREACHED() to catch users of pre-release NSS. | chase@chromium.org | 2009-09-11 | 1 | -0/+5
  Catch a crash for debug build users who followed the Linux 64bit instructions.
  BUG=21454
  TEST=debug chrome crashes at NOTREACHED in error condition using old NSS, skips past in new NSS and under both conditions in release builds.
  Review URL: http://codereview.chromium.org/201086
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25969 0039d316-1c4b-4281-b951-d872f2087c98
* Add code for enabling or disabling CRLs and OCSP correctly. | wtc@chromium.org | 2009-08-24 | 1 | -2/+18
  Previously we varied the number of elements in the method_flags array to enable/disable OCSP. It turns out that's the wrong way. Between CRLs and OCSP, we prefer OCSP.
  R=ukai
  BUG=http://crbug.com/10911
  TEST=none
  Review URL: http://codereview.chromium.org/174283
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24126 0039d316-1c4b-4281-b951-d872f2087c98
* Improve certificate error mapping. | wtc@chromium.org | 2009-08-21 | 1 | -2/+9
  Fix leaks of (encoded) certificate extensions returned by CERT_FindCertExtension. They can be freed as soon as they are decoded.
  R=ukai
  BUG=http://crbug.com/10911
  TEST=none
  Review URL: http://codereview.chromium.org/173154
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24041 0039d316-1c4b-4281-b951-d872f2087c98
* Try to fix crash in OCSP handlers. | ukai@chromium.org | 2009-08-19 | 1 | -16/+3
  Make sure OCSPRequestSession::Core is cancelled when OCSPRequestSession is deleted as URLFetcher does.
  Revert http://src.chromium.org/viewvc/chrome?view=rev&revision=23575
  BUG=18907,10911
  TEST=none
  Review URL: http://codereview.chromium.org/165362
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23696 0039d316-1c4b-4281-b951-d872f2087c98
* Disable OCSP until we have fixed the crash in OCSP code. As a result our | wtc@chromium.org | 2009-08-17 | 1 | -3/+16
  EV checks must fail because EV requires revocation checking. (We aren't downloading CRLs yet.)
  R=willchan
  BUG=18907,10911
  TEST=Visit EV websites such as https://www.paypal.com/ and https://www.verisign.com/. Chromium must not show the EV status because it is not doing OCSP checks.
  Review URL: http://codereview.chromium.org/172050
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23575 0039d316-1c4b-4281-b951-d872f2087c98
* Address Alexei Volkov's comments on http://codereview.chromium.org/119026. | wtc@chromium.org | 2009-08-13 | 1 | -7/+20
  Patch by Fumitoshi Ukai.
  R=alexei,wtc
  BUG=http://crbug.com/10911
  TEST=none
  Review URL: http://codereview.chromium.org/164521
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23390 0039d316-1c4b-4281-b951-d872f2087c98
* typedef PolicyOID to support Linux-only SECOidTag in EVRootCAMetadata methods. | ukai@chromium.org | 2009-08-12 | 1 | -61/+4
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/164134
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23164 0039d316-1c4b-4281-b951-d872f2087c98
* Use strict revocation flags only for EV verification. | wtc@chromium.org | 2009-08-08 | 1 | -3/+14
  TBR=ukai
  BUG=10911,13336
  TEST=Visit https://migs.mastercard.com.au/ma/. Chromium should not say the cert is revoked.
  Review URL: http://codereview.chromium.org/165206
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22857 0039d316-1c4b-4281-b951-d872f2087c98
* Fix build break with uninitialized variable 'ev_policy_tag'. | ukai@chromium.org | 2009-08-07 | 1 | -10/+9
  Fix some last nits in codereview.chromium.org/119026
  TBR=wtc
  BUG=10911
  TEST=none
  Review URL: http://codereview.chromium.org/165117
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22720 0039d316-1c4b-4281-b951-d872f2087c98
* Implement X509Certificate::IsEV for NSS. | ukai@chromium.org | 2009-08-07 | 1 | -82/+202
  Factor out PKIXVerifyCert function from Verify and share it with IsEV.
  BUG=10911
  TEST=EV info shown on omnibar for https://www.thawte.com/, but not on https://bugs.webkit.org/
  Review URL: http://codereview.chromium.org/119026
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22718 0039d316-1c4b-4281-b951-d872f2087c98
* Use LOAD_VERIFY_EV_CERT to verify EV-ness in Verify(). | ukai@chromium.org | 2009-06-23 | 1 | -2/+7
  If LOAD_VERIFY_EV_CERT is requested on load_flags and revocation checking is performed, Verify() performs EV certificate verification as well, and sets CERT_STATUS_IS_EV in verify_result.
  Eliminate X509Certificate::IsEV()
  BUG=3592
  TEST=net_unittests with ALLOW_EXTERNAL_ACCESS=1, \ visit https://www.thawte.com/ and shows EV info.
  Review URL: http://codereview.chromium.org/125120
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19011 0039d316-1c4b-4281-b951-d872f2087c98
* Don't consider a certificate revoked if we don't have | wtc@chromium.org | 2009-06-05 | 1 | -2/+5
  fresh revocation status of the certificate. We haven't written the code for NSS to use our network stack to download CRLs or talk to OCSP responders, so NSS doesn't have any revocation info.
  R=agl,ukai
  BUG=http://crbug.com/13336
  TEST=none (requires a Linux system with NSS 3.12.3)
  Review URL: http://codereview.chromium.org/118314
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17756 0039d316-1c4b-4281-b951-d872f2087c98
* Move X509Certificate::HasExpired to x509_certificate.cc. | ukai@chromium.org | 2009-06-01 | 1 | -5/+0
  All versions have implemented valid_expiry(), so we can use common code for X509Certificate::HasExpired.
  R=wtc
  Review URL: http://codereview.chromium.org/118069
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17311 0039d316-1c4b-4281-b951-d872f2087c98
* Implement X509Certificate::Verify for Linux. | ukai@chromium.org | 2009-05-28 | 1 | -7/+270
  Use CERT_PKIXVerifyCert() with CRL to verify certificate. With OCSP, CERT_PKIXVerifyCert() failed with SEC_ERROR_INVALID_ARGS.
  Increase stack size. It was not enough size if we use CERT_PKIXVerifyCert() on some sites. For example, https://www.google.com/ works, but https://bugs.webkit.org/ or https://www.thawte.com/ would die by SIGSEGV. This is because pkix_List_Destroy() routine destroys PKIX_List recursively, so if there are some long PKIX_Lists, it consumes stack a lot and dies by stack overflow.
  Note that X509Certificate::Verify isn't used in SSLClientSocketNSS yet.
  BUG=10911
  TEST=net_unittests passes
  Review URL: http://codereview.chromium.org/113578
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17071 0039d316-1c4b-4281-b951-d872f2087c98
* Remove another NOTIMPLEMENTED | kuchhal@chromium.org | 2009-05-20 | 1 | -1/+1
  BUG=12052
  Review URL: http://codereview.chromium.org/113642
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16487 0039d316-1c4b-4281-b951-d872f2087c98
* Don't return true from unimplemented X509Certificate::IsEV. | ukai@chromium.org | 2009-04-29 | 1 | -0/+6
  Move linux version of X509Certificate::IsEV in x509certificate_nss.cc
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@14883 0039d316-1c4b-4281-b951-d872f2087c98
* Fix leak in GetCertSubjectAltNamesOfType(). Found by valgrind. | dkegel@google.com | 2009-03-18 | 1 | -0/+1
  ERROR:root:Leak_DefinitelyLost
  malloc (ome/kcc/depot2-kcc-ts_valgrind-client/google_vendor_src_branch/valgrind/trunk/coregrind/m_replacemalloc/vg_replace_malloc.c:207)
  ...
  CERT_FindCertExtension (/usr/lib32/libnss3.so.1d)
  net::(anonymous namespace)::GetCertSubjectAltNamesOfType(CERTCertificateStr*, CERTGeneralNameTypeEnum, std::vector<std::string, std::allocator<std::string> >*) (net/base/x509_certificate_nss.cc:134)
  Review URL: http://codereview.chromium.org/48097
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11941 0039d316-1c4b-4281-b951-d872f2087c98
* NO CODE CHANGE | deanm@chromium.org | 2009-03-11 | 1 | -1/+0
  Normalize end of file newlines in net/. All files end in a single newline.
  Review URL: http://codereview.chromium.org/43079
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11442 0039d316-1c4b-4281-b951-d872f2087c98
* Implement X509Certificate::Persist. | dkegel@google.com | 2009-02-24 | 1 | -14/+17
  This lets the browser read gmail on linux.
  Review URL: http://codereview.chromium.org/27033
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10269 0039d316-1c4b-4281-b951-d872f2087c98
* Enable SSL error handling in Linux again. | dkegel@google.com | 2009-02-19 | 1 | -1/+4
  Evan, could you review the change since http://codereview.chromium.org/20444 :
  - load temporary root cert in test_shell
  Thanks!
  Review URL: http://codereview.chromium.org/20511
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10055 0039d316-1c4b-4281-b951-d872f2087c98
* Stub out an unimplemented NSS function. | evan@chromium.org | 2009-02-09 | 1 | -0/+5
  Review URL: http://codereview.chromium.org/21169
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9406 0039d316-1c4b-4281-b951-d872f2087c98
* Add X509Certificate::Verify stubs for Mac and Linux. | wtc@chromium.org | 2009-02-05 | 1 | -0/+8
  They do nothing but return ERR_NOT_IMPLEMENTED. In SSLClientSocketWin, call X509Certificate::CreateFromHandle only once and store the result in the server_cert_ member. Add the CertVerifyResult::Reset method to clear all members.
  R=eroman
  BUG=3592
  Review URL: http://codereview.chromium.org/21071
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9272 0039d316-1c4b-4281-b951-d872f2087c98
* Reverting 8868. | ericroman@google.com | 2009-01-29 | 1 | -70/+38
  This relands wtc's original CL for working around not caching the intermediate CA certificates. We believe the original commit failed on buildbot because of a bad incremental build, and will be resolved by doing a clobber
  Review URL: http://codereview.chromium.org/19463
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@8870 0039d316-1c4b-4281-b951-d872f2087c98
* Reverting 8864. | wtc@chromium.org | 2009-01-29 | 1 | -38/+70
  Revert r8864. It broke the build url_request_intercept_job.cc.
  Review URL: http://codereview.chromium.org/19462
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@8868 0039d316-1c4b-4281-b951-d872f2087c98
* Work around our not caching the intermediate CA | wtc@chromium.org | 2009-01-29 | 1 | -70/+38
  certificates by passing the source of each OSCertHandle to CreateFromHandle and the X509Certificate constructor. If the OSCertHandle comes from the network layer, we know it has a complete certificate chain and therefore prefer it to an OSCertHandle that comes from the HTTP cache, which doesn't have the intermediate CA certificates. A certificate from the network layer can kick out a certificate from the HTTP cache in our certificate cache. This workaround seems good enough to fix all the known symptoms of not caching the intermediate CA certificates. Move the common code in x509_certificate_<os>.cc to x509_certificate.cc.
  R=eroman
  BUG=3154,7065
  Review URL: http://codereview.chromium.org/18836
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@8864 0039d316-1c4b-4281-b951-d872f2087c98
* Implement part of x509_certificate on linux, enable its unit test. | dkegel@google.com | 2008-12-22 | 1 | -5/+242
  Review URL: http://codereview.chromium.org/16205
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@7350 0039d316-1c4b-4281-b951-d872f2087c98
* Port a few test_shell_tests. Now it runs 45 of them. | evanm@google.com | 2008-10-27 | 1 | -0/+10
  I removed some files from test_files because scons complains (warns) when a file is both in test_files and input_files. So the files removed from test_files also exist in input_files and at some point will be ported anyway. I also made some linking stubs.
  BUG=3674
  Review URL: http://codereview.chromium.org/7974
  Patch from Paweł Hajdan jr <phajdan.jr@gmail.com>.
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4031 0039d316-1c4b-4281-b951-d872f2087c98
* Port SSLClientSocket to Linux | dkegel@google.com | 2008-10-22 | 1 | -0/+21
  Passes tests (once you enable them by removing DISABLED_). Probably want to add a mock https server so we can leave those tests enabled when we check in. Had to add full duplex support to TCPClientSocket on Linux to avoid kludgy plumbing issues. Also had to add dummy implementation of X509Certificate::~X509Certificate to prevent link error. Rediffed to current trunk, addressed all review issues.
  Review URL: http://codereview.chromium.org/4049
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@3751 0039d316-1c4b-4281-b951-d872f2087c98