path: root/net/base/x509_certificate_win.cc
Commit message | Author | Age | Files | Lines
* net: extract net/cert out of net/base | phajdan.jr@chromium.org | 2013-03-29 | 1 | -505/+0
  This introduces the following dependency of net/base on things outside:
  net/base/openssl_client_key_store.cc:#include "net/cert/x509_certificate.h"
  BUG=70818
  Review URL: https://codereview.chromium.org/13006020
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@191450 0039d316-1c4b-4281-b951-d872f2087c98
* Move string tokenizer to base/strings. | brettw@chromium.org | 2013-02-02 | 1 | -1/+0
  BUG=
  Review URL: https://codereview.chromium.org/12087091
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@180211 0039d316-1c4b-4281-b951-d872f2087c98
* Add X509Certificate::IsIssuedByEncoded() | digit@chromium.org | 2013-01-11 | 1 | -0/+41
  This new method is used to ensure that a given client certificate is issued by one of the CA names listed by the server, as they appear in the SSL Handshake "Certificate Request" message.
  The patch also adds two new X509CertificateTest unit tests, moves existing hard-coded DN tables to net/base/test_certificate_data.h to share them between multiple test sources, and adds a few new DN tables too.
  R=rsleevi@chromium.org,wtc@chromium.org,agl@chromium.org
  BUG=134418
  NOTRY=true
  Review URL: https://chromiumcodereview.appspot.com/11579002
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@176371 0039d316-1c4b-4281-b951-d872f2087c98
* Implement SHA-256 fingerprint support | palmer@chromium.org | 2012-09-07 | 1 | -4/+4
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10826257
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@155365 0039d316-1c4b-4281-b951-d872f2087c98
* net: don't crash when processing a certificate with an unknown public key. | agl@chromium.org | 2012-08-24 | 1 | -6/+8
  BUG=144466
  Review URL: https://chromiumcodereview.appspot.com/10883012
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@153220 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 150375 - Implement SHA-256 fingerprint support | palmer@chromium.org | 2012-08-08 | 1 | -4/+4
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10825211
  TBR=palmer@chromium.org
  Review URL: https://chromiumcodereview.appspot.com/10836150
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150507 0039d316-1c4b-4281-b951-d872f2087c98
* Implement SHA-256 fingerprint support | palmer@chromium.org | 2012-08-07 | 1 | -4/+4
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10825211
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150375 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 150124 - Implement SHA-256 fingerprint support. | dimich@chromium.org | 2012-08-06 | 1 | -4/+4
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  This CL reverts 149268, which reverted 149261, the previous version of this CL. It includes a fix to the compile problem that necessitated 149268.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10836062
  TBR=palmer@chromium.org
  Review URL: https://chromiumcodereview.appspot.com/10836120
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150166 0039d316-1c4b-4281-b951-d872f2087c98
* Implement SHA-256 fingerprint support. | palmer@chromium.org | 2012-08-06 | 1 | -4/+4
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  This CL reverts 149268, which reverted 149261, the previous version of this CL. It includes a fix to the compile problem that necessitated 149268.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10836062
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@150124 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 149261 - Support SHA-256 in public key pins for HTTPS. | vandebo@chromium.org | 2012-07-31 | 1 | -4/+4
  Broke the compile on CrOS. Looks like a const-ness problem:
  net/socket/ssl_client_socket_nss.cc: In member function 'int net::SSLClientSocketNSS::DoVerifyCertComplete(int)':
  net/socket/ssl_client_socket_nss.cc:3458:error: no matching function for call to 'net::TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(std::vector<std::vector<net::HashValue, std::allocator<net::HashValue> >, std::allocator<std::vector<net::HashValue, std::allocator<net::HashValue> > > >&)'
  ./net/base/transport_security_state.h:94: note: candidates are: bool net::TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(const net::HashValueVector&) const
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10545166
  TBR=palmer@chromium.org
  Review URL: https://chromiumcodereview.appspot.com/10827104
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149268 0039d316-1c4b-4281-b951-d872f2087c98
* Support SHA-256 in public key pins for HTTPS. | palmer@chromium.org | 2012-07-31 | 1 | -4/+4
  The HTTP-based Public Key Pinning Internet Draft (tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
  Per wtc, give the *Fingerprint* types more meaningful *HashValue* names. Cleaning up lint along the way.
  BUG=117914
  TEST=net_unittests, unit_tests TransportSecurityPersisterTest
  Review URL: https://chromiumcodereview.appspot.com/10545166
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149261 0039d316-1c4b-4281-b951-d872f2087c98
* Cache certificates as DER on all platforms. | rsleevi@chromium.org | 2012-03-29 | 1 | -20/+26
  With the exception of Windows, every other platform was already serializing as a DER chain. Update Windows to no longer serialize in a proprietary format - use DER on all platforms.
  BUG=118706
  TEST=existing unit tests
  Review URL: https://chromiumcodereview.appspot.com/9808094
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@129725 0039d316-1c4b-4281-b951-d872f2087c98
* Move X509Certificate::Verify into CertVerifyProc | rsleevi@chromium.org | 2012-03-22 | 1 | -693/+0
  With this split, CertVerifyProc is responsible for interacting with the underlying PKIX path building and verification library, while X509Certificate is responsible for parsing certificates with the underlying crypto library and exposing a common interface for higher-level code such as UI.
  BUG=114343
  TEST=net_unittests
  Review URL: https://chromiumcodereview.appspot.com/9691054
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@128172 0039d316-1c4b-4281-b951-d872f2087c98
* Revert "Revert "net: fallback to online revocation checks for EV status when CRLSet has expired."" | agl@chromium.org | 2012-03-20 | 1 | -7/+11
  (First landed in r127757, reverted in r127773 because a unittest failed in debug mode.)
  After this change our CRLSet logic is:
  * If we have a fresh CRLSet then we don't do online revocation checks unless the user has configured them. (It can be configured either via the settings UI, or with the EnableOnlineRevocationChecks policy option.)
  * If we don't have a CRLSet, or if it has expired, and we're trying EV verification, then we require a positive online revocation check in order to show the EV badge. An invalid revocation check reply will prevent the EV badge, but not hard-fail the whole verification.
  BUG=none
  TEST=net_unittests
  Review URL: https://chromiumcodereview.appspot.com/9699043
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127800 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 127757 - net: fallback to online revocation checks for EV status when CRLSet has expired. | dgrogan@chromium.org | 2012-03-20 | 1 | -11/+7
  After this change our CRLSet logic is:
  * If we have a fresh CRLSet then we don't do online revocation checks unless the user has configured them. (It can be configured either via the settings UI, or with the EnableOnlineRevocationChecks policy option.)
  * If we don't have a CRLSet, or if it has expired, and we're trying EV verification, then we require a positive online revocation check in order to show the EV badge. An invalid revocation check reply will prevent the EV badge, but not hard-fail the whole verification.
  BUG=none
  TEST=net_unittests
  Review URL: https://chromiumcodereview.appspot.com/9699043
  TBR=agl@chromium.org
  Review URL: https://chromiumcodereview.appspot.com/9783001
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127773 0039d316-1c4b-4281-b951-d872f2087c98
* net: fallback to online revocation checks for EV status when CRLSet has expired. | agl@chromium.org | 2012-03-20 | 1 | -7/+11
  After this change our CRLSet logic is:
  * If we have a fresh CRLSet then we don't do online revocation checks unless the user has configured them. (It can be configured either via the settings UI, or with the EnableOnlineRevocationChecks policy option.)
  * If we don't have a CRLSet, or if it has expired, and we're trying EV verification, then we require a positive online revocation check in order to show the EV badge. An invalid revocation check reply will prevent the EV badge, but not hard-fail the whole verification.
  BUG=none
  TEST=net_unittests
  Review URL: https://chromiumcodereview.appspot.com/9699043
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127757 0039d316-1c4b-4281-b951-d872f2087c98
* Change the old type name PRArenaPool to PLArenaPool. | wtc@chromium.org | 2012-03-09 | 1 | -1/+0
  Remove a workaround in x509_certificate_win.cc for a blapi.h header problem that has been fixed.
  R=rsleevi@chromium.org
  BUG=none
  TEST=no compilation errors
  Review URL: http://codereview.chromium.org/9653020
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@125822 0039d316-1c4b-4281-b951-d872f2087c98
* net: add a NotAfter field to CRLSets. | agl@chromium.org | 2012-03-07 | 1 | -0/+1
  For now the EXPIRED signal is ignored so that this CL can land before the x509_certificate_xxx work.
  BUG=none
  TEST=net_unittests
  Review URL: http://codereview.chromium.org/9464012
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@125472 0039d316-1c4b-4281-b951-d872f2087c98
* net: allow EV indication on Windows when the local OCSP/CRL cache is stale. | agl@chromium.org | 2012-03-07 | 1 | -2/+11
  BUG=116984
  TEST=On a Windows machine, run `certutil -urlcache * delete` on the command line. Then start Chrome and ensure that https://www.paypal.com shows a green EV indication in the URL bar.
  Review URL: http://codereview.chromium.org/9619007
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@125468 0039d316-1c4b-4281-b951-d872f2087c98
* Refactor Pickle Read methods to use higher performance PickleIterator. | jbates@chromium.org | 2012-03-07 | 1 | -1/+1
  There was a lot of redundant error checking and initialization code in all Pickle Read methods because of the void** iterator type. This change replaces the void* iterator with PickleIterator, which encapsulates the read pointer so that less error checking and initialization code is needed for reading.
  PickleIterator has all the necessary data to do the actual reading. The advantage of having it provide Read methods (as opposed to leaving them solely in the Pickle interface) is that the callers do not need to pass around the const Pickle* once they have a PickleIterator. Followup CLs will refactor the call sites to remove const Pickle* arguments where they are now unnecessary. Then the Pickle::Read* methods can be removed entirely.
  The alternative approach would have been to change the Pickle::Read methods to non-const and remove the iterator parameter (making Read methods advance an internal read pointer). Unfortunately, the const Read with iterator design is entrenched throughout the chromium code, making this a much more complex change with the same performance outcome.
  BUG=13108
  Review URL: https://chromiumcodereview.appspot.com/9447084
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@125447 0039d316-1c4b-4281-b951-d872f2087c98
* net: permit EV without online revocation checking. | agl@chromium.org | 2012-02-16 | 1 | -2/+0
  (We now have solid EV coverage in the CRL set.)
  BUG=none
  TEST=net_unittests
  https://chromiumcodereview.appspot.com/9379012/
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@122295 0039d316-1c4b-4281-b951-d872f2087c98
* net: check cached revocations on Windows when online checks are disabled. | agl@chromium.org | 2012-02-16 | 1 | -2/+10
  I noticed this last week and Rob Stradling poked me about it today. When we disable online revocation checking, we set the flag to only check cached revocations, but we don't set the flag to enable revocation checking. Therefore I believe that we were previously ignoring cached revocations when online checking was off.
  BUG=114195
  TEST=none
  Review URL: https://chromiumcodereview.appspot.com/9392011
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@122294 0039d316-1c4b-4281-b951-d872f2087c98
* Remove the global HCERTSTORE from Windows in favour of using the NULL HCERTSTORE. | rsleevi@chromium.org | 2012-02-15 | 1 | -32/+2
  BUG=none
  TEST=Existing unit tests should cover all affected functionality. (Windows Only) On a fresh profile, navigate to different HTTPS sites. From the Page Info bubble, select Certificate Information, and in the Windows Certificate Viewer, click "Certification Path" to ensure the entire chain is displayed. This is a variation of http://crbug.com/45706, which should not regress.
  Review URL: http://codereview.chromium.org/9381016
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@122055 0039d316-1c4b-4281-b951-d872f2087c98
* Properly parse UTF8Strings in certificates on Windows. | rsleevi@chromium.org | 2012-02-15 | 1 | -124/+11
  BUG=114168
  TEST=https://www.verisign.co.jp appears correctly regardless of system locale. Additionally, net_unittests:X509TypesTest* should cover this.
  Review URL: https://chromiumcodereview.appspot.com/9358080
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@122053 0039d316-1c4b-4281-b951-d872f2087c98
* Convert all remaining explicit LeakyLazyInstanceTraits users to ::Leaky | fischman@chromium.org | 2012-01-26 | 1 | -2/+1
  and hide LeakyLazyInstanceTraits in base::internal to discourage cargo-culting new users.
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/9117038
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@119173 0039d316-1c4b-4281-b951-d872f2087c98
* Cleanup after debugging with the XP builder. | agl@chromium.org | 2012-01-12 | 1 | -14/+0
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117437 0039d316-1c4b-4281-b951-d872f2087c98
* Continuing to debug with the XP builders. | agl@chromium.org | 2012-01-11 | 1 | -0/+10
  (There aren't any XP/Vista trybots any more.)
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117298 0039d316-1c4b-4281-b951-d872f2087c98
* Add debugging to trace down a problem on WinXP/Vista. | agl@chromium.org | 2012-01-11 | 1 | -1/+70
  (We don't have trybots any longer for those platforms.)
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117265 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 117225 - Implement CRLSet checking on Windows. | flackr@chromium.org | 2012-01-11 | 1 | -65/+1
  BUG=none
  TEST=net_unittests
  Review URL: http://codereview.chromium.org/9153014
  TBR=agl@chromium.org
  Review URL: http://codereview.chromium.org/9186009
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117236 0039d316-1c4b-4281-b951-d872f2087c98
* Implement CRLSet checking on Windows. | agl@chromium.org | 2012-01-11 | 1 | -1/+65
  BUG=none
  TEST=net_unittests
  Review URL: http://codereview.chromium.org/9153014
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117225 0039d316-1c4b-4281-b951-d872f2087c98
* Reject certificate chains containing small RSA and DSA keys. | palmer@chromium.org | 2011-12-15 | 1 | -0/+36
  "Small" means less than 1024 bits.
  BUG=102949
  TEST=net_unittests, X509CertificateTest.*
  Review URL: http://codereview.chromium.org/8568040
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@114709 0039d316-1c4b-4281-b951-d872f2087c98
* When encountering certificates signed with md2/md4, make it a fatal error. | rsleevi@chromium.org | 2011-12-14 | 1 | -8/+2
  When encountering certificates signed with md5, interstitial the page with an error about md5 being a weak signing algorithm.
  This excludes checking the signatures of root certificates (trust anchors), as their self-signed signatures are not relevant to the security of the chain.
  R=wtc@chromium.org
  BUG=101123
  Review URL: http://codereview.chromium.org/8374020
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@114432 0039d316-1c4b-4281-b951-d872f2087c98
* Parse individual X.509 name components on Windows, rather than parsing the stringified form | rsleevi@chromium.org | 2011-12-02 | 1 | -89/+109
  On Windows, rather than converting the entire certificate name to a string and attempting to parse out the components and values, iterate through the relativeDistinguishedName and AttributeTypeAndValue pairs to extract each name component. This is to ensure that:
  1) When multiple AVAs are present in an RDN, ALL AVAs are parsed.
  2) When converting an AVA to a string, no extra escaping is applied.
  This also fixes domainComponent parsing on OS X, so that unittests with a domainComponent can pass.
  BUG=101009, 102839
  TEST=net_unittests:X509CertificateTest has two new regression tests. Additionally, sample a variety of SSL sites and ensure no regressions, paying attention to internationalized domains.
  Review URL: http://codereview.chromium.org/8608003
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112650 0039d316-1c4b-4281-b951-d872f2087c98
* Make string_util::WriteInto() DCHECK() that the supplied |length_with_null| > 1, meaning that the without-'\0' string is non-empty. | pkasting@chromium.org | 2011-11-29 | 1 | -8/+12
  This replaces the conditional code added recently that makes this case return NULL. It's easier to understand if it's simply an error to call WriteInto() in this case at all.
  Add DCHECK()s or conditionals as appropriate to callers in order to ensure this assertion holds.
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/8418034
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112005 0039d316-1c4b-4281-b951-d872f2087c98
* Allow linker initialization of lazy instance | joth@chromium.org | 2011-11-15 | 1 | -1/+1
  Using the initializer list construct = {0} allows the object to be linker initialized. Modify the LazyInstance class design to make it a pod aggregate type that can be linker initialized this way. Also combines the instance and state members, in line with the Singleton<> class design.
  Introduces a new LAZY_INSTANCE_INITIALIZER macro specifically for using to init all lazy instances + modify all existing callsites to use it. (Old code would no longer compile)
  BUG=94925
  TEST=existing tests pass. http://build.chromium.org/f/chromium/perf/linux-release/sizes/report.html?history=150&header=chrome-si&graph=chrome-si&rev=-1 should step downward.
  TBR=jam@chromium.org,rvargas@chromium.org,darin@chromium.org,ben@chromium.org,apatrick@chromium.org,akalin@chromium.org
  Review URL: http://codereview.chromium.org/8491043
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@110076 0039d316-1c4b-4281-b951-d872f2087c98
* Do not hash the certificate twice. | wtc@chromium.org | 2011-11-05 | 1 | -6/+6
  Change X509Certificate::chain_fingerprint_ to X509Certificate::ca_fingerprint_ to exclude the certificate from this fingerprint. This fingerprint covers the intermediate CA certificates only.
  This requires identifying an X509Certificate object by two fingerprints: cert->fingerprint() and cert->ca_fingerprint().
  R=agl@chromium.org,rsleevi@chromium.org
  BUG=101555
  TEST=unit tests updated
  Review URL: http://codereview.chromium.org/8449004
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108756 0039d316-1c4b-4281-b951-d872f2087c98
* Record when certificates signed with md[2,4,5] are encountered on OS X. | rsleevi@chromium.org | 2011-11-02 | 1 | -3/+3
  R=wtc@chromium.org
  BUG=101123
  Review URL: http://codereview.chromium.org/8374019
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108308 0039d316-1c4b-4281-b951-d872f2087c98
* Consider the signature algorithms of incomplete chains on Windows | rsleevi@chromium.org | 2011-11-01 | 1 | -6/+17
  R=wtc@chromium.org
  BUG=101123
  Review URL: http://codereview.chromium.org/8382026
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108082 0039d316-1c4b-4281-b951-d872f2087c98
* Make X509Certificate::GetDEREncoded a static function taking an OSCertHandle | rsleevi@chromium.org | 2011-11-01 | 1 | -5/+6
  Rather than require an X509Certificate*, which has additional processing overhead, make X509Certificate::GetDEREncoded a static function which takes an OSCertHandle. Callers which already have an X509Certificate* can easily use ->os_cert_handle(), while those that have an OSCertHandle, such as by way of GetIntermediateCertificates(), can use the OSCertHandle directly.
  BUG=91464
  TEST=none
  Review URL: http://codereview.chromium.org/8414047
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108067 0039d316-1c4b-4281-b951-d872f2087c98
* Ensure X509Certificate::OSCertHandles are safe to be used on both UI, IO, and Worker threads on Win. | rsleevi@chromium.org | 2011-11-01 | 1 | -11/+69
  Mirror the behaviour of SChannel by creating a new in-memory HCERTSTORE containing the certificate and its intermediate CA certificates whenever it is necessary to pass in a PCCERT_CONTEXT to a Windows API that may need to access the PCCERT_CONTEXT->hCertStore - such as certificate chain verification or display.
  This also paves the way for removing the GlobalCertStore on Windows, which was necessary in order to link certificates with their intermediates for these same APIs.
  BUG=47648
  TEST=net_unittests:X509CertificateTest.* should cover this. Additionally, on a fresh profile, navigate to different HTTPS sites. From the Page Info Bubble, select Certificate Information, and in the Windows Certificate Viewer, click "Certification Path" and confirm the entire certificate chain is displayed. This is a variation of testing for http://crbug.com/45706, which should not regress.
  Review URL: http://codereview.chromium.org/7324039
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108056 0039d316-1c4b-4281-b951-d872f2087c98
* net: retain leading zero bytes in X.509 serial numbers. | agl@chromium.org | 2011-10-31 | 1 | -3/+0
  X.509 serial numbers should be positive numbers according to the spec. However, certificates have been issued with negative serial numbers. Negative serial numbers are indicated with a most-significant bit of one. Positive numbers which would have a MSB of 1 have a zero byte prepended to avoid the ambiguity.
  Previously we were removing leading zero bytes because we were only matching against a blacklist of serial numbers, none of which were negative. This change moves the handling of serial numbers to the place where they are used, rather than where they are parsed.
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/8381017
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107956 0039d316-1c4b-4281-b951-d872f2087c98
* Fix the "certificate is not yet valid" error for server certificates issued by a VeriSign intermediate CA. | wtc@chromium.org | 2011-10-29 | 1 | -0/+28
  Change the CertVerifier cache to identify a certificate chain by the hash of the entire chain rather than just the server certificate. This requires adding X509Certificate::chain_fingerprint(), and the X509Certificate::CalculateChainFingerprint() method to compute the chain fingerprint.
  R=agl@chromium.org,rsleevi@chromium.org
  BUG=101555
  TEST=X509CertificateTest.ChainFingerprints and CertVerifierTest.DifferentCACerts in net_unittests
  Review URL: http://codereview.chromium.org/8400075
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107888 0039d316-1c4b-4281-b951-d872f2087c98
* net: enable CRL sets behind a command line flag. | agl@chromium.org | 2011-10-25 | 1 | -0/+1
  This change introduces a command line flag for enabling CRL sets while the serving side is still in development. It contains code for NSS (revocation checking will proceed as normal on other platforms).
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/8342054
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107131 0039d316-1c4b-4281-b951-d872f2087c98
* Use NSS to generate Origin-Bound Certs on Win and Mac. | mattm@chromium.org | 2011-10-18 | 1 | -10/+0
  The platform RSAPrivateKey is used to generate the private key, which is then imported into NSS to generate the certificate.
  X509Certificate::CreateOriginBound is moved to x509_util::CreateOriginBoundCert so it can be shared by those platforms, and removes the unnecessary X509Certificate generation step.
  BUG=88782
  TEST=X509UtilNSSTest.CreateOriginBoundCert & manual testing: try on win or mac, check if generated cert has the OBC extension.
  Review URL: http://codereview.chromium.org/8296014
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@105997 0039d316-1c4b-4281-b951-d872f2087c98
* For the SSL cert status, convert anonymous enum that gives bit values into a typedefed uint32. | pkasting@chromium.org | 2011-09-23 | 1 | -1/+1
  This allows code all over Chromium to use an explicit type instead of "int".
  This also means the individual named bit constants themselves have the same explicit type. I find the resulting code to be noticeably clearer. This also exposed a bug in SSLErrorInfo::GetErrorsForCertStatus() where not having an explicit type allowed a function argument ordering bug to creep in, so I claim this is safer too.
  Normally this makes things like DCHECK_EQ() unhappy, but when I'd originally tested this I didn't seem to need to make any changes due to that. Will be watching the trybots...
  The original motivation for this change was to find a way to eliminate some cases of passing anonymous-typed values as template arguments (which happens when you use a value from the enum in e.g. EXPECT_EQ()), which is technically illegal in C++03, though we don't warn about it. Simply naming the enum would have done this, but this would have encouraged readers to actually use the enum name as a type, which for a bitfield is inappropriate for the reason given in the first paragraph.
  BUG=92247
  TEST=Compiles
  Review URL: http://codereview.chromium.org/7969023
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102415 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 102322 - For the SSL cert status, convert anonymous enum that gives bit values into a typedefed uint32. | pkasting@chromium.org | 2011-09-22 | 1 | -1/+1
  This allows code all over Chromium to use an explicit type instead of "int". (This isn't possible by simply naming the enum as technically the enum doesn't define all of the possible combinations of bits.)
  This also means the individual named bit constants themselves have the same explicit type. I find the resulting code to be noticeably clearer. This also exposed a bug in SSLErrorInfo::GetErrorsForCertStatus() where not having an explicit type allowed a function argument ordering bug to creep in, so I claim this is safer too.
  I also added CERT_STATUS_NO_ERROR in place of "0" as a magic number.
  Normally this makes things like DCHECK_EQ() unhappy, but when I'd originally tested this I didn't seem to need to make any changes due to that. Will be watching the trybots...
  The original motivation for this change was to find a way to eliminate some cases of passing anonymous-typed values as template arguments (which happens when you use a value from the enum in e.g. EXPECT_EQ()), which is technically illegal in C++03, though we don't warn about it. Simply naming the enum would have done this, but this would have encouraged readers to actually use the enum name as a type, which for a bitfield is inappropriate for the reason given in the first paragraph.
  BUG=92247
  TEST=Compiles
  Review URL: http://codereview.chromium.org/7819009
  TBR=pkasting@chromium.org
  Review URL: http://codereview.chromium.org/7995014
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102325 0039d316-1c4b-4281-b951-d872f2087c98
* For the SSL cert status, convert anonymous enum that gives bit values into a typedefed uint32. | pkasting@chromium.org | 2011-09-22 | 1 | -1/+1
  This allows code all over Chromium to use an explicit type instead of "int". (This isn't possible by simply naming the enum as technically the enum doesn't define all of the possible combinations of bits.)
  This also means the individual named bit constants themselves have the same explicit type. I find the resulting code to be noticeably clearer. This also exposed a bug in SSLErrorInfo::GetErrorsForCertStatus() where not having an explicit type allowed a function argument ordering bug to creep in, so I claim this is safer too.
  I also added CERT_STATUS_NO_ERROR in place of "0" as a magic number.
  Normally this makes things like DCHECK_EQ() unhappy, but when I'd originally tested this I didn't seem to need to make any changes due to that. Will be watching the trybots...
  The original motivation for this change was to find a way to eliminate some cases of passing anonymous-typed values as template arguments (which happens when you use a value from the enum in e.g. EXPECT_EQ()), which is technically illegal in C++03, though we don't warn about it. Simply naming the enum would have done this, but this would have encouraged readers to actually use the enum name as a type, which for a bitfield is inappropriate for the reason given in the first paragraph.
  BUG=92247
  TEST=Compiles
  Review URL: http://codereview.chromium.org/7819009
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102322 0039d316-1c4b-4281-b951-d872f2087c98
* Resubmission of r98288: Added CreateOriginBound method to x509_certificate.h | mdietz@google.com | 2011-09-08 | 1 | -0/+10
  Previous review URL: http://codereview.chromium.org/7384002
  BUG=88782
  TEST=net_unittests --gtest_filter=X509CertificateTest.CreateOriginBound
  Review URL: http://codereview.chromium.org/7763001
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@100264 0039d316-1c4b-4281-b951-d872f2087c98
* Revert 98288 - Added CreateOriginBound method to x509_certificate.h. | jbates@chromium.org | 2011-08-25 | 1 | -10/+0
  This static method branches the CreateSelfSigned code to create a self signed certificate that contains an X509v3 extension that indicates the ASCII weborigin that is bound to the generated certificate.
  BUG=88782
  TEST=
  Review URL: http://codereview.chromium.org/7384002
  TBR=mdietz@google.com
  Review URL: http://codereview.chromium.org/7740034
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98293 0039d316-1c4b-4281-b951-d872f2087c98
* Added CreateOriginBound method to x509_certificate.h. | mdietz@google.com | 2011-08-25 | 1 | -0/+10
  This static method branches the CreateSelfSigned code to create a self signed certificate that contains an X509v3 extension that indicates the ASCII weborigin that is bound to the generated certificate.
  BUG=88782
  TEST=
  Review URL: http://codereview.chromium.org/7384002
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98288 0039d316-1c4b-4281-b951-d872f2087c98