From 146cb7d13ce0b53c7516d87e0a08009adb47db55 Mon Sep 17 00:00:00 2001
From: "joth@chromium.org"
Date: Wed, 13 Apr 2011 12:35:00 +0000
Subject: Fix openssl build

Tests ExtractSPKIFromDERCert & PublicKeyHashes are failing (you can see them here: http://goo.gl/Rc3OA )

Follow up to http://src.chromium.org/viewvc/chrome?view=rev&revision=81259
- implements GetDEREncoded for opensll
- adds public_key_hashes support in openssl X509Certificate::Verify
- small change to unit test to make it much easier to diagnose failures.

BUG=None
TEST=net_unittests --gtest_filter=X509Certificate*

Review URL: http://codereview.chromium.org/6826065

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81398 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/base/x509_certificate_openssl.cc | 29 +++++++++++++++++++++++++++--
 net/base/x509_certificate_unittest.cc | 13 +++++++------
 2 files changed, 34 insertions(+), 8 deletions(-)

(limited to 'net')

diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 433ca0d..687cfb5 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -16,7 +16,9 @@
 #include "base/memory/singleton.h"
 #include "base/openssl_util.h"
 #include "base/pickle.h"
+#include "base/sha1.h"
 #include "base/string_number_conversions.h"
+#include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/net_errors.h"
@@ -475,6 +477,25 @@ int X509Certificate::Verify(const std::string& hostname,
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);
 
+  STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get());
+  for (int i = 0; i < sk_X509_num(chain); ++i) {
+    X509* cert = sk_X509_value(chain, i);
+    DERCache der_cache;
+    if (!GetDERAndCacheIfNeeded(cert, &der_cache))
+      continue;
+
+    base::StringPiece der_bytes(reinterpret_cast(der_cache.data),
+                                der_cache.data_length);
+    base::StringPiece spki_bytes;
+    if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
+      continue;
+
+    SHA1Fingerprint hash;
+    base::SHA1HashBytes(reinterpret_cast(spki_bytes.data()),
+                        spki_bytes.size(), hash.data);
+    verify_result->public_key_hashes.push_back(hash);
+  }
+
   // Currently we only ues OpenSSL's default root CA paths, so treat all
   // correctly verified certs as being from a known root. TODO(joth): if the
   // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778
@@ -486,8 +507,12 @@ int X509Certificate::Verify(const std::string& hostname,
 }
 
 bool X509Certificate::GetDEREncoded(std::string* encoded) {
-  // TODO(port): Implement.
-  return false;
+  DERCache der_cache;
+  if (!GetDERAndCacheIfNeeded(cert_handle_, &der_cache))
+    return false;
+  encoded->assign(reinterpret_cast(der_cache.data),
+                  der_cache.data_length);
+  return true;
 }
 
 // static
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 47a931a..e7f924f 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -8,6 +8,7 @@
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
+#include "base/string_number_conversions.h"
 #include "base/string_split.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
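Review bot: A chain element whose DER cannot be fetched or whose SPKI cannot be parsed is dropped by the two `continue` statements in the new loop, so `verify_result->public_key_hashes` can end up shorter than the verified chain with no record of which element is missing, and a later consumer cannot tell a parse failure from a genuinely short chain. A certificate that just passed OpenSSL verification should always yield an SPKI, so a failure here is surprising enough to be worth surfacing as an error, or at minimum documenting above the loop: `// A chain element that fails DER or SPKI extraction contributes no hash, so this vector is not guaranteed to be chain-aligned.` The `reinterpret_cast` target types appear without their template arguments on this page, which looks like a rendering artifact rather than the committed code. X509Certificate::Verify begins and ends outside this hunk.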
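Review bot: GetDEREncoded now returns false and leaves `*encoded` untouched when `GetDERAndCacheIfNeeded` fails, and nothing in the signature tells a caller whether the string was cleared or partially written; the declaration in the header (outside this hunk) should state the contract, e.g. `// Returns false and leaves |encoded| unmodified if the DER form is unavailable.` Copying `der_cache.data`/`data_length` into the caller's string rather than handing out the cached buffer is the safer shape, since the caller owns the copy independent of the cache's lifetime.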
@@ -30,6 +31,8 @@
 #define TEST_EV 1  // Test CERT_STATUS_IS_EV
 #endif
 
+using base::HexEncode;
+using base::SHA1_LENGTH;
 using base::Time;
 
 namespace net {
@@ -566,12 +569,10 @@ TEST(X509CertificateTest, PublicKeyHashes) {
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0, verify_result.cert_status);
   ASSERT_LE(2u, verify_result.public_key_hashes.size());
-  EXPECT_TRUE(0 == memcmp(verify_result.public_key_hashes[0].data,
-                          nistSPKIHash, base::SHA1_LENGTH));
-  EXPECT_TRUE(0 == memcmp(verify_result.public_key_hashes[1].data,
-                          "\x83\x24\x42\x23\xd6\xcb\xf0\xa2\x6f\xc7"
-                          "\xde\x27\xce\xbc\xa4\xbd\xa3\x26\x12\xad",
-                          base::SHA1_LENGTH));
+  EXPECT_EQ(HexEncode(nistSPKIHash, base::SHA1_LENGTH),
+            HexEncode(verify_result.public_key_hashes[0].data, SHA1_LENGTH));
+  EXPECT_EQ("83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD",
+            HexEncode(verify_result.public_key_hashes[1].data, SHA1_LENGTH));
 
   TestRootCerts::GetInstance()->Clear();
 }
-- 
cgit v1.1
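Review bot: The first new EXPECT_EQ mixes `base::SHA1_LENGTH` and the unqualified `SHA1_LENGTH` on adjacent lines; with `using base::SHA1_LENGTH;` introduced in the hunk above, the qualified form should go, `EXPECT_EQ(HexEncode(nistSPKIHash, SHA1_LENGTH),`. The literal `"83244223D6CBF0A26FC7DE27CEBCA4BDA32612AD"` now reads cleanly in failure output, which is the stated aim, but nothing says whose SPKI it digests; a one-line comment naming the certificate in the test chain it was computed from (presumably the one at chain index 1, to be confirmed) would stop it from being a magic string the next person has to regenerate blind. TEST(X509CertificateTest, PublicKeyHashes) begins outside this hunk.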