| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verify_proc_openssl.h" | 5 #include "net/base/cert_verify_proc_openssl.h" |
| 6 | 6 |
| 7 #include <openssl/x509v3.h> | 7 #include <openssl/x509v3.h> |
| 8 | 8 |
| 9 #include <string> |
| 10 #include <vector> |
| 11 |
| 9 #include "base/logging.h" | 12 #include "base/logging.h" |
| 10 #include "base/sha1.h" | 13 #include "base/sha1.h" |
| 11 #include "crypto/openssl_util.h" | 14 #include "crypto/openssl_util.h" |
| 15 #include "crypto/sha2.h" |
| 12 #include "net/base/asn1_util.h" | 16 #include "net/base/asn1_util.h" |
| 13 #include "net/base/cert_status_flags.h" | 17 #include "net/base/cert_status_flags.h" |
| 14 #include "net/base/cert_verify_result.h" | 18 #include "net/base/cert_verify_result.h" |
| 15 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 16 #include "net/base/x509_certificate.h" | 20 #include "net/base/x509_certificate.h" |
| 17 | 21 |
| 18 #if defined(OS_ANDROID) | 22 #if defined(OS_ANDROID) |
| 19 #include "net/android/network_library.h" | 23 #include "net/android/network_library.h" |
| 20 #endif | 24 #endif |
| 21 | 25 |
| (...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 125 } | 129 } |
| 126 } | 130 } |
| 127 | 131 |
| 128 if (verified_cert) { | 132 if (verified_cert) { |
| 129 verify_result->verified_cert = | 133 verify_result->verified_cert = |
| 130 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 134 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 131 } | 135 } |
| 132 } | 136 } |
| 133 | 137 |
| 134 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, | 138 void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx, |
| 135 std::vector<SHA1Fingerprint>* hashes) { | 139 std::vector<HashValueVector>* hashes) { |
| 136 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); | 140 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx); |
| 137 for (int i = 0; i < sk_X509_num(chain); ++i) { | 141 for (int i = 0; i < sk_X509_num(chain); ++i) { |
| 138 X509* cert = sk_X509_value(chain, i); | 142 X509* cert = sk_X509_value(chain, i); |
| 139 | 143 |
| 140 std::string der_data; | 144 std::string der_data; |
| 141 if (!X509Certificate::GetDEREncoded(cert, &der_data)) | 145 if (!X509Certificate::GetDEREncoded(cert, &der_data)) |
| 142 continue; | 146 continue; |
| 143 | 147 |
| 144 base::StringPiece der_bytes(der_data); | 148 base::StringPiece der_bytes(der_data); |
| 145 base::StringPiece spki_bytes; | 149 base::StringPiece spki_bytes; |
| 146 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | 150 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
| 147 continue; | 151 continue; |
| 148 | 152 |
| 149 SHA1Fingerprint hash; | 153 HashValue sha1; |
| 154 sha1.tag = HASH_VALUE_SHA1; |
| 150 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 155 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
| 151 spki_bytes.size(), hash.data); | 156 spki_bytes.size(), sha1.data()); |
| 152 hashes->push_back(hash); | 157 (*hashes)[HASH_VALUE_SHA1].push_back(sha1); |
| 158 |
| 159 HashValue sha256; |
| 160 sha256.tag = HASH_VALUE_SHA256; |
| 161 crypto::SHA256HashString(spki_bytes, sha1.data(), crypto::kSHA256Length); |
| 162 (*hashes)[HASH_VALUE_SHA256].push_back(sha256); |
| 153 } | 163 } |
| 154 } | 164 } |
| 155 | 165 |
| 156 #if defined(OS_ANDROID) | 166 #if defined(OS_ANDROID) |
| 157 // Returns true if we have verification result in |verify_result| from Android | 167 // Returns true if we have verification result in |verify_result| from Android |
| 158 // Trust Manager. Otherwise returns false. | 168 // Trust Manager. Otherwise returns false. |
| 159 bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes, | 169 bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes, |
| 160 CertVerifyResult* verify_result) { | 170 CertVerifyResult* verify_result) { |
| 161 // TODO(joth): Fetch the authentication type from SSL rather than hardcode. | 171 // TODO(joth): Fetch the authentication type from SSL rather than hardcode. |
| 162 bool verified = true; | 172 bool verified = true; |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 269 // TODO(joth): if the motivations described in | 279 // TODO(joth): if the motivations described in |
| 270 // http://src.chromium.org/viewvc/chrome?view=rev&revision=80778 become an | 280 // http://src.chromium.org/viewvc/chrome?view=rev&revision=80778 become an |
| 271 // issue on OpenSSL builds, we will need to embed a hardcoded list of well | 281 // issue on OpenSSL builds, we will need to embed a hardcoded list of well |
| 272 // known root CAs, as per the _mac and _win versions. | 282 // known root CAs, as per the _mac and _win versions. |
| 273 verify_result->is_issued_by_known_root = true; | 283 verify_result->is_issued_by_known_root = true; |
| 274 | 284 |
| 275 return OK; | 285 return OK; |
| 276 } | 286 } |
| 277 | 287 |
| 278 } // namespace net | 288 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10545166:
Support SHA-256 in public key pins for HTTPS. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/