| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/ev_root_ca_metadata.h" | 5 #include "net/base/ev_root_ca_metadata.h" |
| 6 | 6 |
| 7 #if defined(USE_NSS) | 7 #if defined(USE_NSS) |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <pkcs11n.h> | 9 #include <pkcs11n.h> |
| 10 #include <secerr.h> | 10 #include <secerr.h> |
| (...skipping 15 matching lines...) Expand all Loading... |
| 26 // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At | 26 // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At |
| 27 // least one CA has different EV policies for businuss vs government | 27 // least one CA has different EV policies for businuss vs government |
| 28 // entities and, in the case of cross-signing, we might need to list another | 28 // entities and, in the case of cross-signing, we might need to list another |
| 29 // CA's policy OID under the cross-signing root. | 29 // CA's policy OID under the cross-signing root. |
| 30 static const size_t kMaxOIDsPerCA = 2; | 30 static const size_t kMaxOIDsPerCA = 2; |
| 31 // This is the maximum length of an OID string (including the trailing NUL). | 31 // This is the maximum length of an OID string (including the trailing NUL). |
| 32 static const size_t kMaxOIDLength = 32; | 32 static const size_t kMaxOIDLength = 32; |
| 33 | 33 |
| 34 // The SHA-1 fingerprint of the root CA certificate, used as a unique | 34 // The SHA-1 fingerprint of the root CA certificate, used as a unique |
| 35 // identifier for a root CA certificate. | 35 // identifier for a root CA certificate. |
| 36 SHA1Fingerprint fingerprint; | 36 SHA1HashValue fingerprint; |
| 37 | 37 |
| 38 // The EV policy OIDs of the root CA. | 38 // The EV policy OIDs of the root CA. |
| 39 const char policy_oids[kMaxOIDsPerCA][kMaxOIDLength]; | 39 const char policy_oids[kMaxOIDsPerCA][kMaxOIDLength]; |
| 40 }; | 40 }; |
| 41 | 41 |
| 42 static const EVMetadata ev_root_ca_metadata[] = { | 42 static const EVMetadata ev_root_ca_metadata[] = { |
| 43 // AddTrust External CA Root | 43 // AddTrust External CA Root |
| 44 // https://addtrustexternalcaroot-ev.comodoca.com | 44 // https://addtrustexternalcaroot-ev.comodoca.com |
| 45 { { { 0x02, 0xfa, 0xf3, 0xe2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78, | 45 { { { 0x02, 0xfa, 0xf3, 0xe2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78, |
| 46 0x57, 0x69, 0x4d, 0xf5, 0xe4, 0x5b, 0x68, 0x85, 0x18, 0x68 } }, | 46 0x57, 0x69, 0x4d, 0xf5, 0xe4, 0x5b, 0x68, 0x85, 0x18, 0x68 } }, |
| (...skipping 19 matching lines...) Expand all Loading... |
| 66 // AffirmTrust Premium | 66 // AffirmTrust Premium |
| 67 // https://premium.affirmtrust.com:4432/ | 67 // https://premium.affirmtrust.com:4432/ |
| 68 { { { 0xd8, 0xa6, 0x33, 0x2c, 0xe0, 0x03, 0x6f, 0xb1, 0x85, 0xf6, | 68 { { { 0xd8, 0xa6, 0x33, 0x2c, 0xe0, 0x03, 0x6f, 0xb1, 0x85, 0xf6, |
| 69 0x63, 0x4f, 0x7d, 0x6a, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 } }, | 69 0x63, 0x4f, 0x7d, 0x6a, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 } }, |
| 70 {"1.3.6.1.4.1.34697.2.3", ""}, | 70 {"1.3.6.1.4.1.34697.2.3", ""}, |
| 71 }, | 71 }, |
| 72 // AffirmTrust Premium ECC | 72 // AffirmTrust Premium ECC |
| 73 // https://premiumecc.affirmtrust.com:4433/ | 73 // https://premiumecc.affirmtrust.com:4433/ |
| 74 { { { 0xb8, 0x23, 0x6b, 0x00, 0x2f, 0x1d, 0x16, 0x86, 0x53, 0x01, | 74 { { { 0xb8, 0x23, 0x6b, 0x00, 0x2f, 0x1d, 0x16, 0x86, 0x53, 0x01, |
| 75 0x55, 0x6c, 0x11, 0xa4, 0x37, 0xca, 0xeb, 0xff, 0xc3, 0xbb } }, | 75 0x55, 0x6c, 0x11, 0xa4, 0x37, 0xca, 0xeb, 0xff, 0xc3, 0xbb } }, |
| 76 {"1.3.6.1.4.1.34697.2.4", ""}, | 76 {"1.3.6.1.4.1.34697.2.4", ""}, |
| 77 }, | 77 }, |
| 78 // CertPlus Class 2 Primary CA (KEYNECTIS) | 78 // CertPlus Class 2 Primary CA (KEYNECTIS) |
| 79 // https://www.keynectis.com/ | 79 // https://www.keynectis.com/ |
| 80 { { { 0x74, 0x20, 0x74, 0x41, 0x72, 0x9c, 0xdd, 0x92, 0xec, 0x79, | 80 { { { 0x74, 0x20, 0x74, 0x41, 0x72, 0x9c, 0xdd, 0x92, 0xec, 0x79, |
| 81 0x31, 0xd8, 0x23, 0x10, 0x8d, 0xc2, 0x81, 0x92, 0xe2, 0xbb } }, | 81 0x31, 0xd8, 0x23, 0x10, 0x8d, 0xc2, 0x81, 0x92, 0xe2, 0xbb } }, |
| 82 {"1.3.6.1.4.1.22234.2.5.2.3.1", ""}, | 82 {"1.3.6.1.4.1.22234.2.5.2.3.1", ""}, |
| 83 }, | 83 }, |
| 84 // Certum Trusted Network CA | 84 // Certum Trusted Network CA |
| 85 // https://juice.certum.pl/ | 85 // https://juice.certum.pl/ |
| 86 { { { 0x07, 0xe0, 0x32, 0xe0, 0x20, 0xb7, 0x2c, 0x3f, 0x19, 0x2f, | 86 { { { 0x07, 0xe0, 0x32, 0xe0, 0x20, 0xb7, 0x2c, 0x3f, 0x19, 0x2f, |
| (...skipping 228 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 315 g_ev_root_ca_metadata = LAZY_INSTANCE_INITIALIZER; | 315 g_ev_root_ca_metadata = LAZY_INSTANCE_INITIALIZER; |
| 316 | 316 |
| 317 // static | 317 // static |
| 318 EVRootCAMetadata* EVRootCAMetadata::GetInstance() { | 318 EVRootCAMetadata* EVRootCAMetadata::GetInstance() { |
| 319 return g_ev_root_ca_metadata.Pointer(); | 319 return g_ev_root_ca_metadata.Pointer(); |
| 320 } | 320 } |
| 321 | 321 |
| 322 #if defined(USE_NSS) | 322 #if defined(USE_NSS) |
| 323 | 323 |
| 324 bool EVRootCAMetadata::GetPolicyOIDsForCA( | 324 bool EVRootCAMetadata::GetPolicyOIDsForCA( |
| 325 const SHA1Fingerprint& fingerprint, | 325 const SHA1HashValue& fingerprint, |
| 326 std::vector<PolicyOID>* policy_oids) const { | 326 std::vector<PolicyOID>* policy_oids) const { |
| 327 PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint); | 327 PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint); |
| 328 if (iter == ev_policy_.end()) | 328 if (iter == ev_policy_.end()) |
| 329 return false; | 329 return false; |
| 330 for (std::vector<PolicyOID>::const_iterator | 330 for (std::vector<PolicyOID>::const_iterator |
| 331 j = iter->second.begin(); j != iter->second.end(); ++j) { | 331 j = iter->second.begin(); j != iter->second.end(); ++j) { |
| 332 policy_oids->push_back(*j); | 332 policy_oids->push_back(*j); |
| 333 } | 333 } |
| 334 return true; | 334 return true; |
| 335 } | 335 } |
| 336 | 336 |
| 337 const EVRootCAMetadata::PolicyOID* EVRootCAMetadata::GetPolicyOIDs() const { | 337 const EVRootCAMetadata::PolicyOID* EVRootCAMetadata::GetPolicyOIDs() const { |
| 338 return &policy_oids_[0]; | 338 return &policy_oids_[0]; |
| 339 } | 339 } |
| 340 | 340 |
| 341 int EVRootCAMetadata::NumPolicyOIDs() const { | 341 int EVRootCAMetadata::NumPolicyOIDs() const { |
| 342 return policy_oids_.size(); | 342 return policy_oids_.size(); |
| 343 } | 343 } |
| 344 | 344 |
| 345 bool EVRootCAMetadata::AddEVCA(const SHA1Fingerprint& fingerprint, | 345 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 346 const char* policy) { | 346 const char* policy) { |
| 347 if (ev_policy_.find(fingerprint) != ev_policy_.end()) | 347 if (ev_policy_.find(fingerprint) != ev_policy_.end()) |
| 348 return false; | 348 return false; |
| 349 | 349 |
| 350 PolicyOID oid; | 350 PolicyOID oid; |
| 351 if (!RegisterOID(policy, &oid)) | 351 if (!RegisterOID(policy, &oid)) |
| 352 return false; | 352 return false; |
| 353 | 353 |
| 354 ev_policy_[fingerprint].push_back(oid); | 354 ev_policy_[fingerprint].push_back(oid); |
| 355 policy_oids_.push_back(oid); | 355 policy_oids_.push_back(oid); |
| 356 | 356 |
| 357 return true; | 357 return true; |
| 358 } | 358 } |
| 359 | 359 |
| 360 bool EVRootCAMetadata::RemoveEVCA(const SHA1Fingerprint& fingerprint) { | 360 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 361 PolicyOIDMap::iterator it = ev_policy_.find(fingerprint); | 361 PolicyOIDMap::iterator it = ev_policy_.find(fingerprint); |
| 362 if (it == ev_policy_.end()) | 362 if (it == ev_policy_.end()) |
| 363 return false; | 363 return false; |
| 364 PolicyOID oid = it->second[0]; | 364 PolicyOID oid = it->second[0]; |
| 365 ev_policy_.erase(it); | 365 ev_policy_.erase(it); |
| 366 | 366 |
| 367 std::vector<PolicyOID>::iterator it2 = std::find( | 367 std::vector<PolicyOID>::iterator it2 = std::find( |
| 368 policy_oids_.begin(), policy_oids_.end(), oid); | 368 policy_oids_.begin(), policy_oids_.end(), oid); |
| 369 if (it2 == policy_oids_.end()) | 369 if (it2 == policy_oids_.end()) |
| 370 return false; | 370 return false; |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 409 | 409 |
| 410 for (ExtraEVCAMap::const_iterator i = extra_cas_.begin(); | 410 for (ExtraEVCAMap::const_iterator i = extra_cas_.begin(); |
| 411 i != extra_cas_.end(); i++) { | 411 i != extra_cas_.end(); i++) { |
| 412 if (i->second == policy_oid) | 412 if (i->second == policy_oid) |
| 413 return true; | 413 return true; |
| 414 } | 414 } |
| 415 | 415 |
| 416 return false; | 416 return false; |
| 417 } | 417 } |
| 418 | 418 |
| 419 bool EVRootCAMetadata::HasEVPolicyOID(const SHA1Fingerprint& fingerprint, | 419 bool EVRootCAMetadata::HasEVPolicyOID(const SHA1HashValue& fingerprint, |
| 420 PolicyOID policy_oid) const { | 420 PolicyOID policy_oid) const { |
| 421 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { | 421 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { |
| 422 if (!fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) | 422 if (!fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) |
| 423 continue; | 423 continue; |
| 424 for (size_t j = 0; j < arraysize(ev_root_ca_metadata[i].policy_oids); j++) { | 424 for (size_t j = 0; j < arraysize(ev_root_ca_metadata[i].policy_oids); j++) { |
| 425 if (ev_root_ca_metadata[i].policy_oids[j][0] == '\0') | 425 if (ev_root_ca_metadata[i].policy_oids[j][0] == '\0') |
| 426 break; | 426 break; |
| 427 if (strcmp(policy_oid, ev_root_ca_metadata[i].policy_oids[j]) == 0) | 427 if (strcmp(policy_oid, ev_root_ca_metadata[i].policy_oids[j]) == 0) |
| 428 return true; | 428 return true; |
| 429 } | 429 } |
| 430 return false; | 430 return false; |
| 431 } | 431 } |
| 432 | 432 |
| 433 ExtraEVCAMap::const_iterator it = extra_cas_.find(fingerprint); | 433 ExtraEVCAMap::const_iterator it = extra_cas_.find(fingerprint); |
| 434 return it != extra_cas_.end() && it->second == policy_oid; | 434 return it != extra_cas_.end() && it->second == policy_oid; |
| 435 } | 435 } |
| 436 | 436 |
| 437 bool EVRootCAMetadata::AddEVCA(const SHA1Fingerprint& fingerprint, | 437 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 438 const char* policy) { | 438 const char* policy) { |
| 439 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { | 439 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { |
| 440 if (fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) | 440 if (fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) |
| 441 return false; | 441 return false; |
| 442 } | 442 } |
| 443 | 443 |
| 444 if (extra_cas_.find(fingerprint) != extra_cas_.end()) | 444 if (extra_cas_.find(fingerprint) != extra_cas_.end()) |
| 445 return false; | 445 return false; |
| 446 | 446 |
| 447 extra_cas_[fingerprint] = policy; | 447 extra_cas_[fingerprint] = policy; |
| 448 return true; | 448 return true; |
| 449 } | 449 } |
| 450 | 450 |
| 451 bool EVRootCAMetadata::RemoveEVCA(const SHA1Fingerprint& fingerprint) { | 451 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 452 ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint); | 452 ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint); |
| 453 if (it == extra_cas_.end()) | 453 if (it == extra_cas_.end()) |
| 454 return false; | 454 return false; |
| 455 extra_cas_.erase(it); | 455 extra_cas_.erase(it); |
| 456 return true; | 456 return true; |
| 457 } | 457 } |
| 458 | 458 |
| 459 #else | 459 #else |
| 460 | 460 |
| 461 // These are just stub functions for platforms where we don't use this EV | 461 // These are just stub functions for platforms where we don't use this EV |
| 462 // metadata. | 462 // metadata. |
| 463 | 463 |
| 464 bool EVRootCAMetadata::AddEVCA(const SHA1Fingerprint& fingerprint, | 464 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 465 const char* policy) { | 465 const char* policy) { |
| 466 return true; | 466 return true; |
| 467 } | 467 } |
| 468 | 468 |
| 469 bool EVRootCAMetadata::RemoveEVCA(const SHA1Fingerprint& fingerprint) { | 469 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 470 return true; | 470 return true; |
| 471 } | 471 } |
| 472 | 472 |
| 473 #endif | 473 #endif |
| 474 | 474 |
| 475 EVRootCAMetadata::EVRootCAMetadata() { | 475 EVRootCAMetadata::EVRootCAMetadata() { |
| 476 // Constructs the object from the raw metadata in ev_root_ca_metadata. | 476 // Constructs the object from the raw metadata in ev_root_ca_metadata. |
| 477 #if defined(USE_NSS) | 477 #if defined(USE_NSS) |
| 478 crypto::EnsureNSSInit(); | 478 crypto::EnsureNSSInit(); |
| 479 | 479 |
| (...skipping 13 matching lines...) Expand all Loading... |
| 493 ev_policy_[metadata.fingerprint].push_back(policy); | 493 ev_policy_[metadata.fingerprint].push_back(policy); |
| 494 policy_oids_.push_back(policy); | 494 policy_oids_.push_back(policy); |
| 495 } | 495 } |
| 496 } | 496 } |
| 497 #endif | 497 #endif |
| 498 } | 498 } |
| 499 | 499 |
| 500 EVRootCAMetadata::~EVRootCAMetadata() { } | 500 EVRootCAMetadata::~EVRootCAMetadata() { } |
| 501 | 501 |
| 502 } // namespace net | 502 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10825211:
Implement SHA-256 fingerprint support (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/