
Side by Side Diff: net/base/cert_verify_proc_mac.cc

Issue 10826257: Implement SHA-256 fingerprint support (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 4 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/cert_verify_proc_mac.h" 5 #include "net/base/cert_verify_proc_mac.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 10
11 #include <string>
12 #include <vector>
13
11 #include "base/logging.h" 14 #include "base/logging.h"
12 #include "base/mac/mac_logging.h" 15 #include "base/mac/mac_logging.h"
13 #include "base/mac/scoped_cftyperef.h" 16 #include "base/mac/scoped_cftyperef.h"
14 #include "base/sha1.h" 17 #include "base/sha1.h"
15 #include "base/string_piece.h" 18 #include "base/string_piece.h"
16 #include "crypto/nss_util.h" 19 #include "crypto/nss_util.h"
17 #include "crypto/sha2.h" 20 #include "crypto/sha2.h"
18 #include "net/base/asn1_util.h" 21 #include "net/base/asn1_util.h"
19 #include "net/base/cert_status_flags.h" 22 #include "net/base/cert_status_flags.h"
20 #include "net/base/cert_verify_result.h" 23 #include "net/base/cert_verify_result.h"
(...skipping 204 matching lines...) Expand 10 before | Expand all | Expand 10 after
225 } 228 }
226 } 229 }
227 if (!verified_cert) 230 if (!verified_cert)
228 return; 231 return;
229 232
230 verify_result->verified_cert = 233 verify_result->verified_cert =
231 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 234 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
232 } 235 }
233 236
234 void AppendPublicKeyHashes(CFArrayRef chain, 237 void AppendPublicKeyHashes(CFArrayRef chain,
235 std::vector<SHA1Fingerprint>* hashes) { 238 HashValueVector* hashes) {
236 const CFIndex n = CFArrayGetCount(chain); 239 const CFIndex n = CFArrayGetCount(chain);
237 for (CFIndex i = 0; i < n; i++) { 240 for (CFIndex i = 0; i < n; i++) {
238 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( 241 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
239 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); 242 const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
240 243
241 CSSM_DATA cert_data; 244 CSSM_DATA cert_data;
242 OSStatus err = SecCertificateGetData(cert, &cert_data); 245 OSStatus err = SecCertificateGetData(cert, &cert_data);
243 DCHECK_EQ(err, noErr); 246 DCHECK_EQ(err, noErr);
244 base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data), 247 base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
245 cert_data.Length); 248 cert_data.Length);
246 base::StringPiece spki_bytes; 249 base::StringPiece spki_bytes;
247 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) 250 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
248 continue; 251 continue;
249 252
250 SHA1Fingerprint hash; 253 HashValue sha1(HASH_VALUE_SHA1);
251 CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data); 254 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());
252 hashes->push_back(hash); 255 hashes->push_back(sha1);
256
257 HashValue sha256(HASH_VALUE_SHA256);
258 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
259 hashes->push_back(sha256);
253 } 260 }
254 } 261 }
255 262
256 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) { 263 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
257 if (CFArrayGetCount(chain) == 0) 264 if (CFArrayGetCount(chain) == 0)
258 return true; 265 return true;
259 266
260 // We iterate from the root certificate down to the leaf, keeping track of 267 // We iterate from the root certificate down to the leaf, keeping track of
261 // the issuer's SPKI at each step. 268 // the issuer's SPKI at each step.
262 std::string issuer_spki_hash; 269 std::string issuer_spki_hash;
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after
319 326
320 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA 327 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
321 // that we recognise as a standard root. 328 // that we recognise as a standard root.
322 // static 329 // static
323 bool IsIssuedByKnownRoot(CFArrayRef chain) { 330 bool IsIssuedByKnownRoot(CFArrayRef chain) {
324 int n = CFArrayGetCount(chain); 331 int n = CFArrayGetCount(chain);
325 if (n < 1) 332 if (n < 1)
326 return false; 333 return false;
327 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( 334 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
328 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); 335 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
329 SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(root_ref); 336 SHA1HashValue hash = X509Certificate::CalculateFingerprint(root_ref);
330 return IsSHA1HashInSortedArray( 337 return IsSHA1HashInSortedArray(
331 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes)); 338 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
332 } 339 }
333 340
334 } // namespace 341 } // namespace
335 342
336 CertVerifyProcMac::CertVerifyProcMac() {} 343 CertVerifyProcMac::CertVerifyProcMac() {}
337 344
338 CertVerifyProcMac::~CertVerifyProcMac() {} 345 CertVerifyProcMac::~CertVerifyProcMac() {}
339 346
(...skipping 235 matching lines...) Expand 10 before | Expand all | Expand 10 after
575 } 582 }
576 } 583 }
577 584
578 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes); 585 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
579 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain); 586 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
580 587
581 return OK; 588 return OK;
582 } 589 }
583 590
584 } // namespace net 591 } // namespace net
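Review bot: The SHA-256 addition in AppendPublicKeyHashes (new lines 257-259) makes the function append two entries per certificate, so |hashes| now holds SHA-1 and SHA-256 values interleaved in chain order, yet nothing at the definition says so; a consumer that assumes one entry per certificate or compares without looking at the tag would mismatch silently. A header comment along the lines of `// For each certificate in |chain|, appends the SHA-1 and then the SHA-256 hash of its SPKI; callers must dispatch on the HashValue tag rather than assume one entry per certificate.` would pin that contract down. The new CC_SHA256 call also repeats the existing implicit narrowing of spki_bytes.size() (size_t) to CC_LONG on the CC_SHA1 line above it; a single certificate's SPKI is nowhere near that bound, but a DCHECK that the size fits in CC_LONG would make the assumption explicit. If HashValue exposes its digest length, a DCHECK comparing it against CC_SHA256_DIGEST_LENGTH before the call would also guard the buffer size the tagged constructor is presumed to provide. The other hunks on this page are cut off at their edges and were not reviewed.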