| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verify_proc_win.h" | 5 #include "net/base/cert_verify_proc_win.h" |
| 6 | 6 |
| 7 #include <string> |
| 8 #include <vector> |
| 9 |
| 7 #include "base/memory/scoped_ptr.h" | 10 #include "base/memory/scoped_ptr.h" |
| 8 #include "base/sha1.h" | 11 #include "base/sha1.h" |
| 9 #include "base/string_util.h" | 12 #include "base/string_util.h" |
| 10 #include "base/utf_string_conversions.h" | 13 #include "base/utf_string_conversions.h" |
| 11 #include "crypto/capi_util.h" | 14 #include "crypto/capi_util.h" |
| 12 #include "crypto/scoped_capi_types.h" | 15 #include "crypto/scoped_capi_types.h" |
| 13 #include "crypto/sha2.h" | 16 #include "crypto/sha2.h" |
| 14 #include "net/base/asn1_util.h" | 17 #include "net/base/asn1_util.h" |
| 15 #include "net/base/cert_status_flags.h" | 18 #include "net/base/cert_status_flags.h" |
| 16 #include "net/base/cert_verify_result.h" | 19 #include "net/base/cert_verify_result.h" |
| (...skipping 258 matching lines...) |
| 275 // which we recognise as a standard root. | 278 // which we recognise as a standard root. |
| 276 // static | 279 // static |
| 277 bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) { | 280 bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) { |
| 278 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; | 281 PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0]; |
| 279 int num_elements = first_chain->cElement; | 282 int num_elements = first_chain->cElement; |
| 280 if (num_elements < 1) | 283 if (num_elements < 1) |
| 281 return false; | 284 return false; |
| 282 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; | 285 PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement; |
| 283 PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext; | 286 PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext; |
| 284 | 287 |
| 285 SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(cert); | 288 SHA1HashValue hash = X509Certificate::CalculateFingerprint(cert); |
| 286 return IsSHA1HashInSortedArray( | 289 return IsSHA1HashInSortedArray( |
| 287 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes)); | 290 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes)); |
| 288 } | 291 } |
| 289 | 292 |
| 290 // Saves some information about the certificate chain |chain_context| in | 293 // Saves some information about the certificate chain |chain_context| in |
| 291 // |*verify_result|. The caller MUST initialize |*verify_result| before | 294 // |*verify_result|. The caller MUST initialize |*verify_result| before |
| 292 // calling this function. | 295 // calling this function. |
| 293 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, | 296 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, |
| 294 CertVerifyResult* verify_result) { | 297 CertVerifyResult* verify_result) { |
| 295 if (chain_context->cChain == 0) | 298 if (chain_context->cChain == 0) |
| (...skipping 138 matching lines...) |
| 434 default: | 437 default: |
| 435 NOTREACHED(); | 438 NOTREACHED(); |
| 436 continue; | 439 continue; |
| 437 } | 440 } |
| 438 } | 441 } |
| 439 | 442 |
| 440 return true; | 443 return true; |
| 441 } | 444 } |
| 442 | 445 |
| 443 void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain, | 446 void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain, |
| 444 std::vector<SHA1Fingerprint>* hashes) { | 447 HashValueVector* hashes) { |
| 445 if (chain->cChain == 0) | 448 if (chain->cChain == 0) |
| 446 return; | 449 return; |
| 447 | 450 |
| 448 PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0]; | 451 PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0]; |
| 449 PCERT_CHAIN_ELEMENT* const element = first_chain->rgpElement; | 452 PCERT_CHAIN_ELEMENT* const element = first_chain->rgpElement; |
| 450 | 453 |
| 451 const DWORD num_elements = first_chain->cElement; | 454 const DWORD num_elements = first_chain->cElement; |
| 452 for (DWORD i = 0; i < num_elements; i++) { | 455 for (DWORD i = 0; i < num_elements; i++) { |
| 453 PCCERT_CONTEXT cert = element[i]->pCertContext; | 456 PCCERT_CONTEXT cert = element[i]->pCertContext; |
| 454 | 457 |
| 455 base::StringPiece der_bytes( | 458 base::StringPiece der_bytes( |
| 456 reinterpret_cast<const char*>(cert->pbCertEncoded), | 459 reinterpret_cast<const char*>(cert->pbCertEncoded), |
| 457 cert->cbCertEncoded); | 460 cert->cbCertEncoded); |
| 458 base::StringPiece spki_bytes; | 461 base::StringPiece spki_bytes; |
| 459 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | 462 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
| 460 continue; | 463 continue; |
| 461 | 464 |
| 462 SHA1Fingerprint hash; | 465 HashValue sha1(HASH_VALUE_SHA1); |
| 463 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), | 466 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()), |
| 464 spki_bytes.size(), hash.data); | 467 spki_bytes.size(), sha1.data()); |
| 465 hashes->push_back(hash); | 468 hashes->push_back(sha1); |
| 469 |
| 470 HashValue sha256(HASH_VALUE_SHA256); |
| 471 crypto::SHA256HashString(spki_bytes, sha1.data(), crypto::kSHA256Length); |
| 472 hashes->push_back(sha256); |
| 466 } | 473 } |
| 467 } | 474 } |
| 468 | 475 |
| 469 // Returns true if the certificate is an extended-validation certificate. | 476 // Returns true if the certificate is an extended-validation certificate. |
| 470 // | 477 // |
| 471 // This function checks the certificatePolicies extensions of the | 478 // This function checks the certificatePolicies extensions of the |
| 472 // certificates in the certificate chain according to Section 7 (pp. 11-12) | 479 // certificates in the certificate chain according to Section 7 (pp. 11-12) |
| 473 // of the EV Certificate Guidelines Version 1.0 at | 480 // of the EV Certificate Guidelines Version 1.0 at |
| 474 // http://cabforum.org/EV_Certificate_Guidelines.pdf. | 481 // http://cabforum.org/EV_Certificate_Guidelines.pdf. |
| 475 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, | 482 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context, |
| (...skipping 20 matching lines...) |
| 496 // Check the end certificate simple chain (chain_context->rgpChain[0]). | 503 // Check the end certificate simple chain (chain_context->rgpChain[0]). |
| 497 // If the end certificate's certificatePolicies extension contains the | 504 // If the end certificate's certificatePolicies extension contains the |
| 498 // EV policy OID of the root CA, return true. | 505 // EV policy OID of the root CA, return true. |
| 499 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement; | 506 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement; |
| 500 int num_elements = chain_context->rgpChain[0]->cElement; | 507 int num_elements = chain_context->rgpChain[0]->cElement; |
| 501 if (num_elements < 2) | 508 if (num_elements < 2) |
| 502 return false; | 509 return false; |
| 503 | 510 |
| 504 // Look up the EV policy OID of the root CA. | 511 // Look up the EV policy OID of the root CA. |
| 505 PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext; | 512 PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext; |
| 506 SHA1Fingerprint fingerprint = | 513 SHA1HashValue fingerprint = |
| 507 X509Certificate::CalculateFingerprint(root_cert); | 514 X509Certificate::CalculateFingerprint(root_cert); |
| 508 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); | 515 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); |
| 509 return metadata->HasEVPolicyOID(fingerprint, policy_oid); | 516 return metadata->HasEVPolicyOID(fingerprint, policy_oid); |
| 510 } | 517 } |
| 511 | 518 |
| 512 } // namespace | 519 } // namespace |
| 513 | 520 |
| 514 CertVerifyProcWin::CertVerifyProcWin() {} | 521 CertVerifyProcWin::CertVerifyProcWin() {} |
| 515 | 522 |
| 516 CertVerifyProcWin::~CertVerifyProcWin() {} | 523 CertVerifyProcWin::~CertVerifyProcWin() {} |
| (...skipping 219 matching lines...) |
| 736 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); | 743 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); |
| 737 | 744 |
| 738 if (ev_policy_oid && | 745 if (ev_policy_oid && |
| 739 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { | 746 CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) { |
| 740 verify_result->cert_status |= CERT_STATUS_IS_EV; | 747 verify_result->cert_status |= CERT_STATUS_IS_EV; |
| 741 } | 748 } |
| 742 return OK; | 749 return OK; |
| 743 } | 750 } |
| 744 | 751 |
| 745 } // namespace net | 752 } // namespace net |
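Review bot: In AppendPublicKeyHashes (new lines 470-472) the SHA-256 digest is written into `sha1.data()` instead of `sha256.data()`, so the `sha256` value pushed onto `hashes` is never filled in. The same call writes `crypto::kSHA256Length` bytes into an object constructed as `HASH_VALUE_SHA1`; whether that stays in bounds depends on HashValue's storage, which is not visible on this page. The line should read `crypto::SHA256HashString(spki_bytes, sha256.data(), crypto::kSHA256Length);`. If these hashes feed public-key pin matching, as the function name suggests, the SHA-256 entries would never match a real pin, so a unit test comparing the appended SHA-256 entry against a known SPKI digest would be worth adding.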
| OLD | NEW |