| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/ev_root_ca_metadata.h" | 5 #include "net/base/ev_root_ca_metadata.h" |
| 6 | 6 |
| 7 #if defined(USE_NSS) | 7 #if defined(USE_NSS) |
| 8 #include <cert.h> | 8 #include <cert.h> |
| 9 #include <pkcs11n.h> | 9 #include <pkcs11n.h> |
| 10 #include <secerr.h> | 10 #include <secerr.h> |
| 26 // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At | 26 // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At |
| 27 // least one CA has different EV policies for businuss vs government | 27 // least one CA has different EV policies for businuss vs government |
| 28 // entities and, in the case of cross-signing, we might need to list another | 28 // entities and, in the case of cross-signing, we might need to list another |
| 29 // CA's policy OID under the cross-signing root. | 29 // CA's policy OID under the cross-signing root. |
| 30 static const size_t kMaxOIDsPerCA = 2; | 30 static const size_t kMaxOIDsPerCA = 2; |
| 31 // This is the maximum length of an OID string (including the trailing NUL). | 31 // This is the maximum length of an OID string (including the trailing NUL). |
| 32 static const size_t kMaxOIDLength = 32; | 32 static const size_t kMaxOIDLength = 32; |
| 33 | 33 |
| 34 // The SHA-1 fingerprint of the root CA certificate, used as a unique | 34 // The SHA-1 fingerprint of the root CA certificate, used as a unique |
| 35 // identifier for a root CA certificate. | 35 // identifier for a root CA certificate. |
| 36 SHA1Fingerprint fingerprint; | 36 SHA1HashValue fingerprint; |
| 37 | 37 |
| 38 // The EV policy OIDs of the root CA. | 38 // The EV policy OIDs of the root CA. |
| 39 const char policy_oids[kMaxOIDsPerCA][kMaxOIDLength]; | 39 const char policy_oids[kMaxOIDsPerCA][kMaxOIDLength]; |
| 40 }; | 40 }; |
| 41 | 41 |
| 42 static const EVMetadata ev_root_ca_metadata[] = { | 42 static const EVMetadata ev_root_ca_metadata[] = { |
| 43 // AddTrust External CA Root | 43 // AddTrust External CA Root |
| 44 // https://addtrustexternalcaroot-ev.comodoca.com | 44 // https://addtrustexternalcaroot-ev.comodoca.com |
| 45 { { { 0x02, 0xfa, 0xf3, 0xe2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78, | 45 { { { 0x02, 0xfa, 0xf3, 0xe2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78, |
| 46 0x57, 0x69, 0x4d, 0xf5, 0xe4, 0x5b, 0x68, 0x85, 0x18, 0x68 } }, | 46 0x57, 0x69, 0x4d, 0xf5, 0xe4, 0x5b, 0x68, 0x85, 0x18, 0x68 } }, |
| 66 // AffirmTrust Premium | 66 // AffirmTrust Premium |
| 67 // https://premium.affirmtrust.com:4432/ | 67 // https://premium.affirmtrust.com:4432/ |
| 68 { { { 0xd8, 0xa6, 0x33, 0x2c, 0xe0, 0x03, 0x6f, 0xb1, 0x85, 0xf6, | 68 { { { 0xd8, 0xa6, 0x33, 0x2c, 0xe0, 0x03, 0x6f, 0xb1, 0x85, 0xf6, |
| 69 0x63, 0x4f, 0x7d, 0x6a, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 } }, | 69 0x63, 0x4f, 0x7d, 0x6a, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 } }, |
| 70 {"1.3.6.1.4.1.34697.2.3", ""}, | 70 {"1.3.6.1.4.1.34697.2.3", ""}, |
| 71 }, | 71 }, |
| 72 // AffirmTrust Premium ECC | 72 // AffirmTrust Premium ECC |
| 73 // https://premiumecc.affirmtrust.com:4433/ | 73 // https://premiumecc.affirmtrust.com:4433/ |
| 74 { { { 0xb8, 0x23, 0x6b, 0x00, 0x2f, 0x1d, 0x16, 0x86, 0x53, 0x01, | 74 { { { 0xb8, 0x23, 0x6b, 0x00, 0x2f, 0x1d, 0x16, 0x86, 0x53, 0x01, |
| 75 0x55, 0x6c, 0x11, 0xa4, 0x37, 0xca, 0xeb, 0xff, 0xc3, 0xbb } }, | 75 0x55, 0x6c, 0x11, 0xa4, 0x37, 0xca, 0xeb, 0xff, 0xc3, 0xbb } }, |
| 76 {"1.3.6.1.4.1.34697.2.4", ""}, | 76 {"1.3.6.1.4.1.34697.2.4", ""}, |
| 77 }, | 77 }, |
| 78 // CertPlus Class 2 Primary CA (KEYNECTIS) | 78 // CertPlus Class 2 Primary CA (KEYNECTIS) |
| 79 // https://www.keynectis.com/ | 79 // https://www.keynectis.com/ |
| 80 { { { 0x74, 0x20, 0x74, 0x41, 0x72, 0x9c, 0xdd, 0x92, 0xec, 0x79, | 80 { { { 0x74, 0x20, 0x74, 0x41, 0x72, 0x9c, 0xdd, 0x92, 0xec, 0x79, |
| 81 0x31, 0xd8, 0x23, 0x10, 0x8d, 0xc2, 0x81, 0x92, 0xe2, 0xbb } }, | 81 0x31, 0xd8, 0x23, 0x10, 0x8d, 0xc2, 0x81, 0x92, 0xe2, 0xbb } }, |
| 82 {"1.3.6.1.4.1.22234.2.5.2.3.1", ""}, | 82 {"1.3.6.1.4.1.22234.2.5.2.3.1", ""}, |
| 83 }, | 83 }, |
| 84 // Certum Trusted Network CA | 84 // Certum Trusted Network CA |
| 85 // https://juice.certum.pl/ | 85 // https://juice.certum.pl/ |
| 86 { { { 0x07, 0xe0, 0x32, 0xe0, 0x20, 0xb7, 0x2c, 0x3f, 0x19, 0x2f, | 86 { { { 0x07, 0xe0, 0x32, 0xe0, 0x20, 0xb7, 0x2c, 0x3f, 0x19, 0x2f, |
| 318 EVRootCAMetadata* EVRootCAMetadata::GetInstance() { | 318 EVRootCAMetadata* EVRootCAMetadata::GetInstance() { |
| 319 return g_ev_root_ca_metadata.Pointer(); | 319 return g_ev_root_ca_metadata.Pointer(); |
| 320 } | 320 } |
| 321 | 321 |
| 322 #if defined(USE_NSS) | 322 #if defined(USE_NSS) |
| 323 bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { | 323 bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { |
| 324 return policy_oids_.find(policy_oid) != policy_oids_.end(); | 324 return policy_oids_.find(policy_oid) != policy_oids_.end(); |
| 325 } | 325 } |
| 326 | 326 |
| 327 bool EVRootCAMetadata::HasEVPolicyOID( | 327 bool EVRootCAMetadata::HasEVPolicyOID( |
| 328 const SHA1Fingerprint& fingerprint, | 328 const SHA1HashValue& fingerprint, |
| 329 PolicyOID policy_oid) const { | 329 PolicyOID policy_oid) const { |
| 330 PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint); | 330 PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint); |
| 331 if (iter == ev_policy_.end()) | 331 if (iter == ev_policy_.end()) |
| 332 return false; | 332 return false; |
| 333 for (std::vector<PolicyOID>::const_iterator | 333 for (std::vector<PolicyOID>::const_iterator |
| 334 j = iter->second.begin(); j != iter->second.end(); ++j) { | 334 j = iter->second.begin(); j != iter->second.end(); ++j) { |
| 335 if (*j == policy_oid) | 335 if (*j == policy_oid) |
| 336 return true; | 336 return true; |
| 337 } | 337 } |
| 338 return false; | 338 return false; |
| 339 } | 339 } |
| 340 | 340 |
| 341 bool EVRootCAMetadata::AddEVCA(const SHA1Fingerprint& fingerprint, | 341 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 342 const char* policy) { | 342 const char* policy) { |
| 343 if (ev_policy_.find(fingerprint) != ev_policy_.end()) | 343 if (ev_policy_.find(fingerprint) != ev_policy_.end()) |
| 344 return false; | 344 return false; |
| 345 | 345 |
| 346 PolicyOID oid; | 346 PolicyOID oid; |
| 347 if (!RegisterOID(policy, &oid)) | 347 if (!RegisterOID(policy, &oid)) |
| 348 return false; | 348 return false; |
| 349 | 349 |
| 350 ev_policy_[fingerprint].push_back(oid); | 350 ev_policy_[fingerprint].push_back(oid); |
| 351 policy_oids_.insert(oid); | 351 policy_oids_.insert(oid); |
| 352 | 352 |
| 353 return true; | 353 return true; |
| 354 } | 354 } |
| 355 | 355 |
| 356 bool EVRootCAMetadata::RemoveEVCA(const SHA1Fingerprint& fingerprint) { | 356 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 357 PolicyOIDMap::iterator it = ev_policy_.find(fingerprint); | 357 PolicyOIDMap::iterator it = ev_policy_.find(fingerprint); |
| 358 if (it == ev_policy_.end()) | 358 if (it == ev_policy_.end()) |
| 359 return false; | 359 return false; |
| 360 PolicyOID oid = it->second[0]; | 360 PolicyOID oid = it->second[0]; |
| 361 ev_policy_.erase(it); | 361 ev_policy_.erase(it); |
| 362 policy_oids_.erase(oid); | 362 policy_oids_.erase(oid); |
| 363 return true; | 363 return true; |
| 364 } | 364 } |
| 365 | 365 |
| 366 // static | 366 // static |
| 400 | 400 |
| 401 for (ExtraEVCAMap::const_iterator i = extra_cas_.begin(); | 401 for (ExtraEVCAMap::const_iterator i = extra_cas_.begin(); |
| 402 i != extra_cas_.end(); i++) { | 402 i != extra_cas_.end(); i++) { |
| 403 if (i->second == policy_oid) | 403 if (i->second == policy_oid) |
| 404 return true; | 404 return true; |
| 405 } | 405 } |
| 406 | 406 |
| 407 return false; | 407 return false; |
| 408 } | 408 } |
| 409 | 409 |
| 410 bool EVRootCAMetadata::HasEVPolicyOID(const SHA1Fingerprint& fingerprint, | 410 bool EVRootCAMetadata::HasEVPolicyOID(const SHA1HashValue& fingerprint, |
| 411 PolicyOID policy_oid) const { | 411 PolicyOID policy_oid) const { |
| 412 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { | 412 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { |
| 413 if (!fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) | 413 if (!fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) |
| 414 continue; | 414 continue; |
| 415 for (size_t j = 0; j < arraysize(ev_root_ca_metadata[i].policy_oids); j++) { | 415 for (size_t j = 0; j < arraysize(ev_root_ca_metadata[i].policy_oids); j++) { |
| 416 if (ev_root_ca_metadata[i].policy_oids[j][0] == '\0') | 416 if (ev_root_ca_metadata[i].policy_oids[j][0] == '\0') |
| 417 break; | 417 break; |
| 418 if (strcmp(policy_oid, ev_root_ca_metadata[i].policy_oids[j]) == 0) | 418 if (strcmp(policy_oid, ev_root_ca_metadata[i].policy_oids[j]) == 0) |
| 419 return true; | 419 return true; |
| 420 } | 420 } |
| 421 return false; | 421 return false; |
| 422 } | 422 } |
| 423 | 423 |
| 424 ExtraEVCAMap::const_iterator it = extra_cas_.find(fingerprint); | 424 ExtraEVCAMap::const_iterator it = extra_cas_.find(fingerprint); |
| 425 return it != extra_cas_.end() && it->second == policy_oid; | 425 return it != extra_cas_.end() && it->second == policy_oid; |
| 426 } | 426 } |
| 427 | 427 |
| 428 bool EVRootCAMetadata::AddEVCA(const SHA1Fingerprint& fingerprint, | 428 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 429 const char* policy) { | 429 const char* policy) { |
| 430 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { | 430 for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { |
| 431 if (fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) | 431 if (fingerprint.Equals(ev_root_ca_metadata[i].fingerprint)) |
| 432 return false; | 432 return false; |
| 433 } | 433 } |
| 434 | 434 |
| 435 if (extra_cas_.find(fingerprint) != extra_cas_.end()) | 435 if (extra_cas_.find(fingerprint) != extra_cas_.end()) |
| 436 return false; | 436 return false; |
| 437 | 437 |
| 438 extra_cas_[fingerprint] = policy; | 438 extra_cas_[fingerprint] = policy; |
| 439 return true; | 439 return true; |
| 440 } | 440 } |
| 441 | 441 |
| 442 bool EVRootCAMetadata::RemoveEVCA(const SHA1Fingerprint& fingerprint) { | 442 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 443 ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint); | 443 ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint); |
| 444 if (it == extra_cas_.end()) | 444 if (it == extra_cas_.end()) |
| 445 return false; | 445 return false; |
| 446 extra_cas_.erase(it); | 446 extra_cas_.erase(it); |
| 447 return true; | 447 return true; |
| 448 } | 448 } |
| 449 | 449 |
| 450 #else | 450 #else |
| 451 | 451 |
| 452 // These are just stub functions for platforms where we don't use this EV | 452 // These are just stub functions for platforms where we don't use this EV |
| 453 // metadata. | 453 // metadata. |
| 454 | 454 |
| 455 bool EVRootCAMetadata::AddEVCA(const SHA1Fingerprint& fingerprint, | 455 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint, |
| 456 const char* policy) { | 456 const char* policy) { |
| 457 return true; | 457 return true; |
| 458 } | 458 } |
| 459 | 459 |
| 460 bool EVRootCAMetadata::RemoveEVCA(const SHA1Fingerprint& fingerprint) { | 460 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { |
| 461 return true; | 461 return true; |
| 462 } | 462 } |
| 463 | 463 |
| 464 #endif | 464 #endif |
| 465 | 465 |
| 466 EVRootCAMetadata::EVRootCAMetadata() { | 466 EVRootCAMetadata::EVRootCAMetadata() { |
| 467 // Constructs the object from the raw metadata in ev_root_ca_metadata. | 467 // Constructs the object from the raw metadata in ev_root_ca_metadata. |
| 468 #if defined(USE_NSS) | 468 #if defined(USE_NSS) |
| 469 crypto::EnsureNSSInit(); | 469 crypto::EnsureNSSInit(); |
| 470 | 470 |
| 484 ev_policy_[metadata.fingerprint].push_back(policy); | 484 ev_policy_[metadata.fingerprint].push_back(policy); |
| 485 policy_oids_.insert(policy); | 485 policy_oids_.insert(policy); |
| 486 } | 486 } |
| 487 } | 487 } |
| 488 #endif | 488 #endif |
| 489 } | 489 } |
| 490 | 490 |
| 491 EVRootCAMetadata::~EVRootCAMetadata() { } | 491 EVRootCAMetadata::~EVRootCAMetadata() { } |
| 492 | 492 |
| 493 } // namespace net | 493 } // namespace net |