
Side by Side Diff: net/base/cert_verify_proc_mac.cc

Issue 10826257: Implement SHA-256 fingerprint support (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 3 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/cert_verify_proc_mac.h" 5 #include "net/base/cert_verify_proc_mac.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 10
11 #include <string>
12 #include <vector>
13
11 #include "base/logging.h" 14 #include "base/logging.h"
12 #include "base/mac/mac_logging.h" 15 #include "base/mac/mac_logging.h"
13 #include "base/mac/scoped_cftyperef.h" 16 #include "base/mac/scoped_cftyperef.h"
14 #include "base/sha1.h" 17 #include "base/sha1.h"
15 #include "base/string_piece.h" 18 #include "base/string_piece.h"
16 #include "crypto/nss_util.h" 19 #include "crypto/nss_util.h"
17 #include "crypto/sha2.h" 20 #include "crypto/sha2.h"
18 #include "net/base/asn1_util.h" 21 #include "net/base/asn1_util.h"
19 #include "net/base/cert_status_flags.h" 22 #include "net/base/cert_status_flags.h"
20 #include "net/base/cert_verifier.h" 23 #include "net/base/cert_verifier.h"
226 } 229 }
227 } 230 }
228 if (!verified_cert) 231 if (!verified_cert)
229 return; 232 return;
230 233
231 verify_result->verified_cert = 234 verify_result->verified_cert =
232 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 235 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
233 } 236 }
234 237
235 void AppendPublicKeyHashes(CFArrayRef chain, 238 void AppendPublicKeyHashes(CFArrayRef chain,
236 std::vector<SHA1Fingerprint>* hashes) { 239 HashValueVector* hashes) {
237 const CFIndex n = CFArrayGetCount(chain); 240 const CFIndex n = CFArrayGetCount(chain);
238 for (CFIndex i = 0; i < n; i++) { 241 for (CFIndex i = 0; i < n; i++) {
239 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( 242 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
240 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); 243 const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
241 244
242 CSSM_DATA cert_data; 245 CSSM_DATA cert_data;
243 OSStatus err = SecCertificateGetData(cert, &cert_data); 246 OSStatus err = SecCertificateGetData(cert, &cert_data);
244 DCHECK_EQ(err, noErr); 247 DCHECK_EQ(err, noErr);
245 base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data), 248 base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
246 cert_data.Length); 249 cert_data.Length);
247 base::StringPiece spki_bytes; 250 base::StringPiece spki_bytes;
248 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) 251 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
249 continue; 252 continue;
250 253
251 SHA1Fingerprint hash; 254 HashValue sha1(HASH_VALUE_SHA1);
252 CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data); 255 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data());
253 hashes->push_back(hash); 256 hashes->push_back(sha1);
257
258 HashValue sha256(HASH_VALUE_SHA256);
259 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
260 hashes->push_back(sha256);
254 } 261 }
255 } 262 }
256 263
257 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) { 264 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
258 if (CFArrayGetCount(chain) == 0) 265 if (CFArrayGetCount(chain) == 0)
259 return true; 266 return true;
260 267
261 // We iterate from the root certificate down to the leaf, keeping track of 268 // We iterate from the root certificate down to the leaf, keeping track of
262 // the issuer's SPKI at each step. 269 // the issuer's SPKI at each step.
263 std::string issuer_spki_hash; 270 std::string issuer_spki_hash;
320 327
321 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA 328 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
322 // that we recognise as a standard root. 329 // that we recognise as a standard root.
323 // static 330 // static
324 bool IsIssuedByKnownRoot(CFArrayRef chain) { 331 bool IsIssuedByKnownRoot(CFArrayRef chain) {
325 int n = CFArrayGetCount(chain); 332 int n = CFArrayGetCount(chain);
326 if (n < 1) 333 if (n < 1)
327 return false; 334 return false;
328 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>( 335 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
329 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1))); 336 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
330 SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(root_ref); 337 SHA1HashValue hash = X509Certificate::CalculateFingerprint(root_ref);
331 return IsSHA1HashInSortedArray( 338 return IsSHA1HashInSortedArray(
332 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes)); 339 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
333 } 340 }
334 341
335 } // namespace 342 } // namespace
336 343
337 CertVerifyProcMac::CertVerifyProcMac() {} 344 CertVerifyProcMac::CertVerifyProcMac() {}
338 345
339 CertVerifyProcMac::~CertVerifyProcMac() {} 346 CertVerifyProcMac::~CertVerifyProcMac() {}
340 347
576 } 583 }
577 } 584 }
578 585
579 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes); 586 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
580 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain); 587 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
581 588
582 return OK; 589 return OK;
583 } 590 }
584 591
585 } // namespace net 592 } // namespace net
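Review bot: In AppendPublicKeyHashes a failure of SecCertificateGetData is caught only by `DCHECK_EQ(err, noErr)`, so in a release build a non-noErr result leaves `cert_data` (declared without an initializer) holding whatever was on the stack, and the new code then derives both the SHA-1 and the SHA-256 SPKI hash from that memory and appends them to the pin list. Turn it into a real check, `if (err != noErr) continue;` (keeping the DCHECK if you want the debug signal), so that an unreadable certificate contributes no hash rather than two hashes of undefined bytes — unless SecCertificateGetData is documented to zero its output on failure, which cannot be confirmed from this diff. Callers would also benefit from a header comment stating the new output shape, e.g. `// Appends, for each certificate in |chain|, the SHA-1 and then the SHA-256 hash of its SubjectPublicKeyInfo to |hashes|; certificates whose SPKI cannot be extracted contribute nothing.` Minor: `spki_bytes.size()` is a size_t passed to the CC_LONG length parameter of CC_SHA1/CC_SHA256, a narrowing that is harmless for certificate-sized input but worth an explicit static_cast for clarity.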