Side by Side Diff: net/base/cert_verify_proc_win.cc

Issue 10826257: Implement SHA-256 fingerprint support (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 3 months ago
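--- a/net/base/cert_verify_proc_win.cc
+++ b/net/base/cert_verify_proc_win.cc
@@ -1,16 +1,19 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_win.h"
 
+#include <string>
+#include <vector>
+
 #include "base/memory/scoped_ptr.h"
 #include "base/sha1.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "crypto/capi_util.h"
 #include "crypto/scoped_capi_types.h"
 #include "crypto/sha2.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verifier.h"
@@ -276,21 +279,21 @@
 // which we recognise as a standard root.
 // static
 bool IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) {
   PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
   int num_elements = first_chain->cElement;
   if (num_elements < 1)
     return false;
   PCERT_CHAIN_ELEMENT* element = first_chain->rgpElement;
   PCCERT_CONTEXT cert = element[num_elements - 1]->pCertContext;
 
-  SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(cert);
+  SHA1HashValue hash = X509Certificate::CalculateFingerprint(cert);
   return IsSHA1HashInSortedArray(
       hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
 }
 
 // Saves some information about the certificate chain |chain_context| in
 // |*verify_result|. The caller MUST initialize |*verify_result| before
 // calling this function.
 void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
                       CertVerifyResult* verify_result) {
   if (chain_context->cChain == 0)
@@ -435,42 +438,46 @@
     default:
       NOTREACHED();
       continue;
     }
   }
 
   return true;
 }
 
 void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain,
-                           std::vector<SHA1Fingerprint>* hashes) {
+                           HashValueVector* hashes) {
   if (chain->cChain == 0)
     return;
 
   PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0];
   PCERT_CHAIN_ELEMENT* const element = first_chain->rgpElement;
 
   const DWORD num_elements = first_chain->cElement;
   for (DWORD i = 0; i < num_elements; i++) {
     PCCERT_CONTEXT cert = element[i]->pCertContext;
 
     base::StringPiece der_bytes(
         reinterpret_cast<const char*>(cert->pbCertEncoded),
         cert->cbCertEncoded);
     base::StringPiece spki_bytes;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
       continue;
 
-    SHA1Fingerprint hash;
+    HashValue sha1(HASH_VALUE_SHA1);
     base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
-                        spki_bytes.size(), hash.data);
-    hashes->push_back(hash);
+                        spki_bytes.size(), sha1.data());
+    hashes->push_back(sha1);
+
+    HashValue sha256(HASH_VALUE_SHA256);
+    crypto::SHA256HashString(spki_bytes, sha1.data(), crypto::kSHA256Length);
+    hashes->push_back(sha256);
   }
 }
 
 // Returns true if the certificate is an extended-validation certificate.
 //
 // This function checks the certificatePolicies extensions of the
 // certificates in the certificate chain according to Section 7 (pp. 11-12)
 // of the EV Certificate Guidelines Version 1.0 at
 // http://cabforum.org/EV_Certificate_Guidelines.pdf.
 bool CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
@@ -497,21 +504,21 @@
   // Check the end certificate simple chain (chain_context->rgpChain[0]).
   // If the end certificate's certificatePolicies extension contains the
   // EV policy OID of the root CA, return true.
   PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
   int num_elements = chain_context->rgpChain[0]->cElement;
   if (num_elements < 2)
     return false;
 
   // Look up the EV policy OID of the root CA.
   PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
-  SHA1Fingerprint fingerprint =
+  SHA1HashValue fingerprint =
       X509Certificate::CalculateFingerprint(root_cert);
   EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
   return metadata->HasEVPolicyOID(fingerprint, policy_oid);
 }
 
 } // namespace
 
 CertVerifyProcWin::CertVerifyProcWin() {}
 
 CertVerifyProcWin::~CertVerifyProcWin() {}
@@ -737,10 +744,10 @@
   verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
 
   if (ev_policy_oid &&
       CheckEV(chain_context, rev_checking_enabled, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
   return OK;
 }
 
 } // namespace net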
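Review bot: The new SHA-256 block in AppendPublicKeyHashes writes the digest into the wrong buffer: `crypto::SHA256HashString(spki_bytes, sha1.data(), crypto::kSHA256Length);` names `sha1.data()` as the output, so `sha256` is pushed onto `hashes` without its digest ever being computed, and 32 bytes land in the storage of the 20-byte SHA-1 value (whether that overruns depends on how HashValue sizes its buffer, which is not visible here). Any consumer matching SHA-256 public-key pins against this vector would compare against whatever `HashValue(HASH_VALUE_SHA256)` leaves in the buffer rather than the real SPKI hash, so pin enforcement on the Windows verifier would silently misbehave. The fix is `crypto::SHA256HashString(spki_bytes, sha256.data(), crypto::kSHA256Length);`, and a test asserting a known SPKI's SHA-256 value from this path would have caught it.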