| Index: net/base/cert_verify_proc_nss.cc
|
| diff --git a/net/base/cert_verify_proc_nss.cc b/net/base/cert_verify_proc_nss.cc
|
| index 4fed28853c7752a8762395a4a4abb5ade37f5520..b1b1d35a154120fd467ca3a52d6e938aedb1e606 100644
|
| --- a/net/base/cert_verify_proc_nss.cc
|
| +++ b/net/base/cert_verify_proc_nss.cc
|
| @@ -28,6 +28,11 @@
|
| #include "net/base/x509_certificate.h"
|
| #include "net/base/x509_util_nss.h"
|
|
|
| +#if defined(OS_IOS)
|
| +#include <CommonCrypto/CommonDigest.h>
|
| +#include "net/base/x509_util_ios.h"
|
| +#endif // defined(OS_IOS)
|
| +
|
| namespace net {
|
|
|
| namespace {
|
| @@ -227,8 +232,13 @@ void GetCertChainInfo(CERTCertList* cert_list,
|
|
|
| if (root_cert)
|
| verified_chain.push_back(root_cert);
|
| +#if defined(OS_IOS)
|
| + verify_result->verified_cert =
|
| + x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain);
|
| +#else
|
| verify_result->verified_cert =
|
| X509Certificate::CreateFromHandle(verified_cert, verified_chain);
|
| +#endif // defined(OS_IOS)
|
| }
|
|
|
| // IsKnownRoot returns true if the given certificate is one that we believe
|
| @@ -314,17 +324,17 @@ CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
|
|
|
| // Forward declarations.
|
| SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| - X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
|
| + CERTCertificate* cert_handle, int num_policy_oids,
|
| bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
|
| CERTValOutParam* cvout);
|
| -SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle);
|
| +SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle);
|
|
|
| // Call CERT_PKIXVerifyCert for the cert_handle.
|
| // Verification results are stored in an array of CERTValOutParam.
|
| // If policy_oids is not NULL and num_policy_oids is positive, policies
|
| // are also checked.
|
| // Caller must initialize cvout before calling this function.
|
| -SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
|
| +SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
|
| bool check_revocation,
|
| bool cert_io_enabled,
|
| const SECOidTag* policy_oids,
|
| @@ -447,7 +457,7 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
|
| // CERT_PKIXVerifyCert. All the arguments of this function are either the
|
| // arguments or local variables of PKIXVerifyCert.
|
| SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| - X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
|
| + CERTCertificate* cert_handle, int num_policy_oids,
|
| bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
|
| CERTValOutParam* cvout) {
|
| // We call this function when the first CERT_PKIXVerifyCert call in
|
| @@ -528,7 +538,7 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
|
| // be decoded. The returned value must be freed with a
|
| // CERT_DestroyCertificatePoliciesExtension call.
|
| CERTCertificatePolicies* DecodeCertPolicies(
|
| - X509Certificate::OSCertHandle cert_handle) {
|
| + CERTCertificate* cert_handle) {
|
| SECItem policy_ext;
|
| SECStatus rv = CERT_FindCertExtension(cert_handle,
|
| SEC_OID_X509_CERTIFICATE_POLICIES,
|
| @@ -544,7 +554,7 @@ CERTCertificatePolicies* DecodeCertPolicies(
|
| // Returns the OID tag for the first certificate policy in the certificate's
|
| // certificatePolicies extension. Returns SEC_OID_UNKNOWN if the certificate
|
| // has no certificate policy.
|
| -SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle) {
|
| +SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle) {
|
| ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
|
| if (!policies.get())
|
| return SEC_OID_UNKNOWN;
|
| @@ -572,17 +582,25 @@ SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle) {
|
|
|
| HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
|
| HashValue hash(HASH_VALUE_SHA1);
|
| +#if defined(OS_IOS)
|
| + CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
|
| +#else
|
| SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
|
| cert->derPublicKey.data, cert->derPublicKey.len);
|
| DCHECK_EQ(SECSuccess, rv);
|
| +#endif
|
| return hash;
|
| }
|
|
|
| HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
|
| HashValue hash(HASH_VALUE_SHA256);
|
| +#if defined(OS_IOS)
|
| + CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
|
| +#else
|
| SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
|
| cert->derPublicKey.data, cert->derPublicKey.len);
|
| DCHECK_EQ(rv, SECSuccess);
|
| +#endif
|
| return hash;
|
| }
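Review bot: The iOS branches of CertPublicKeyHashSHA1 and CertPublicKeyHashSHA256 write CC_SHA1_DIGEST_LENGTH / CC_SHA256_DIGEST_LENGTH bytes into hash.data() unconditionally, so correctness depends on HashValue(HASH_VALUE_SHA1) and HashValue(HASH_VALUE_SHA256) sizing their buffers to exactly those lengths; that dependency is not visible in the hunk. CC_SHA1/CC_SHA256 return the digest pointer rather than a status, so the missing status check is not a defect in itself, but the silent size assumption deserves pinning, e.g. `DCHECK_EQ(static_cast<size_t>(CC_SHA1_DIGEST_LENGTH), hash.size());` before the CC_SHA1 call (and the SHA-256 equivalent), assuming HashValue exposes its length as size(). Separately, the new `#endif` lines here and at the VerifyEV hunk carry no trailing `// defined(OS_IOS)` comment, unlike the ones added to the include block, GetCertChainInfo and VerifyInternal; keeping them uniform makes the nested platform blocks easier to read.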
|
|
|
| @@ -686,8 +704,12 @@ bool VerifyEV(CERTCertificate* cert_handle,
|
| return false;
|
| }
|
|
|
| +#if defined(OS_IOS)
|
| + SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
|
| +#else
|
| SHA1HashValue fingerprint =
|
| X509Certificate::CalculateFingerprint(root_ca);
|
| +#endif
|
| return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
|
| }
|
|
|
| @@ -702,7 +724,15 @@ int CertVerifyProcNSS::VerifyInternal(X509Certificate* cert,
|
| int flags,
|
| CRLSet* crl_set,
|
| CertVerifyResult* verify_result) {
|
| +#if defined(OS_IOS)
|
| + // For iOS, the entire chain must be loaded into NSS's in-memory certificate
|
| + // store.
|
| + x509_util_ios::NSSCertChain scoped_chain(cert);
|
| + CERTCertificate* cert_handle = scoped_chain.cert_handle();
|
| +#else
|
| CERTCertificate* cert_handle = cert->os_cert_handle();
|
| +#endif // defined(OS_IOS)
|
| +
|
| // Make sure that the hostname matches with the common name of the cert.
|
| SECStatus status = CERT_VerifyCertName(cert_handle, hostname.c_str());
|
| if (status != SECSuccess)
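Review bot: On iOS, `cert_handle` comes from `scoped_chain.cert_handle()` and is passed straight to CERT_VerifyCertName with no null check; the NSSCertChain contract is not visible in this diff, but if loading the chain into NSS's in-memory store can fail, a NULL handle would be dereferenced inside NSS before any verification result is recorded. If that failure mode exists, guard it right after the `#endif`, e.g. `if (!cert_handle) return ERR_CERT_INVALID;` (or whichever error the non-iOS path reports for an unusable certificate). It would also help to extend the new comment to say why the load is needed, presumably because cert->os_cert_handle() is not an NSS handle on iOS. VerifyInternal's body continues past the end of the hunk.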
|
|
|