1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
8 #include <openssl/crypto.h> | 8 #include <openssl/crypto.h> |
9 #include <openssl/obj_mac.h> | 9 #include <openssl/obj_mac.h> |
10 #include <openssl/pem.h> | 10 #include <openssl/pem.h> |
11 #include <openssl/pkcs7.h> | 11 #include <openssl/pkcs7.h> |
12 #include <openssl/sha.h> | 12 #include <openssl/sha.h> |
13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
14 #include <openssl/x509v3.h> | 14 #include <openssl/x509v3.h> |
15 | 15 |
16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
17 #include "base/pickle.h" | 17 #include "base/pickle.h" |
18 #include "base/sha1.h" | 18 #include "base/sha1.h" |
19 #include "base/string_number_conversions.h" | 19 #include "base/string_number_conversions.h" |
20 #include "base/string_util.h" | 20 #include "base/string_util.h" |
21 #include "crypto/openssl_util.h" | 21 #include "crypto/openssl_util.h" |
22 #include "net/base/net_errors.h" | 22 #include "net/base/net_errors.h" |
23 #include "net/base/net_util.h" | 23 #include "net/base/net_util.h" |
| 24 #include "net/base/ssl_cert_request_info.h" |
| 25 #include "net/base/x509_cert_types.h" |
24 #include "net/base/x509_util_openssl.h" | 26 #include "net/base/x509_util_openssl.h" |
25 | 27 |
26 #if defined(OS_ANDROID) | 28 #if defined(OS_ANDROID) |
27 #include "base/logging.h" | 29 #include "base/logging.h" |
28 #include "net/android/network_library.h" | 30 #include "net/android/network_library.h" |
29 #endif | 31 #endif |
30 | 32 |
31 namespace net { | 33 namespace net { |
32 | 34 |
33 namespace { | 35 namespace { |
464 *type = kPublicKeyTypeECDSA; | 466 *type = kPublicKeyTypeECDSA; |
465 *size_bits = EVP_PKEY_size(key); | 467 *size_bits = EVP_PKEY_size(key); |
466 break; | 468 break; |
467 case EVP_PKEY_DH: | 469 case EVP_PKEY_DH: |
468 *type = kPublicKeyTypeDH; | 470 *type = kPublicKeyTypeDH; |
469 *size_bits = EVP_PKEY_size(key) * 8; | 471 *size_bits = EVP_PKEY_size(key) * 8; |
470 break; | 472 break; |
471 } | 473 } |
472 } | 474 } |
473 | 475 |
| 476 bool X509Certificate::IsValidClientCertificate( |
| 477 const SSLCertRequestInfo& cert_info) { |
| 478 |
| 479 bool cert_still_valid = true; |
| 480 |
| 481 // Some unit tests can explicitely set |no_client_certs| to false |
| 482 // and fill up |client_certs|, so handle this here. |
| 483 if (!cert_info.no_client_certs) { |
| 484 const std::vector<scoped_refptr<X509Certificate> >& client_certs = |
| 485 cert_info.client_certs; |
| 486 for (size_t i = 0; i < client_certs.size(); ++i) { |
| 487 if (Equals(client_certs[i])) { |
| 488 return true; |
| 489 } |
| 490 } |
| 491 return false; |
| 492 } |
| 493 |
| 494 DCHECK(cert_info.no_client_certs == true); |
| 495 |
| 496 // TODO(digit): Check certificate authorities. |
| 497 // It's unclear what the best way to do this is, i.e. the specication |
| 498 // states that about the "certificate_authorities" field of a |
| 499 // CertificateRequest message: |
| 500 // |
| 501 // A list of the distinguished names of acceptable certificate |
| 502 // authorities. These distinguished names may specify a desired |
| 503 // distinguished name for a root CA or for a subordinate CA; |
| 504 // thus, this message can be used both to describe known roots |
| 505 // and a desired authorization space. |
| 506 // |
| 507 // The "authorization space" seems to indicate that each listed |
| 508 // distinguished name may only include a small set of strings that |
| 509 // need to be matched against those in the certificate chain. |
| 510 // |
| 511 // For now, ignore this step, and assume that the server will |
| 512 // perform the verification itself. |
| 513 // |
| 514 |
| 515 // Check the key type |
| 516 crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> scoped_key( |
| 517 X509_get_pubkey(cert_handle_)); |
| 518 if (!scoped_key.get()) |
| 519 return false; |
| 520 |
| 521 SSLClientCertType key_type; |
| 522 switch (scoped_key.get()->type) { |
| 523 case EVP_PKEY_RSA: |
| 524 key_type = CLIENT_CERT_RSA_SIGN; |
| 525 break; |
| 526 #if 0 |
| 527 // TODO(digit): Add CLIENT_CERT_DSA_SIGN to SSLClientCertType. |
| 528 case EVP_PKEY_DSA: |
| 529 key_type = CLIENT_CERT_DSA_SIGN; |
| 530 break; |
| 531 #endif |
| 532 case EVP_PKEY_EC: |
| 533 key_type = CLIENT_CERT_ECDSA_SIGN; |
| 534 break; |
| 535 default: |
| 536 // Unknown key type |
| 537 return false; |
| 538 } |
| 539 |
| 540 cert_still_valid = false; |
| 541 for (size_t n = 0; n < cert_info.valid_key_types.size(); ++n) { |
| 542 if (cert_info.valid_key_types[n] == key_type) { |
| 543 cert_still_valid = true; |
| 544 break; |
| 545 } |
| 546 } |
| 547 |
| 548 return cert_still_valid; |
| 549 } |
| 550 |
474 } // namespace net | 551 } // namespace net |
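Review bot: `cert_still_valid` in the new IsValidClientCertificate is initialised to true on new line 479, but the only path that reads it first resets it to false on line 540, so the initial value is dead; the closing loop can be replaced by `return std::find(cert_info.valid_key_types.begin(), cert_info.valid_key_types.end(), key_type) != cert_info.valid_key_types.end();` (with `<algorithm>` included) and the variable dropped. `DCHECK(cert_info.no_client_certs == true)` on line 494 reads better as `DCHECK(cert_info.no_client_certs);`. An empty `valid_key_types` rejects every certificate here, which is presumably intended but deserves a one-line comment, and the `#if 0` DSA case on lines 526-531 is dead code that would be clearer as a plain TODO comment. The comments on lines 481 and 497 have typos: "explicitely" should be "explicitly" and "specication" should be "specification".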