OLD | NEW |
---|---|
1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_ios.h" | 5 #include "net/cert/cert_verify_proc_ios.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/mac/scoped_cftyperef.h" | 10 #include "base/mac/scoped_cftyperef.h" |
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
109 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { | 109 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { |
110 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( | 110 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( |
111 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); | 111 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); |
112 if (i == 0) { | 112 if (i == 0) { |
113 verified_cert = chain_cert; | 113 verified_cert = chain_cert; |
114 } else { | 114 } else { |
115 verified_chain.push_back(chain_cert); | 115 verified_chain.push_back(chain_cert); |
116 } | 116 } |
117 | 117 |
118 std::string der_bytes; | 118 std::string der_bytes; |
119 if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes)) | 119 if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes)) { |
120 verify_result->cert_status |= CERT_STATUS_INVALID; | |
120 return; | 121 return; |
122 } | |
121 | 123 |
122 base::StringPiece spki_bytes; | 124 base::StringPiece spki_bytes; |
123 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | 125 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) { |
124 continue; | 126 verify_result->cert_status |= CERT_STATUS_INVALID; |
127 return; | |
128 } | |
125 | 129 |
126 HashValue sha1(HASH_VALUE_SHA1); | 130 HashValue sha1(HASH_VALUE_SHA1); |
127 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data()); | 131 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data()); |
128 verify_result->public_key_hashes.push_back(sha1); | 132 verify_result->public_key_hashes.push_back(sha1); |
129 | 133 |
130 HashValue sha256(HASH_VALUE_SHA256); | 134 HashValue sha256(HASH_VALUE_SHA256); |
131 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data()); | 135 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data()); |
132 verify_result->public_key_hashes.push_back(sha256); | 136 verify_result->public_key_hashes.push_back(sha256); |
133 | 137 |
134 // Ignore the signature algorithm for the trust anchor. | 138 // Ignore the signature algorithm for the trust anchor. |
135 if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 && | 139 if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 && |
136 i == count - 1) { | 140 i == count - 1) { |
137 continue; | 141 continue; |
138 } | 142 } |
139 } | 143 } |
140 if (!verified_cert) { | 144 if (!verified_cert) { |
141 NOTREACHED(); | 145 NOTREACHED(); |
146 verify_result->cert_status |= CERT_STATUS_INVALID; | |
eroman
2017/03/24 22:07:23
I don't know about this one, as reaching it means
mattm
2017/03/27 23:24:37
Yeah, on this and the mac one, due to the presence
| |
142 return; | 147 return; |
143 } | 148 } |
144 | 149 |
145 verify_result->verified_cert = | 150 scoped_refptr<X509Certificate> verified_cert_with_chain = |
146 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 151 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
152 if (verified_cert_with_chain) | |
153 verify_result->verified_cert = std::move(verified_cert_with_chain); | |
154 else | |
155 verify_result->cert_status |= CERT_STATUS_INVALID; | |
147 } | 156 } |
148 | 157 |
149 } // namespace | 158 } // namespace |
150 | 159 |
151 CertVerifyProcIOS::CertVerifyProcIOS() {} | 160 CertVerifyProcIOS::CertVerifyProcIOS() {} |
152 | 161 |
153 // The iOS APIs don't expose an API-stable set of reasons for certificate | 162 // The iOS APIs don't expose an API-stable set of reasons for certificate |
154 // validation failures. However, internally, the reason is tracked, and it's | 163 // validation failures. However, internally, the reason is tracked, and it's |
155 // converted to user-facing localized strings. | 164 // converted to user-facing localized strings. |
156 // | 165 // |
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
271 // roots. | 280 // roots. |
272 verify_result->is_issued_by_known_root = false; | 281 verify_result->is_issued_by_known_root = false; |
273 | 282 |
274 if (IsCertStatusError(verify_result->cert_status)) | 283 if (IsCertStatusError(verify_result->cert_status)) |
275 return MapCertStatusToNetError(verify_result->cert_status); | 284 return MapCertStatusToNetError(verify_result->cert_status); |
276 | 285 |
277 return OK; | 286 return OK; |
278 } | 287 } |
279 | 288 |
280 } // namespace net | 289 } // namespace net |
OLD | NEW |