Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(177)

Side by Side Diff: net/base/x509_certificate_win.cc

Issue 9619007: net: allow EV indication on Windows when the local OCSP/CRL cache is stale. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #define PRArenaPool PLArenaPool // Required by <blapi.h>. 7 #define PRArenaPool PLArenaPool // Required by <blapi.h>.
8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS. 8 #include <blapi.h> // Implement CalculateChainFingerprint() with NSS.
9 9
10 #include "base/lazy_instance.h" 10 #include "base/lazy_instance.h"
(...skipping 897 matching lines...) Expand 10 before | Expand all | Expand 10 after
908 // statuses from the offline checks so we squash this error. 908 // statuses from the offline checks so we squash this error.
909 verify_result->cert_status &= ~CERT_STATUS_UNABLE_TO_CHECK_REVOCATION; 909 verify_result->cert_status &= ~CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
910 } 910 }
911 911
912 if (IsCertStatusError(verify_result->cert_status)) 912 if (IsCertStatusError(verify_result->cert_status))
913 return MapCertStatusToNetError(verify_result->cert_status); 913 return MapCertStatusToNetError(verify_result->cert_status);
914 914
915 AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes); 915 AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes);
916 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context); 916 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
917 917
918 if (ev_policy_oid && CheckEV(chain_context, ev_policy_oid)) 918 if (ev_policy_oid && CheckEV(chain_context, flags, ev_policy_oid))
919 verify_result->cert_status |= CERT_STATUS_IS_EV; 919 verify_result->cert_status |= CERT_STATUS_IS_EV;
920 return OK; 920 return OK;
921 } 921 }
922 922
923 // static 923 // static
924 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, 924 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
925 std::string* encoded) { 925 std::string* encoded) {
926 if (!cert_handle->pbCertEncoded || !cert_handle->cbCertEncoded) 926 if (!cert_handle->pbCertEncoded || !cert_handle->cbCertEncoded)
927 return false; 927 return false;
928 encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded), 928 encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded),
929 cert_handle->cbCertEncoded); 929 cert_handle->cbCertEncoded);
930 return true; 930 return true;
931 } 931 }
932 932
933 // Returns true if the certificate is an extended-validation certificate. 933 // Returns true if the certificate is an extended-validation certificate.
934 // 934 //
935 // This function checks the certificatePolicies extensions of the 935 // This function checks the certificatePolicies extensions of the
936 // certificates in the certificate chain according to Section 7 (pp. 11-12) 936 // certificates in the certificate chain according to Section 7 (pp. 11-12)
937 // of the EV Certificate Guidelines Version 1.0 at 937 // of the EV Certificate Guidelines Version 1.0 at
938 // http://cabforum.org/EV_Certificate_Guidelines.pdf. 938 // http://cabforum.org/EV_Certificate_Guidelines.pdf.
939 bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context, 939 bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
940 int flags,
940 const char* policy_oid) const { 941 const char* policy_oid) const {
941 DCHECK_NE(static_cast<DWORD>(0), chain_context->cChain); 942 DCHECK_NE(static_cast<DWORD>(0), chain_context->cChain);
942 // If the cert doesn't match any of the policies, the 943 // If the cert doesn't match any of the policies, the
943 // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in 944 // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in
944 // chain_context->TrustStatus.dwErrorStatus is set. 945 // chain_context->TrustStatus.dwErrorStatus is set.
945 DWORD error_status = chain_context->TrustStatus.dwErrorStatus; 946 DWORD error_status = chain_context->TrustStatus.dwErrorStatus;
946 DWORD info_status = chain_context->TrustStatus.dwInfoStatus; 947
948 if (!(flags & VERIFY_REV_CHECKING_ENABLED)) {
949 // If online revocation checking is disabled then we will have still
950 // requested that the revocation cache be checked. However, that will often
951 // cause the following two error bits to be set. Since they are expected,
952 // we mask them away.
953 error_status &= ~(CERT_TRUST_IS_OFFLINE_REVOCATION |
954 CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
955 }
947 if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR) 956 if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR)
948 return false; 957 return false;
949 958
950 // Check the end certificate simple chain (chain_context->rgpChain[0]). 959 // Check the end certificate simple chain (chain_context->rgpChain[0]).
951 // If the end certificate's certificatePolicies extension contains the 960 // If the end certificate's certificatePolicies extension contains the
952 // EV policy OID of the root CA, return true. 961 // EV policy OID of the root CA, return true.
953 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement; 962 PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
954 int num_elements = chain_context->rgpChain[0]->cElement; 963 int num_elements = chain_context->rgpChain[0]->cElement;
955 if (num_elements < 2) 964 if (num_elements < 2)
956 return false; 965 return false;
(...skipping 171 matching lines...) Expand 10 before | Expand all | Expand 10 after
1128 *type = kPublicKeyTypeECDH; 1137 *type = kPublicKeyTypeECDH;
1129 break; 1138 break;
1130 default: 1139 default:
1131 *type = kPublicKeyTypeUnknown; 1140 *type = kPublicKeyTypeUnknown;
1132 *size_bits = 0; 1141 *size_bits = 0;
1133 break; 1142 break;
1134 } 1143 }
1135 } 1144 }
1136 1145
1137 } // namespace net 1146 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698