| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <map> | 10 #include <map> |
| 11 #include <string> | 11 #include <string> |
| 12 #include <vector> | 12 #include <vector> |
| 13 | 13 |
| 14 #include "base/base64.h" | 14 #include "base/base64.h" |
| 15 #include "base/lazy_instance.h" | 15 #include "base/lazy_instance.h" |
| 16 #include "base/logging.h" | 16 #include "base/logging.h" |
| 17 #include "base/memory/singleton.h" | 17 #include "base/memory/singleton.h" |
| 18 #include "base/metrics/histogram.h" | 18 #include "base/metrics/histogram.h" |
| 19 #include "base/pickle.h" | 19 #include "base/pickle.h" |
| 20 #include "base/sha1.h" | 20 #include "base/sha1.h" |
| 21 #include "base/string_piece.h" | 21 #include "base/string_piece.h" |
| 22 #include "base/string_util.h" | 22 #include "base/string_util.h" |
| 23 #include "base/synchronization/lock.h" | 23 #include "base/synchronization/lock.h" |
| 24 #include "base/time.h" | 24 #include "base/time.h" |
| 25 #include "googleurl/src/url_canon_ip.h" | 25 #include "googleurl/src/url_canon_ip.h" |
| 26 #include "net/base/cert_status_flags.h" | 26 #include "net/base/cert_status_flags.h" |
| 27 #include "net/base/cert_verify_result.h" | 27 #include "net/base/cert_verify_result.h" |
| 28 #include "net/base/crl_set.h" |
| 28 #include "net/base/net_errors.h" | 29 #include "net/base/net_errors.h" |
| 29 #include "net/base/net_util.h" | 30 #include "net/base/net_util.h" |
| 30 #include "net/base/pem_tokenizer.h" | 31 #include "net/base/pem_tokenizer.h" |
| 31 | 32 |
| 32 namespace net { | 33 namespace net { |
| 33 | 34 |
| 34 namespace { | 35 namespace { |
| 35 | 36 |
| 36 // Indicates the order to use when trying to decode binary data, which is | 37 // Indicates the order to use when trying to decode binary data, which is |
| 37 // based on (speculation) as to what will be most common -> least common | 38 // based on (speculation) as to what will be most common -> least common |
| (...skipping 560 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 598 CRLSet* crl_set, | 599 CRLSet* crl_set, |
| 599 CertVerifyResult* verify_result) const { | 600 CertVerifyResult* verify_result) const { |
| 600 verify_result->Reset(); | 601 verify_result->Reset(); |
| 601 verify_result->verified_cert = const_cast<X509Certificate*>(this); | 602 verify_result->verified_cert = const_cast<X509Certificate*>(this); |
| 602 | 603 |
| 603 if (IsBlacklisted()) { | 604 if (IsBlacklisted()) { |
| 604 verify_result->cert_status |= CERT_STATUS_REVOKED; | 605 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 605 return ERR_CERT_REVOKED; | 606 return ERR_CERT_REVOKED; |
| 606 } | 607 } |
| 607 | 608 |
| 609 // If EV verification was requested and no CRLSet is present, or if the |
| 610 // CRLSet has expired, then enable online revocation checks. If the online |
| 611 // check fails, EV status won't be shown. |
| 612 // |
| 613 // A possible optimisation is to only enable online revocation checking in |
| 614 // the event that the leaf certificate appears to include a EV policy ID. |
| 615 // However, it's expected that having a current CRLSet will be very common. |
| 616 if ((flags & VERIFY_EV_CERT) && (!crl_set || crl_set->IsExpired())) |
| 617 flags |= VERIFY_REV_CHECKING_ENABLED; |
| 618 |
| 608 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 619 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
| 609 | 620 |
| 610 // This check is done after VerifyInternal so that VerifyInternal can fill in | 621 // This check is done after VerifyInternal so that VerifyInternal can fill in |
| 611 // the list of public key hashes. | 622 // the list of public key hashes. |
| 612 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 623 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
| 613 verify_result->cert_status |= CERT_STATUS_REVOKED; | 624 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 614 rv = MapCertStatusToNetError(verify_result->cert_status); | 625 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 615 } | 626 } |
| 616 | 627 |
| 617 // Check for weak keys in the entire verified chain. | 628 // Check for weak keys in the entire verified chain. |
| (...skipping 244 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 862 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 873 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
| 863 const uint8* array, | 874 const uint8* array, |
| 864 size_t array_byte_len) { | 875 size_t array_byte_len) { |
| 865 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 876 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
| 866 const size_t arraylen = array_byte_len / base::kSHA1Length; | 877 const size_t arraylen = array_byte_len / base::kSHA1Length; |
| 867 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 878 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
| 868 CompareSHA1Hashes); | 879 CompareSHA1Hashes); |
| 869 } | 880 } |
| 870 | 881 |
| 871 } // namespace net | 882 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9699043:
net: fallback to online revocation checks for EV status when CRLSet has expired. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src