
Side by Side Diff: net/base/x509_certificate_mac.cc

Issue 9699043: net: fallback to online revocation checks for EV status when CRLSet has expired. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 9 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 #include <time.h> 10 #include <time.h>
(...skipping 669 matching lines...) Expand 10 before | Expand all | Expand 10 after
680 base::StringPiece spki_bytes; 680 base::StringPiece spki_bytes;
681 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) 681 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
682 continue; 682 continue;
683 683
684 SHA1Fingerprint hash; 684 SHA1Fingerprint hash;
685 CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data); 685 CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data);
686 hashes->push_back(hash); 686 hashes->push_back(hash);
687 } 687 }
688 } 688 }
689 689
690 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) { 690 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
wtc 2012/03/16 00:33:10 Just curious: why does this function return bool h
agl 2012/03/20 20:02:19 Probably a mistake that I should clean up. Origina
691 if (CFArrayGetCount(chain) == 0) 691 if (CFArrayGetCount(chain) == 0)
692 return true; 692 return true;
693 693
694 // We iterate from the root certificate down to the leaf, keeping track of 694 // We iterate from the root certificate down to the leaf, keeping track of
695 // the issuer's SPKI at each step. 695 // the issuer's SPKI at each step.
696 std::string issuer_spki_hash; 696 std::string issuer_spki_hash;
697 for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) { 697 for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) {
698 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( 698 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
699 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); 699 const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
700 700
(...skipping 24 matching lines...) Expand all
725 if (result != CRLSet::REVOKED && !issuer_spki_hash.empty()) 725 if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
726 result = crl_set->CheckSerial(serial, issuer_spki_hash); 726 result = crl_set->CheckSerial(serial, issuer_spki_hash);
727 727
728 issuer_spki_hash = spki_hash; 728 issuer_spki_hash = spki_hash;
729 729
730 switch (result) { 730 switch (result) {
731 case CRLSet::REVOKED: 731 case CRLSet::REVOKED:
732 return false; 732 return false;
733 case CRLSet::UNKNOWN: 733 case CRLSet::UNKNOWN:
734 case CRLSet::GOOD: 734 case CRLSet::GOOD:
735 case CRLSet::CRL_SET_EXPIRED:
736 continue; 735 continue;
737 default: 736 default:
738 NOTREACHED(); 737 NOTREACHED();
739 return false; 738 return false;
740 } 739 }
741 } 740 }
742 741
743 return true; 742 return true;
744 } 743 }
745 744
(...skipping 880 matching lines...) Expand 10 before | Expand all | Expand 10 after
1626 *type = kPublicKeyTypeDH; 1625 *type = kPublicKeyTypeDH;
1627 break; 1626 break;
1628 default: 1627 default:
1629 *type = kPublicKeyTypeUnknown; 1628 *type = kPublicKeyTypeUnknown;
1630 *size_bits = 0; 1629 *size_bits = 0;
1631 break; 1630 break;
1632 } 1631 }
1633 } 1632 }
1634 1633
1635 } // namespace net 1634 } // namespace net
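Review bot: With the `CRL_SET_EXPIRED` case removed from the switch at new lines 730-739, nothing in the visible part of CheckRevocationWithCRLSet reports a stale CRLSet, and `UNKNOWN` and `GOOD` both continue to the final `return true`. A `true` result therefore means only that no certificate in the chain is listed as revoked, not that revocation status was confirmed; the expiry test named in the issue title presumably sits in the caller, which this page does not show. I would add a comment above the function so that EV callers do not read `true` as a positive check, for example `// Returns false only if a certificate in |chain| is listed as revoked in |crl_set|; true does not imply that |crl_set| is fresh or covers the chain.` Lines 701-724 of the function are collapsed here, so this rests on the visible part only.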