diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-11-28 16:14:41 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-12-13 15:19:41 +0000 |
commit | 61d9742824d54be5693191fe502325a909feca59 (patch) | |
tree | cbf28e779b11338fe52eb75b915684cd8955542c /chromium/net/cert/pki | |
parent | 45f9ded08bb7526984b24ccb5a5327aaf6821676 (diff) | |
download | qtwebengine-chromium-61d9742824d54be5693191fe502325a909feca59.tar.gz |
BASELINE: Update Chromium to 108.0.5359.70
Change-Id: I77334ff232b819600f275bd3cfe41fbaa3619230
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/445904
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/net/cert/pki')
84 files changed, 523 insertions, 391 deletions
diff --git a/chromium/net/cert/pki/cert_error_id.cc b/chromium/net/cert/pki/cert_error_id.cc index 793b92ffb2c..8e185cdf5bd 100644 --- a/chromium/net/cert/pki/cert_error_id.cc +++ b/chromium/net/cert/pki/cert_error_id.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_error_id.h b/chromium/net/cert/pki/cert_error_id.h index 1c0e4ec947b..bc410b15a07 100644 --- a/chromium/net/cert/pki/cert_error_id.h +++ b/chromium/net/cert/pki/cert_error_id.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_error_params.cc b/chromium/net/cert/pki/cert_error_params.cc index 0d4f2b61d83..bbb39d4daa4 100644 --- a/chromium/net/cert/pki/cert_error_params.cc +++ b/chromium/net/cert/pki/cert_error_params.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,7 +6,6 @@ #include <memory> -#include "base/check.h" #include "base/strings/string_number_conversions.h" #include "net/der/input.h" diff --git a/chromium/net/cert/pki/cert_error_params.h b/chromium/net/cert/pki/cert_error_params.h index b00d0f2e8a4..371ac25b908 100644 --- a/chromium/net/cert/pki/cert_error_params.h +++ b/chromium/net/cert/pki/cert_error_params.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_errors.cc b/chromium/net/cert/pki/cert_errors.cc index 833fb1d3638..843967426f9 100644 --- a/chromium/net/cert/pki/cert_errors.cc +++ b/chromium/net/cert/pki/cert_errors.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_errors.h b/chromium/net/cert/pki/cert_errors.h index 98f635da34b..6e783bcb119 100644 --- a/chromium/net/cert/pki/cert_errors.h +++ b/chromium/net/cert/pki/cert_errors.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_issuer_source.h b/chromium/net/cert/pki/cert_issuer_source.h index 1568cd058f3..875aeb5a6ee 100644 --- a/chromium/net/cert/pki/cert_issuer_source.h +++ b/chromium/net/cert/pki/cert_issuer_source.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_issuer_source_static.cc b/chromium/net/cert/pki/cert_issuer_source_static.cc index c41aede9d6f..5b6147d5ef3 100644 --- a/chromium/net/cert/pki/cert_issuer_source_static.cc +++ b/chromium/net/cert/pki/cert_issuer_source_static.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -11,7 +11,7 @@ CertIssuerSourceStatic::~CertIssuerSourceStatic() = default; void CertIssuerSourceStatic::AddCert(scoped_refptr<ParsedCertificate> cert) { intermediates_.insert(std::make_pair( - cert->normalized_subject().AsStringPiece(), std::move(cert))); + cert->normalized_subject().AsStringView(), std::move(cert))); } void CertIssuerSourceStatic::Clear() { @@ -21,7 +21,7 @@ void CertIssuerSourceStatic::Clear() { void CertIssuerSourceStatic::SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) { auto range = - intermediates_.equal_range(cert->normalized_issuer().AsStringPiece()); + intermediates_.equal_range(cert->normalized_issuer().AsStringView()); for (auto it = range.first; it != range.second; ++it) issuers->push_back(it->second); } diff --git a/chromium/net/cert/pki/cert_issuer_source_static.h b/chromium/net/cert/pki/cert_issuer_source_static.h index c3be882d023..5fedd7491e6 100644 --- a/chromium/net/cert/pki/cert_issuer_source_static.h +++ b/chromium/net/cert/pki/cert_issuer_source_static.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -30,6 +30,8 @@ class NET_EXPORT CertIssuerSourceStatic : public CertIssuerSource { // Clears the set of certificates. void Clear(); + size_t size() const { return intermediates_.size(); } + // CertIssuerSource implementation: void SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) override; @@ -39,9 +41,7 @@ class NET_EXPORT CertIssuerSourceStatic : public CertIssuerSource { private: // The certificates that the CertIssuerSourceStatic can return, keyed on the // normalized subject value. - std::unordered_multimap<base::StringPiece, - scoped_refptr<ParsedCertificate>, - base::StringPieceHash> + std::unordered_multimap<std::string_view, scoped_refptr<ParsedCertificate>> intermediates_; }; diff --git a/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc b/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc index 02727cc6724..eab8e6710ce 100644 --- a/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc +++ b/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h b/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h index e3f165036db..1b5dfc6f9c7 100644 --- a/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h +++ b/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/certificate_policies.cc b/chromium/net/cert/pki/certificate_policies.cc index e7a3c17e435..a6943c38507 100644 --- a/chromium/net/cert/pki/certificate_policies.cc +++ b/chromium/net/cert/pki/certificate_policies.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/certificate_policies.h b/chromium/net/cert/pki/certificate_policies.h index 182bf9a82f5..60451b4c5da 100644 --- a/chromium/net/cert/pki/certificate_policies.h +++ b/chromium/net/cert/pki/certificate_policies.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/certificate_policies_unittest.cc b/chromium/net/cert/pki/certificate_policies_unittest.cc index b38aff49a73..710f480d209 100644 --- a/chromium/net/cert/pki/certificate_policies_unittest.cc +++ b/chromium/net/cert/pki/certificate_policies_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/common_cert_errors.cc b/chromium/net/cert/pki/common_cert_errors.cc index d282999c472..6cf4803c09b 100644 --- a/chromium/net/cert/pki/common_cert_errors.cc +++ b/chromium/net/cert/pki/common_cert_errors.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/common_cert_errors.h b/chromium/net/cert/pki/common_cert_errors.h index 2819671f4c9..1422b479e07 100644 --- a/chromium/net/cert/pki/common_cert_errors.h +++ b/chromium/net/cert/pki/common_cert_errors.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/crl.cc b/chromium/net/cert/pki/crl.cc index c3a0c9dc5fa..dc4839c6cd5 100644 --- a/chromium/net/cert/pki/crl.cc +++ b/chromium/net/cert/pki/crl.cc @@ -1,10 +1,11 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/crl.h" #include "base/stl_util.h" +#include "base/types/optional_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/revocation_util.h" #include "net/cert/pki/signature_algorithm.h" @@ -33,12 +34,11 @@ inline constexpr uint8_t kIssuingDistributionPointOid[] = {0x55, 0x1d, 0x1c}; !parser.HasMore(); } -bool ContainsExactMatchingName(std::vector<base::StringPiece> a, - std::vector<base::StringPiece> b) { +bool ContainsExactMatchingName(std::vector<std::string_view> a, + std::vector<std::string_view> b) { std::sort(a.begin(), a.end()); std::sort(b.begin(), b.end()); - return !base::STLSetIntersection<std::vector<base::StringPiece>>(a, b) - .empty(); + return !base::STLSetIntersection<std::vector<std::string_view>>(a, b).empty(); } } // namespace @@ -361,7 +361,7 @@ CRLRevocationStatus GetCRLStatusForCert( ParsedCrlTbsCertList::ParsedCrlTbsCertList() = default; ParsedCrlTbsCertList::~ParsedCrlTbsCertList() = default; -CRLRevocationStatus CheckCRL(base::StringPiece raw_crl, +CRLRevocationStatus CheckCRL(std::string_view raw_crl, const ParsedCertificateList& valid_chain, size_t target_cert_index, const ParsedDistributionPoint& cert_dp, @@ -422,10 +422,9 @@ CRLRevocationStatus CheckCRL(base::StringPiece raw_crl, // Check CRL dates. Roughly corresponds to 6.3.3 (a) (1) but does not attempt // to update the CRL if it is out of date. - if (!CheckRevocationDateValid( - tbs_cert_list.this_update, - base::OptionalOrNullptr(tbs_cert_list.next_update), verify_time, - max_age)) { + if (!CheckRevocationDateValid(tbs_cert_list.this_update, + base::OptionalToPtr(tbs_cert_list.next_update), + verify_time, max_age)) { return CRLRevocationStatus::UNKNOWN; } diff --git a/chromium/net/cert/pki/crl.h b/chromium/net/cert/pki/crl.h index e6add49add4..325b45deb9f 100644 --- a/chromium/net/cert/pki/crl.h +++ b/chromium/net/cert/pki/crl.h @@ -1,11 +1,10 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_CERT_PKI_CRL_H_ #define NET_CERT_PKI_CRL_H_ -#include "base/strings/string_piece_forward.h" #include "base/time/time.h" #include "net/base/net_export.h" #include "net/cert/pki/general_names.h" @@ -212,7 +211,7 @@ GetCRLStatusForCert(const der::Input& cert_serial, // the |thisUpdate| field in the CRL TBSCertList. Responses older than // |max_age| will be considered invalid. [[nodiscard]] NET_EXPORT CRLRevocationStatus -CheckCRL(base::StringPiece raw_crl, +CheckCRL(std::string_view raw_crl, const ParsedCertificateList& valid_chain, size_t target_cert_index, const ParsedDistributionPoint& cert_dp, diff --git a/chromium/net/cert/pki/extended_key_usage.cc b/chromium/net/cert/pki/extended_key_usage.cc index e4e97b30175..297a95c1f90 100644 --- a/chromium/net/cert/pki/extended_key_usage.cc +++ b/chromium/net/cert/pki/extended_key_usage.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/extended_key_usage.h b/chromium/net/cert/pki/extended_key_usage.h index f2ce9eb3e36..c4834d49e3c 100644 --- a/chromium/net/cert/pki/extended_key_usage.h +++ b/chromium/net/cert/pki/extended_key_usage.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/extended_key_usage_unittest.cc b/chromium/net/cert/pki/extended_key_usage_unittest.cc index f98ad799882..9a17c53dfc9 100644 --- a/chromium/net/cert/pki/extended_key_usage_unittest.cc +++ b/chromium/net/cert/pki/extended_key_usage_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/general_names.cc b/chromium/net/cert/pki/general_names.cc index 0a598dd24fe..d2bbd25ef51 100644 --- a/chromium/net/cert/pki/general_names.cc +++ b/chromium/net/cert/pki/general_names.cc @@ -1,13 +1,12 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/general_names.h" -#include "base/check_op.h" -#include "base/strings/string_util.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" +#include "net/cert/pki/string_util.h" #include "net/der/input.h" #include "net/der/parser.h" #include "net/der/tag.h" @@ -130,8 +129,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( } else if (tag == der::ContextSpecificPrimitive(1)) { // rfc822Name [1] IA5String, name_type = GENERAL_NAME_RFC822_NAME; - const base::StringPiece s = value.AsStringPiece(); - if (!base::IsStringASCII(s)) { + const std::string_view s = value.AsStringView(); + if (!net::string_util::IsAscii(s)) { errors->AddError(kRFC822NameNotAscii); return false; } @@ -139,8 +138,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( } else if (tag == der::ContextSpecificPrimitive(2)) { // dNSName [2] IA5String, name_type = GENERAL_NAME_DNS_NAME; - const base::StringPiece s = value.AsStringPiece(); - if (!base::IsStringASCII(s)) { + const std::string_view s = value.AsStringView(); + if (!net::string_util::IsAscii(s)) { errors->AddError(kDnsNameNotAscii); return false; } @@ -167,8 +166,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( } else if (tag == der::ContextSpecificPrimitive(6)) { // uniformResourceIdentifier [6] IA5String, name_type = GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER; - const base::StringPiece s = value.AsStringPiece(); - if (!base::IsStringASCII(s)) { + const std::string_view s = value.AsStringView(); + if (!net::string_util::IsAscii(s)) { errors->AddError(kURINotAscii); return false; } diff --git a/chromium/net/cert/pki/general_names.h b/chromium/net/cert/pki/general_names.h index 0bacddfe98e..c5c32d00428 100644 --- a/chromium/net/cert/pki/general_names.h +++ b/chromium/net/cert/pki/general_names.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -8,7 +8,6 @@ #include <memory> #include <vector> -#include "base/strings/string_piece_forward.h" #include "net/base/ip_address.h" #include "net/base/net_export.h" #include "net/cert/pki/cert_error_id.h" @@ -76,10 +75,10 @@ struct NET_EXPORT GeneralNames { std::vector<der::Input> other_names; // ASCII rfc822names. - std::vector<base::StringPiece> rfc822_names; + std::vector<std::string_view> rfc822_names; // ASCII hostnames. - std::vector<base::StringPiece> dns_names; + std::vector<std::string_view> dns_names; // DER-encoded ORAddress values. std::vector<der::Input> x400_addresses; @@ -91,7 +90,7 @@ struct NET_EXPORT GeneralNames { std::vector<der::Input> edi_party_names; // ASCII URIs. - std::vector<base::StringPiece> uniform_resource_identifiers; + std::vector<std::string_view> uniform_resource_identifiers; // iPAddresses as sequences of octets in network byte order. This will be // populated if the GeneralNames represents a Subject Alternative Name. diff --git a/chromium/net/cert/pki/name_constraints.cc b/chromium/net/cert/pki/name_constraints.cc index b66abdbef6c..eed0741d200 100644 --- a/chromium/net/cert/pki/name_constraints.cc +++ b/chromium/net/cert/pki/name_constraints.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -8,11 +8,10 @@ #include <memory> -#include "base/check.h" #include "base/numerics/clamped_math.h" -#include "base/strings/string_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/common_cert_errors.h" +#include "net/cert/pki/string_util.h" #include "net/cert/pki/verify_name_match.h" #include "net/der/input.h" #include "net/der/parser.h" @@ -52,8 +51,8 @@ enum WildcardMatchType { WILDCARD_PARTIAL_MATCH, WILDCARD_FULL_MATCH }; // |wildcard_matching| controls handling of wildcard names (|name| starts with // "*."). Wildcard handling is not specified by RFC 5280, but certificate // verification allows it, name constraints must check it similarly. -bool DNSNameMatches(base::StringPiece name, - base::StringPiece dns_constraint, +bool DNSNameMatches(std::string_view name, + std::string_view dns_constraint, WildcardMatchType wildcard_matching) { // Everything matches the empty DNS name constraint. if (dns_constraint.empty()) @@ -74,20 +73,20 @@ bool DNSNameMatches(base::StringPiece name, name[0] == '*' && name[1] == '.') { size_t dns_constraint_dot_pos = dns_constraint.find('.'); if (dns_constraint_dot_pos != std::string::npos) { - base::StringPiece dns_constraint_domain = + std::string_view dns_constraint_domain = dns_constraint.substr(dns_constraint_dot_pos + 1); - base::StringPiece wildcard_domain = name.substr(2); - if (base::EqualsCaseInsensitiveASCII(wildcard_domain, - dns_constraint_domain)) { + std::string_view wildcard_domain = name.substr(2); + if (net::string_util::IsEqualNoCase(wildcard_domain, + dns_constraint_domain)) { return true; } } } - if (!base::EndsWith(name, dns_constraint, - base::CompareCase::INSENSITIVE_ASCII)) { + if (!net::string_util::EndsWithNoCase(name, dns_constraint)) { return false; } + // Exact match. if (name.size() == dns_constraint.size()) return true; @@ -361,7 +360,7 @@ void NameConstraints::IsPermittedCert(const der::Input& subject_rdn_sequence, } } -bool NameConstraints::IsPermittedDNSName(base::StringPiece name) const { +bool NameConstraints::IsPermittedDNSName(std::string_view name) const { for (const auto& excluded_name : excluded_subtrees_.dns_names) { // When matching wildcard hosts against excluded subtrees, consider it a // match if the constraint would match any expansion of the wildcard. Eg, diff --git a/chromium/net/cert/pki/name_constraints.h b/chromium/net/cert/pki/name_constraints.h index 0fe0452da51..ea472a0ec33 100644 --- a/chromium/net/cert/pki/name_constraints.h +++ b/chromium/net/cert/pki/name_constraints.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,7 +9,6 @@ #include <memory> -#include "base/strings/string_piece_forward.h" #include "net/base/ip_address.h" #include "net/base/net_export.h" #include "net/cert/pki/general_names.h" @@ -56,7 +55,7 @@ class NET_EXPORT NameConstraints { // would not be permitted if "bar.com" is permitted and "foo.bar.com" is // excluded, while "*.baz.com" would only be permitted if "baz.com" is // permitted. - bool IsPermittedDNSName(base::StringPiece name) const; + bool IsPermittedDNSName(std::string_view name) const; // Returns true if the directoryName |name_rdn_sequence| is permitted. // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not diff --git a/chromium/net/cert/pki/name_constraints_unittest.cc b/chromium/net/cert/pki/name_constraints_unittest.cc index 32a97af4f4b..b69a376f5d2 100644 --- a/chromium/net/cert/pki/name_constraints_unittest.cc +++ b/chromium/net/cert/pki/name_constraints_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/nist_pkits_unittest.cc b/chromium/net/cert/pki/nist_pkits_unittest.cc index f2309349fba..20b48923db4 100644 --- a/chromium/net/cert/pki/nist_pkits_unittest.cc +++ b/chromium/net/cert/pki/nist_pkits_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/nist_pkits_unittest.h b/chromium/net/cert/pki/nist_pkits_unittest.h index bf4d16485c9..8e4c2cb38eb 100644 --- a/chromium/net/cert/pki/nist_pkits_unittest.h +++ b/chromium/net/cert/pki/nist_pkits_unittest.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -97,7 +97,7 @@ class PkitsTest : public ::testing::Test { crl_ders.push_back(net::ReadTestFileToString( "net/third_party/nist-pkits/crls/" + s + ".crl")); - base::StringPiece test_number = info.test_number; + std::string_view test_number = info.test_number; // Some of the PKITS tests are intentionally given different expectations // from PKITS.pdf. diff --git a/chromium/net/cert/pki/ocsp.cc b/chromium/net/cert/pki/ocsp.cc index 46fd72f7109..816a7840c83 100644 --- a/chromium/net/cert/pki/ocsp.cc +++ b/chromium/net/cert/pki/ocsp.cc @@ -1,19 +1,17 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/ocsp.h" -#include <algorithm> - -#include "base/base64.h" -#include "base/strings/string_util.h" +#include "base/containers/contains.h" #include "base/time/time.h" #include "net/cert/asn1_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/extended_key_usage.h" #include "net/cert/pki/parsed_certificate.h" #include "net/cert/pki/revocation_util.h" +#include "net/cert/pki/string_util.h" #include "net/cert/pki/verify_name_match.h" #include "net/cert/pki/verify_signed_data.h" #include "net/cert/x509_util.h" @@ -466,19 +464,20 @@ bool VerifyHash(const EVP_MD* type, // subjectPublicKey BIT STRING // } bool GetSubjectPublicKeyBytes(const der::Input& spki_tlv, der::Input* spk_tlv) { + // TODO(bbe) decide what to do with the asn1 utilities, bring them into pki + // or use the boringssl stuff internally.. base::StringPiece spk_strpiece; if (!asn1::ExtractSubjectPublicKeyFromSPKI(spki_tlv.AsStringPiece(), &spk_strpiece)) { return false; } - // ExtractSubjectPublicKeyFromSPKI() includes the unused bit count. For this // application, the unused bit count must be zero, and is not included in the // result. - if (!base::StartsWith(spk_strpiece, "\0")) + if (!net::string_util::StartsWith( + std::string_view(spk_strpiece.data(), spk_strpiece.size()), "\0")) return false; spk_strpiece.remove_prefix(1); - *spk_tlv = der::Input(spk_strpiece); return true; } @@ -525,15 +524,16 @@ bool CheckCertIDMatchesCertificate( // TODO(eroman): Revisit how certificate parsing is used by this file. Ideally // would either pass in the parsed bits, or have a better abstraction for lazily // parsing. -scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { +scoped_refptr<ParsedCertificate> OCSPParseCertificate(std::string_view der) { ParseCertificateOptions parse_options; parse_options.allow_invalid_serial_numbers = true; // TODO(eroman): Swallows the parsing errors. However uses a permissive // parsing model. CertErrors errors; - return ParsedCertificate::Create(x509_util::CreateCryptoBuffer(der), {}, - &errors); + return ParsedCertificate::Create( + x509_util::CreateCryptoBuffer(base::StringPiece(der.data(), der.size())), + {}, &errors); } // Checks that the ResponderID |id| matches the certificate |cert| either @@ -578,7 +578,8 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { // The Authorized Responder must be directly signed by the issuer of the // certificate being checked. // TODO(eroman): Must check the signature algorithm against policy. - if (!VerifySignedData(responder_certificate->signature_algorithm(), + if (!responder_certificate->signature_algorithm().has_value() || + !VerifySignedData(*responder_certificate->signature_algorithm(), responder_certificate->tbs_certificate_tlv(), responder_certificate->signature_value(), issuer_certificate->tbs().spki_tlv)) { @@ -589,14 +590,9 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { // part of the extended key usage extension. if (!responder_certificate->has_extended_key_usage()) return false; - const std::vector<der::Input>& ekus = - responder_certificate->extended_key_usage(); - if (std::find(ekus.begin(), ekus.end(), der::Input(kOCSPSigning)) == - ekus.end()) { - return false; - } - return true; + return base::Contains(responder_certificate->extended_key_usage(), + der::Input(kOCSPSigning)); } [[nodiscard]] bool VerifyOCSPResponseSignatureGivenCert( @@ -631,7 +627,7 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { // (3) Has signed the OCSP response using its public key. for (const auto& responder_cert_tlv : response.certs) { scoped_refptr<ParsedCertificate> cur_responder_certificate = - OCSPParseCertificate(responder_cert_tlv.AsStringPiece()); + OCSPParseCertificate(responder_cert_tlv.AsStringView()); // If failed parsing the certificate, keep looking. if (!cur_responder_certificate) @@ -787,10 +783,10 @@ OCSPRevocationStatus GetRevocationStatusForCert( } OCSPRevocationStatus CheckOCSP( - base::StringPiece raw_response, - base::StringPiece certificate_der, + std::string_view raw_response, + std::string_view certificate_der, const ParsedCertificate* certificate, - base::StringPiece issuer_certificate_der, + std::string_view issuer_certificate_der, const ParsedCertificate* issuer_certificate, const base::Time& verify_time, const base::TimeDelta& max_age, @@ -891,9 +887,9 @@ OCSPRevocationStatus CheckOCSP( } // namespace OCSPRevocationStatus CheckOCSP( - base::StringPiece raw_response, - base::StringPiece certificate_der, - base::StringPiece issuer_certificate_der, + std::string_view raw_response, + std::string_view certificate_der, + std::string_view issuer_certificate_der, const base::Time& verify_time, const base::TimeDelta& max_age, OCSPVerifyResult::ResponseStatus* response_details) { @@ -903,15 +899,15 @@ OCSPRevocationStatus CheckOCSP( } OCSPRevocationStatus CheckOCSP( - base::StringPiece raw_response, + std::string_view raw_response, const ParsedCertificate* certificate, const ParsedCertificate* issuer_certificate, const base::Time& verify_time, const base::TimeDelta& max_age, OCSPVerifyResult::ResponseStatus* response_details) { - return CheckOCSP(raw_response, base::StringPiece(), certificate, - base::StringPiece(), issuer_certificate, verify_time, - max_age, response_details); + return CheckOCSP(raw_response, std::string_view(), certificate, + std::string_view(), issuer_certificate, verify_time, max_age, + response_details); } bool CreateOCSPRequest(const ParsedCertificate* cert, @@ -1007,7 +1003,7 @@ bool CreateOCSPRequest(const ParsedCertificate* cert, // the OCSPRequest} GURL CreateOCSPGetURL(const ParsedCertificate* cert, const ParsedCertificate* issuer, - base::StringPiece ocsp_responder_url) { + std::string_view ocsp_responder_url) { std::vector<uint8_t> ocsp_request_der; if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) { // Unexpected (means BoringSSL failed an operation). @@ -1015,19 +1011,23 @@ GURL CreateOCSPGetURL(const ParsedCertificate* cert, } // Base64 encode the request data. - std::string b64_encoded; - base::Base64Encode( - base::StringPiece(reinterpret_cast<const char*>(ocsp_request_der.data()), - ocsp_request_der.size()), - &b64_encoded); + size_t len; + if (!EVP_EncodedLength(&len, ocsp_request_der.size())) { + return GURL(); + } + std::vector<uint8_t> encoded(len); + len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(), + ocsp_request_der.size()); + + std::string b64_encoded(encoded.begin(), encoded.begin() + len); // In theory +, /, and = are valid in paths and don't need to be escaped. // However from the example in RFC 5019 section 5 it is clear that the intent // is to escape non-alphanumeric characters (the example conclusively escapes // '/' and '=', but doesn't clarify '+'). - base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "+", "%2B"); - base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "/", "%2F"); - base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "=", "%3D"); + b64_encoded = net::string_util::FindAndReplace(b64_encoded, "+", "%2B"); + b64_encoded = net::string_util::FindAndReplace(b64_encoded, "/", "%2F"); + b64_encoded = net::string_util::FindAndReplace(b64_encoded, "=", "%3D"); // No attempt is made to collapse double slashes for URLs that end in slash, // since the spec doesn't do that. diff --git a/chromium/net/cert/pki/ocsp.h b/chromium/net/cert/pki/ocsp.h index 6a2a5e5b7d3..7464a033d19 100644 --- a/chromium/net/cert/pki/ocsp.h +++ b/chromium/net/cert/pki/ocsp.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -8,7 +8,6 @@ #include <memory> #include <vector> -#include "base/strings/string_piece_forward.h" #include "base/time/time.h" #include "net/base/net_export.h" #include "net/cert/ocsp_revocation_status.h" @@ -287,9 +286,9 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, // |max_age| will be considered invalid. // * |response_details|: Additional details about failures. [[nodiscard]] NET_EXPORT OCSPRevocationStatus -CheckOCSP(base::StringPiece raw_response, - base::StringPiece certificate_der, - base::StringPiece issuer_certificate_der, +CheckOCSP(std::string_view raw_response, + std::string_view certificate_der, + std::string_view issuer_certificate_der, const base::Time& verify_time, const base::TimeDelta& max_age, OCSPVerifyResult::ResponseStatus* response_details); @@ -300,7 +299,7 @@ CheckOCSP(base::StringPiece raw_response, // Arguments are the same as above, except that it takes already parsed // instances of the certificate and issuer certificate. [[nodiscard]] NET_EXPORT OCSPRevocationStatus -CheckOCSP(base::StringPiece raw_response, +CheckOCSP(std::string_view raw_response, const ParsedCertificate* certificate, const ParsedCertificate* issuer_certificate, const base::Time& verify_time, @@ -321,7 +320,7 @@ NET_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert, // Creates a URL to issue a GET request for OCSP information for |cert|. NET_EXPORT GURL CreateOCSPGetURL(const ParsedCertificate* cert, const ParsedCertificate* issuer, - base::StringPiece ocsp_responder_url); + std::string_view ocsp_responder_url); } // namespace net diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc index 1d23453d0b5..6158c1cf923 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc index d312f0fae1b..bf701d8a0e0 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc index f3673aeec7a..df8e88487ce 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc index 872e2680a4e..d3289c7e29d 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_unittest.cc b/chromium/net/cert/pki/ocsp_unittest.cc index 6b3ae13a68d..bd1b25d4959 100644 --- a/chromium/net/cert/pki/ocsp_unittest.cc +++ b/chromium/net/cert/pki/ocsp_unittest.cc @@ -1,15 +1,15 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/ocsp.h" -#include "base/base64.h" #include "base/strings/string_piece.h" -#include "base/strings/string_util.h" +#include "net/cert/pki/string_util.h" #include "net/cert/pki/test_helpers.h" #include "net/der/encode_values.h" #include "testing/gtest/include/gtest/gtest.h" +#include "third_party/boringssl/src/include/openssl/base64.h" #include "third_party/boringssl/src/include/openssl/pool.h" #include "url/gurl.h" @@ -23,7 +23,7 @@ std::string GetFilePath(const std::string& file_name) { return std::string("net/data/ocsp_unittest/") + file_name; } -scoped_refptr<ParsedCertificate> ParseCertificate(base::StringPiece data) { +scoped_refptr<ParsedCertificate> ParseCertificate(std::string_view data) { CertErrors errors; return ParsedCertificate::Create( bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( @@ -124,7 +124,7 @@ const TestParams kTestParams[] = { // Parameterised test name generator for tests depending on RenderTextBackend. struct PrintTestName { std::string operator()(const testing::TestParamInfo<TestParams>& info) const { - base::StringPiece name(info.param.file_name); + std::string_view name(info.param.file_name); // Strip ".pem" from the end as GTest names cannot contain period. name.remove_suffix(4); return std::string(name); @@ -178,7 +178,7 @@ TEST_P(CheckOCSPTest, FromFile) { der::Input(&request_data)); } -base::StringPiece kGetURLTestParams[] = { +std::string_view kGetURLTestParams[] = { "http://www.example.com/", "http://www.example.com/path/", "http://www.example.com/path", @@ -186,8 +186,8 @@ base::StringPiece kGetURLTestParams[] = { "http://user:pass@www.example.com/path?query", }; -class CreateOCSPGetURLTest - : public ::testing::TestWithParam<base::StringPiece> {}; +class CreateOCSPGetURLTest : public ::testing::TestWithParam<std::string_view> { +}; INSTANTIATE_TEST_SUITE_P(All, CreateOCSPGetURLTest, @@ -223,15 +223,20 @@ TEST_P(CreateOCSPGetURLTest, Basic) { std::string b64 = url.spec().substr(GetParam().size() + 1); // Hex un-escape the data. - base::ReplaceSubstringsAfterOffset(&b64, 0, "%2B", "+"); - base::ReplaceSubstringsAfterOffset(&b64, 0, "%2F", "/"); - base::ReplaceSubstringsAfterOffset(&b64, 0, "%3D", "="); + b64 = net::string_util::FindAndReplace(b64, "%2B", "+"); + b64 = net::string_util::FindAndReplace(b64, "%2F", "/"); + b64 = net::string_util::FindAndReplace(b64, "%3D", "="); // Base64 decode the data. - std::string decoded; - ASSERT_TRUE(base::Base64Decode(b64, &decoded)); - - EXPECT_EQ(request_data, decoded); + size_t len; + EXPECT_TRUE(EVP_DecodedLength(&len, b64.size())); + std::vector<uint8_t> decoded(len); + EXPECT_TRUE(EVP_DecodeBase64(decoded.data(), &len, len, + reinterpret_cast<const uint8_t*>(b64.data()), + b64.size())); + std::string decoded_string(decoded.begin(), decoded.begin() + len); + + EXPECT_EQ(request_data, decoded_string); } } // namespace diff --git a/chromium/net/cert/pki/parse_certificate.cc b/chromium/net/cert/pki/parse_certificate.cc index d206ec897e6..7be07772fd6 100644 --- a/chromium/net/cert/pki/parse_certificate.cc +++ b/chromium/net/cert/pki/parse_certificate.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,10 +6,10 @@ #include <utility> -#include "base/strings/string_util.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/general_names.h" +#include "net/cert/pki/string_util.h" #include "net/der/input.h" #include "net/der/parse_values.h" #include "net/der/parser.h" @@ -805,8 +805,8 @@ bool ParseAuthorityInfoAccess( bool ParseAuthorityInfoAccessURIs( const der::Input& authority_info_access_tlv, - std::vector<base::StringPiece>* out_ca_issuers_uris, - std::vector<base::StringPiece>* out_ocsp_uris) { + std::vector<std::string_view>* out_ca_issuers_uris, + std::vector<std::string_view>* out_ocsp_uris) { std::vector<AuthorityInfoAccessDescription> access_descriptions; if (!ParseAuthorityInfoAccess(authority_info_access_tlv, &access_descriptions)) { @@ -825,8 +825,8 @@ bool ParseAuthorityInfoAccessURIs( // GeneralName ::= CHOICE { if (access_location_tag == der::ContextSpecificPrimitive(6)) { // uniformResourceIdentifier [6] IA5String, - base::StringPiece uri = access_location_value.AsStringPiece(); - if (!base::IsStringASCII(uri)) + std::string_view uri = access_location_value.AsStringView(); + if (!net::string_util::IsAscii(uri)) return false; if (access_description.access_method_oid == der::Input(kAdCaIssuersOid)) diff --git a/chromium/net/cert/pki/parse_certificate.h b/chromium/net/cert/pki/parse_certificate.h index d71dda139b5..960244ce8e6 100644 --- a/chromium/net/cert/pki/parse_certificate.h +++ b/chromium/net/cert/pki/parse_certificate.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -535,8 +535,8 @@ struct AuthorityInfoAccessDescription { // ignored. [[nodiscard]] NET_EXPORT bool ParseAuthorityInfoAccessURIs( const der::Input& authority_info_access_tlv, - std::vector<base::StringPiece>* out_ca_issuers_uris, - std::vector<base::StringPiece>* out_ocsp_uris); + std::vector<std::string_view>* out_ca_issuers_uris, + std::vector<std::string_view>* out_ocsp_uris); // ParsedDistributionPoint represents a parsed DistributionPoint from RFC 5280. // diff --git a/chromium/net/cert/pki/parse_certificate_fuzzer.cc b/chromium/net/cert/pki/parse_certificate_fuzzer.cc index b73eb018a24..95ddc39c3e4 100644 --- a/chromium/net/cert/pki/parse_certificate_fuzzer.cc +++ b/chromium/net/cert/pki/parse_certificate_fuzzer.cc @@ -1,11 +1,10 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <stddef.h> #include <stdint.h> -#include "base/check_op.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/parsed_certificate.h" #include "net/cert/x509_util.h" diff --git a/chromium/net/cert/pki/parse_certificate_unittest.cc b/chromium/net/cert/pki/parse_certificate_unittest.cc index 7f5c48efe3e..f22c45fdb19 100644 --- a/chromium/net/cert/pki/parse_certificate_unittest.cc +++ b/chromium/net/cert/pki/parse_certificate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -536,7 +536,7 @@ TEST(ParseAuthorityInfoAccess, BasicTests) { EXPECT_EQ(der::Input(location_der), desc.access_location); } - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); ASSERT_EQ(1u, ca_issuers_uris.size()); @@ -578,7 +578,7 @@ TEST(ParseAuthorityInfoAccess, NoOcspOrCaIssuersURIs) { 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f}; EXPECT_EQ(der::Input(location_der), desc.access_location); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; // ParseAuthorityInfoAccessURIs should still return success since it was a // valid AuthorityInfoAccess extension, even though it did not contain any // elements we care about, and both output vectors should be empty. @@ -610,7 +610,7 @@ TEST(ParseAuthorityInfoAccess, IncompleteAccessDescription) { std::vector<AuthorityInfoAccessDescription> access_descriptions; EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions)); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); } @@ -633,7 +633,7 @@ TEST(ParseAuthorityInfoAccess, ExtraDataInAccessDescription) { std::vector<AuthorityInfoAccessDescription> access_descriptions; EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions)); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); } @@ -645,7 +645,7 @@ TEST(ParseAuthorityInfoAccess, EmptySequence) { std::vector<AuthorityInfoAccessDescription> access_descriptions; EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions)); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); } diff --git a/chromium/net/cert/pki/parse_name.cc b/chromium/net/cert/pki/parse_name.cc index 5cd4516890c..5e8459aa0d8 100644 --- a/chromium/net/cert/pki/parse_name.cc +++ b/chromium/net/cert/pki/parse_name.cc @@ -1,11 +1,9 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/parse_name.h" -#include "base/check_op.h" -#include "base/notreached.h" #include "base/strings/string_number_conversions.h" #include "net/der/parse_values.h" #include "third_party/boringssl/src/include/openssl/bytestring.h" @@ -72,7 +70,7 @@ bool X509NameAttribute::ValueAsStringUnsafe(std::string* out) const { case der::kBmpString: return der::ParseBmpString(value, out); default: - NOTREACHED(); + assert(0); // NOTREACHED return false; } } diff --git a/chromium/net/cert/pki/parse_name.h b/chromium/net/cert/pki/parse_name.h index e44833a9b30..93d8db53d67 100644 --- a/chromium/net/cert/pki/parse_name.h +++ b/chromium/net/cert/pki/parse_name.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/parse_name_unittest.cc b/chromium/net/cert/pki/parse_name_unittest.cc index 3e29b808c4e..81064e07a64 100644 --- a/chromium/net/cert/pki/parse_name_unittest.cc +++ b/chromium/net/cert/pki/parse_name_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/parsed_certificate.cc b/chromium/net/cert/pki/parsed_certificate.cc index a1268a127b6..367bce786a0 100644 --- a/chromium/net/cert/pki/parsed_certificate.cc +++ b/chromium/net/cert/pki/parsed_certificate.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -20,8 +20,6 @@ namespace { DEFINE_CERT_ERROR_ID(kFailedParsingCertificate, "Failed parsing Certificate"); DEFINE_CERT_ERROR_ID(kFailedParsingTbsCertificate, "Failed parsing TBSCertificate"); -DEFINE_CERT_ERROR_ID(kFailedParsingSignatureAlgorithm, - "Failed parsing SignatureAlgorithm"); DEFINE_CERT_ERROR_ID(kFailedReadingIssuerOrSubject, "Failed reading issuer or subject"); DEFINE_CERT_ERROR_ID(kFailedNormalizingSubject, "Failed normalizing subject"); @@ -106,13 +104,8 @@ scoped_refptr<ParsedCertificate> ParsedCertificate::Create( } // Attempt to parse the signature algorithm contained in the Certificate. - absl::optional<SignatureAlgorithm> sigalg = + result->signature_algorithm_ = ParseSignatureAlgorithm(result->signature_algorithm_tlv_, errors); - if (!sigalg) { - errors->AddError(kFailedParsingSignatureAlgorithm); - return nullptr; - } - result->signature_algorithm_ = *sigalg; der::Input subject_value; if (!GetSequenceValue(result->tbs_.subject_tlv, &subject_value)) { diff --git a/chromium/net/cert/pki/parsed_certificate.h b/chromium/net/cert/pki/parsed_certificate.h index d02c4bf5129..e777228fc32 100644 --- a/chromium/net/cert/pki/parsed_certificate.h +++ b/chromium/net/cert/pki/parsed_certificate.h @@ -1,5 +1,4 @@ - -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -10,7 +9,6 @@ #include <memory> #include <vector> -#include "base/check.h" #include "base/memory/ref_counted.h" #include "net/base/net_export.h" #include "net/cert/pki/certificate_policies.h" @@ -86,7 +84,8 @@ class NET_EXPORT ParsedCertificate const ParsedTbsCertificate& tbs() const { return tbs_; } // Returns the signatureAlgorithm of the Certificate (not the tbsCertificate). - SignatureAlgorithm signature_algorithm() const { + // If the signature algorithm is unknown/unsupported, this returns nullopt. + absl::optional<SignatureAlgorithm> signature_algorithm() const { return signature_algorithm_; } @@ -176,12 +175,12 @@ class NET_EXPORT ParsedCertificate } // Returns any caIssuers URIs from the AuthorityInfoAccess extension. - const std::vector<base::StringPiece>& ca_issuers_uris() const { + const std::vector<std::string_view>& ca_issuers_uris() const { return ca_issuers_uris_; } // Returns any OCSP URIs from the AuthorityInfoAccess extension. - const std::vector<base::StringPiece>& ocsp_uris() const { return ocsp_uris_; } + const std::vector<std::string_view>& ocsp_uris() const { return ocsp_uris_; } // Returns true if the certificate has a Policies extension. bool has_policy_oids() const { return has_policy_oids_; } @@ -261,14 +260,7 @@ class NET_EXPORT ParsedCertificate ParsedTbsCertificate tbs_; // The signatureAlgorithm from the Certificate. - // - // TODO(crbug.com/1321688): This class requires that we recognize the - // signature algorithm, but there are some self-signed root certificates with - // weak signature algorithms like MD2. We never verify those signatures, but - // this means we must include MD2, etc., in the `SignatureAlgorithm` enum. - // Instead, make this an `absl::optional<SignatureAlgorithm>` and make the - // call sites handle recognized and unrecognized algorithms. - SignatureAlgorithm signature_algorithm_; + absl::optional<SignatureAlgorithm> signature_algorithm_; // Normalized DER-encoded Subject (not including outer Sequence tag). std::string normalized_subject_; @@ -301,8 +293,8 @@ class NET_EXPORT ParsedCertificate // CaIssuers and Ocsp URIs parsed from the AuthorityInfoAccess extension. Note // that the AuthorityInfoAccess may have contained other AccessDescriptions // which are not represented here. - std::vector<base::StringPiece> ca_issuers_uris_; - std::vector<base::StringPiece> ocsp_uris_; + std::vector<std::string_view> ca_issuers_uris_; + std::vector<std::string_view> ocsp_uris_; // Policies extension. bool has_policy_oids_ = false; diff --git a/chromium/net/cert/pki/parsed_certificate_unittest.cc b/chromium/net/cert/pki/parsed_certificate_unittest.cc index b33520910b3..bd08592a66c 100644 --- a/chromium/net/cert/pki/parsed_certificate_unittest.cc +++ b/chromium/net/cert/pki/parsed_certificate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -148,7 +148,10 @@ TEST(ParsedCertificateTest, BadPolicyQualifiers) { // Parses a certificate that uses an unknown signature algorithm OID (00). TEST(ParsedCertificateTest, BadSignatureAlgorithmOid) { - ASSERT_FALSE(ParseCertificateFromFile("bad_signature_algorithm_oid.pem", {})); + scoped_refptr<ParsedCertificate> cert = + ParseCertificateFromFile("bad_signature_algorithm_oid.pem", {}); + ASSERT_TRUE(cert); + ASSERT_FALSE(cert->signature_algorithm()); } // The validity encodes time as UTCTime but following the BER rules rather than @@ -159,7 +162,10 @@ TEST(ParsedCertificateTest, BadValidity) { // The signature algorithm contains an unexpected parameters field. TEST(ParsedCertificateTest, FailedSignatureAlgorithm) { - ASSERT_FALSE(ParseCertificateFromFile("failed_signature_algorithm.pem", {})); + scoped_refptr<ParsedCertificate> cert = + ParseCertificateFromFile("failed_signature_algorithm.pem", {}); + ASSERT_TRUE(cert); + ASSERT_FALSE(cert->signature_algorithm()); } TEST(ParsedCertificateTest, IssuerBadPrintableString) { diff --git a/chromium/net/cert/pki/path_builder.cc b/chromium/net/cert/pki/path_builder.cc index cdb9ede48dd..c73d033dd7d 100644 --- a/chromium/net/cert/pki/path_builder.cc +++ b/chromium/net/cert/pki/path_builder.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -11,9 +11,7 @@ #include "base/logging.h" #include "base/memory/raw_ptr.h" #include "base/metrics/histogram_functions.h" -#include "base/notreached.h" #include "base/strings/string_number_conversions.h" -#include "crypto/sha2.h" #include "net/base/net_errors.h" #include "net/cert/pki/cert_issuer_source.h" #include "net/cert/pki/certificate_policies.h" @@ -25,6 +23,7 @@ #include "net/cert/pki/verify_name_match.h" #include "net/der/parser.h" #include "net/der/tag.h" +#include "third_party/boringssl/src/include/openssl/sha.h" namespace net { @@ -34,8 +33,10 @@ using CertIssuerSources = std::vector<CertIssuerSource*>; // Returns a hex-encoded sha256 of the DER-encoding of |cert|. std::string FingerPrintParsedCertificate(const net::ParsedCertificate* cert) { - std::string hash = crypto::SHA256HashString(cert->der_cert().AsStringPiece()); - return base::HexEncode(hash.data(), hash.size()); + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256(cert->der_cert().AsSpan().data(), cert->der_cert().AsSpan().size(), + digest); + return base::HexEncode(digest, sizeof(digest)); } // TODO(mattm): decide how much debug logging to keep. @@ -225,7 +226,7 @@ class CertIssuersIter { // duplicates. This is based on the full DER of the cert to allow different // versions of the same certificate to be tried in different candidate paths. // This points to data owned by |issuers_|. - std::unordered_set<base::StringPiece, base::StringPieceHash> present_issuers_; + std::unordered_set<std::string_view> present_issuers_; // Tracks which requests have been made yet. bool did_initial_query_ = false; @@ -304,10 +305,10 @@ void CertIssuersIter::GetNextIssuer(IssuerEntry* out) { void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) { for (scoped_refptr<ParsedCertificate>& issuer : new_issuers) { - if (present_issuers_.find(issuer->der_cert().AsStringPiece()) != + if (present_issuers_.find(issuer->der_cert().AsStringView()) != present_issuers_.end()) continue; - present_issuers_.insert(issuer->der_cert().AsStringPiece()); + present_issuers_.insert(issuer->der_cert().AsStringView()); // Look up the trust for this issuer. IssuerEntry entry; @@ -420,8 +421,7 @@ class CertIssuerIterPath { } private: - using Key = - std::tuple<base::StringPiece, base::StringPiece, base::StringPiece>; + using Key = std::tuple<std::string_view, std::string_view, std::string_view>; static Key GetKey(const ParsedCertificate* cert) { // TODO(mattm): ideally this would use a normalized version of @@ -430,9 +430,9 @@ class CertIssuerIterPath { // Note that subject_alt_names_extension().value will be empty if the cert // had no SubjectAltName extension, so there is no need for a condition on // has_subject_alt_names(). - return Key(cert->normalized_subject().AsStringPiece(), - cert->subject_alt_names_extension().value.AsStringPiece(), - cert->tbs().spki_tlv.AsStringPiece()); + return Key(cert->normalized_subject().AsStringView(), + cert->subject_alt_names_extension().value.AsStringView(), + cert->tbs().spki_tlv.AsStringView()); } std::vector<std::unique_ptr<CertIssuersIter>> cur_path_; @@ -458,7 +458,7 @@ const ParsedCertificate* CertPathBuilderResultPath::GetTrustedCert() const { return nullptr; } - NOTREACHED(); + assert(0); // NOTREACHED return nullptr; } diff --git a/chromium/net/cert/pki/path_builder.h b/chromium/net/cert/pki/path_builder.h index c4bd8a72581..01fc9eb6301 100644 --- a/chromium/net/cert/pki/path_builder.h +++ b/chromium/net/cert/pki/path_builder.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/path_builder_pkits_unittest.cc b/chromium/net/cert/pki/path_builder_pkits_unittest.cc index e082f7d55fc..0939aa6bd4a 100644 --- a/chromium/net/cert/pki/path_builder_pkits_unittest.cc +++ b/chromium/net/cert/pki/path_builder_pkits_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -162,7 +162,7 @@ class PathBuilderPkitsTestDelegate { crl_ders, verify_time, /*max_age=*/base::Days(365 * 2), 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); - base::StringPiece test_number = info.test_number; + std::string_view test_number = info.test_number; if (test_number == "4.4.19" || test_number == "4.5.3" || test_number == "4.5.4" || test_number == "4.5.6") { // 4.4.19 - fails since CRL is signed by a certificate that is not part diff --git a/chromium/net/cert/pki/path_builder_unittest.cc b/chromium/net/cert/pki/path_builder_unittest.cc index 80c5baa5eae..f31c6a5f7a2 100644 --- a/chromium/net/cert/pki/path_builder_unittest.cc +++ b/chromium/net/cert/pki/path_builder_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,6 +9,7 @@ #include "base/containers/span.h" #include "base/files/file_util.h" #include "base/path_service.h" +#include "base/ranges/algorithm.h" #include "base/test/bind.h" #include "base/test/metrics/histogram_tester.h" #include "base/test/task_environment.h" @@ -917,7 +918,7 @@ bool AreCertsEq(const scoped_refptr<ParsedCertificate> cert_1, } // Test to ensure that path building stops when an intermediate cert is -// encountered that is not usable for TLS because of EKU restrictions. +// encountered that is not usable for TLS because it is explicitly distrusted. TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); @@ -932,7 +933,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { szOID_PKIX_KP_SERVER_AUTH); AddToStoreWithEKURestriction(intermediate_store.get(), c_by_e_, szOID_PKIX_KP_SERVER_AUTH); - AddToStoreWithEKURestriction(intermediate_store.get(), c_by_d_, nullptr); + AddToStoreWithEKURestriction(disallowed_store.get(), c_by_d_, nullptr); std::unique_ptr<TrustStoreWin> trust_store = TrustStoreWin::CreateForTesting( std::move(root_store), std::move(intermediate_store), @@ -948,7 +949,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { auto result = path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); - ASSERT_EQ(2U, result.paths.size()); + ASSERT_EQ(1U, result.paths.size()); const auto& path = *result.GetBestValidPath(); ASSERT_EQ(3U, path.certs.size()); EXPECT_TRUE(AreCertsEq(b_by_c_, path.certs[0])); @@ -956,14 +957,12 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { EXPECT_TRUE(AreCertsEq(e_by_e_, path.certs[2])); // Should only be one valid path, the one above. - int valid_paths = 0; - for (auto&& path : result.paths) { - valid_paths += path->IsValid() ? 1 : 0; - } + int valid_paths = + base::ranges::count_if(result.paths, &CertPathBuilderResultPath::IsValid); ASSERT_EQ(1, valid_paths); } -// Test that if an intermediate is disabled for TLS, and it is the only +// Test that if an intermediate is untrusted, and it is the only // path, then path building should fail, even if the root is enabled for // TLS. TEST_F(PathBuilderMultiRootTest, TrustStoreWinNoPathEKURestrictions) { @@ -976,7 +975,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinNoPathEKURestrictions) { AddToStoreWithEKURestriction(root_store.get(), d_by_d_, szOID_PKIX_KP_SERVER_AUTH); - AddToStoreWithEKURestriction(intermediate_store.get(), c_by_d_, nullptr); + AddToStoreWithEKURestriction(disallowed_store.get(), c_by_d_, nullptr); std::unique_ptr<TrustStoreWin> trust_store = TrustStoreWin::CreateForTesting( std::move(root_store), std::move(intermediate_store), std::move(disallowed_store)); diff --git a/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc b/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc index 1db806bb67a..a3f1530e541 100644 --- a/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc +++ b/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -17,8 +17,7 @@ class PathBuilderTestDelegate { public: static void Verify(const VerifyCertChainTest& test, const std::string& test_file_path) { - SimplePathBuilderDelegate path_builder_delegate( - 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + SimplePathBuilderDelegate path_builder_delegate(1024, test.digest_policy); ASSERT_FALSE(test.chain.empty()); TrustStoreInMemory trust_store; diff --git a/chromium/net/cert/pki/revocation_util.cc b/chromium/net/cert/pki/revocation_util.cc index 17a75b03c8e..afbc7290adc 100644 --- a/chromium/net/cert/pki/revocation_util.cc +++ b/chromium/net/cert/pki/revocation_util.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/revocation_util.h b/chromium/net/cert/pki/revocation_util.h index 2966a0542de..1cd5ce81e8b 100644 --- a/chromium/net/cert/pki/revocation_util.h +++ b/chromium/net/cert/pki/revocation_util.h @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/signature_algorithm.cc b/chromium/net/cert/pki/signature_algorithm.cc index a7ff1852587..0b913bb72b4 100644 --- a/chromium/net/cert/pki/signature_algorithm.cc +++ b/chromium/net/cert/pki/signature_algorithm.cc @@ -1,10 +1,9 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/signature_algorithm.h" -#include "base/check.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" #include "net/der/input.h" @@ -17,21 +16,6 @@ namespace net { namespace { -// md2WithRSAEncryption -// In dotted notation: 1.2.840.113549.1.1.2 -const uint8_t kOidMd2WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x02}; - -// md4WithRSAEncryption -// In dotted notation: 1.2.840.113549.1.1.3 -const uint8_t kOidMd4WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x03}; - -// md5WithRSAEncryption -// In dotted notation: 1.2.840.113549.1.1.4 -const uint8_t kOidMd5WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04}; - // From RFC 5912: // // sha1WithRSAEncryption OBJECT IDENTIFIER ::= { @@ -134,24 +118,6 @@ const uint8_t kOidRsaSsaPss[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, // From RFC 5912: // -// dsa-with-sha1 OBJECT IDENTIFIER ::= { -// iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 } -// -// In dotted notation: 1.2.840.10040.4.3 -const uint8_t kOidDsaWithSha1[] = {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03}; - -// From RFC 5912: -// -// dsa-with-sha256 OBJECT IDENTIFIER ::= { -// joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) -// csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } -// -// In dotted notation: 2.16.840.1.101.3.4.3.2 -const uint8_t kOidDsaWithSha256[] = {0x60, 0x86, 0x48, 0x01, 0x65, - 0x03, 0x04, 0x03, 0x02}; - -// From RFC 5912: -// // id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 } // // In dotted notation: 1.2.840.113549.1.1.8 @@ -391,15 +357,6 @@ absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm( if (oid == der::Input(kOidSha1WithRsaSignature) && IsNullOrEmpty(params)) { return SignatureAlgorithm::kRsaPkcs1Sha1; } - if (oid == der::Input(kOidMd2WithRsaEncryption) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kRsaPkcs1Md2; - } - if (oid == der::Input(kOidMd4WithRsaEncryption) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kRsaPkcs1Md4; - } - if (oid == der::Input(kOidMd5WithRsaEncryption) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kRsaPkcs1Md5; - } // RFC 5912 requires that the parameters for ECDSA algorithms be absent // ("PARAMS TYPE NULL ARE absent"): @@ -420,16 +377,6 @@ absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm( return ParseRsaPss(params); } - // RFC 5912 requires that the parameters for DSA algorithms be absent. - // - // TODO(svaldez): Add warning about non-strict parsing. - if (oid == der::Input(kOidDsaWithSha1) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kDsaSha1; - } - if (oid == der::Input(kOidDsaWithSha256) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kDsaSha256; - } - // Unknown signature algorithm. if (errors) { errors->AddError(kUnknownSignatureAlgorithm, @@ -446,8 +393,7 @@ absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm( // implement this within the library, so callers do not need to condition over // all algorithms. switch (alg) { - // If the single digest algorithm is MD5 or SHA-1, use SHA-256. - case SignatureAlgorithm::kRsaPkcs1Md5: + // If the single digest algorithm is SHA-1, use SHA-256. case SignatureAlgorithm::kRsaPkcs1Sha1: case SignatureAlgorithm::kEcdsaSha1: return DigestAlgorithm::Sha256; @@ -473,13 +419,6 @@ absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm( return DigestAlgorithm::Sha384; case SignatureAlgorithm::kRsaPssSha512: return DigestAlgorithm::Sha512; - - // Do not return anything for these legacy algorithms. - case SignatureAlgorithm::kDsaSha1: - case SignatureAlgorithm::kDsaSha256: - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - return absl::nullopt; } return absl::nullopt; } diff --git a/chromium/net/cert/pki/signature_algorithm.h b/chromium/net/cert/pki/signature_algorithm.h index e6e2569bbae..8e3ad573f5b 100644 --- a/chromium/net/cert/pki/signature_algorithm.h +++ b/chromium/net/cert/pki/signature_algorithm.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,6 +9,7 @@ #include "net/base/net_export.h" #include "third_party/abseil-cpp/absl/types/optional.h" +#include "third_party/boringssl/src/include/openssl/evp.h" namespace net { @@ -45,13 +46,6 @@ enum class SignatureAlgorithm { kRsaPssSha256, kRsaPssSha384, kRsaPssSha512, - // These algorithms can be parsed but are not supported. - // TODO(https://crbug.com/1321688): Remove these. - kRsaPkcs1Md2, - kRsaPkcs1Md4, - kRsaPkcs1Md5, - kDsaSha1, - kDsaSha256, }; // Parses AlgorithmIdentifier as defined by RFC 5280 section 4.1.1.2: diff --git a/chromium/net/cert/pki/signature_algorithm_unittest.cc b/chromium/net/cert/pki/signature_algorithm_unittest.cc index 2247675ca76..3997ffc505d 100644 --- a/chromium/net/cert/pki/signature_algorithm_unittest.cc +++ b/chromium/net/cert/pki/signature_algorithm_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -1373,8 +1373,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd5WithRsaEncryptionNullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kRsaPkcs1Md5); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a md4WithRSAEncryption which contains a NULL parameters field. @@ -1391,8 +1390,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd4WithRsaEncryptionNullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kRsaPkcs1Md4); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a md2WithRSAEncryption which contains a NULL parameters field. @@ -1409,8 +1407,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd2WithRsaEncryptionNullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kRsaPkcs1Md2); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a dsaWithSha1 which contains no parameters field. @@ -1425,8 +1422,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha1NoParams) { 0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03, }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kDsaSha1); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a dsaWithSha1 which contains a NULL parameters field. @@ -1443,8 +1439,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha1NullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kDsaSha1); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a dsaWithSha256 which contains no parameters field. @@ -1459,8 +1454,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha256NoParams) { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02 }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kDsaSha256); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } } // namespace diff --git a/chromium/net/cert/pki/simple_path_builder_delegate.cc b/chromium/net/cert/pki/simple_path_builder_delegate.cc index aa961254d3a..06dfabff957 100644 --- a/chromium/net/cert/pki/simple_path_builder_delegate.cc +++ b/chromium/net/cert/pki/simple_path_builder_delegate.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -70,16 +70,6 @@ bool SimplePathBuilderDelegate::IsSignatureAlgorithmAcceptable( case SignatureAlgorithm::kRsaPssSha384: case SignatureAlgorithm::kRsaPssSha512: return true; - - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - case SignatureAlgorithm::kRsaPkcs1Md5: - case SignatureAlgorithm::kDsaSha1: - case SignatureAlgorithm::kDsaSha256: - // TODO(https://crbug.com/1321688): We do not implement DSA, MD2, MD4, or - // MD5 anyway. Remove them from the parser altogether, so code does not - // need to handle them. - return false; } } diff --git a/chromium/net/cert/pki/simple_path_builder_delegate.h b/chromium/net/cert/pki/simple_path_builder_delegate.h index db1b368c215..d1f7bf5e0b5 100644 --- a/chromium/net/cert/pki/simple_path_builder_delegate.h +++ b/chromium/net/cert/pki/simple_path_builder_delegate.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc b/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc index e9613a1e61f..440dafe1c21 100644 --- a/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc +++ b/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/simple_path_builder_delegate.h" diff --git a/chromium/net/cert/pki/string_util.cc b/chromium/net/cert/pki/string_util.cc new file mode 100644 index 00000000000..4fc00a62b36 --- /dev/null +++ b/chromium/net/cert/pki/string_util.cc @@ -0,0 +1,75 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/pki/string_util.h" + +#include "third_party/boringssl/src/include/openssl/mem.h" + +#include <algorithm> +#include <string> + +namespace net::string_util { + +bool IsAscii(std::string_view str) { + for (unsigned char c : str) { + if (c > 127) { + return false; + } + } + return true; +} + +bool IsEqualNoCase(std::string_view str1, std::string_view str2) { + if (str1.size() != str2.size()) { + return false; + } + return std::equal(str2.cbegin(), str2.cend(), str1.cbegin(), + [](const unsigned char a, const unsigned char b) { + return OPENSSL_tolower(a) == OPENSSL_tolower(b); + }); +} + +bool EndsWithNoCase(std::string_view str, std::string_view suffix) { + return suffix.size() <= str.size() && + IsEqualNoCase(suffix, str.substr(str.size() - suffix.size())); +} + +bool StartsWithNoCase(std::string_view str, std::string_view prefix) { + return prefix.size() <= str.size() && + IsEqualNoCase(prefix, str.substr(0, prefix.size())); +} + +std::string FindAndReplace(std::string_view str, + std::string_view find, + std::string_view replace) { + std::string ret; + + if (find.empty()) { + return std::string(str); + } + while (!str.empty()) { + size_t index = str.find(find); + if (index == std::string_view::npos) { + ret.append(str); + break; + } + ret.append(str.substr(0, index)); + ret.append(replace); + str = str.substr(index + find.size()); + } + return ret; +} + +// TODO(bbe) get rid of this once we can c++20. +bool EndsWith(std::string_view str, std::string_view suffix) { + return suffix.size() <= str.size() && + suffix == str.substr(str.size() - suffix.size()); +} + +// TODO(bbe) get rid of this once we can c++20. +bool StartsWith(std::string_view str, std::string_view prefix) { + return prefix.size() <= str.size() && prefix == str.substr(0, prefix.size()); +} + +} // namespace net::string_util diff --git a/chromium/net/cert/pki/string_util.h b/chromium/net/cert/pki/string_util.h new file mode 100644 index 00000000000..da3a72af2b9 --- /dev/null +++ b/chromium/net/cert/pki/string_util.h @@ -0,0 +1,49 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_CERT_PKI_STRING_UTIL_H_ +#define NET_CERT_PKI_STRING_UTIL_H_ + +#include "net/base/net_export.h" + +#include <string_view> + +namespace net::string_util { + +// Returns true if the characters in |str| are all ASCII, false otherwise. +NET_EXPORT_PRIVATE bool IsAscii(std::string_view str); + +// Compares |str1| and |str2| ASCII case insensitively (independent of locale). +// Returns true if |str1| and |str2| match. +NET_EXPORT_PRIVATE bool IsEqualNoCase(std::string_view str1, + std::string_view str2); + +// Compares |str1| and |prefix| ASCII case insensitively (independent of +// locale). Returns true if |str1| starts with |prefix|. +NET_EXPORT_PRIVATE bool StartsWithNoCase(std::string_view str, + std::string_view prefix); + +// Compares |str1| and |suffix| ASCII case insensitively (independent of +// locale). Returns true if |str1| starts with |suffix|. +NET_EXPORT_PRIVATE bool EndsWithNoCase(std::string_view str, + std::string_view suffix); + +// Finds and replaces all occurrences of |find| of non zero length with +// |replace| in |str|, returning the result. +NET_EXPORT_PRIVATE std::string FindAndReplace(std::string_view str, + std::string_view find, + std::string_view replace); + +// TODO(bbe) transition below to c++20 +// Compares |str1| and |prefix|. Returns true if |str1| starts with |prefix|. +NET_EXPORT_PRIVATE bool StartsWith(std::string_view str, + std::string_view prefix); + +// TODO(bbe) transition below to c++20 +// Compares |str1| and |suffix|. Returns true if |str1| ends with |suffix|. +NET_EXPORT_PRIVATE bool EndsWith(std::string_view str, std::string_view suffix); + +} // namespace net::string_util + +#endif // NET_CERT_PKI_STRING_UTIL_H_ diff --git a/chromium/net/cert/pki/string_util_unittest.cc b/chromium/net/cert/pki/string_util_unittest.cc new file mode 100644 index 00000000000..5a376321908 --- /dev/null +++ b/chromium/net/cert/pki/string_util_unittest.cc @@ -0,0 +1,103 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/pki/string_util.h" +#include "testing/gtest/include/gtest/gtest.h" + +namespace net { + +namespace { + +TEST(StringUtilTest, IsAscii) { + EXPECT_TRUE(net::string_util::IsAscii("")); + EXPECT_TRUE(net::string_util::IsAscii("mail.google.com")); + EXPECT_TRUE(net::string_util::IsAscii("mail.google.com\x7F")); + EXPECT_FALSE(net::string_util::IsAscii("mail.google.com\x80")); + EXPECT_FALSE(net::string_util::IsAscii("mail.google.com\xFF")); +} + +TEST(StringUtilTest, IsEqualNoCase) { + EXPECT_TRUE(net::string_util::IsEqualNoCase("", "")); + EXPECT_TRUE( + net::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cOm")); + EXPECT_TRUE(net::string_util::IsEqualNoCase("MAil~-.google.cOm", + "maIL~-.gOoGlE.CoM")); + EXPECT_TRUE(net::string_util::IsEqualNoCase("mail\x80.google.com", + "maIL\x80.GOoGlE.cOm")); + EXPECT_TRUE(net::string_util::IsEqualNoCase("mail\xFF.google.com", + "maIL\xFF.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::IsEqualNoCase("mail.google.co", "maIL.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cO")); +} + +TEST(StringUtilTest, EndsWithNoCase) { + EXPECT_TRUE(net::string_util::EndsWithNoCase("", "")); + EXPECT_TRUE(net::string_util::EndsWithNoCase("mail.google.com", "")); + EXPECT_TRUE( + net::string_util::EndsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm")); + EXPECT_TRUE( + net::string_util::EndsWithNoCase("mail.google.com", ".gOoGlE.cOm")); + EXPECT_TRUE( + net::string_util::EndsWithNoCase("MAil~-.google.cOm", "-.gOoGlE.CoM")); + EXPECT_TRUE(net::string_util::EndsWithNoCase("mail\x80.google.com", + "\x80.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", "pOoGlE.com")); + EXPECT_FALSE(net::string_util::EndsWithNoCase("mail\x80.google.com", + "\x81.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.co", ".GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", ".GOoGlE.cO")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", "mail.google.com1")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", "1mail.google.com")); +} + +TEST(StringUtilTest, FindAndReplace) { + std::string tester = "hoobla derp hoobla derp porkrind"; + tester = net::string_util::FindAndReplace(tester, "blah", "woof"); + EXPECT_EQ(tester, "hoobla derp hoobla derp porkrind"); + tester = net::string_util::FindAndReplace(tester, "", "yeet"); + EXPECT_EQ(tester, "hoobla derp hoobla derp porkrind"); + tester = net::string_util::FindAndReplace(tester, "hoobla", "derp"); + EXPECT_EQ(tester, "derp derp derp derp porkrind"); + tester = net::string_util::FindAndReplace(tester, "derp", "a"); + EXPECT_EQ(tester, "a a a a porkrind"); + tester = net::string_util::FindAndReplace(tester, "a ", ""); + EXPECT_EQ(tester, "porkrind"); + tester = net::string_util::FindAndReplace(tester, "porkrind", ""); + EXPECT_EQ(tester, ""); +} + +TEST(StringUtilTest, StartsWithNoCase) { + EXPECT_TRUE(net::string_util::StartsWithNoCase("", "")); + EXPECT_TRUE(net::string_util::StartsWithNoCase("mail.google.com", "")); + EXPECT_TRUE( + net::string_util::StartsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm")); + EXPECT_TRUE(net::string_util::StartsWithNoCase("mail.google.com", "MaIL.")); + EXPECT_TRUE( + net::string_util::StartsWithNoCase("MAil~-.google.cOm", "maiL~-.Goo")); + EXPECT_TRUE( + net::string_util::StartsWithNoCase("mail\x80.google.com", "MAIL\x80.")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mail.google.com", "maIl.MoO")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mail\x80.google.com", "Mail\x81")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mai.google.co", "MAiL.GoogLE")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mail.google.com", "MaI.GooGLE")); + EXPECT_FALSE(net::string_util::StartsWithNoCase("mail.google.com", + "mail.google.com1")); + EXPECT_FALSE(net::string_util::StartsWithNoCase("mail.google.com", + "1mail.google.com")); +} + +} // namespace + +} // namespace net diff --git a/chromium/net/cert/pki/test_helpers.cc b/chromium/net/cert/pki/test_helpers.cc index 50cc1ba5105..151633f5e4d 100644 --- a/chromium/net/cert/pki/test_helpers.cc +++ b/chromium/net/cert/pki/test_helpers.cc @@ -1,18 +1,18 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/test_helpers.h" -#include "base/base64.h" #include "base/base_paths.h" #include "base/files/file_util.h" #include "base/path_service.h" #include "base/strings/string_piece.h" -#include "base/strings/string_util.h" #include "net/cert/pem.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" +#include "net/cert/pki/simple_path_builder_delegate.h" +#include "net/cert/pki/string_util.h" #include "net/der/parser.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/boringssl/src/include/openssl/pool.h" @@ -23,11 +23,11 @@ namespace net { namespace { -bool GetValue(base::StringPiece prefix, - base::StringPiece line, +bool GetValue(std::string_view prefix, + std::string_view line, std::string* value, bool* has_value) { - if (!base::StartsWith(line, prefix)) + if (!net::string_util::StartsWith(line, prefix)) return false; if (*has_value) { @@ -45,13 +45,16 @@ bool GetValue(base::StringPiece prefix, namespace der { void PrintTo(const Input& data, ::std::ostream* os) { - std::string b64; - base::Base64Encode( - base::StringPiece(reinterpret_cast<const char*>(data.UnsafeData()), - data.Length()), - &b64); - - *os << "[" << b64 << "]"; + size_t len; + if (!EVP_EncodedLength(&len, data.Length())) { + *os << "[]"; + return; + } + std::vector<uint8_t> encoded(len); + len = EVP_EncodeBlock(encoded.data(), data.UnsafeData(), data.Length()); + // Skip the trailing \0. + std::string b64_encoded(encoded.begin(), encoded.begin() + len); + *os << "[" << b64_encoded << "]"; } } // namespace der @@ -201,8 +204,9 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, bool has_time = false; bool has_errors = false; bool has_key_purpose = false; + bool has_digest_policy = false; - base::StringPiece kExpectedErrors = "expected_errors:"; + std::string kExpectedErrors = "expected_errors:"; std::istringstream stream(file_data); for (std::string line; std::getline(stream, line, '\n');) { @@ -218,7 +222,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, if (line.empty()) { continue; } - base::StringPiece line_piece(line); + std::string_view line_piece(line); std::string value; @@ -236,7 +240,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, ReadCertChainFromFile(chain_path, &test->chain); } else if (GetValue("utc_time: ", line_piece, &value, &has_time)) { if (value == "DEFAULT") { - value = "221005120000Z"; + value = "211005120000Z"; } if (!der::ParseUTCTime(der::Input(&value), &test->time)) { ADD_FAILURE() << "Failed parsing UTC time"; @@ -271,7 +275,18 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, ADD_FAILURE() << "Unrecognized last_cert_trust: " << value; return false; } - } else if (base::StartsWith(line_piece, "#")) { + } else if (GetValue("digest_policy: ", line_piece, &value, + &has_digest_policy)) { + if (value == "STRONG") { + test->digest_policy = SimplePathBuilderDelegate::DigestPolicy::kStrong; + } else if (value == "ALLOW_SHA_1") { + test->digest_policy = + SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1; + } else { + ADD_FAILURE() << "Unrecognized digest_policy: " << value; + return false; + } + } else if (net::string_util::StartsWith(line_piece, "#")) { // Skip comments. continue; } else if (line_piece == kExpectedErrors) { @@ -279,7 +294,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, // The errors start on the next line, and extend until the end of the // file. std::string prefix = - std::string("\n") + std::string(kExpectedErrors) + std::string("\n"); + std::string("\n") + kExpectedErrors + std::string("\n"); size_t errors_start = file_data.find(prefix); if (errors_start == std::string::npos) { ADD_FAILURE() << "expected_errors not found"; diff --git a/chromium/net/cert/pki/test_helpers.h b/chromium/net/cert/pki/test_helpers.h index 0fe301af316..de2fceed4dd 100644 --- a/chromium/net/cert/pki/test_helpers.h +++ b/chromium/net/cert/pki/test_helpers.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -13,6 +13,7 @@ #include "base/memory/raw_ptr.h" #include "net/cert/pki/parsed_certificate.h" +#include "net/cert/pki/simple_path_builder_delegate.h" #include "net/cert/pki/trust_store.h" #include "net/cert/pki/verify_certificate_chain.h" #include "net/der/input.h" @@ -109,6 +110,9 @@ struct VerifyCertChainTest { // The expected errors/warnings from verification (as a string). std::string expected_errors; + SimplePathBuilderDelegate::DigestPolicy digest_policy = + SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1; + // Returns true if |expected_errors| contains any high severity errors (a // non-empty expected_errors doesn't necessarily mean verification is // expected to fail, as it may have contained warnings). diff --git a/chromium/net/cert/pki/trust_store.cc b/chromium/net/cert/pki/trust_store.cc index ee504bff53f..0f0858cdef3 100644 --- a/chromium/net/cert/pki/trust_store.cc +++ b/chromium/net/cert/pki/trust_store.cc @@ -1,11 +1,9 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/trust_store.h" -#include "base/notreached.h" - namespace net { CertificateTrust CertificateTrust::ForTrustAnchor() { @@ -49,7 +47,7 @@ bool CertificateTrust::IsTrustAnchor() const { return true; } - NOTREACHED(); + assert(0); // NOTREACHED return false; } @@ -64,7 +62,7 @@ bool CertificateTrust::IsDistrusted() const { return false; } - NOTREACHED(); + assert(0); // NOTREACHED return false; } @@ -79,7 +77,7 @@ bool CertificateTrust::HasUnspecifiedTrust() const { return false; } - NOTREACHED(); + assert(0); // NOTREACHED return true; } diff --git a/chromium/net/cert/pki/trust_store.h b/chromium/net/cert/pki/trust_store.h index 1c3a721ea29..e5718d02d77 100644 --- a/chromium/net/cert/pki/trust_store.h +++ b/chromium/net/cert/pki/trust_store.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_collection.cc b/chromium/net/cert/pki/trust_store_collection.cc index 03657c4d4a0..d7a3530f5c6 100644 --- a/chromium/net/cert/pki/trust_store_collection.cc +++ b/chromium/net/cert/pki/trust_store_collection.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_collection.h b/chromium/net/cert/pki/trust_store_collection.h index 4d168aa6cfb..472feac2629 100644 --- a/chromium/net/cert/pki/trust_store_collection.h +++ b/chromium/net/cert/pki/trust_store_collection.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_collection_unittest.cc b/chromium/net/cert/pki/trust_store_collection_unittest.cc index 8b17c5a8d8d..90131bea9ac 100644 --- a/chromium/net/cert/pki/trust_store_collection_unittest.cc +++ b/chromium/net/cert/pki/trust_store_collection_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_in_memory.cc b/chromium/net/cert/pki/trust_store_in_memory.cc index 7769b992429..b0d9be4b9b4 100644 --- a/chromium/net/cert/pki/trust_store_in_memory.cc +++ b/chromium/net/cert/pki/trust_store_in_memory.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -45,7 +45,7 @@ void TrustStoreInMemory::AddCertificateWithUnspecifiedTrust( void TrustStoreInMemory::SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) { - auto range = entries_.equal_range(cert->normalized_issuer().AsStringPiece()); + auto range = entries_.equal_range(cert->normalized_issuer().AsStringView()); for (auto it = range.first; it != range.second; ++it) issuers->push_back(it->second.cert); } @@ -73,12 +73,12 @@ void TrustStoreInMemory::AddCertificate(scoped_refptr<ParsedCertificate> cert, // TODO(mattm): should this check for duplicate certificates? entries_.insert( - std::make_pair(entry.cert->normalized_subject().AsStringPiece(), entry)); + std::make_pair(entry.cert->normalized_subject().AsStringView(), entry)); } const TrustStoreInMemory::Entry* TrustStoreInMemory::GetEntry( const ParsedCertificate* cert) const { - auto range = entries_.equal_range(cert->normalized_subject().AsStringPiece()); + auto range = entries_.equal_range(cert->normalized_subject().AsStringView()); for (auto it = range.first; it != range.second; ++it) { if (cert == it->second.cert.get() || cert->der_cert() == it->second.cert->der_cert()) { diff --git a/chromium/net/cert/pki/trust_store_in_memory.h b/chromium/net/cert/pki/trust_store_in_memory.h index 1d6a7c69257..021d40d28f7 100644 --- a/chromium/net/cert/pki/trust_store_in_memory.h +++ b/chromium/net/cert/pki/trust_store_in_memory.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -73,8 +73,7 @@ class NET_EXPORT TrustStoreInMemory : public TrustStore { }; // Multimap from normalized subject -> Entry. - std::unordered_multimap<base::StringPiece, Entry, base::StringPieceHash> - entries_; + std::unordered_multimap<std::string_view, Entry> entries_; // Adds a certificate with the specified trust settings. Both trusted and // distrusted certificates require a full DER match. diff --git a/chromium/net/cert/pki/verify_certificate_chain.cc b/chromium/net/cert/pki/verify_certificate_chain.cc index 5fea3878087..216d8309850 100644 --- a/chromium/net/cert/pki/verify_certificate_chain.cc +++ b/chromium/net/cert/pki/verify_certificate_chain.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,7 +6,6 @@ #include <algorithm> -#include "base/check.h" #include "base/memory/raw_ptr.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" @@ -812,16 +811,18 @@ void PathVerifier::BasicCertificateProcessing( } // Check whether this signature algorithm is allowed. - if (!delegate_->IsSignatureAlgorithmAcceptable(cert.signature_algorithm(), + if (!cert.signature_algorithm().has_value() || + !delegate_->IsSignatureAlgorithmAcceptable(*cert.signature_algorithm(), errors)) { *shortcircuit_chain_validation = true; errors->AddError(cert_errors::kUnacceptableSignatureAlgorithm); + return; } if (working_public_key_) { // Verify the digital signature using the previous certificate's key (RFC // 5280 section 6.1.3 step a.1). - if (!VerifySignedData(cert.signature_algorithm(), + if (!VerifySignedData(*cert.signature_algorithm(), cert.tbs_certificate_tlv(), cert.signature_value(), working_public_key_.get())) { *shortcircuit_chain_validation = true; diff --git a/chromium/net/cert/pki/verify_certificate_chain.h b/chromium/net/cert/pki/verify_certificate_chain.h index 3dd187e6ff2..a67816f9d8a 100644 --- a/chromium/net/cert/pki/verify_certificate_chain.h +++ b/chromium/net/cert/pki/verify_certificate_chain.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc b/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc index 7a2a4aa32ec..e72a721ad33 100644 --- a/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc +++ b/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h b/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h index c563f17ffa0..e7d49876cd8 100644 --- a/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h +++ b/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -7,6 +7,7 @@ #include "net/cert/pem.h" #include "net/cert/pki/parsed_certificate.h" +#include "net/cert/pki/simple_path_builder_delegate.h" #include "net/cert/pki/test_helpers.h" #include "net/cert/pki/trust_store.h" #include "net/cert/pki/verify_certificate_chain.h" @@ -74,8 +75,8 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, UnknownExtension) { } TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WeakSignature) { - this->RunTest("target-signed-with-md5/main.test"); - this->RunTest("intermediate-signed-with-md5/main.test"); + this->RunTest("target-signed-with-sha1/main.test"); + this->RunTest("intermediate-signed-with-sha1/main.test"); } TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WrongSignature) { diff --git a/chromium/net/cert/pki/verify_certificate_chain_unittest.cc b/chromium/net/cert/pki/verify_certificate_chain_unittest.cc index a98532ebc0a..3af510d0646 100644 --- a/chromium/net/cert/pki/verify_certificate_chain_unittest.cc +++ b/chromium/net/cert/pki/verify_certificate_chain_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -17,8 +17,7 @@ class VerifyCertificateChainTestDelegate { public: static void Verify(const VerifyCertChainTest& test, const std::string& test_file_path) { - SimplePathBuilderDelegate delegate( - 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + SimplePathBuilderDelegate delegate(1024, test.digest_policy); CertPathErrors errors; // TODO(eroman): Check user_constrained_policy_set. diff --git a/chromium/net/cert/pki/verify_name_match.cc b/chromium/net/cert/pki/verify_name_match.cc index b17ab7e2296..9fa1043663f 100644 --- a/chromium/net/cert/pki/verify_name_match.cc +++ b/chromium/net/cert/pki/verify_name_match.cc @@ -1,12 +1,9 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/verify_name_match.h" -#include "base/check.h" -#include "base/notreached.h" -#include "base/strings/string_util.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/parse_name.h" @@ -77,7 +74,7 @@ enum CharsetEnforcement { std::string::const_iterator next_iter = read_iter + 1; if (next_iter != output->end() && *next_iter != ' ') *(write_iter++) = ' '; - } else if (base::IsAsciiUpper(c)) { + } else if (c >= 'A' && c <= 'Z') { // Fold case. *(write_iter++) = c + ('a' - 'A'); } else { @@ -87,7 +84,7 @@ enum CharsetEnforcement { case ENFORCE_PRINTABLE_STRING: // See NormalizePrintableStringValue comment for the acceptable list // of characters. - if (!(base::IsAsciiLower(c) || (c >= '\'' && c <= ':') || c == '=' || + if (!((c >= 'a' && c <= 'z') || (c >= '\'' && c <= ':') || c == '=' || c == '?')) return false; break; @@ -139,7 +136,7 @@ enum CharsetEnforcement { success = NormalizeDirectoryString(ENFORCE_ASCII, output); break; default: - NOTREACHED(); + // NOTREACHED success = false; break; } diff --git a/chromium/net/cert/pki/verify_name_match.h b/chromium/net/cert/pki/verify_name_match.h index 4e49d435df5..1110a5376f2 100644 --- a/chromium/net/cert/pki/verify_name_match.h +++ b/chromium/net/cert/pki/verify_name_match.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_name_match_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_fuzzer.cc index 02ae46f62bd..87310f23455 100644 --- a/chromium/net/cert/pki/verify_name_match_fuzzer.cc +++ b/chromium/net/cert/pki/verify_name_match_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc index dc5c810c501..cd8b3518efc 100644 --- a/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc +++ b/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_name_match_unittest.cc b/chromium/net/cert/pki/verify_name_match_unittest.cc index 59660c0c936..75e840711e8 100644 --- a/chromium/net/cert/pki/verify_name_match_unittest.cc +++ b/chromium/net/cert/pki/verify_name_match_unittest.cc @@ -1,11 +1,10 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/verify_name_match.h" #include "base/strings/string_number_conversions.h" -#include "base/strings/string_util.h" #include "net/cert/pki/test_helpers.h" #include "testing/gtest/include/gtest/gtest.h" @@ -330,8 +329,10 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidPrintableStringChars) { ASSERT_NE(std::string::npos, replace_location); for (int c = 0; c < 256; ++c) { SCOPED_TRACE(base::NumberToString(c)); - if (base::IsAsciiAlpha(c) || base::IsAsciiDigit(c)) + if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || + (c >= '0' && c <= '9')) { continue; + } switch (c) { case ' ': case '\'': diff --git a/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc index 996a6353342..c755fba6626 100644 --- a/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc +++ b/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_signed_data.cc b/chromium/net/cert/pki/verify_signed_data.cc index 5dc399129a2..7200b555f7f 100644 --- a/chromium/net/cert/pki/verify_signed_data.cc +++ b/chromium/net/cert/pki/verify_signed_data.cc @@ -1,10 +1,9 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/verify_signed_data.h" -#include "base/numerics/safe_math.h" #include "crypto/openssl_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/signature_algorithm.h" @@ -155,15 +154,6 @@ bool VerifySignedData(SignatureAlgorithm algorithm, digest = EVP_sha512(); is_rsa_pss = true; break; - - case SignatureAlgorithm::kDsaSha1: - case SignatureAlgorithm::kDsaSha256: - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - case SignatureAlgorithm::kRsaPkcs1Md5: - // DSA, MD2, MD4, and MD5 are not supported. See - // https://crbug.com/1321688. - return false; } if (expected_pkey_id != EVP_PKEY_id(public_key)) diff --git a/chromium/net/cert/pki/verify_signed_data.h b/chromium/net/cert/pki/verify_signed_data.h index b904992dc1c..9e30ef9a252 100644 --- a/chromium/net/cert/pki/verify_signed_data.h +++ b/chromium/net/cert/pki/verify_signed_data.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_signed_data_unittest.cc b/chromium/net/cert/pki/verify_signed_data_unittest.cc index 8a0a26e9cb0..a351fb38100 100644 --- a/chromium/net/cert/pki/verify_signed_data_unittest.cc +++ b/chromium/net/cert/pki/verify_signed_data_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. |