author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-11-28 16:14:41 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-12-13 15:19:41 +0000 |
commit | 61d9742824d54be5693191fe502325a909feca59 (patch) | |
tree | cbf28e779b11338fe52eb75b915684cd8955542c /chromium/net/cert | |
parent | 45f9ded08bb7526984b24ccb5a5327aaf6821676 (diff) | |
BASELINE: Update Chromium to 108.0.5359.70
Change-Id: I77334ff232b819600f275bd3cfe41fbaa3619230
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/445904
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/net/cert')
288 files changed, 1865 insertions, 1806 deletions
diff --git a/chromium/net/cert/BUILD.gn b/chromium/net/cert/BUILD.gn
index d5ab77000de..98c67ba3174 100644
--- a/chromium/net/cert/BUILD.gn
+++ b/chromium/net/cert/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2022 The Chromium Authors. All rights reserved.
+# Copyright 2022 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/cert/asn1_util.cc b/chromium/net/cert/asn1_util.cc
index 15393d933f4..3317f91f59e 100644
--- a/chromium/net/cert/asn1_util.cc
+++ b/chromium/net/cert/asn1_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/asn1_util.h b/chromium/net/cert/asn1_util.h
index 349b554b39a..c150068c219 100644
--- a/chromium/net/cert/asn1_util.h
+++ b/chromium/net/cert/asn1_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/caching_cert_verifier.cc b/chromium/net/cert/caching_cert_verifier.cc
index d2c1ead3399..25292129933 100644
--- a/chromium/net/cert/caching_cert_verifier.cc
+++ b/chromium/net/cert/caching_cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/caching_cert_verifier.h b/chromium/net/cert/caching_cert_verifier.h
index ce06e6eb840..aab0b2cba7f 100644
--- a/chromium/net/cert/caching_cert_verifier.h
+++ b/chromium/net/cert/caching_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/caching_cert_verifier_unittest.cc b/chromium/net/cert/caching_cert_verifier_unittest.cc
index ba1dbd68759..81cd7aa9830 100644
--- a/chromium/net/cert/caching_cert_verifier_unittest.cc
+++ b/chromium/net/cert/caching_cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_and_ct_verifier.cc b/chromium/net/cert/cert_and_ct_verifier.cc
index 1ddb9f1efe5..1c2136cd5e4 100644
--- a/chromium/net/cert/cert_and_ct_verifier.cc
+++ b/chromium/net/cert/cert_and_ct_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_and_ct_verifier.h b/chromium/net/cert/cert_and_ct_verifier.h
index cfcefaa1f86..4308e200952 100644
--- a/chromium/net/cert/cert_and_ct_verifier.h
+++ b/chromium/net/cert/cert_and_ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_and_ct_verifier_unittest.cc b/chromium/net/cert/cert_and_ct_verifier_unittest.cc
index 858a95250cd..ddb43875287 100644
--- a/chromium/net/cert/cert_and_ct_verifier_unittest.cc
+++ b/chromium/net/cert/cert_and_ct_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_database.cc b/chromium/net/cert/cert_database.cc
index 7e8220b4c14..728d9e443b0 100644
--- a/chromium/net/cert/cert_database.cc
+++ b/chromium/net/cert/cert_database.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_database.h b/chromium/net/cert/cert_database.h
index 0ffb928c9da..03c4f6aa8c3 100644
--- a/chromium/net/cert/cert_database.h
+++ b/chromium/net/cert/cert_database.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_database_mac.cc b/chromium/net/cert/cert_database_mac.cc
index f561550305f..e210e05e2cf 100644
--- a/chromium/net/cert/cert_database_mac.cc
+++ b/chromium/net/cert/cert_database_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_net_fetcher.h b/chromium/net/cert/cert_net_fetcher.h
index 3ac71321b22..e0ab43f9538 100644
--- a/chromium/net/cert/cert_net_fetcher.h
+++ b/chromium/net/cert/cert_net_fetcher.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_status_flags.cc b/chromium/net/cert/cert_status_flags.cc
index 5476b699af8..278c48ad3e4 100644
--- a/chromium/net/cert/cert_status_flags.cc
+++ b/chromium/net/cert/cert_status_flags.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_status_flags.h b/chromium/net/cert/cert_status_flags.h
index 4bd35186a33..20e648a81c3 100644
--- a/chromium/net/cert/cert_status_flags.h
+++ b/chromium/net/cert/cert_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_status_flags_list.h b/chromium/net/cert/cert_status_flags_list.h
index cd998473990..d5ab73cf40c 100644
--- a/chromium/net/cert/cert_status_flags_list.h
+++ b/chromium/net/cert/cert_status_flags_list.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_type.h b/chromium/net/cert/cert_type.h
index 84fc44ab1d5..accb2173e35 100644
--- a/chromium/net/cert/cert_type.h
+++ b/chromium/net/cert/cert_type.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verifier.cc b/chromium/net/cert/cert_verifier.cc
index fed64dcccc6..1868cd7542f 100644
--- a/chromium/net/cert/cert_verifier.cc
+++ b/chromium/net/cert/cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,13 +9,14 @@
 #include "base/strings/string_util.h"
 #include "build/build_config.h"
 #include "net/base/features.h"
+#include "net/cert/caching_cert_verifier.h"
 #include "net/cert/cert_verify_proc.h"
+#include "net/cert/coalescing_cert_verifier.h"
 #include "net/cert/crl_set.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
+#include "net/net_buildflags.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "third_party/boringssl/src/include/openssl/sha.h"
-#include "net/cert/caching_cert_verifier.h"
-#include "net/cert/coalescing_cert_verifier.h"
-#include "net/cert/multi_threaded_cert_verifier.h"
 
 namespace net {
 
@@ -78,21 +79,22 @@ bool CertVerifier::RequestParams::operator<( std::unique_ptr<CertVerifier> CertVerifier::CreateDefaultWithoutCaching( scoped_refptr<CertNetFetcher> cert_net_fetcher) { scoped_refptr<CertVerifyProc> verify_proc; +#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) + if (!verify_proc && + base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) { + verify_proc = CertVerifyProc::CreateBuiltinWithChromeRootStore( + std::move(cert_net_fetcher)); + } +#endif + if (!verify_proc) { #if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - verify_proc = - CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher)); -#elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) - if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) { verify_proc = CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher)); - } else { +#else verify_proc = CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher)); - } -#else - verify_proc = - CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher)); #endif + } return std::make_unique<MultiThreadedCertVerifier>(std::move(verify_proc)); } diff --git a/chromium/net/cert/cert_verifier.h b/chromium/net/cert/cert_verifier.h index cc03c8dc133..515fd040515 100644 --- a/chromium/net/cert/cert_verifier.h +++ b/chromium/net/cert/cert_verifier.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verifier_unittest.cc b/chromium/net/cert/cert_verifier_unittest.cc index 9a996fb8ffd..48531c891b2 100644 --- a/chromium/net/cert/cert_verifier_unittest.cc +++ b/chromium/net/cert/cert_verifier_unittest.cc 
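Review bot: In `CreateDefaultWithoutCaching` the first `!verify_proc` test is always true, because `verify_proc` was default-constructed on the line above, so the condition can be reduced to `if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) {`. The set of trust anchors used for verification is now selected by a runtime feature flag with no comment saying so; above the `#if` I would add `// Trust anchor source: Chrome Root Store when the feature is enabled, otherwise the platform default chosen below.` The fallback branch calls `CreateBuiltinVerifyProc` under `IS_FUCHSIA || IS_LINUX || IS_CHROMEOS`, while this commit declares that function under `IS_FUCHSIA || USE_NSS_CERTS` in cert_verify_proc.h; if this tree supports a Linux configuration without NSS, the two guards should be spelled the same way.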
@@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc.cc b/chromium/net/cert/cert_verify_proc.cc index eaeb8416f8b..4443323d356 100644 --- a/chromium/net/cert/cert_verify_proc.cc +++ b/chromium/net/cert/cert_verify_proc.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -48,14 +48,18 @@ #include "net/log/net_log_event_type.h" #include "net/log/net_log_values.h" #include "net/log/net_log_with_source.h" -#include "net/net_buildflags.h" #include "third_party/boringssl/src/include/openssl/pool.h" #include "url/url_canon.h" -#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC) +#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC) || \ + BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) #include "net/cert/cert_verify_proc_builtin.h" #endif +#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) +#include "net/cert/internal/trust_store_chrome.h" +#endif // CHROME_ROOT_STORE_SUPPORTED + #if BUILDFLAG(IS_ANDROID) #include "net/cert/cert_verify_proc_android.h" #elif BUILDFLAG(IS_IOS) 
@@ -226,9 +230,10 @@ void BestEffortCheckOCSP(const std::string& raw_response, certificate.intermediate_buffers().front().get()); } - verify_result->revocation_status = - CheckOCSP(raw_response, cert_der, issuer_der, base::Time::Now(), - kMaxRevocationLeafUpdateAge, &verify_result->response_status); + verify_result->revocation_status = CheckOCSP( + raw_response, std::string_view(cert_der.data(), cert_der.size()), + std::string_view(issuer_der.data(), issuer_der.size()), base::Time::Now(), + kMaxRevocationLeafUpdateAge, &verify_result->response_status); } // Records details about the most-specific trust anchor in |hashes|, which is @@ -387,17 +392,9 @@ bool AreSHA1IntermediatesAllowed() { switch (*cert_algorithm) { case SignatureAlgorithm::kRsaPkcs1Sha1: case SignatureAlgorithm::kEcdsaSha1: - case SignatureAlgorithm::kDsaSha1: verify_result->has_sha1 = true; return true; // For now. - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - case SignatureAlgorithm::kRsaPkcs1Md5: - // TODO(https://crbug.com/1321688): Remove these from the parser - // altogether. - return false; - case SignatureAlgorithm::kRsaPkcs1Sha256: case SignatureAlgorithm::kRsaPkcs1Sha384: case SignatureAlgorithm::kRsaPkcs1Sha512: @@ -407,7 +404,6 @@ bool AreSHA1IntermediatesAllowed() { case SignatureAlgorithm::kRsaPssSha256: case SignatureAlgorithm::kRsaPssSha384: case SignatureAlgorithm::kRsaPssSha512: - case SignatureAlgorithm::kDsaSha256: return true; } @@ -529,7 +525,7 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateSystemVerifyProc( } #endif -#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC) +#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) // static scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinVerifyProc( scoped_refptr<CertNetFetcher> cert_net_fetcher) { 
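Review bot: With the `kRsaPkcs1Md2`/`Md4`/`Md5` cases deleted from this switch (and `kDsaSha1`/`kDsaSha256` here and in the following hunk), nothing in the visible code rejects those algorithms any more; rejection presumably now depends on the parser never producing a `SignatureAlgorithm` for them, which the removed TODO hints at but the hunk does not show. I would record that at the top of the switch, e.g. `// MD2/MD4/MD5 and DSA signatures have no SignatureAlgorithm value; parsing fails before this point.`, and confirm that a unit test covers an MD5-signed certificate being refused. The SHA-1 cases still `return true;  // For now.`, so the same comment could say where `has_sha1` is acted on. The enclosing function starts and ends outside the hunk; the `@@` header appears to name the function before it.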
@@ -538,6 +534,17 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinVerifyProc( } #endif +#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) +// static +scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinWithChromeRootStore( + scoped_refptr<CertNetFetcher> cert_net_fetcher) { + return CreateCertVerifyProcBuiltin( + std::move(cert_net_fetcher), + CreateSslSystemTrustStoreChromeRoot( + std::make_unique<net::TrustStoreChrome>())); +} +#endif + CertVerifyProc::CertVerifyProc() = default; CertVerifyProc::~CertVerifyProc() = default; diff --git a/chromium/net/cert/cert_verify_proc.h b/chromium/net/cert/cert_verify_proc.h index 32e9fb1f8b0..0ffd5567020 100644 --- a/chromium/net/cert/cert_verify_proc.h +++ b/chromium/net/cert/cert_verify_proc.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -15,6 +15,7 @@ #include "crypto/crypto_buildflags.h" #include "net/base/hash_value.h" #include "net/base/net_export.h" +#include "net/net_buildflags.h" namespace net { @@ -87,12 +88,19 @@ class NET_EXPORT CertVerifyProc scoped_refptr<CertNetFetcher> cert_net_fetcher); #endif -#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC) +#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) // Creates and returns a CertVerifyProcBuiltin using the SSL SystemTrustStore. static scoped_refptr<CertVerifyProc> CreateBuiltinVerifyProc( scoped_refptr<CertNetFetcher> cert_net_fetcher); #endif +#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) + // Creates and returns a CertVerifyProcBuiltin using the Chrome Root Store + // SystemTrustStore. + static scoped_refptr<CertVerifyProc> CreateBuiltinWithChromeRootStore( + scoped_refptr<CertNetFetcher> cert_net_fetcher); +#endif + CertVerifyProc(const CertVerifyProc&) = delete; CertVerifyProc& operator=(const CertVerifyProc&) = delete; 
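Review bot: `CreateBuiltinWithChromeRootStore` builds its trust store from a default-constructed `net::TrustStoreChrome`, and neither this definition nor the header comment added later in the commit ("using the Chrome Root Store SystemTrustStore") says whether roots that were locally installed or locally distrusted on the platform are still consulted. That is the first thing an administrator will need to know when this verifier is switched on, so the declaration in cert_verify_proc.h should answer it, for example `// Trust anchors come from the compiled-in Chrome Root Store; see CreateSslSystemTrustStoreChromeRoot() for how platform trust settings are combined with it.` What `CreateSslSystemTrustStoreChromeRoot` does with platform settings is not visible here, so the wording needs checking against that function.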
diff --git a/chromium/net/cert/cert_verify_proc_android.cc b/chromium/net/cert/cert_verify_proc_android.cc index 95ec17f5ff2..c4e732c8f09 100644 --- a/chromium/net/cert/cert_verify_proc_android.cc +++ b/chromium/net/cert/cert_verify_proc_android.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -97,9 +97,9 @@ scoped_refptr<ParsedCertificate> FindLastCertWithUnknownIssuer( // successful and the result could be parsed as a certificate, and false // otherwise. bool PerformAIAFetchAndAddResultToVector(scoped_refptr<CertNetFetcher> fetcher, - base::StringPiece uri, + std::string_view uri, ParsedCertificateList* cert_list) { - GURL url(uri); + GURL url(base::StringPiece(uri.data(), uri.size())); if (!url.is_valid()) return false; std::unique_ptr<CertNetFetcher::Request> request(fetcher->FetchCaIssuers( diff --git a/chromium/net/cert/cert_verify_proc_android.h b/chromium/net/cert/cert_verify_proc_android.h index 9e8f2cc9660..394a25c931f 100644 --- a/chromium/net/cert/cert_verify_proc_android.h +++ b/chromium/net/cert/cert_verify_proc_android.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_android_unittest.cc b/chromium/net/cert/cert_verify_proc_android_unittest.cc index 2b3e37f544b..96a72b901f8 100644 --- a/chromium/net/cert/cert_verify_proc_android_unittest.cc +++ b/chromium/net/cert/cert_verify_proc_android_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
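Review bot: `uri` in `PerformAIAFetchAndAddResultToVector` is, going by the function name, an AIA URL read from a certificate that is still being verified, and the only check visible in the hunk before it is handed to the fetcher is `url.is_valid()`; the scheme is not restricted here. The unit test in this commit has the mocked fetcher answer a `file:` URL with `ERR_DISALLOWED_URL_SCHEME`, which suggests scheme filtering is the fetcher's responsibility, and a comment should say so: `// Scheme restrictions are enforced by CertNetFetcher, not here.` The `std::string_view` to `base::StringPiece` round trip on the `GURL url(...)` line deserves a short note that it exists only because the two view types do not convert implicitly (inferred from the explicit construction). The function body continues past the end of the hunk.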
@@ -17,6 +17,7 @@ #include "net/cert/x509_certificate.h" #include "net/cert/x509_util.h" #include "net/log/net_log_with_source.h" +#include "net/test/cert_builder.h" #include "net/test/cert_test_util.h" #include "net/test/test_certificate_data.h" #include "net/test/test_data_directory.h" 
@@ -33,64 +34,15 @@ namespace net { namespace { +const char kHostname[] = "example.com"; +const GURL kRootURL("http://aia.test/root"); +const GURL kIntermediateURL("http://aia.test/intermediate"); + std::unique_ptr<CertNetFetcher::Request> CreateMockRequestWithInvalidCertificate() { return MockCertNetFetcherRequest::Create(std::vector<uint8_t>({1, 2, 3})); } -::testing::AssertionResult ReadTestPem(const std::string& file_name, - const std::string& block_name, - std::string* result) { - const PemBlockMapping mappings[] = { - {block_name.c_str(), result}, - }; - - return ReadTestDataFromPemFile(file_name, mappings); -} - -::testing::AssertionResult ReadTestCert( - const std::string& file_name, - scoped_refptr<X509Certificate>* result) { - std::string der; - ::testing::AssertionResult r = - ReadTestPem("net/data/cert_issuer_source_aia_unittest/" + file_name, - "CERTIFICATE", &der); - if (!r) - return r; - *result = - X509Certificate::CreateFromBytes(base::as_bytes(base::make_span(der))); - if (!result) { - return ::testing::AssertionFailure() - << "X509Certificate::CreateFromBytes() failed"; - } - return ::testing::AssertionSuccess(); -} - -::testing::AssertionResult ReadTestAIARoot( - scoped_refptr<X509Certificate>* result) { - return ReadTestCert("root.pem", result); -} - -::testing::AssertionResult CreateCertificateChainFromFiles( - const std::vector<std::string>& files, - scoped_refptr<X509Certificate>* result) { - scoped_refptr<X509Certificate> leaf; - ::testing::AssertionResult r = ReadTestCert(files[0], &leaf); - if (!r) - return r; - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediate_buffers; - for (size_t i = 1; i < files.size(); i++) { - scoped_refptr<X509Certificate> intermediate; - r = ReadTestCert(files[i], &intermediate); - if (!r) - return r; - intermediate_buffers.push_back(bssl::UpRef(intermediate->cert_buffer())); - } - *result = X509Certificate::CreateFromBuffer(bssl::UpRef(leaf->cert_buffer()), - std::move(intermediate_buffers)); - return 
::testing::AssertionSuccess(); -} - // A test fixture for testing CertVerifyProcAndroid AIA fetching. It creates, // sets up, and shuts down a MockCertNetFetcher for CertVerifyProcAndroid to // use, and enables the field trial for AIA fetching. @@ -98,6 +50,15 @@ class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test { public: void SetUp() override { fetcher_ = base::MakeRefCounted<MockCertNetFetcher>(); + + // Generate a certificate chain with AIA pointers. Tests can modify these + // if testing a different scenario. + CertBuilder::CreateSimpleChain(&leaf_, &intermediate_, &root_); + ASSERT_TRUE(leaf_ && intermediate_ && root_); + root_->SetCaIssuersUrl(kRootURL); + intermediate_->SetCaIssuersUrl(kRootURL); + leaf_->SetCaIssuersUrl(kIntermediateURL); + leaf_->SetSubjectAltName(kHostname); } void TearDown() override { @@ -106,21 +67,27 @@ class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test { ASSERT_TRUE(testing::Mock::VerifyAndClearExpectations(fetcher_.get())); } + scoped_refptr<X509Certificate> LeafOnly() { + return leaf_->GetX509Certificate(); + } + + scoped_refptr<X509Certificate> LeafWithIntermediate() { + return leaf_->GetX509CertificateChain(); + } + protected: - ::testing::AssertionResult SetUpTestRoot() { - ::testing::AssertionResult r = ReadTestAIARoot(&root_); - if (!r) - return r; - scoped_test_root_ = std::make_unique<ScopedTestRoot>(root_.get()); - return ::testing::AssertionSuccess(); + void TrustTestRoot() { + scoped_test_root_.Reset({root_->GetX509Certificate()}); } scoped_refptr<MockCertNetFetcher> fetcher_; const CertificateList empty_cert_list_; + std::unique_ptr<CertBuilder> root_; + std::unique_ptr<CertBuilder> intermediate_; + std::unique_ptr<CertBuilder> leaf_; private: - scoped_refptr<X509Certificate> root_; - std::unique_ptr<ScopedTestRoot> scoped_test_root_; + ScopedTestRoot scoped_test_root_; }; } // namespace 
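Review bot: `kRootURL` and `kIntermediateURL` in the `@@ -33,64 +34,15 @@` hunk are namespace-scope `GURL` objects, so they are built by a static initializer and destroyed at exit, which Chromium style avoids for class types. Keeping the strings as constants next to `kHostname`, e.g. `const char kRootURL[] = "http://aia.test/root";`, and constructing the `GURL` at the point of use or in `SetUp()` keeps the readability without the global objects. Later hunks in this file already take that approach locally with `const GURL kFileURL(...)` inside the test body.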
@@ -129,32 +96,28 @@ class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test { // no AIA fetch occurs. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoFetchIfProperIntermediatesSupplied) { - ASSERT_TRUE(SetUpTestRoot()); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> leaf; - ASSERT_TRUE( - CreateCertificateChainFromFiles({"target_one_aia.pem", "i.pem"}, &leaf)); CertVerifyResult verify_result; - EXPECT_EQ( - OK, - proc->Verify(leaf.get(), "target", /*ocsp_response=*/std::string(), - /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), - empty_cert_list_, &verify_result, NetLogWithSource())); + EXPECT_EQ(OK, proc->Verify(LeafWithIntermediate().get(), kHostname, + /*ocsp_response=*/std::string(), + /*sct_list=*/std::string(), 0, + CRLSet::BuiltinCRLSet().get(), empty_cert_list_, + &verify_result, NetLogWithSource())); } // Tests that if the certificate does not contain an AIA URL, no AIA fetch // occurs. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) { - ASSERT_TRUE(SetUpTestRoot()); + leaf_->SetCaIssuersAndOCSPUrls(/*ca_issuers_urls=*/{}, /*ocsp_urls=*/{}); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_no_aia.pem", &cert)); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
@@ -163,30 +126,29 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) { // there are two fetches, with the latter resulting in a successful // verification. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) { - ASSERT_TRUE(SetUpTestRoot()); + const GURL kFileURL("file:///dev/null"); + leaf_->SetCaIssuersAndOCSPUrls( + /*ca_issuers_urls=*/{kFileURL, kIntermediateURL}, + /*ocsp_urls=*/{}); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_file_and_http_aia.pem", &cert)); - scoped_refptr<X509Certificate> intermediate; - ASSERT_TRUE(ReadTestCert("i2.pem", &intermediate)); // Expect two fetches: the file:// URL (which returns an error), and the // http:// URL that returns a valid intermediate signed by |root_|. Though the // intermediate itself contains an AIA URL, it should not be fetched because // |root_| is in the test trust store. - EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("file:///dev/null"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kFileURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(ERR_DISALLOWED_URL_SCHEME)))); - EXPECT_CALL(*fetcher_, - FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( - MockCertNetFetcherRequest::Create(intermediate->cert_buffer())))); + MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer())))); CertVerifyResult verify_result; EXPECT_EQ( OK, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
@@ -195,22 +157,20 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) { // verification should fail. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, UnsuccessfulVerificationWithLeafOnly) { - ASSERT_TRUE(SetUpTestRoot()); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert)); const scoped_refptr<X509Certificate> bad_intermediate = ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); - EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( MockCertNetFetcherRequest::Create(bad_intermediate->cert_buffer())))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
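Review bot: `bad_intermediate` is dereferenced in the `FetchCaIssuers` expectation without being checked, so a missing or unreadable `ok_cert.pem` would crash the test instead of failing it. The `TwoHTTPURLs` hunk later in this file loads the same file and adds `ASSERT_TRUE(unrelated);`; the matching line, `ASSERT_TRUE(bad_intermediate);`, belongs directly after the `ImportCertFromFile` call here.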
@@ -219,19 +179,17 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, // should fail. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, UnsuccessfulVerificationWithLeafOnlyAndErrorOnFetch) { - ASSERT_TRUE(SetUpTestRoot()); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert)); - EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
@@ -240,19 +198,17 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, // verification should fail. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, UnsuccessfulVerificationWithLeafOnlyAndUnparseableFetch) { - ASSERT_TRUE(SetUpTestRoot()); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert)); - EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove(CreateMockRequestWithInvalidCertificate()))); CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
@@ -261,33 +217,34 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, // one serves an unrelated certificate and one serves a proper intermediate, the // latter should be used to build a valid chain. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) { - ASSERT_TRUE(SetUpTestRoot()); + const GURL kUnrelatedURL("http://aia.test/unrelated"); + leaf_->SetCaIssuersAndOCSPUrls( + /*ca_issuers_urls=*/{kUnrelatedURL, kIntermediateURL}, + /*ocsp_urls=*/{}); + scoped_refptr<X509Certificate> unrelated = + ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"); + ASSERT_TRUE(unrelated); + + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_two_aia.pem", &cert)); - scoped_refptr<X509Certificate> intermediate; - ASSERT_TRUE(ReadTestCert("i2.pem", &intermediate)); - scoped_refptr<X509Certificate> unrelated; - ASSERT_TRUE(ReadTestCert("target_three_aia.pem", &unrelated)); // Expect two fetches, the first of which returns an unrelated certificate // that is not useful in chain-building, and the second of which returns a // valid intermediate signed by |root_|. Though the intermediate itself // contains an AIA URL, it should not be fetched because |root_| is in the // trust store. 
- EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kUnrelatedURL, _, _)) .WillOnce(Return( ByMove(MockCertNetFetcherRequest::Create(unrelated->cert_buffer())))); - EXPECT_CALL(*fetcher_, - FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( - MockCertNetFetcherRequest::Create(intermediate->cert_buffer())))); + MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer())))); CertVerifyResult verify_result; EXPECT_EQ( OK, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
@@ -297,33 +254,27 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) { TEST_F(CertVerifyProcAndroidTestWithAIAFetching, AIAFetchForFetchedIntermediate) { // Do not set up the test root to be trusted. If the test root were trusted, - // then the intermediate i2.pem would not require an AIA fetch. With the test - // root untrusted, i2.pem does not verify and so it will trigger an AIA fetch. + // then the intermediate would not require an AIA fetch. With the test root + // untrusted, the intermediate does not verify and so it will trigger an AIA + // fetch. scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert)); - scoped_refptr<X509Certificate> intermediate; - ASSERT_TRUE(ReadTestCert("i2.pem", &intermediate)); - scoped_refptr<X509Certificate> root; - ASSERT_TRUE(ReadTestAIARoot(&root)); // Expect two fetches, the first of which returns an intermediate that itself // has an AIA URL. - EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _)) + EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _)) .WillOnce(Return(ByMove( - MockCertNetFetcherRequest::Create(intermediate->cert_buffer())))); - EXPECT_CALL(*fetcher_, - FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _)) + MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer())))); + EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _)) .WillOnce(Return( - ByMove(MockCertNetFetcherRequest::Create(root->cert_buffer())))); + ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer())))); CertVerifyResult verify_result; // This chain results in an AUTHORITY_INVALID root because |root_| is not // trusted. 
EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } @@ -331,11 +282,15 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, // Tests that if a certificate contains six AIA URLs, only the first five are // fetched, since the maximum number of fetches per Verify() call is five. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) { - ASSERT_TRUE(SetUpTestRoot()); + leaf_->SetCaIssuersAndOCSPUrls( + /*ca_issuers_urls=*/{GURL("http://aia.test/1"), GURL("http://aia.test/2"), + GURL("http://aia.test/3"), GURL("http://aia.test/4"), + GURL("http://aia.test/5"), + GURL("http://aia.test/6")}, + /*ocsp_urls=*/{}); + TrustTestRoot(); scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> cert; - ASSERT_TRUE(ReadTestCert("target_six_aia.pem", &cert)); EXPECT_CALL(*fetcher_, FetchCaIssuers(_, _, _)) .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED)))) @@ -347,7 +302,7 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) { CertVerifyResult verify_result; EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } 
@@ -356,27 +311,23 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) { // that AIA URL is fetched if necessary. TEST_F(CertVerifyProcAndroidTestWithAIAFetching, FetchForSuppliedIntermediate) { // Do not set up the test root to be trusted. If the test root were trusted, - // then the intermediate i.pem would not require an AIA fetch. With the test - // root untrusted, i.pem does not verify and so it will trigger an AIA fetch. + // then the intermediate would not require an AIA fetch. With the test root + // untrusted, the intermediate does not verify and so it will trigger an AIA + // fetch. scoped_refptr<CertVerifyProcAndroid> proc = base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_); - scoped_refptr<X509Certificate> leaf; - ASSERT_TRUE( - CreateCertificateChainFromFiles({"target_one_aia.pem", "i.pem"}, &leaf)); - scoped_refptr<X509Certificate> root; - ASSERT_TRUE(ReadTestAIARoot(&root)); - - EXPECT_CALL(*fetcher_, - FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _)) + + EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _)) .WillOnce(Return( - ByMove(MockCertNetFetcherRequest::Create(root->cert_buffer())))); + ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer())))); CertVerifyResult verify_result; // This chain results in an AUTHORITY_INVALID root because |root_| is not // trusted. EXPECT_EQ( ERR_CERT_AUTHORITY_INVALID, - proc->Verify(leaf.get(), "target", /*ocsp_response=*/std::string(), + proc->Verify(LeafWithIntermediate().get(), kHostname, + /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), empty_cert_list_, &verify_result, NetLogWithSource())); } diff --git a/chromium/net/cert/cert_verify_proc_blocklist.inc b/chromium/net/cert/cert_verify_proc_blocklist.inc index b2806489b89..f543de9fc1e 100644 --- a/chromium/net/cert/cert_verify_proc_blocklist.inc +++ b/chromium/net/cert/cert_verify_proc_blocklist.inc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_builtin.cc b/chromium/net/cert/cert_verify_proc_builtin.cc index afe1bc86066..6cf4ae8ee5f 100644 --- a/chromium/net/cert/cert_verify_proc_builtin.cc +++ b/chromium/net/cert/cert_verify_proc_builtin.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -493,7 +493,7 @@ void MapPathBuilderErrorsToCertStatus(const CertPathErrors& errors, // IMPORTANT: If the path was invalid for a reason that was not // explicity checked above, set a general error. This is important as // |cert_status| is what ultimately indicates whether verification was - // successful or not (absense of errors implies success). + // successful or not (absence of errors implies success). if (!IsCertStatusError(*cert_status)) *cert_status |= CERT_STATUS_INVALID; } @@ -742,7 +742,7 @@ int CertVerifyProcBuiltin::VerifyInternal( net_log.AddEvent(NetLogEventType::CERT_VERIFY_PROC_TARGET_CERT, [&] { return NetLogCertParams(input_cert->cert_buffer(), parsing_errors); }); - if (!target) { + if (!target || !target->signature_algorithm()) { verify_result->cert_status |= CERT_STATUS_INVALID; return ERR_CERT_INVALID; } diff --git a/chromium/net/cert/cert_verify_proc_builtin.h b/chromium/net/cert/cert_verify_proc_builtin.h index 74400831b98..dc87a500343 100644 --- a/chromium/net/cert/cert_verify_proc_builtin.h +++ b/chromium/net/cert/cert_verify_proc_builtin.h 
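Review bot: The widened guard in CertVerifyProcBuiltin::VerifyInternal, `if (!target || !target->signature_algorithm())`, now covers two different failures but has no comment and no distinct log signal. The CERT_VERIFY_PROC_TARGET_CERT NetLog event just above it is emitted with `parsing_errors`, which is presumably empty when the certificate parsed correctly and only its signature algorithm was unrecognised. I would add a comment such as `// A target with an unrecognized signature algorithm cannot have its signature checked; reject it like an unparsable certificate.` and consider recording the reason in the log so that triage can tell the two cases apart. The function body starts and continues outside the hunk.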
@@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_builtin_unittest.cc b/chromium/net/cert/cert_verify_proc_builtin_unittest.cc index a69e47a46e5..02702f453eb 100644 --- a/chromium/net/cert/cert_verify_proc_builtin_unittest.cc +++ b/chromium/net/cert/cert_verify_proc_builtin_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,6 +6,7 @@ #include "base/memory/raw_ptr.h" #include "base/numerics/safe_conversions.h" +#include "base/ranges/algorithm.h" #include "base/run_loop.h" #include "base/strings/stringprintf.h" #include "base/task/thread_pool.h" 
@@ -530,25 +531,25 @@ TEST_F(CertVerifyProcBuiltinTest, EVNoOCSPRevocationChecks) { auto events = net_log_observer.GetEntriesForSource(verify_net_log_source); - auto event = std::find_if(events.begin(), events.end(), [](const auto& e) { - return e.type == NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT; - }); + auto event = base::ranges::find( + events, NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT, + &NetLogEntry::type); ASSERT_NE(event, events.end()); EXPECT_EQ(net::NetLogEventPhase::BEGIN, event->phase); ASSERT_TRUE(event->params.is_dict()); EXPECT_EQ(true, event->params.FindBoolKey("is_ev_attempt")); - event = std::find_if(++event, events.end(), [](const auto& e) { - return e.type == NetLogEventType::CERT_VERIFY_PROC_PATH_BUILT; - }); + event = base::ranges::find(++event, events.end(), + NetLogEventType::CERT_VERIFY_PROC_PATH_BUILT, + &NetLogEntry::type); ASSERT_NE(event, events.end()); EXPECT_EQ(net::NetLogEventPhase::NONE, event->phase); ASSERT_TRUE(event->params.is_dict()); EXPECT_FALSE(event->params.FindStringKey("errors")); - event = std::find_if(++event, events.end(), [](const auto& e) { - return e.type == NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT; - }); + event = base::ranges::find( + ++event, events.end(), + NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT, &NetLogEntry::type); ASSERT_NE(event, events.end()); EXPECT_EQ(net::NetLogEventPhase::END, event->phase); ASSERT_TRUE(event->params.is_dict()); 
@@ -640,6 +641,22 @@ TEST_F(CertVerifyProcBuiltinTest, DebugData) { namespace { +// Returns a TLV to use as an unknown signature algorithm when building a cert. +// The specific contents are as follows (the OID is from +// https://davidben.net/oid): +// +// SEQUENCE { +// OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.0 } +// NULL {} +// } +std::string UnknownSignatureAlgorithmTLV() { + const uint8_t kInvalidSignatureAlgorithmTLV[] = { + 0x30, 0x10, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x12, 0x04, 0x01, 0x84, 0xb7, 0x09, 0x00, 0x05, 0x00}; + return std::string(std::begin(kInvalidSignatureAlgorithmTLV), + std::end(kInvalidSignatureAlgorithmTLV)); +} + // Returns a TLV to use as an invalid signature algorithm when building a cert. // This is a SEQUENCE so that it will pass the ParseCertificate code // and fail inside ParseSignatureAlgorithm. 
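Review bot: Inside `UnknownSignatureAlgorithmTLV()` the local array is named `kInvalidSignatureAlgorithmTLV`, which contradicts the helper's own name and blurs the distinction the tests rely on. An unknown algorithm is a well-formed AlgorithmIdentifier with an unrecognised OID, whereas the neighbouring `InvalidSignatureAlgorithmTLV()` is documented as failing inside ParseSignatureAlgorithm. Renaming it to `const uint8_t kUnknownSignatureAlgorithmTLV[] = {` (and in the two `std::begin`/`std::end` uses) would fix this. The bytes themselves match the comment: `0x30 0x10` is a 16-byte SEQUENCE holding a 12-byte OID and `0x05 0x00` NULL.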
@@ -655,6 +672,30 @@ std::string InvalidSignatureAlgorithmTLV() { } // namespace +TEST_F(CertVerifyProcBuiltinTest, UnknownSignatureAlgorithmTarget) { + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CreateChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + leaf->SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV()); + + // Trust the root and build a chain to verify that includes the intermediate. + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); + scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain(); + ASSERT_TRUE(chain.get()); + + int flags = 0; + CertVerifyResult verify_result; + NetLogSource verify_net_log_source; + TestCompletionCallback callback; + Verify(chain.get(), "www.example.com", flags, CertificateList(), + &verify_result, &verify_net_log_source, callback.callback()); + int error = callback.WaitForResult(); + // Unknown signature algorithm in the leaf cert should result in the cert + // being invalid. + EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); + EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); +} + TEST_F(CertVerifyProcBuiltinTest, UnparsableMismatchedTBSSignatureAlgorithmTarget) { std::unique_ptr<CertBuilder> leaf, root; 
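Review bot: UnknownSignatureAlgorithmTarget repeats, line for line, the verification boilerplate that UnknownSignatureAlgorithmIntermediate and UnknownSignatureAlgorithmRoot add in the following hunks. Only the builder that receives `SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV())` and the final expectation differ. A small fixture helper for the Verify-and-wait part would keep the three cases in step and make the security-relevant difference between them easier to see. The comment "build a chain to verify that includes the intermediate" is also copied into all three tests, though here the leaf is the certificate under test.
```cpp
// Verifies |chain| for "www.example.com" with default flags and returns the
// net error; |verify_result| receives the detailed status.
int VerifyChainAndWait(X509Certificate* chain,
                       CertVerifyResult* verify_result) {
  NetLogSource verify_net_log_source;
  TestCompletionCallback callback;
  Verify(chain, "www.example.com", /*flags=*/0, CertificateList(),
         verify_result, &verify_net_log_source, callback.callback());
  return callback.WaitForResult();
}

// … unchanged: CreateChain, SetSignatureAlgorithmTLV, ScopedTestRoot setup …
CertVerifyResult verify_result;
int error = VerifyChainAndWait(chain.get(), &verify_result);
```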
@@ -681,6 +722,30 @@ TEST_F(CertVerifyProcBuiltinTest, EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); } +TEST_F(CertVerifyProcBuiltinTest, UnknownSignatureAlgorithmIntermediate) { + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CreateChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + intermediate->SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV()); + + // Trust the root and build a chain to verify that includes the intermediate. + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); + scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain(); + ASSERT_TRUE(chain.get()); + + int flags = 0; + CertVerifyResult verify_result; + NetLogSource verify_net_log_source; + TestCompletionCallback callback; + Verify(chain.get(), "www.example.com", flags, CertificateList(), + &verify_result, &verify_net_log_source, callback.callback()); + int error = callback.WaitForResult(); + // Unknown signature algorithm in the intermediate cert should result in the + // cert being invalid. + EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID); + EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); +} + TEST_F(CertVerifyProcBuiltinTest, UnparsableMismatchedTBSSignatureAlgorithmIntermediate) { std::unique_ptr<CertBuilder> leaf, intermediate, root; 
@@ -708,6 +773,29 @@ TEST_F(CertVerifyProcBuiltinTest, EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); } +TEST_F(CertVerifyProcBuiltinTest, UnknownSignatureAlgorithmRoot) { + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CreateChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + root->SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV()); + + // Trust the root and build a chain to verify that includes the intermediate. + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); + scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain(); + ASSERT_TRUE(chain.get()); + + int flags = 0; + CertVerifyResult verify_result; + NetLogSource verify_net_log_source; + TestCompletionCallback callback; + Verify(chain.get(), "www.example.com", flags, CertificateList(), + &verify_result, &verify_net_log_source, callback.callback()); + int error = callback.WaitForResult(); + // Unknown signature algorithm in the root cert should have no effect on + // verification. + EXPECT_THAT(error, IsOk()); +} + // This test is disabled on Android as adding the invalid root through // ScopedTestRoot causes it to be parsed by the Java X509 code which barfs. We // could re-enable if Chrome on Android has fully switched to the diff --git a/chromium/net/cert/cert_verify_proc_ios.cc b/chromium/net/cert/cert_verify_proc_ios.cc index 634266c003b..cfd7a34dbc3 100644 --- a/chromium/net/cert/cert_verify_proc_ios.cc +++ b/chromium/net/cert/cert_verify_proc_ios.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_ios.h b/chromium/net/cert/cert_verify_proc_ios.h index 9a097add531..5c4cb1c603b 100644 --- a/chromium/net/cert/cert_verify_proc_ios.h +++ b/chromium/net/cert/cert_verify_proc_ios.h 
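Review bot: UnknownSignatureAlgorithmRoot asserts only `EXPECT_THAT(error, IsOk())`, whereas the Target and Intermediate variants also inspect `verify_result.cert_status`. The comment in cert_verify_proc_builtin.cc on this page stresses that `cert_status` is what ultimately indicates success, so adding `EXPECT_FALSE(IsCertStatusError(verify_result.cert_status));` would pin that no error bit leaks through for the trust anchor. The closing comment could also say why the root is exempt, presumably because a certificate trusted through ScopedTestRoot never has its own signature checked.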
@@ -1,4 +1,4 @@ -// Copyright (c) 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_mac.cc b/chromium/net/cert/cert_verify_proc_mac.cc index 395c467be7e..c8016cd15b2 100644 --- a/chromium/net/cert/cert_verify_proc_mac.cc +++ b/chromium/net/cert/cert_verify_proc_mac.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_mac.h b/chromium/net/cert/cert_verify_proc_mac.h index 84ea532464f..848af12dfdf 100644 --- a/chromium/net/cert/cert_verify_proc_mac.h +++ b/chromium/net/cert/cert_verify_proc_mac.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_mac_unittest.cc b/chromium/net/cert/cert_verify_proc_mac_unittest.cc index 908d5fccd15..0432999eecb 100644 --- a/chromium/net/cert/cert_verify_proc_mac_unittest.cc +++ b/chromium/net/cert/cert_verify_proc_mac_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_unittest.cc b/chromium/net/cert/cert_verify_proc_unittest.cc index edbe04abeda..0fadd0cf800 100644 --- a/chromium/net/cert/cert_verify_proc_unittest.cc +++ b/chromium/net/cert/cert_verify_proc_unittest.cc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -15,6 +15,7 @@ #include "base/memory/raw_ptr.h" #include "base/message_loop/message_pump_type.h" #include "base/rand_util.h" +#include "base/ranges/algorithm.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_piece.h" #include "base/strings/string_util.h" @@ -63,11 +64,11 @@ #include "net/url_request/url_request_context_getter.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" +#include "third_party/boringssl/src/include/openssl/bytestring.h" #include "third_party/boringssl/src/include/openssl/mem.h" #include "third_party/boringssl/src/include/openssl/pool.h" #if BUILDFLAG(IS_ANDROID) -#include "base/android/build_info.h" #include "net/cert/cert_verify_proc_android.h" #elif BUILDFLAG(IS_IOS) #include "base/ios/ios_util.h" @@ -203,9 +204,11 @@ scoped_refptr<CertVerifyProc> CreateCertVerifyProc( case CERT_VERIFY_PROC_WIN: return base::MakeRefCounted<CertVerifyProcWin>(); #endif +#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) case CERT_VERIFY_PROC_BUILTIN: return CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher), CreateSslSystemTrustStore()); +#endif #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS: return CreateCertVerifyProcBuiltin( @@ -230,7 +233,7 @@ const std::vector<CertVerifyProcType> kAllCertVerifiers = { #elif BUILDFLAG(IS_IOS) CERT_VERIFY_PROC_IOS #elif BUILDFLAG(IS_MAC) - CERT_VERIFY_PROC_MAC, CERT_VERIFY_PROC_BUILTIN, + CERT_VERIFY_PROC_MAC, #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS #endif 
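Review bot: The new `#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)` around `case CERT_VERIFY_PROC_BUILTIN:` in CreateCertVerifyProc has to be kept in step by hand with kAllCertVerifiers, which the next hunk edits to drop CERT_VERIFY_PROC_BUILTIN from the Mac list. If a platform list ever names the type while the case is compiled out, the switch reaches whatever follows it (not visible in this hunk) instead of failing to compile. A comment on the guard, for example `// Keep in sync with the per-platform entries in kAllCertVerifiers.`, would document the coupling. The function starts and ends outside the hunk.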
@@ -350,19 +353,6 @@ class CertVerifyProcInternalTest return verify_proc_->SupportsAdditionalTrustAnchors(); } - bool SupportsReturningVerifiedChain() const { -#if BUILDFLAG(IS_ANDROID) - // Before API level 17 (SDK_VERSION_JELLY_BEAN_MR1), Android does - // not expose the APIs necessary to get at the verified - // certificate chain. - if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID && - base::android::BuildInfo::GetInstance()->sdk_int() < - base::android::SDK_VERSION_JELLY_BEAN_MR1) - return false; -#endif - return true; - } - // Returns true if the RSA/DSA keysize will be considered weak on the current // platform. IsInvalidRsaDsaKeySize should be checked prior, since some very // weak keys may be considered invalid. @@ -502,13 +492,18 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) { return; } - scoped_refptr<X509Certificate> cert = - ImportCertFromFile(GetTestCertsDirectory(), "ev-multi-oid.pem"); - scoped_refptr<X509Certificate> root = - ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"); - ASSERT_TRUE(cert); - ASSERT_TRUE(root); - ScopedTestRoot test_root(root.get()); + std::unique_ptr<CertBuilder> leaf, root; + CertBuilder::CreateSimpleChain(&leaf, &root); + ASSERT_TRUE(leaf && root); + + // The policies that target certificate asserts. + static const char kOtherTestCertPolicy[] = "2.23.140.1.1"; + static const char kEVTestCertPolicy[] = "1.2.3.4"; + // Specify the extraneous policy first, then the actual policy. + leaf->SetCertificatePolicies({kOtherTestCertPolicy, kEVTestCertPolicy}); + + scoped_refptr<X509Certificate> cert = leaf->GetX509Certificate(); + ScopedTestRoot test_root(root->GetX509Certificate().get()); // Build a CRLSet that covers the target certificate. // 
@@ -516,26 +511,23 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) { // so this test does not depend on online revocation checking. base::StringPiece spki; ASSERT_TRUE(asn1::ExtractSPKIFromDERCert( - x509_util::CryptoBufferAsStringPiece(root->cert_buffer()), &spki)); + x509_util::CryptoBufferAsStringPiece(root->GetCertBuffer()), &spki)); SHA256HashValue spki_sha256; crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data)); scoped_refptr<CRLSet> crl_set( CRLSet::ForTesting(false, &spki_sha256, "", "", {})); - // The policies that "ev-multi-oid.pem" target certificate asserts. - static const char kOtherTestCertPolicy[] = "2.23.140.1.1"; - static const char kEVTestCertPolicy[] = "1.2.3.4"; // Consider the root of the test chain a valid EV root for the test policy. ScopedTestEVPolicy scoped_test_ev_policy( EVRootCAMetadata::GetInstance(), - X509Certificate::CalculateFingerprint256(root->cert_buffer()), + X509Certificate::CalculateFingerprint256(root->GetCertBuffer()), kEVTestCertPolicy); ScopedTestEVPolicy scoped_test_other_policy( EVRootCAMetadata::GetInstance(), SHA256HashValue(), kOtherTestCertPolicy); CertVerifyResult verify_result; int flags = 0; - int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(), + int error = Verify(cert.get(), "www.example.com", flags, crl_set.get(), CertificateList(), &verify_result); EXPECT_THAT(error, IsOk()); EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); 
@@ -545,20 +537,22 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) { // length 1 because the target cert was directly trusted in the trust store. // Should verify OK but not with STATUS_IS_EV. TEST_P(CertVerifyProcInternalTest, TrustedTargetCertWithEVPolicy) { - // The policy that "explicit-policy-chain.pem" target certificate asserts. + std::unique_ptr<CertBuilder> leaf, root; + CertBuilder::CreateSimpleChain(&leaf, &root); + ASSERT_TRUE(leaf && root); + static const char kEVTestCertPolicy[] = "1.2.3.4"; + leaf->SetCertificatePolicies({kEVTestCertPolicy}); ScopedTestEVPolicy scoped_test_ev_policy( EVRootCAMetadata::GetInstance(), SHA256HashValue(), kEVTestCertPolicy); - scoped_refptr<X509Certificate> cert = - ImportCertFromFile(GetTestCertsDirectory(), "explicit-policy-chain.pem"); - ASSERT_TRUE(cert); + scoped_refptr<X509Certificate> cert = leaf->GetX509Certificate(); ScopedTestRoot scoped_test_root(cert.get()); CertVerifyResult verify_result; int flags = 0; int error = - Verify(cert.get(), "policy_test.example", flags, + Verify(cert.get(), "www.example.com", flags, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); if (ScopedTestRootCanTrustTargetCert(verify_proc_type())) { EXPECT_THAT(error, IsOk()); 
@@ -576,27 +570,23 @@ TEST_P(CertVerifyProcInternalTest, TrustedTargetCertWithEVPolicy) { // explode if it does. TEST_P(CertVerifyProcInternalTest, TrustedTargetCertWithEVPolicyAndEVFingerprint) { - // The policy that "explicit-policy-chain.pem" target certificate asserts. + std::unique_ptr<CertBuilder> leaf, root; + CertBuilder::CreateSimpleChain(&leaf, &root); + ASSERT_TRUE(leaf && root); + static const char kEVTestCertPolicy[] = "1.2.3.4"; - // This the fingerprint of the "explicit-policy-chain.pem" target certificate. - // See net/data/ssl/certificates/explicit-policy-chain.pem - static const SHA256HashValue kEVTestCertFingerprint = { - {0x71, 0xac, 0xfa, 0x12, 0xa4, 0x42, 0x31, 0x3c, 0xff, 0x10, 0xd2, - 0x9d, 0xb6, 0x1b, 0x4a, 0xe8, 0x25, 0x4e, 0x77, 0xd3, 0x9f, 0xa3, - 0x2f, 0xb3, 0x19, 0x8d, 0x46, 0x9f, 0xb7, 0x73, 0x07, 0x30}}; - ScopedTestEVPolicy scoped_test_ev_policy(EVRootCAMetadata::GetInstance(), - kEVTestCertFingerprint, - kEVTestCertPolicy); - - scoped_refptr<X509Certificate> cert = - ImportCertFromFile(GetTestCertsDirectory(), "explicit-policy-chain.pem"); - ASSERT_TRUE(cert); + leaf->SetCertificatePolicies({kEVTestCertPolicy}); + ScopedTestEVPolicy scoped_test_ev_policy( + EVRootCAMetadata::GetInstance(), + X509Certificate::CalculateFingerprint256(leaf->GetCertBuffer()), + kEVTestCertPolicy); + scoped_refptr<X509Certificate> cert = leaf->GetX509Certificate(); ScopedTestRoot scoped_test_root(cert.get()); CertVerifyResult verify_result; int flags = 0; int error = - Verify(cert.get(), "policy_test.example", flags, + Verify(cert.get(), "www.example.com", flags, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); if (ScopedTestRootCanTrustTargetCert(verify_proc_type())) { EXPECT_THAT(error, IsOk()); 
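Review bot: In TrustedTargetCertWithEVPolicyAndEVFingerprint the EV fingerprint is now derived from `leaf->GetCertBuffer()` rather than a hard-coded hash, so it is only right if every mutation of `leaf` precedes that call. Here `SetCertificatePolicies` does come first, but nothing states that the order matters. A comment above the ScopedTestEVPolicy, for example `// Must follow all changes to |leaf|: the fingerprint is taken over the final certificate bytes.`, would stop a later edit from registering a stale fingerprint and silently turning this into a test of the non-matching case. The test body continues outside the hunk.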
@@ -623,59 +613,32 @@ TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) { return; } - CertificateList orig_certs = CreateCertificateListFromFile( - GetTestCertsDirectory(), "explicit-policy-chain.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(3U, orig_certs.size()); - for (bool trust_the_intermediate : {false, true}) { SCOPED_TRACE(trust_the_intermediate); // Need to build unique certs for each try otherwise caching can break // things. - CertBuilder root(orig_certs[2]->cert_buffer(), nullptr); - root.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); - root.GenerateECKey(); - CertBuilder intermediate(orig_certs[1]->cert_buffer(), &root); - intermediate.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); - intermediate.GenerateECKey(); - CertBuilder leaf(orig_certs[0]->cert_buffer(), &intermediate); - leaf.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); - leaf.GenerateECKey(); - - // The policy that "explicit-policy-chain.pem" target certificate asserts. + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + static const char kEVTestCertPolicy[] = "1.2.3.4"; + leaf->SetCertificatePolicies({kEVTestCertPolicy}); + intermediate->SetCertificatePolicies({kEVTestCertPolicy}); // Consider the root of the test chain a valid EV root for the test policy. ScopedTestEVPolicy scoped_test_ev_policy( EVRootCAMetadata::GetInstance(), - X509Certificate::CalculateFingerprint256(root.GetCertBuffer()), + X509Certificate::CalculateFingerprint256(root->GetCertBuffer()), kEVTestCertPolicy); - // CRLSet which covers the leaf. 
- base::StringPiece intermediate_spki; - ASSERT_TRUE(asn1::ExtractSPKIFromDERCert( - x509_util::CryptoBufferAsStringPiece(intermediate.GetCertBuffer()), - &intermediate_spki)); - SHA256HashValue intermediate_spki_hash; - crypto::SHA256HashString(intermediate_spki, &intermediate_spki_hash, - sizeof(SHA256HashValue)); - scoped_refptr<CRLSet> crl_set = - CRLSet::ForTesting(false, &intermediate_spki_hash, "", "", {}); - - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; - intermediates.push_back(bssl::UpRef(intermediate.GetCertBuffer())); - scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer( - bssl::UpRef(leaf.GetCertBuffer()), std::move(intermediates)); + scoped_refptr<X509Certificate> cert = leaf->GetX509CertificateChain(); ASSERT_TRUE(cert.get()); scoped_refptr<X509Certificate> intermediate_cert = - X509Certificate::CreateFromBuffer( - bssl::UpRef(intermediate.GetCertBuffer()), {}); + intermediate->GetX509Certificate(); ASSERT_TRUE(intermediate_cert.get()); - scoped_refptr<X509Certificate> root_cert = - X509Certificate::CreateFromBuffer(bssl::UpRef(root.GetCertBuffer()), - {}); + scoped_refptr<X509Certificate> root_cert = root->GetX509Certificate(); ASSERT_TRUE(root_cert.get()); if (!trust_the_intermediate) { @@ -684,8 +647,9 @@ TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) { ScopedTestRoot scoped_test_root({root_cert}); CertVerifyResult verify_result; int flags = 0; - int error = Verify(cert.get(), "policy_test.example", flags, - crl_set.get(), CertificateList(), &verify_result); + int error = Verify(cert.get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), + &verify_result); EXPECT_THAT(error, IsOk()); ASSERT_TRUE(verify_result.verified_cert); // Verified chain should include the intermediate and the root. 
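Review bot: TrustedIntermediateCertWithEVPolicy drops the CRLSet described as "which covers the leaf", and its Verify() calls in the following hunks pass `CRLSet::BuiltinCRLSet().get()` instead. EVVerificationMultipleOID earlier in this file still builds a covering CRLSet, with the stated aim that the test "does not depend on online revocation checking". If the EV expectations further down this test (outside the hunks shown) relied on that coverage, the outcome could now differ between verifier implementations. If they do not, a short comment next to the Verify() calls saying why no covering CRLSet is needed would remove the apparent inconsistency between the two tests.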
@@ -697,8 +661,9 @@ TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) { ScopedTestRoot scoped_test_root({intermediate_cert, root_cert}); CertVerifyResult verify_result; int flags = 0; - int error = Verify(cert.get(), "policy_test.example", flags, - crl_set.get(), CertificateList(), &verify_result); + int error = Verify(cert.get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), + &verify_result); EXPECT_THAT(error, IsOk()); ASSERT_TRUE(verify_result.verified_cert); // Verified chain should only go to the trusted intermediate, not the @@ -865,9 +830,8 @@ TEST_P(CertVerifyProcInternalTest, UnnecessaryInvalidIntermediate) { auto events = net_log_observer.GetEntriesForSource(net_log.source()); EXPECT_FALSE(events.empty()); - auto event = std::find_if(events.begin(), events.end(), [](const auto& e) { - return e.type == NetLogEventType::CERT_VERIFY_PROC; - }); + auto event = base::ranges::find(events, NetLogEventType::CERT_VERIFY_PROC, + &NetLogEntry::type); ASSERT_NE(event, events.end()); EXPECT_EQ(net::NetLogEventPhase::BEGIN, event->phase); ASSERT_TRUE(event->params.is_dict()); @@ -876,9 +840,9 @@ TEST_P(CertVerifyProcInternalTest, UnnecessaryInvalidIntermediate) { EXPECT_EQ("127.0.0.1", *host); if (VerifyProcTypeIsBuiltin()) { - event = std::find_if(events.begin(), events.end(), [](const auto& e) { - return e.type == NetLogEventType::CERT_VERIFY_PROC_INPUT_CERT; - }); + event = + base::ranges::find(events, NetLogEventType::CERT_VERIFY_PROC_INPUT_CERT, + &NetLogEntry::type); ASSERT_NE(event, events.end()); EXPECT_EQ(net::NetLogEventPhase::NONE, event->phase); ASSERT_TRUE(event->params.is_dict()); 
@@ -891,7 +855,11 @@ TEST_P(CertVerifyProcInternalTest, UnnecessaryInvalidIntermediate) { } } -// A regression test for http://crbug.com/31497. +// A regression test for https://crbug.com/31497: If an intermediate has +// requireExplicitPolicy in its policyConstraints extension, verification +// should still succeed as long as some policy is valid for the chain, since +// Chrome does not specify any required policy as an input to certificate +// verification (allows anyPolicy). TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) { if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID) { // Disabled on Android, as the Android verification libraries require an 
@@ -900,28 +868,39 @@ TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) { return; } - base::FilePath certs_dir = GetTestCertsDirectory(); + for (bool leaf_has_policy : {false, true}) { + SCOPED_TRACE(leaf_has_policy); - CertificateList certs = CreateCertificateListFromFile( - certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO); - ASSERT_EQ(3U, certs.size()); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; - intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer())); + static const char kPolicy1[] = "1.2.3.4"; + static const char kPolicy2[] = "1.2.3.4.5"; + static const char kPolicy3[] = "1.2.3.5"; + intermediate->SetCertificatePolicies({kPolicy1, kPolicy2, kPolicy3}); + intermediate->SetPolicyConstraints( + /*require_explicit_policy=*/0, + /*inhibit_policy_mapping=*/absl::nullopt); - scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer( - bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates)); - ASSERT_TRUE(cert.get()); + if (leaf_has_policy) + leaf->SetCertificatePolicies({kPolicy1}); - ScopedTestRoot scoped_root(certs[2].get()); + scoped_refptr<X509Certificate> cert = leaf->GetX509CertificateChain(); + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); - int flags = 0; - CertVerifyResult verify_result; - int error = - Verify(cert.get(), "policy_test.example", flags, - CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); - EXPECT_THAT(error, IsOk()); - EXPECT_EQ(0u, verify_result.cert_status); + int flags = 0; + CertVerifyResult verify_result; + int error = Verify(cert.get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), + &verify_result); + if (leaf_has_policy) { + EXPECT_THAT(error, IsOk()); + EXPECT_EQ(0u, verify_result.cert_status); + } else { + 
EXPECT_THAT(error, IsError(ERR_CERT_INVALID)); + } + } } TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) { @@ -1013,11 +992,6 @@ TEST_P(CertVerifyProcInternalTest, RejectWeakKeys) { // Regression test for http://crbug.com/108514. TEST_P(CertVerifyProcInternalTest, ExtraneousMD5RootCert) { - if (!SupportsReturningVerifiedChain()) { - LOG(INFO) << "Skipping this test in this platform."; - return; - } - if (verify_proc_type() == CERT_VERIFY_PROC_MAC) { // Disabled on OS X - Security.framework doesn't ignore superflous // certificates provided by servers. 
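Review bot: In IntermediateCARequireExplicitPolicy the `leaf_has_policy == false` branch asserts only `IsError(ERR_CERT_INVALID)` and never inspects `verify_result.cert_status`, while the success branch checks both the error and the status. Adding `EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);` after the error check would keep the returned error and the status bits in agreement, assuming every verifier under test sets that bit. `SCOPED_TRACE(leaf_has_policy)` also prints a bare 0/1 in a failure log; `SCOPED_TRACE(testing::Message() << "leaf_has_policy=" << leaf_has_policy);` says which iteration failed.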
@@ -1099,33 +1073,65 @@ TEST_P(CertVerifyProcInternalTest, GoogleDigiNotarTest) { } TEST_P(CertVerifyProcInternalTest, NameConstraintsOk) { - CertificateList ca_cert_list = - CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_cert_list.size()); - ScopedTestRoot test_root(ca_cert_list[0].get()); + std::unique_ptr<CertBuilder> leaf, root; + CertBuilder::CreateSimpleChain(&leaf, &root); + ASSERT_TRUE(leaf && root); - scoped_refptr<X509Certificate> leaf = CreateCertificateChainFromFile( - GetTestCertsDirectory(), "name_constraint_good.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_TRUE(leaf); - ASSERT_EQ(0U, leaf->intermediate_buffers().size()); + // Use the private key matching the public_key_hash of the kDomainsTest + // constraint in CertVerifyProc::HasNameConstraintsViolation. + ASSERT_TRUE(leaf->UseKeyFromFile( + GetTestCertsDirectory().AppendASCII("name_constrained_key.pem"))); + // example.com is allowed by kDomainsTest, and notarealtld is not a known + // TLD, so that's allowed too. 
+ leaf->SetSubjectAltNames({"test.ExAmPlE.CoM", "example.notarealtld", + "*.test2.ExAmPlE.CoM", "*.example2.notarealtld"}, + {}); + + ScopedTestRoot test_root(root->GetX509Certificate().get()); + + scoped_refptr<X509Certificate> leaf_cert = leaf->GetX509Certificate(); int flags = 0; CertVerifyResult verify_result; int error = - Verify(leaf.get(), "test.example.com", flags, + Verify(leaf_cert.get(), "test.example.com", flags, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); EXPECT_THAT(error, IsOk()); EXPECT_EQ(0U, verify_result.cert_status); error = - Verify(leaf.get(), "foo.test2.example.com", flags, + Verify(leaf_cert.get(), "foo.test2.example.com", flags, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); EXPECT_THAT(error, IsOk()); EXPECT_EQ(0U, verify_result.cert_status); } +TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) { + std::unique_ptr<CertBuilder> leaf, root; + CertBuilder::CreateSimpleChain(&leaf, &root); + ASSERT_TRUE(leaf && root); + + // Use the private key matching the public_key_hash of the kDomainsTest + // constraint in CertVerifyProc::HasNameConstraintsViolation. + ASSERT_TRUE(leaf->UseKeyFromFile( + GetTestCertsDirectory().AppendASCII("name_constrained_key.pem"))); + // example.com is allowed by kDomainsTest, but example.org is not. 
+ leaf->SetSubjectAltNames({"test.ExAmPlE.CoM", "test.ExAmPlE.OrG"}, {}); + + ScopedTestRoot test_root(root->GetX509Certificate().get()); + + scoped_refptr<X509Certificate> leaf_cert = leaf->GetX509Certificate(); + + int flags = 0; + CertVerifyResult verify_result; + int error = + Verify(leaf_cert.get(), "test.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); + EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION)); + EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, + verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); +} + // This fixture is for testing the verification of a certificate chain which // has some sort of mismatched signature algorithm (i.e. // Certificate.signatureAlgorithm and TBSCertificate.algorithm are different). @@ -1194,8 +1200,8 @@ class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test { // Manufactures a certificate chain where each certificate has the indicated // signature algorithms, and then returns the result of verifying this chain. // - // TODO(eroman): Instead of building certificates at runtime, move their - // generation to external scripts. + // TODO(mattm): Replace the custom cert mangling code in this test with + // CertBuilder. [[nodiscard]] int VerifyChain(const std::vector<CertParams>& chain_params) { auto chain = CreateChain(chain_params); if (!chain) { @@ -1210,7 +1216,7 @@ class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test { auto verify_proc = base::MakeRefCounted<MockCertVerifyProc>(dummy_result); return verify_proc->Verify( - chain.get(), "test.example.com", /*ocsp_response=*/std::string(), + chain.get(), "127.0.0.1", /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), flags, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result, NetLogWithSource()); } 
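Review bot: NameConstraintsFailure verifies against `test.example.com`, a name its own comment says kDomainsTest allows, and still expects ERR_CERT_NAME_CONSTRAINT_VIOLATION, but nothing in the test says that this is the property being checked. A comment above the `Verify` call such as `// The requested hostname is permitted; the certificate must still be rejected because another SAN (example.org) falls outside the constraint.` would stop a later edit from "fixing" the hostname. The mixed-case SANs in both tests presumably exercise case-insensitive matching; if so, that deserves one line as well.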
@@ -1293,7 +1299,7 @@ class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test { // Dosn't really matter which base certificate is used, so long as it is // valid and uses a signature AlgorithmIdentifier with the same encoded // length as sha1WithRSASignature. - const char* kLeafFilename = "name_constraint_good.pem"; + const char* kLeafFilename = "ok_cert.pem"; auto cert = CreateCertificateChainFromFile( GetTestCertsDirectory(), kLeafFilename, X509Certificate::FORMAT_AUTO); @@ -1484,37 +1490,6 @@ TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, RootUnknownSha256) { ASSERT_THAT(rv, IsOk()); } -TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) { - if (!SupportsReturningVerifiedChain()) { - LOG(INFO) << "Skipping this test in this platform."; - return; - } - - CertificateList ca_cert_list = - CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, ca_cert_list.size()); - ScopedTestRoot test_root(ca_cert_list[0].get()); - - CertificateList cert_list = CreateCertificateListFromFile( - GetTestCertsDirectory(), "name_constraint_bad.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, cert_list.size()); - - scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromBuffer( - bssl::UpRef(cert_list[0]->cert_buffer()), {}); - ASSERT_TRUE(leaf); - - int flags = 0; - CertVerifyResult verify_result; - int error = - Verify(leaf.get(), "test.example.com", flags, - CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); - EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION)); - EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION, - verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION); -} - TEST(CertVerifyProcTest, TestHasTooLongValidity) { struct { const char* const file; 
@@ -1621,16 +1596,16 @@ TEST(CertVerifyProcTest, VerifyCertValidityTooLong) { TEST_P(CertVerifyProcInternalTest, TestKnownRoot) { base::FilePath certs_dir = GetTestCertsDirectory(); scoped_refptr<X509Certificate> cert_chain = CreateCertificateChainFromFile( - certs_dir, "thepaverbros.com.pem", X509Certificate::FORMAT_AUTO); + certs_dir, "caninesonduty.com.pem", X509Certificate::FORMAT_AUTO); ASSERT_TRUE(cert_chain); int flags = 0; CertVerifyResult verify_result; int error = - Verify(cert_chain.get(), "thepaverbros.com", flags, + Verify(cert_chain.get(), "caninesonduty.com", flags, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); EXPECT_THAT(error, IsOk()) << "This test relies on a real certificate that " - << "expires on Mar 26, 2023. If failing on/after " + << "expires on Nov 6 2023. If failing on/after " << "that date, please disable and file a bug " << "against mattm."; EXPECT_TRUE(verify_result.is_issued_by_known_root); @@ -1651,11 +1626,6 @@ TEST_P(CertVerifyProcInternalTest, TestKnownRoot) { // CertVerifyResult::public_key_hashes is filled with a SHA256 hash for each // of the certificates in the chain. TEST_P(CertVerifyProcInternalTest, PublicKeyHashes) { - if (!SupportsReturningVerifiedChain()) { - LOG(INFO) << "Skipping this test in this platform."; - return; - } - base::FilePath certs_dir = GetTestCertsDirectory(); CertificateList certs = CreateCertificateListFromFile( certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO); 
@@ -1760,27 +1730,30 @@ TEST_P(CertVerifyProcInternalTest, MAYBE_WrongKeyPurpose) { // serverAuth EKU. // TODO(crbug.com/843735): Deprecate support for this. TEST_P(CertVerifyProcInternalTest, Sha1IntermediateUsesServerGatedCrypto) { - base::FilePath certs_dir = - GetTestNetDataDirectory() - .AppendASCII("verify_certificate_chain_unittest") - .AppendASCII("intermediate-eku-server-gated-crypto"); - - scoped_refptr<X509Certificate> cert_chain = CreateCertificateChainFromFile( - certs_dir, "sha1-chain.pem", X509Certificate::FORMAT_AUTO); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); - ASSERT_TRUE(cert_chain); - ASSERT_FALSE(cert_chain->intermediate_buffers().empty()); + root->GenerateRSAKey(); + root->SetSignatureAlgorithm(SignatureAlgorithm::kRsaPkcs1Sha1); - auto root = X509Certificate::CreateFromBuffer( - bssl::UpRef(cert_chain->intermediate_buffers().back().get()), {}); + intermediate->SetExtendedKeyUsages({der::Input(kNetscapeServerGatedCrypto)}); + intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kRsaPkcs1Sha1); - ScopedTestRoot scoped_root(root.get()); + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); int flags = 0; CertVerifyResult verify_result; - int error = - Verify(cert_chain.get(), "test.example", flags, - CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); + // The cert chain including the root is passed to Verify, as on recent + // Android versions (something like 11+) the verifier fails on SHA1 certs and + // then the CertVerifyProc wrapper just returns the input chain, which this + // test then depends on for its expectations. (This is all kind of silly, but + // this is just matching how the test was originally written, and we'll + // delete this sometime soon anyway so there's not much benefit to thinking + // about it too hard.) 
+ int error = Verify(leaf->GetX509CertificateFullChain().get(), + "www.example.com", flags, CRLSet::BuiltinCRLSet().get(), + CertificateList(), &verify_result); if (AreSHA1IntermediatesAllowed()) { EXPECT_THAT(error, IsOk()); @@ -1800,11 +1773,6 @@ TEST_P(CertVerifyProcInternalTest, Sha1IntermediateUsesServerGatedCrypto) { // used to ensure that the actual, verified chain is being returned by // Verify(). TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) { - if (!SupportsReturningVerifiedChain()) { - LOG(INFO) << "Skipping this test in this platform."; - return; - } - base::FilePath certs_dir = GetTestCertsDirectory(); CertificateList certs = CreateCertificateListFromFile( certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO); @@ -1850,11 +1818,13 @@ TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) { // CAs are flagged appropriately, while certificates that are issued by // internal CAs are not flagged. TEST(CertVerifyProcTest, IntranetHostsRejected) { - CertificateList cert_list = CreateCertificateListFromFile( - GetTestCertsDirectory(), "reject_intranet_hosts.pem", - X509Certificate::FORMAT_AUTO); - ASSERT_EQ(1U, cert_list.size()); - scoped_refptr<X509Certificate> cert(cert_list[0]); + const std::string kIntranetHostname = "webmail"; + + std::unique_ptr<CertBuilder> leaf, root; + CertBuilder::CreateSimpleChain(&leaf, &root); + leaf->SetSubjectAltName(kIntranetHostname); + + scoped_refptr<X509Certificate> cert(leaf->GetX509Certificate()); CertVerifyResult verify_result; int error = 0; 
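Review bot: IntranetHostsRejected dereferences `leaf` in `leaf->SetSubjectAltName(kIntranetHostname)` immediately after `CertBuilder::CreateSimpleChain(&leaf, &root)` without checking that the builders were created. The other tests converted to CertBuilder in the visible hunks all follow the call with an `ASSERT_TRUE(...)` on the returned pointers. Adding `ASSERT_TRUE(leaf && root);` before the first dereference makes a construction failure show up as a test failure instead of a null dereference. The test body continues beyond this hunk.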
@@ -1864,7 +1834,7 @@ TEST(CertVerifyProcTest, IntranetHostsRejected) { dummy_result.is_issued_by_known_root = true; auto verify_proc = base::MakeRefCounted<MockCertVerifyProc>(dummy_result); error = verify_proc->Verify( - cert.get(), "webmail", /*ocsp_response=*/std::string(), + cert.get(), kIntranetHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result, NetLogWithSource()); EXPECT_THAT(error, IsOk()); @@ -1875,7 +1845,7 @@ TEST(CertVerifyProcTest, IntranetHostsRejected) { dummy_result.is_issued_by_known_root = false; verify_proc = base::MakeRefCounted<MockCertVerifyProc>(dummy_result); error = verify_proc->Verify( - cert.get(), "webmail", /*ocsp_response=*/std::string(), + cert.get(), kIntranetHostname, /*ocsp_response=*/std::string(), /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result, NetLogWithSource()); EXPECT_THAT(error, IsOk()); @@ -2014,11 +1984,6 @@ TEST(CertVerifyProcTest, SymantecCertsRejected) { // of intermediate certificates are combined, it's possible that order may // not be maintained. TEST_P(CertVerifyProcInternalTest, VerifyReturnChainProperlyOrdered) { - if (!SupportsReturningVerifiedChain()) { - LOG(INFO) << "Skipping this test in this platform."; - return; - } - base::FilePath certs_dir = GetTestCertsDirectory(); CertificateList certs = CreateCertificateListFromFile( certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO); 
@@ -2061,11 +2026,6 @@ TEST_P(CertVerifyProcInternalTest, VerifyReturnChainProperlyOrdered) { // Test that Verify() filters out certificates which are not related to // or part of the certificate chain being verified. TEST_P(CertVerifyProcInternalTest, VerifyReturnChainFiltersUnrelatedCerts) { - if (!SupportsReturningVerifiedChain()) { - LOG(INFO) << "Skipping this test in this platform."; - return; - } - base::FilePath certs_dir = GetTestCertsDirectory(); CertificateList certs = CreateCertificateListFromFile( certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO); 
@@ -2806,31 +2766,30 @@ TEST_P(CertVerifyProcInternalTest, ValidityJustAfterNotAfter) { } TEST_P(CertVerifyProcInternalTest, FailedIntermediateSignatureValidation) { - base::FilePath certs_dir = - GetTestNetDataDirectory() - .AppendASCII("verify_certificate_chain_unittest") - .AppendASCII( - "intermediate-wrong-signature-no-authority-key-identifier"); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); - CertificateList certs = CreateCertificateListFromFile( - certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO); - ASSERT_EQ(3U, certs.size()); + // Intermediate has no authorityKeyIdentifier. Also remove + // subjectKeyIdentifier from root for good measure. + intermediate->EraseExtension(der::Input(kAuthorityKeyIdentifierOid)); + root->EraseExtension(der::Input(kSubjectKeyIdentifierOid)); - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; - intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer())); + // Get the chain with the leaf and the intermediate signed by the original + // key of |root|. + scoped_refptr<X509Certificate> cert = leaf->GetX509CertificateChain(); - scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer( - bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates)); - ASSERT_TRUE(cert.get()); + // Generate a new key for root. + root->GenerateECKey(); - // Trust the root certificate. - ScopedTestRoot scoped_root(certs.back().get()); + // Trust the new root certificate. 
+ ScopedTestRoot scoped_root(root->GetX509Certificate().get()); int flags = 0; CertVerifyResult verify_result; int error = - Verify(cert.get(), "test.example", flags, CRLSet::BuiltinCRLSet().get(), - CertificateList(), &verify_result); + Verify(cert.get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); // The intermediate was signed by a different root with a different key but // with the same name as the trusted one, and the intermediate has no 
@@ -2841,30 +2800,38 @@ TEST_P(CertVerifyProcInternalTest, FailedIntermediateSignatureValidation) { } TEST_P(CertVerifyProcInternalTest, FailedTargetSignatureValidation) { - base::FilePath certs_dir = - GetTestNetDataDirectory() - .AppendASCII("verify_certificate_chain_unittest") - .AppendASCII("target-wrong-signature-no-authority-key-identifier"); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); - CertificateList certs = CreateCertificateListFromFile( - certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO); - ASSERT_EQ(3U, certs.size()); + // Leaf has no authorityKeyIdentifier. Also remove subjectKeyIdentifier from + // intermediate for good measure. + leaf->EraseExtension(der::Input(kAuthorityKeyIdentifierOid)); + intermediate->EraseExtension(der::Input(kSubjectKeyIdentifierOid)); + + // Get a copy of the leaf signed by the original key of intermediate. + bssl::UniquePtr<CRYPTO_BUFFER> leaf_wrong_signature = leaf->DupCertBuffer(); + // Generate a new key for intermediate. + intermediate->GenerateECKey(); + + // Make a chain that includes the original leaf with the wrong signature and + // the new intermediate. std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; - intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer())); + intermediates.push_back(intermediate->DupCertBuffer()); scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer( - bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates)); + bssl::UpRef(leaf_wrong_signature), std::move(intermediates)); ASSERT_TRUE(cert.get()); // Trust the root certificate. 
- ScopedTestRoot scoped_root(certs.back().get()); + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); int flags = 0; CertVerifyResult verify_result; int error = - Verify(cert.get(), "test.example", flags, CRLSet::BuiltinCRLSet().get(), - CertificateList(), &verify_result); + Verify(cert.get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); // The leaf was signed by a different intermediate with a different key but // with the same name as the one in the chain, and the leaf has no @@ -2876,15 +2843,6 @@ TEST_P(CertVerifyProcInternalTest, FailedTargetSignatureValidation) { class CertVerifyProcNameNormalizationTest : public CertVerifyProcInternalTest { protected: - void SetUp() override { - CertVerifyProcInternalTest::SetUp(); - - scoped_refptr<X509Certificate> root_cert = - ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); - ASSERT_TRUE(root_cert); - test_root_ = std::make_unique<ScopedTestRoot>(root_cert.get()); - } - std::string HistogramName() const { std::string prefix("Net.CertVerifier.NameNormalizationPrivateRoots."); switch (verify_proc_type()) { @@ -2919,7 +2877,6 @@ class CertVerifyProcNameNormalizationTest : public CertVerifyProcInternalTest { } private: - std::unique_ptr<ScopedTestRoot> test_root_; base::HistogramTester histograms_; }; 
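Review bot: In FailedTargetSignatureValidation, `bssl::UpRef(leaf_wrong_signature)` takes a second reference on a buffer the test already owns and does not use again in the visible lines. Passing `std::move(leaf_wrong_signature)` as the first argument of `X509Certificate::CreateFromBuffer` hands over the existing reference and matches how `intermediates` is passed on the same call. The test continues past the end of this hunk, so confirm the buffer is not read later before changing it.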
@@ -2932,24 +2889,31 @@ INSTANTIATE_TEST_SUITE_P(All, // the intermediate's subject CN is UTF8String, and verifies the proper // histogram is logged. TEST_P(CertVerifyProcNameNormalizationTest, StringType) { - scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile( - GetTestCertsDirectory(), "name-normalization-printable-utf8.pem", - X509Certificate::FORMAT_PEM_CERT_SEQUENCE); - ASSERT_TRUE(chain); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + + std::string issuer_cn = CertBuilder::MakeRandomHexString(12); + leaf->SetIssuerTLV(CertBuilder::BuildNameWithCommonNameOfType( + issuer_cn, CBS_ASN1_PRINTABLESTRING)); + intermediate->SetSubjectTLV(CertBuilder::BuildNameWithCommonNameOfType( + issuer_cn, CBS_ASN1_UTF8STRING)); + + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); int flags = 0; CertVerifyResult verify_result; int error = - Verify(chain.get(), "example.test", flags, CRLSet::BuiltinCRLSet().get(), - CertificateList(), &verify_result); + Verify(leaf->GetX509CertificateChain().get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); switch (verify_proc_type()) { case CERT_VERIFY_PROC_IOS: case CERT_VERIFY_PROC_MAC: - case CERT_VERIFY_PROC_WIN: EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID)); break; case CERT_VERIFY_PROC_ANDROID: + case CERT_VERIFY_PROC_WIN: case CERT_VERIFY_PROC_BUILTIN: case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS: EXPECT_THAT(error, IsOk()); 
@@ -2963,52 +2927,62 @@ TEST_P(CertVerifyProcNameNormalizationTest, StringType) { // subject CN are both PrintableString but have differing case on the first // character, and verifies the proper histogram is logged. TEST_P(CertVerifyProcNameNormalizationTest, CaseFolding) { - scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile( - GetTestCertsDirectory(), "name-normalization-case-folding.pem", - X509Certificate::FORMAT_PEM_CERT_SEQUENCE); - ASSERT_TRUE(chain); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + + std::string issuer_hex = CertBuilder::MakeRandomHexString(12); + leaf->SetIssuerTLV(CertBuilder::BuildNameWithCommonNameOfType( + "Z" + issuer_hex, CBS_ASN1_PRINTABLESTRING)); + intermediate->SetSubjectTLV(CertBuilder::BuildNameWithCommonNameOfType( + "z" + issuer_hex, CBS_ASN1_PRINTABLESTRING)); + + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); int flags = 0; CertVerifyResult verify_result; int error = - Verify(chain.get(), "example.test", flags, CRLSet::BuiltinCRLSet().get(), - CertificateList(), &verify_result); - - switch (verify_proc_type()) { - case CERT_VERIFY_PROC_WIN: - EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID)); - break; - case CERT_VERIFY_PROC_ANDROID: - case CERT_VERIFY_PROC_IOS: - case CERT_VERIFY_PROC_MAC: - case CERT_VERIFY_PROC_BUILTIN: - case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS: - EXPECT_THAT(error, IsOk()); - break; - } + Verify(leaf->GetX509CertificateChain().get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); + EXPECT_THAT(error, IsOk()); ExpectNormalizationHistogram(error); } -// Confirms that a chain generated by the generate-name-normalization-certs.py -// script which does not require normalization validates ok, and that the -// ByteEqual histogram is logged. 
+// Confirms that a chain generated by the same pattern as the other +// NameNormalizationTest cases which does not require normalization validates +// ok, and that the ByteEqual histogram is logged. TEST_P(CertVerifyProcNameNormalizationTest, ByteEqual) { - scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile( - GetTestCertsDirectory(), "name-normalization-byteequal.pem", - X509Certificate::FORMAT_PEM_CERT_SEQUENCE); - ASSERT_TRUE(chain); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); + + std::string issuer_hex = CertBuilder::MakeRandomHexString(12); + leaf->SetIssuerTLV(CertBuilder::BuildNameWithCommonNameOfType( + issuer_hex, CBS_ASN1_PRINTABLESTRING)); + intermediate->SetSubjectTLV(CertBuilder::BuildNameWithCommonNameOfType( + issuer_hex, CBS_ASN1_PRINTABLESTRING)); + + ScopedTestRoot scoped_root(root->GetX509Certificate().get()); int flags = 0; CertVerifyResult verify_result; int error = - Verify(chain.get(), "example.test", flags, CRLSet::BuiltinCRLSet().get(), - CertificateList(), &verify_result); + Verify(leaf->GetX509CertificateChain().get(), "www.example.com", flags, + CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result); EXPECT_THAT(error, IsOk()); ExpectByteEqualHistogram(); } +std::string Md5WithRSAEncryption() { + const uint8_t kMd5WithRSAEncryption[] = {0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x04, 0x05, 0x00}; + return std::string(std::begin(kMd5WithRSAEncryption), + std::end(kMd5WithRSAEncryption)); +} + // This is the same as CertVerifyProcInternalTest, but it additionally sets up // networking capabilities for the cert verifiers, and a test server that can be // used to serve mock responses for AIA/OCSP/CRL. 
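Review bot: The byte array in the new `Md5WithRSAEncryption()` helper carries no comment saying what it encodes, so a reader has to decode the DER by hand to check it. A line above the array such as `// DER AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption), NULL }` would make it verifiable at a glance. The array can also be declared `static constexpr uint8_t kMd5WithRSAEncryption[]`. The helper should state that it exists only to build test inputs signed with a weak algorithm, which is how the later CRL hunk uses it.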
@@ -3138,6 +3112,19 @@ class CertVerifyProcInternalWithNetFetchingTest "application/pkix-crl", crl); } + GURL CreateAndServeCrlWithAlgorithmTlvAndDigest( + CertBuilder* crl_issuer, + const std::vector<uint64_t>& revoked_serials, + const std::string& signature_algorithm_tlv, + const EVP_MD* digest) { + std::string crl = BuildCrlWithAlgorithmTlvAndDigest( + crl_issuer->GetSubject(), crl_issuer->GetKey(), revoked_serials, + signature_algorithm_tlv, digest); + std::string crl_path = MakeRandomPath(".crl"); + return RegisterSimpleTestServerHandler(crl_path, HTTP_OK, + "application/pkix-crl", crl); + } + private: std::unique_ptr<test_server::HttpResponse> DispatchToRequestHandler( const test_server::HttpRequest& request) { @@ -3230,7 +3217,8 @@ INSTANTIATE_TEST_SUITE_P(All, #else #define MAYBE_IntermediateFromAia404 IntermediateFromAia404 #endif -TEST_P(CertVerifyProcInternalWithNetFetchingTest, MAYBE_IntermediateFromAia404) { +TEST_P(CertVerifyProcInternalWithNetFetchingTest, + MAYBE_IntermediateFromAia404) { const char kHostname[] = "www.example.com"; // Create a chain where the leaf has an AIA that points to test server. 
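Review bot: `CreateAndServeCrlWithAlgorithmTlvAndDigest` takes `signature_algorithm_tlv` and `digest` as independent arguments and has no comment describing how they relate, so a caller can pass a TLV that names one algorithm and a digest for another. Whether `BuildCrlWithAlgorithmTlvAndDigest` checks the pair is not visible here. A header comment such as `// Serves a CRL issued by |crl_issuer| whose signatureAlgorithm is |signature_algorithm_tlv| and whose signature is computed with |digest|; the caller must pass a matching pair.` would document the contract.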
@@ -3431,47 +3419,32 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest, Sha1IntermediateButAIAHasSha256) { const char kHostname[] = "www.example.com"; - base::FilePath certs_dir = - GetTestNetDataDirectory() - .AppendASCII("verify_certificate_chain_unittest") - .AppendASCII("target-and-intermediate"); - - CertificateList orig_certs = CreateCertificateListFromFile( - certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO); - ASSERT_EQ(3U, orig_certs.size()); - - // Build slightly modified variants of |orig_certs|. - CertBuilder root(orig_certs[2]->cert_buffer(), nullptr); - root.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); - root.GenerateECKey(); - CertBuilder intermediate(orig_certs[1]->cert_buffer(), &root); - intermediate.GenerateECKey(); - CertBuilder leaf(orig_certs[0]->cert_buffer(), &intermediate); - leaf.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); - leaf.GenerateECKey(); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); // Make the leaf certificate have an AIA (CA Issuers) that points to the // embedded test server. This uses a random URL for predictable behavior in // the presence of global caching. std::string ca_issuers_path = MakeRandomPath(".cer"); GURL ca_issuers_url = GetTestServerAbsoluteUrl(ca_issuers_path); - leaf.SetCaIssuersUrl(ca_issuers_url); - leaf.SetSubjectAltName(kHostname); + leaf->SetCaIssuersUrl(ca_issuers_url); + leaf->SetSubjectAltName(kHostname); // Make two versions of the intermediate - one that is SHA256 signed, and one // that is SHA1 signed. Note that the subjectKeyIdentifier for `intermediate` // is intentionally not changed, so that path building will consider both // certificate paths. 
- intermediate.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); - intermediate.SetRandomSerialNumber(); - auto intermediate_sha256 = intermediate.DupCertBuffer(); + intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256); + intermediate->SetRandomSerialNumber(); + auto intermediate_sha256 = intermediate->DupCertBuffer(); - intermediate.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha1); - intermediate.SetRandomSerialNumber(); - auto intermediate_sha1 = intermediate.DupCertBuffer(); + intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha1); + intermediate->SetRandomSerialNumber(); + auto intermediate_sha1 = intermediate->DupCertBuffer(); // Trust the root certificate. - auto root_cert = root.GetX509Certificate(); + auto root_cert = root->GetX509Certificate(); ScopedTestRoot scoped_root(root_cert.get()); // Setup the test server to reply with the SHA256 intermediate. @@ -3484,7 +3457,7 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest, std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; intermediates.push_back(bssl::UpRef(intermediate_sha1.get())); scoped_refptr<X509Certificate> chain_sha1 = X509Certificate::CreateFromBuffer( - leaf.DupCertBuffer(), std::move(intermediates)); + leaf->DupCertBuffer(), std::move(intermediates)); ASSERT_TRUE(chain_sha1.get()); const int flags = 0; @@ -4068,9 +4041,9 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest, // Leaf is revoked by intermediate issued CRL which is signed with // md5WithRSAEncryption. - leaf->SetCrlDistributionPointUrl( - CreateAndServeCrl(intermediate.get(), {leaf->GetSerialNumber()}, - SignatureAlgorithm::kRsaPkcs1Md5)); + leaf->SetCrlDistributionPointUrl(CreateAndServeCrlWithAlgorithmTlvAndDigest( + intermediate.get(), {leaf->GetSerialNumber()}, Md5WithRSAEncryption(), + EVP_md5())); // Trust the root and build a chain to verify that includes the intermediate. ScopedTestRoot scoped_root(root->GetX509Certificate().get()); 
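Review bot: In Sha1IntermediateButAIAHasSha256, `intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256)` and the following `kEcdsaSha1` call only make sense if the key that signs the intermediate (root's) is an EC key, and the explicit `GenerateECKey()` calls the old code made are gone. The test now depends on whatever key type `CertBuilder::CreateSimpleChain` assigns, which is not visible in this diff. Sha1IntermediateUsesServerGatedCrypto in this same commit calls `root->GenerateRSAKey()` before selecting an RSA algorithm. Adding `root->GenerateECKey();` before the first `SetSignatureAlgorithm` call would keep the SHA-1 versus SHA-256 path under test independent of the builder's default.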
diff --git a/chromium/net/cert/cert_verify_proc_win.cc b/chromium/net/cert/cert_verify_proc_win.cc index 9d767d0e216..d6c165fba6a 100644 --- a/chromium/net/cert/cert_verify_proc_win.cc +++ b/chromium/net/cert/cert_verify_proc_win.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -286,7 +286,7 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context, const_cast<PCERT_CONTEXT>(cert), CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, const_cast<PCERT_CONTEXT>(issuer), 0, nullptr)) { - verify_result->cert_status |= CERT_STATUS_INVALID; + verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; break; } } diff --git a/chromium/net/cert/cert_verify_proc_win.h b/chromium/net/cert/cert_verify_proc_win.h index d79c788b6cd..eee4c6eb812 100644 --- a/chromium/net/cert/cert_verify_proc_win.h +++ b/chromium/net/cert/cert_verify_proc_win.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_proc_win_unittest.cc b/chromium/net/cert/cert_verify_proc_win_unittest.cc index 7f5d3f4e38b..b54b1ff7311 100644 --- a/chromium/net/cert/cert_verify_proc_win_unittest.cc +++ b/chromium/net/cert/cert_verify_proc_win_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/cert_verify_result.cc b/chromium/net/cert/cert_verify_result.cc index 6126e3655c0..13d00cde1a8 100644 --- a/chromium/net/cert/cert_verify_result.cc +++ b/chromium/net/cert/cert_verify_result.cc 
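Review bot: The switch from `CERT_STATUS_INVALID` to `CERT_STATUS_AUTHORITY_INVALID` in `GetCertChainInfo` changes which error a failed issuer-signature check produces, and nothing at the assignment explains the choice. Callers that treat the two statuses differently, for example when deciding whether a certificate error may be bypassed, will now take the other path, so the intent should be confirmed and recorded. A comment such as `// A signature that does not verify against the presumed issuer is reported as an authority failure rather than a malformed certificate.` would do that. The only visible change to cert_verify_proc_win_unittest.cc is its copyright line, so no Windows-specific test in view covers the new status. The function starts and ends outside this hunk.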
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_result.h b/chromium/net/cert/cert_verify_result.h
index 82164642b01..669de12f282 100644
--- a/chromium/net/cert/cert_verify_result.h
+++ b/chromium/net/cert/cert_verify_result.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/client_cert_verifier.h b/chromium/net/cert/client_cert_verifier.h
index b29d61875ba..def4cec57f7 100644
--- a/chromium/net/cert/client_cert_verifier.h
+++ b/chromium/net/cert/client_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/coalescing_cert_verifier.cc b/chromium/net/cert/coalescing_cert_verifier.cc
index a8878f0e5ed..ed1bc1860c3 100644
--- a/chromium/net/cert/coalescing_cert_verifier.cc
+++ b/chromium/net/cert/coalescing_cert_verifier.cc
@@ -1,17 +1,16 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/coalescing_cert_verifier.h" -#include <algorithm> - #include "base/bind.h" #include "base/containers/linked_list.h" #include "base/containers/unique_ptr_adapters.h" #include "base/memory/raw_ptr.h" #include "base/memory/weak_ptr.h" #include "base/metrics/histogram_macros.h" +#include "base/ranges/algorithm.h" #include "base/strings/string_number_conversions.h" #include "base/time/time.h" #include "net/base/net_errors.h" @@ -452,8 +451,8 @@ void CoalescingCertVerifier::RemoveJob(Job* job) { } // Otherwise, it MUST have been a job from a previous generation. - auto inflight_it = std::find_if(inflight_jobs_.begin(), inflight_jobs_.end(), - base::MatchesUniquePtr(job)); + auto inflight_it = + base::ranges::find_if(inflight_jobs_, base::MatchesUniquePtr(job)); DCHECK(inflight_it != inflight_jobs_.end()); inflight_jobs_.erase(inflight_it); return; diff --git a/chromium/net/cert/coalescing_cert_verifier.h b/chromium/net/cert/coalescing_cert_verifier.h index 1625a86b76e..2135e692c71 100644 --- a/chromium/net/cert/coalescing_cert_verifier.h +++ b/chromium/net/cert/coalescing_cert_verifier.h @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/coalescing_cert_verifier_unittest.cc b/chromium/net/cert/coalescing_cert_verifier_unittest.cc index 124444bcfcc..ab5f647bc40 100644 --- a/chromium/net/cert/coalescing_cert_verifier_unittest.cc +++ b/chromium/net/cert/coalescing_cert_verifier_unittest.cc 
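Review bot: In RemoveJob, `DCHECK(inflight_it != inflight_jobs_.end());` is the only guard in front of `inflight_jobs_.erase(inflight_it);`. Where DCHECKs are compiled out, a job found in neither container would pass the end iterator to erase(), which is undefined behaviour. Since the lookup line is being rewritten anyway, consider `CHECK(inflight_it != inflight_jobs_.end());` so the invariant is enforced in every build. RemoveJob begins outside the hunk.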
@@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/crl_set.cc b/chromium/net/cert/crl_set.cc index d60b386396f..e7d5066cbcf 100644 --- a/chromium/net/cert/crl_set.cc +++ b/chromium/net/cert/crl_set.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -65,7 +65,7 @@ std::unique_ptr<base::Value> ReadHeader(base::StringPiece* data) { if (data->size() < header_len) return nullptr; - const base::StringPiece header_bytes(data->data(), header_len); + const base::StringPiece header_bytes = data->substr(0, header_len); data->remove_prefix(header_len); std::unique_ptr<base::Value> header = base::JSONReader::ReadDeprecated( @@ -87,7 +87,7 @@ bool ReadCRL(base::StringPiece* data, std::vector<std::string>* out_serials) { if (data->size() < crypto::kSHA256Length) return false; - out_parent_spki_hash->assign(data->data(), crypto::kSHA256Length); + *out_parent_spki_hash = std::string(data->substr(0, crypto::kSHA256Length)); data->remove_prefix(crypto::kSHA256Length); uint32_t num_serials; @@ -106,14 +106,14 @@ bool ReadCRL(base::StringPiece* data, if (data->size() < sizeof(uint8_t)) return false; - uint8_t serial_length = data->data()[0]; + uint8_t serial_length = (*data)[0]; data->remove_prefix(sizeof(uint8_t)); if (data->size() < serial_length) return false; out_serials->push_back(std::string()); - out_serials->back().assign(data->data(), serial_length); + out_serials->back() = std::string(data->substr(0, serial_length)); data->remove_prefix(serial_length); } 
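Review bot: In the serial loop of ReadCRL, `out_serials->push_back(std::string());` followed by `out_serials->back() = std::string(data->substr(0, serial_length));` constructs an empty string only to overwrite it. `out_serials->emplace_back(data->substr(0, serial_length));` says the same in one statement, relying on the same explicit StringPiece-to-string conversion the new line already uses. The `data->size() < serial_length` check in front of it stays as is. The loop starts outside the hunk.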
@@ -303,15 +303,15 @@ bool CRLSet::ParseAndStoreUnparsedData(std::string data, return true; } -CRLSet::Result CRLSet::CheckSPKI(const base::StringPiece& spki_hash) const { +CRLSet::Result CRLSet::CheckSPKI(base::StringPiece spki_hash) const { if (std::binary_search(blocked_spkis_.begin(), blocked_spkis_.end(), spki_hash)) return REVOKED; return GOOD; } -CRLSet::Result CRLSet::CheckSubject(const base::StringPiece& encoded_subject, - const base::StringPiece& spki_hash) const { +CRLSet::Result CRLSet::CheckSubject(base::StringPiece encoded_subject, + base::StringPiece spki_hash) const { const std::string digest(crypto::SHA256HashString(encoded_subject)); const auto i = limited_subjects_.find(digest); if (i == limited_subjects_.end()) { @@ -327,9 +327,8 @@ CRLSet::Result CRLSet::CheckSubject(const base::StringPiece& encoded_subject, return REVOKED; } -CRLSet::Result CRLSet::CheckSerial( - const base::StringPiece& serial_number, - const base::StringPiece& issuer_spki_hash) const { +CRLSet::Result CRLSet::CheckSerial(base::StringPiece serial_number, + base::StringPiece issuer_spki_hash) const { base::StringPiece serial(serial_number); if (!serial.empty() && (serial[0] & 0x80) != 0) { @@ -403,9 +402,9 @@ scoped_refptr<CRLSet> CRLSet::ExpiredCRLSetForTesting() { scoped_refptr<CRLSet> CRLSet::ForTesting( bool is_expired, const SHA256HashValue* issuer_spki, - const std::string& serial_number, - const std::string utf8_common_name, - const std::vector<std::string> acceptable_spki_hashes_for_cn) { + base::StringPiece serial_number, + base::StringPiece utf8_common_name, + const std::vector<std::string>& acceptable_spki_hashes_for_cn) { std::string subject_hash; if (!utf8_common_name.empty()) { CBB cbb, top_level, set, inner_seq, oid, cn; 
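Review bot: With `serial_number` now passed by value in CheckSerial, the unchanged `base::StringPiece serial(serial_number);` makes a second copy of the same view. If the rest of the function, which lies outside the hunk, only works on `serial`, the parameter itself could be adjusted and the extra local dropped. Otherwise a short comment such as `// Working copy of |serial_number| that is adjusted below.` would explain why both names exist.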
@@ -445,7 +444,7 @@ scoped_refptr<CRLSet> CRLSet::ForTesting( sizeof(issuer_spki->data)); std::vector<std::string> serials; if (!serial_number.empty()) { - serials.push_back(serial_number); + serials.push_back(std::string(serial_number)); // |serial_number| is in DER-encoded form, which means it may have a // leading 0x00 to indicate it is a positive INTEGER. CRLSets are stored // without these leading 0x00, as handled in CheckSerial(), so remove diff --git a/chromium/net/cert/crl_set.h b/chromium/net/cert/crl_set.h index b629ea46afd..e504c332cf9 100644 --- a/chromium/net/cert/crl_set.h +++ b/chromium/net/cert/crl_set.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -23,7 +23,6 @@ namespace net { // A CRLSet is a structure that lists the serial numbers of revoked // certificates from a number of issuers where issuers are identified by the // SHA256 of their SubjectPublicKeyInfo. -// CRLSetStorage is responsible for creating CRLSet instances. class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { public: enum Result { @@ -41,7 +40,7 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { // CheckSPKI checks whether the given SPKI has been listed as blocked. // spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate. - Result CheckSPKI(const base::StringPiece& spki_hash) const; + Result CheckSPKI(base::StringPiece spki_hash) const; // CheckSerial returns the information contained in the set for a given // certificate: 
@@ -49,14 +48,14 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { // value // issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL // signer - Result CheckSerial(const base::StringPiece& serial_number, - const base::StringPiece& issuer_spki_hash) const; + Result CheckSerial(base::StringPiece serial_number, + base::StringPiece issuer_spki_hash) const; // CheckSubject returns the information contained in the set for a given, - // encoded subject name and SPKI hash. The subject name is encoded as a DER - // X.501 Name (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4). - Result CheckSubject(const base::StringPiece& asn1_subject, - const base::StringPiece& spki_hash) const; + // encoded subject name and SPKI SHA-256 hash. The subject name is encoded as + // a DER X.501 Name (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4). + Result CheckSubject(base::StringPiece asn1_subject, + base::StringPiece spki_hash) const; // Returns true if |spki_hash|, the SHA256 of the SubjectPublicKeyInfo, // is known to be used for interception by a party other than the device @@ -76,7 +75,7 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { // CRLList contains a map of (issuer SPKI hash, revoked serial numbers) // pairs. - typedef std::unordered_map<std::string, std::vector<std::string>> CRLList; + using CRLList = std::unordered_map<std::string, std::vector<std::string>>; // crls returns the internal state of this CRLSet. It should only be used in // testing. 
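Review bot: The CheckSubject declaration still names its first parameter `asn1_subject`, while the definition in crl_set.cc, rewritten by this same commit, calls it `encoded_subject` and the comment above it speaks of an "encoded subject name". Since the line is being touched anyway, `Result CheckSubject(base::StringPiece encoded_subject,` would keep the header, its comment and the definition aligned. The class body continues outside the hunk.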
@@ -104,9 +103,9 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> { static scoped_refptr<CRLSet> ForTesting( bool is_expired, const SHA256HashValue* issuer_spki, - const std::string& serial_number, - const std::string utf8_common_name, - const std::vector<std::string> acceptable_spki_hashes_for_cn); + base::StringPiece serial_number, + base::StringPiece utf8_common_name, + const std::vector<std::string>& acceptable_spki_hashes_for_cn); private: CRLSet(); diff --git a/chromium/net/cert/crl_set_fuzzer.cc b/chromium/net/cert/crl_set_fuzzer.cc index 9461db4c790..75f3f2f5616 100644 --- a/chromium/net/cert/crl_set_fuzzer.cc +++ b/chromium/net/cert/crl_set_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/crl_set_unittest.cc b/chromium/net/cert/crl_set_unittest.cc index bec0d8b56c0..11c20675543 100644 --- a/chromium/net/cert/crl_set_unittest.cc +++ b/chromium/net/cert/crl_set_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/ct_log_response_parser.cc b/chromium/net/cert/ct_log_response_parser.cc index 614a56b252f..ffe55eac09e 100644 --- a/chromium/net/cert/ct_log_response_parser.cc +++ b/chromium/net/cert/ct_log_response_parser.cc @@ -1,4 +1,4 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. +// Copyright 2014 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/ct_log_response_parser.h b/chromium/net/cert/ct_log_response_parser.h index c5ece4ef53a..eb31c91c80c 100644 
--- a/chromium/net/cert/ct_log_response_parser.h
+++ b/chromium/net/cert/ct_log_response_parser.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_response_parser_unittest.cc b/chromium/net/cert/ct_log_response_parser_unittest.cc
index ce479ef99ad..ee2f35fb2c1 100644
--- a/chromium/net/cert/ct_log_response_parser_unittest.cc
+++ b/chromium/net/cert/ct_log_response_parser_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier.cc b/chromium/net/cert/ct_log_verifier.cc
index f231491fa81..44eb1ab87d0 100644
--- a/chromium/net/cert/ct_log_verifier.cc
+++ b/chromium/net/cert/ct_log_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier.h b/chromium/net/cert/ct_log_verifier.h
index 09a69a901b8..a2aa546c2de 100644
--- a/chromium/net/cert/ct_log_verifier.h
+++ b/chromium/net/cert/ct_log_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier_unittest.cc b/chromium/net/cert/ct_log_verifier_unittest.cc
index 2faf373297c..5a32586d803 100644
--- a/chromium/net/cert/ct_log_verifier_unittest.cc
+++ b/chromium/net/cert/ct_log_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier_util.cc b/chromium/net/cert/ct_log_verifier_util.cc
index 0a74dac7b32..ea67bb3c5bb 100644
--- a/chromium/net/cert/ct_log_verifier_util.cc
+++ b/chromium/net/cert/ct_log_verifier_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier_util.h b/chromium/net/cert/ct_log_verifier_util.h
index 2149e942cff..c9dfb37c720 100644
--- a/chromium/net/cert/ct_log_verifier_util.h
+++ b/chromium/net/cert/ct_log_verifier_util.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_objects_extractor.cc b/chromium/net/cert/ct_objects_extractor.cc
index 25ccf2d2986..4e4cb475573 100644
--- a/chromium/net/cert/ct_objects_extractor.cc
+++ b/chromium/net/cert/ct_objects_extractor.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_objects_extractor.h b/chromium/net/cert/ct_objects_extractor.h
index d51ddbaf103..b4d2b5a15ba 100644
--- a/chromium/net/cert/ct_objects_extractor.h
+++ b/chromium/net/cert/ct_objects_extractor.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_objects_extractor_unittest.cc b/chromium/net/cert/ct_objects_extractor_unittest.cc
index 56e42cedd19..3a4b2bbed2e 100644
--- a/chromium/net/cert/ct_objects_extractor_unittest.cc
+++ b/chromium/net/cert/ct_objects_extractor_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_policy_enforcer.cc b/chromium/net/cert/ct_policy_enforcer.cc
index 4749c19925f..717d022a5da 100644
--- a/chromium/net/cert/ct_policy_enforcer.cc
+++ b/chromium/net/cert/ct_policy_enforcer.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_policy_enforcer.h b/chromium/net/cert/ct_policy_enforcer.h
index 8e68fbe154c..47be4b74ae6 100644
--- a/chromium/net/cert/ct_policy_enforcer.h
+++ b/chromium/net/cert/ct_policy_enforcer.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_policy_status.h b/chromium/net/cert/ct_policy_status.h
index bb077c226db..3a23276b88c 100644
--- a/chromium/net/cert/ct_policy_status.h
+++ b/chromium/net/cert/ct_policy_status.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_sct_to_string.cc b/chromium/net/cert/ct_sct_to_string.cc
index 43d863466ba..3d0f3ae3c7d 100644
--- a/chromium/net/cert/ct_sct_to_string.cc
+++ b/chromium/net/cert/ct_sct_to_string.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_sct_to_string.h b/chromium/net/cert/ct_sct_to_string.h
index d22ecec7487..6d2b985c7e1 100644
--- a/chromium/net/cert/ct_sct_to_string.h
+++ b/chromium/net/cert/ct_sct_to_string.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_serialization.cc b/chromium/net/cert/ct_serialization.cc
index 1147a3785fc..89c77d31e77 100644
--- a/chromium/net/cert/ct_serialization.cc
+++ b/chromium/net/cert/ct_serialization.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_serialization.h b/chromium/net/cert/ct_serialization.h
index 37003245209..c3aded55f37 100644
--- a/chromium/net/cert/ct_serialization.h
+++ b/chromium/net/cert/ct_serialization.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_serialization_unittest.cc b/chromium/net/cert/ct_serialization_unittest.cc
index e70d473af9a..7d4fde49cfd 100644
--- a/chromium/net/cert/ct_serialization_unittest.cc
+++ b/chromium/net/cert/ct_serialization_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
index 5721f68f589..c75f5a17de6 100644
--- a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
+++ b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
index 41c6709227a..dad83fc0781 100644
--- a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
+++ b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_verifier.h b/chromium/net/cert/ct_verifier.h
index a0103c9e9f9..406df5b7b4b 100644
--- a/chromium/net/cert/ct_verifier.h
+++ b/chromium/net/cert/ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc b/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc
index ad4c151cfc3..a2228142df1 100644
--- a/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc
+++ b/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/do_nothing_ct_verifier.cc b/chromium/net/cert/do_nothing_ct_verifier.cc
index 596c8e7bf43..4a61452c2df 100644
--- a/chromium/net/cert/do_nothing_ct_verifier.cc
+++ b/chromium/net/cert/do_nothing_ct_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/do_nothing_ct_verifier.h b/chromium/net/cert/do_nothing_ct_verifier.h
index 6d6285ef2f5..30715d68268 100644
--- a/chromium/net/cert/do_nothing_ct_verifier.h
+++ b/chromium/net/cert/do_nothing_ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ev_root_ca_metadata.cc b/chromium/net/cert/ev_root_ca_metadata.cc
index 95350d62fa2..343c648374c 100644
--- a/chromium/net/cert/ev_root_ca_metadata.cc
+++ b/chromium/net/cert/ev_root_ca_metadata.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,8 +10,7 @@ #include <stdlib.h> #endif -#include <algorithm> - +#include "base/containers/contains.h" #include "base/lazy_instance.h" #include "base/logging.h" #include "base/strings/string_piece.h" @@ -41,7 +40,7 @@ struct EVMetadata { const base::StringPiece policy_oids[kMaxOIDsPerCA]; }; -#include "net/data/ssl/ev_roots/chrome-ev-root-store-inc.cc" +#include "net/data/ssl/chrome_root_store/chrome-ev-roots-inc.cc" #endif // defined(PLATFORM_USES_CHROMIUM_EV_METADATA) } // namespace @@ -73,9 +72,7 @@ bool ConvertBytesToDottedString(const der::Input& policy_oid, bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { for (const auto& ev_root : kEvRootCaMetadata) { - if (std::find(std::begin(ev_root.policy_oids), - std::end(ev_root.policy_oids), - policy_oid) != std::end(ev_root.policy_oids)) { + if (base::Contains(ev_root.policy_oids, policy_oid)) { return true; } } @@ -100,9 +97,7 @@ bool EVRootCAMetadata::HasEVPolicyOID(const SHA256HashValue& fingerprint, for (const auto& ev_root : kEvRootCaMetadata) { if (fingerprint != ev_root.fingerprint) continue; - return std::find(std::begin(ev_root.policy_oids), - std::end(ev_root.policy_oids), - policy_oid) != std::end(ev_root.policy_oids); + return base::Contains(ev_root.policy_oids, policy_oid); } auto it = extra_cas_.find(fingerprint); diff --git a/chromium/net/cert/ev_root_ca_metadata.h b/chromium/net/cert/ev_root_ca_metadata.h index 9ce78dcb32d..c568c640f4a 100644 --- a/chromium/net/cert/ev_root_ca_metadata.h +++ b/chromium/net/cert/ev_root_ca_metadata.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/ev_root_ca_metadata_unittest.cc b/chromium/net/cert/ev_root_ca_metadata_unittest.cc index c364a34c1be..e73b50c01c1 100644 --- a/chromium/net/cert/ev_root_ca_metadata_unittest.cc 
+++ b/chromium/net/cert/ev_root_ca_metadata_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/cert_issuer_source_aia.cc b/chromium/net/cert/internal/cert_issuer_source_aia.cc index 22411efff84..855fa44480b 100644 --- a/chromium/net/cert/internal/cert_issuer_source_aia.cc +++ b/chromium/net/cert/internal/cert_issuer_source_aia.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -177,7 +177,7 @@ void CertIssuerSourceAia::AsyncGetIssuersOf(const ParsedCertificate* cert, std::vector<GURL> urls; for (const auto& uri : cert->ca_issuers_uris()) { - GURL url(uri); + GURL url(base::StringPiece(uri.data(), uri.size())); if (url.is_valid()) { // TODO(mattm): do the kMaxFetchesPerCert check only on the number of // supported URL schemes, not all the URLs. diff --git a/chromium/net/cert/internal/cert_issuer_source_aia.h b/chromium/net/cert/internal/cert_issuer_source_aia.h index 4247bc50a73..9431bbcb90d 100644 --- a/chromium/net/cert/internal/cert_issuer_source_aia.h +++ b/chromium/net/cert/internal/cert_issuer_source_aia.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc b/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc index 344ad413f84..fe29d366ee9 100644 --- a/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc +++ b/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc 
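Review bot: The `base::StringPiece(uri.data(), uri.size())` conversion in front of the GURL constructor is written out by hand here and again for `ocsp_uri` and `crl_uri` in revocation_checker.cc in this same commit. These strings come out of certificate fields, so one small helper that turns such a URI into a GURL would give a single place to audit and to change when the string types move again. AsyncGetIssuersOf starts and ends outside the hunk.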
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc b/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc
index da758ca71d9..3b842545cf2 100644
--- a/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc
+++ b/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc b/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
index 06a1321bfdd..11d39439953 100644
--- a/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc b/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
index b90164de4b3..290adf48a04 100644
--- a/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc b/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
index 4a82b035e43..cdd28714d92 100644
--- a/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc b/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
index e4aaeb00308..f79b3dd5b0c 100644
--- a/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_unittest.cc b/chromium/net/cert/internal/crl_unittest.cc
index b1f9ee7ca98..44eba27705b 100644
--- a/chromium/net/cert/internal/crl_unittest.cc
+++ b/chromium/net/cert/internal/crl_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/general_names_unittest.cc b/chromium/net/cert/internal/general_names_unittest.cc
index 927b4f574c5..2c4c347d783 100644
--- a/chromium/net/cert/internal/general_names_unittest.cc
+++ b/chromium/net/cert/internal/general_names_unittest.cc
@@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc index e3deecab6e1..b6aafbfd56a 100644 --- a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc +++ b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/revocation_checker.cc b/chromium/net/cert/internal/revocation_checker.cc index 174c2287c2f..e7bb72c4ab3 100644 --- a/chromium/net/cert/internal/revocation_checker.cc +++ b/chromium/net/cert/internal/revocation_checker.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -51,9 +51,10 @@ bool CheckCertRevocation(const ParsedCertificateList& certs, // Check using stapled OCSP, if available. if (!stapled_ocsp_response.empty() && issuer_cert) { OCSPVerifyResult::ResponseStatus response_details; - OCSPRevocationStatus ocsp_status = - CheckOCSP(stapled_ocsp_response, cert, issuer_cert, base::Time::Now(), - max_age, &response_details); + OCSPRevocationStatus ocsp_status = CheckOCSP( + std::string_view(stapled_ocsp_response.data(), + stapled_ocsp_response.size()), + cert, issuer_cert, base::Time::Now(), max_age, &response_details); if (stapled_ocsp_verify_result) { stapled_ocsp_verify_result->response_status = response_details; stapled_ocsp_verify_result->revocation_status = ocsp_status; 
@@ -86,7 +87,7 @@ bool CheckCertRevocation(const ParsedCertificateList& certs, for (const auto& ocsp_uri : cert->ocsp_uris()) { // Only consider http:// URLs (https:// could create a circular // dependency). - GURL parsed_ocsp_url(ocsp_uri); + GURL parsed_ocsp_url(base::StringPiece(ocsp_uri.data(), ocsp_uri.size())); if (!parsed_ocsp_url.is_valid() || !parsed_ocsp_url.SchemeIs(url::kHttpScheme)) { continue; @@ -135,7 +136,7 @@ bool CheckCertRevocation(const ParsedCertificateList& certs, OCSPVerifyResult::ResponseStatus response_details; OCSPRevocationStatus ocsp_status = CheckOCSP( - base::StringPiece( + std::string_view( reinterpret_cast<const char*>(ocsp_response_bytes.data()), ocsp_response_bytes.size()), cert, issuer_cert, base::Time::Now(), max_age, &response_details); @@ -186,7 +187,8 @@ bool CheckCertRevocation(const ParsedCertificateList& certs, ->uniform_resource_identifiers) { // Only consider http:// URLs (https:// could create a circular // dependency). - GURL parsed_crl_url(crl_uri); + GURL parsed_crl_url( + base::StringPiece(crl_uri.data(), crl_uri.size())); if (!parsed_crl_url.is_valid() || !parsed_crl_url.SchemeIs(url::kHttpScheme)) { continue; @@ -224,7 +226,7 @@ bool CheckCertRevocation(const ParsedCertificateList& certs, continue; CRLRevocationStatus crl_status = CheckCRL( - base::StringPiece( + std::string_view( reinterpret_cast<const char*>(crl_response_bytes.data()), crl_response_bytes.size()), certs, target_cert_index, distribution_point, base::Time::Now(), diff --git a/chromium/net/cert/internal/revocation_checker.h b/chromium/net/cert/internal/revocation_checker.h index 78ae5aa9a68..d3043e2a78c 100644 --- a/chromium/net/cert/internal/revocation_checker.h +++ b/chromium/net/cert/internal/revocation_checker.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
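Review bot: The `GURL parsed_ocsp_url(base::StringPiece(ocsp_uri.data(), ocsp_uri.size()))` line converts the URI by hand, and the same data()/size() wrapping is repeated for `crl_uri` in the `+187` hunk, while the CheckOCSP and CheckCRL calls in this function now build `std::string_view`; a reader has to work out which view type each callee expects. Since `ocsp_uri` comes from `cert->ocsp_uris()`, that is from the certificate being checked, I would say so at the conversion: `// URI is taken from the certificate under verification; only valid http:// URLs pass the check below.` A small file-local helper for the conversion would keep the OCSP and CRL call sites identical. CheckCertRevocation starts and ends outside this hunk.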
diff --git a/chromium/net/cert/internal/revocation_checker_unittest.cc b/chromium/net/cert/internal/revocation_checker_unittest.cc index 1ad965057da..a0b22ba32d4 100644 --- a/chromium/net/cert/internal/revocation_checker_unittest.cc +++ b/chromium/net/cert/internal/revocation_checker_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/revocation_util_unittest.cc b/chromium/net/cert/internal/revocation_util_unittest.cc index fd1b0389748..ab8397b19d5 100644 --- a/chromium/net/cert/internal/revocation_util_unittest.cc +++ b/chromium/net/cert/internal/revocation_util_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/system_trust_store.cc b/chromium/net/cert/internal/system_trust_store.cc index fc21d3633a2..1ebd9213fa1 100644 --- a/chromium/net/cert/internal/system_trust_store.cc +++ b/chromium/net/cert/internal/system_trust_store.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -218,6 +218,13 @@ CreateSslSystemTrustStoreNSSWithUserSlotRestriction( #elif BUILDFLAG(IS_MAC) +// Using the Builtin Verifier w/o the Chrome Root Store is unsupported on +// Mac. +std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { + return std::make_unique<DummySystemTrustStore>(); +} + +#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) namespace { TrustStoreMac::TrustImplType ParamToTrustImplType( 
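Review bot: The comment on the new Mac `CreateSslSystemTrustStore()` says the configuration is unsupported, but it does not say what a caller actually gets back. `DummySystemTrustStore` is defined outside this hunk; presumably it holds no trust anchors, so verification through it fails closed instead of falling back to the platform store. I would state that in the comment, for example `// Returns a store with no trust anchors, so verification through it rejects every chain.`, adjusted if DummySystemTrustStore behaves differently.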
@@ -249,8 +256,8 @@ TrustStoreMac::TrustImplType GetTrustStoreImplParam( // If handling that becomes necessary, the flags should be checked in the // higher level code (maybe in cert_verifier_creation.cc) so that each // type of CertVerifyProc could be created with the appropriate flags. - if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) { - return ParamToTrustImplType(features::kCertVerifierBuiltinImpl.Get(), + if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) { + return ParamToTrustImplType(features::kChromeRootStoreSysImpl.Get(), default_impl); } if (base::FeatureList::IsEnabled( @@ -262,9 +269,9 @@ TrustStoreMac::TrustImplType GetTrustStoreImplParam( } size_t GetTrustStoreCacheSize() { - if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature) && - features::kCertVerifierBuiltinCacheSize.Get() > 0) { - return features::kCertVerifierBuiltinCacheSize.Get(); + if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed) && + features::kChromeRootStoreSysCacheSize.Get() > 0) { + return features::kChromeRootStoreSysCacheSize.Get(); } if (base::FeatureList::IsEnabled( features::kCertDualVerificationTrialFeature) && 
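Review bot: In the `GetTrustStoreCacheSize` hunk the parameter `features::kChromeRootStoreSysCacheSize.Get()` is read twice, once for the `> 0` test and once for the return value, and the returned read is converted to `size_t` implicitly. Reading it once ties the sign check to the value that is returned: inside the `IsEnabled(features::kChromeRootStoreUsed)` branch, `const auto size = features::kChromeRootStoreSysCacheSize.Get();` followed by `if (size > 0) return static_cast<size_t>(size);`. The parameter's declared type is not visible here, and the function continues outside the hunk.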
@@ -275,55 +282,12 @@ size_t GetTrustStoreCacheSize() { return kDefaultCacheSize; } -} // namespace - -class SystemTrustStoreMac : public SystemTrustStore { - public: - SystemTrustStoreMac() = default; - - TrustStore* GetTrustStore() override { return GetGlobalTrustStoreMac(); } - - bool UsesSystemTrustStore() const override { return true; } - - // IsKnownRoot returns true if the given trust anchor is a standard one (as - // opposed to a user-installed root) - bool IsKnownRoot(const ParsedCertificate* trust_anchor) const override { - return GetGlobalTrustStoreMac()->IsKnownRoot(trust_anchor); - } - - static void InitializeTrustCacheOnWorkerThread() { - GetGlobalTrustStoreMac()->InitializeTrustCache(); - } - -#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) - int64_t chrome_root_store_version() override { return 0; } -#endif - - private: - static constexpr TrustStoreMac::TrustImplType kDefaultTrustImpl = - TrustStoreMac::TrustImplType::kLruCache; - - static TrustStoreMac* GetGlobalTrustStoreMac() { - static base::NoDestructor<TrustStoreMac> static_trust_store_mac( - kSecPolicyAppleSSL, GetTrustStoreImplParam(kDefaultTrustImpl), - GetTrustStoreCacheSize(), TrustStoreMac::TrustDomains::kAll); - return static_trust_store_mac.get(); - } -}; - -std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() { - return std::make_unique<SystemTrustStoreMac>(); -} - -#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) -namespace { - TrustStoreMac* GetGlobalTrustStoreMacForCRS() { constexpr TrustStoreMac::TrustImplType kDefaultMacTrustImplForCRS = TrustStoreMac::TrustImplType::kDomainCacheFullCerts; static base::NoDestructor<TrustStoreMac> static_trust_store_mac( kSecPolicyAppleSSL, GetTrustStoreImplParam(kDefaultMacTrustImplForCRS), - GetTrustStoreCacheSize(), TrustStoreMac::TrustDomains::kUserAndAdmin); + GetTrustStoreCacheSize()); return static_trust_store_mac.get(); } 
@@ -350,15 +314,6 @@ void InitializeTrustStoreMacCache() { return; } #endif // CHROME_ROOT_STORE_SUPPORTED - if (base::FeatureList::IsEnabled( - net::features::kCertVerifierBuiltinFeature)) { - base::ThreadPool::PostTask( - FROM_HERE, - {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN}, - base::BindOnce( - &SystemTrustStoreMac::InitializeTrustCacheOnWorkerThread)); - return; - } } #elif BUILDFLAG(IS_FUCHSIA) diff --git a/chromium/net/cert/internal/system_trust_store.h b/chromium/net/cert/internal/system_trust_store.h index 9a965013ffe..bf7ebff3e80 100644 --- a/chromium/net/cert/internal/system_trust_store.h +++ b/chromium/net/cert/internal/system_trust_store.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/system_trust_store_nss.h b/chromium/net/cert/internal/system_trust_store_nss.h index 70b3052d444..dfd5a69f52c 100644 --- a/chromium/net/cert/internal/system_trust_store_nss.h +++ b/chromium/net/cert/internal/system_trust_store_nss.h @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/system_trust_store_nss_unittest.cc b/chromium/net/cert/internal/system_trust_store_nss_unittest.cc index ae343e796aa..c05c2218c5f 100644 --- a/chromium/net/cert/internal/system_trust_store_nss_unittest.cc +++ b/chromium/net/cert/internal/system_trust_store_nss_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
diff --git a/chromium/net/cert/internal/system_trust_store_unittest.cc b/chromium/net/cert/internal/system_trust_store_unittest.cc index 902b40b3c8f..1a78d1f9957 100644 --- a/chromium/net/cert/internal/system_trust_store_unittest.cc +++ b/chromium/net/cert/internal/system_trust_store_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2022 The Chromium Authors. All rights reserved. +// Copyright 2022 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -19,7 +19,7 @@ namespace net { #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) -#include "net/data/ssl/chrome_root_store/chrome-root-store-test-data-inc.cc" +#include "net/data/ssl/chrome_root_store/chrome-root-store-test-data-inc.cc" // nogncheck TEST(SystemTrustStoreChrome, SystemDistrustOverridesChromeTrust) { CertificateList certs = CreateCertificateListFromFile( diff --git a/chromium/net/cert/internal/trust_store_chrome.cc b/chromium/net/cert/internal/trust_store_chrome.cc index 56f9d497f0f..a46ada86caa 100644 --- a/chromium/net/cert/internal/trust_store_chrome.cc +++ b/chromium/net/cert/internal/trust_store_chrome.cc @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/trust_store_chrome.h b/chromium/net/cert/internal/trust_store_chrome.h index 0d7acc591a5..86e4020e4e1 100644 --- a/chromium/net/cert/internal/trust_store_chrome.h +++ b/chromium/net/cert/internal/trust_store_chrome.h @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
diff --git a/chromium/net/cert/internal/trust_store_chrome_unittest.cc b/chromium/net/cert/internal/trust_store_chrome_unittest.cc index 7ba40227386..ad58476e523 100644 --- a/chromium/net/cert/internal/trust_store_chrome_unittest.cc +++ b/chromium/net/cert/internal/trust_store_chrome_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -48,9 +48,11 @@ TEST(TrustStoreChromeTestNoFixture, ContainsCert) { EXPECT_EQ(CertificateTrustType::TRUSTED_ANCHOR, trust.type); } - // Other certificates should not be included. + // Other certificates should not be included. Which test cert used here isn't + // important as long as it isn't one of the certificates in the + // chrome_root_store/test_store.certs. scoped_refptr<X509Certificate> other_cert = - ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem"); + ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"); ASSERT_TRUE(other_cert); scoped_refptr<ParsedCertificate> other_parsed = ToParsedCertificate(*other_cert); diff --git a/chromium/net/cert/internal/trust_store_mac.cc b/chromium/net/cert/internal/trust_store_mac.cc index f3b6e2a53d5..121fcb4bbb1 100644 --- a/chromium/net/cert/internal/trust_store_mac.cc +++ b/chromium/net/cert/internal/trust_store_mac.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,6 +9,7 @@ #include "base/atomicops.h" #include "base/bind.h" #include "base/callback_list.h" +#include "base/containers/contains.h" #include "base/containers/flat_map.h" #include "base/containers/lru_cache.h" #include "base/logging.h" 
@@ -18,12 +19,13 @@ #include "base/no_destructor.h" #include "base/strings/strcat.h" #include "base/synchronization/lock.h" +#include "base/timer/elapsed_timer.h" #include "crypto/mac_security_services_lock.h" #include "net/base/hash_value.h" #include "net/base/network_notification_thread_mac.h" -#include "net/cert/known_roots_mac.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/cert_issuer_source_static.h" +#include "net/cert/pki/extended_key_usage.h" #include "net/cert/pki/parse_name.h" #include "net/cert/pki/parsed_certificate.h" #include "net/cert/test_keychain_search_list_mac.h" @@ -51,12 +53,6 @@ enum class TrustStatus { DISTRUSTED }; -enum class KnownRootStatus { - UNKNOWN, - IS_KNOWN_ROOT, - NOT_KNOWN_ROOT, -}; - const void* kResultDebugDataKey = &kResultDebugDataKey; // Returns trust status of usage constraints dictionary |trust_dict| for a 
@@ -270,35 +266,9 @@ TrustStatus IsCertificateTrustedForPolicyInDomain( cert_handle, is_self_issued, policy_oid, trust_domain, debug_info); } -KnownRootStatus IsCertificateKnownRoot(const ParsedCertificate* cert) { - base::ScopedCFTypeRef<SecCertificateRef> cert_handle = - x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(), - cert->der_cert().Length()); - if (!cert_handle) - return KnownRootStatus::NOT_KNOWN_ROOT; - - base::ScopedCFTypeRef<CFArrayRef> trust_settings; - OSStatus err; - { - base::AutoLock lock(crypto::GetMacSecurityServicesLock()); - err = SecTrustSettingsCopyTrustSettings(cert_handle, - kSecTrustSettingsDomainSystem, - trust_settings.InitializeInto()); - } - return (err == errSecSuccess) ? KnownRootStatus::IS_KNOWN_ROOT - : KnownRootStatus::NOT_KNOWN_ROOT; -} - TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert, const CFStringRef policy_oid, - TrustStoreMac::TrustDomains domains, - int* debug_info, - KnownRootStatus* out_is_known_root) { - // |*out_is_known_root| is intentionally not cleared before starting, as - // there may have been a value already calculated and cached independently. - // The caller is expected to initialize |*out_is_known_root| to UNKNOWN if - // the value has not been calculated. - + int* debug_info) { base::ScopedCFTypeRef<SecCertificateRef> cert_handle = x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(), cert->der_cert().Length()); 
@@ -308,15 +278,10 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert, const bool is_self_issued = cert->normalized_subject() == cert->normalized_issuer(); - // Evaluate trust domains in user, admin, system order. Admin settings can - // override system ones, and user settings can override both admin and system. + // Evaluate user trust domain, then admin. User settings can override + // admin (and both override the system domain, but we don't check that). for (const auto& trust_domain : - {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, - kSecTrustSettingsDomainSystem}) { - if (domains == TrustStoreMac::TrustDomains::kUserAndAdmin && - trust_domain == kSecTrustSettingsDomainSystem) { - continue; - } + {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin}) { base::ScopedCFTypeRef<CFArrayRef> trust_settings; OSStatus err; { @@ -325,11 +290,6 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert, trust_settings.InitializeInto()); } if (err != errSecSuccess) { - if (out_is_known_root && trust_domain == kSecTrustSettingsDomainSystem) { - // If trust settings are not present for |cert| in the system domain, - // record it as not a known root. - *out_is_known_root = KnownRootStatus::NOT_KNOWN_ROOT; - } if (err == errSecItemNotFound) { // No trust settings for that domain.. try the next. continue; @@ -338,11 +298,6 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert, *debug_info |= TrustStoreMac::COPY_TRUST_SETTINGS_ERROR; continue; } - if (out_is_known_root && trust_domain == kSecTrustSettingsDomainSystem) { - // If trust settings are present for |cert| in the system domain, record - // it as a known root. - *out_is_known_root = KnownRootStatus::IS_KNOWN_ROOT; - } TrustStatus trust = IsTrustSettingsTrustedForPolicy( trust_settings, is_self_issued, policy_oid, debug_info); if (trust != TrustStatus::UNSPECIFIED) 
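Review bot: In the `err != errSecSuccess` branch that runs across the `+290` and `+298` hunks, any failure other than `errSecItemNotFound` only sets `TrustStoreMac::COPY_TRUST_SETTINGS_ERROR` in `*debug_info` and moves on to the next domain. A distrust entry in the user domain that could not be read is therefore handled as if it were absent, and the admin domain (or UNSPECIFIED) decides instead. If that behaviour is intended, I would say so at the `continue`: `// Read error is handled like "no settings"; a distrust entry in this domain is not applied.`; otherwise returning `TrustStatus::DISTRUSTED` on an unexpected error may be the safer choice. The loop and the function continue outside these hunks.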
@@ -568,7 +523,7 @@ class TrustDomainCacheFullCerts { domain_name = "Admin"; break; case kSecTrustSettingsDomainSystem: - domain_name = "System"; + NOTREACHED(); break; } base::UmaHistogramCounts1000( @@ -589,17 +544,16 @@ SHA256HashValue CalculateFingerprint256(const der::Input& buffer) { return sha256; } -// Watches macOS keychain for trust setting changes, and notifies any +// Watches macOS keychain for |event_mask| notifications, and notifies any // registered callbacks. This is necessary as the keychain callback API is // keyed only on the callback function pointer rather than function pointer + // context, so it cannot be safely registered multiple callbacks with the same // function pointer and different contexts. -class KeychainTrustSettingsChangedNotifier { +template <SecKeychainEventMask event_mask> +class KeychainChangedNotifier { public: - KeychainTrustSettingsChangedNotifier( - const KeychainTrustSettingsChangedNotifier&) = delete; - KeychainTrustSettingsChangedNotifier& operator=( - const KeychainTrustSettingsChangedNotifier&) = delete; + KeychainChangedNotifier(const KeychainChangedNotifier&) = delete; + KeychainChangedNotifier& operator=(const KeychainChangedNotifier&) = delete; // Registers |callback| to be run when the keychain trust settings change. // Must be called on the network notification thread. |callback| will be run @@ -612,7 +566,7 @@ class KeychainTrustSettingsChangedNotifier { } private: - friend base::NoDestructor<KeychainTrustSettingsChangedNotifier>; + friend base::NoDestructor<KeychainChangedNotifier>; // Much of the Keychain API was marked deprecated as of the macOS 13 SDK. // Removal of its use is tracked in https://crbug.com/1348251 but deprecation 
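Review bot: The `kSecTrustSettingsDomainSystem` case now only calls `NOTREACHED()` and breaks, so `domain_name` keeps whatever value it had before the switch (its declaration is outside the hunk) while the `base::UmaHistogramCounts1000(` call after the switch still runs. If NOTREACHED() does nothing in release builds, that call would presumably record under a name built from an unset domain. Leaving before the histogram is recorded avoids that, e.g. `NOTREACHED(); return;`, provided nothing after the histogram call has to run for this case.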
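Review bot: The comment kept as context in the `+544` hunk still reads `Registers |callback| to be run when the keychain trust settings change.`, which no longer matches the class now that `KeychainChangedNotifier` is templated on `event_mask`. I would reword it to `// Registers |callback| to be run when a keychain event in |event_mask| is notified.` so it agrees with the updated class comment above it. The AddCallback body itself is outside the hunk.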
@@ -620,30 +574,34 @@ class KeychainTrustSettingsChangedNotifier { #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" - KeychainTrustSettingsChangedNotifier() { + KeychainChangedNotifier() { DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence()); - OSStatus status = SecKeychainAddCallback( - &KeychainTrustSettingsChangedNotifier::KeychainCallback, - kSecTrustSettingsChangedEventMask, this); + OSStatus status = + SecKeychainAddCallback(&KeychainChangedNotifier::KeychainCallback, + event_mask, /*context=*/nullptr); if (status != noErr) OSSTATUS_LOG(ERROR, status) << "SecKeychainAddCallback failed"; } #pragma clang diagnostic pop - ~KeychainTrustSettingsChangedNotifier() = delete; + ~KeychainChangedNotifier() = delete; static OSStatus KeychainCallback(SecKeychainEvent keychain_event, SecKeychainCallbackInfo* info, void* context) { - KeychainTrustSettingsChangedNotifier* notifier = - reinterpret_cast<KeychainTrustSettingsChangedNotifier*>(context); - notifier->callback_list_.Notify(); + // Since SecKeychainAddCallback is keyed on the function pointer only, we + // need to ensure that each template instantiation of this function has a + // different address. Calling the static Get() method here to get the + // |callback_list_| (rather than passing a |this| pointer through + // |context|) should require each instantiation of KeychainCallback to be + // unique. + Get()->callback_list_.Notify(); return errSecSuccess; } - static KeychainTrustSettingsChangedNotifier* Get() { - static base::NoDestructor<KeychainTrustSettingsChangedNotifier> notifier; + static KeychainChangedNotifier* Get() { + static base::NoDestructor<KeychainChangedNotifier> notifier; return notifier.get(); } 
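Review bot: If `SecKeychainAddCallback` fails in the `KeychainChangedNotifier()` constructor, the only reaction is the `OSSTATUS_LOG(ERROR, status)` line; the singleton returned by `Get()` then accepts callbacks that will never run. The observers built on it would report a constant iteration, so caches that refresh on an iteration change (MaybeInitializeCache further down this file) would presumably keep using the trust settings read at first use, including after a distrust entry is added. I would at least document that next to the log line, `// On failure no notifications arrive; caches keyed on Iteration() are never refreshed.`, and consider exposing the failure so callers can re-read the settings on each use instead.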
@@ -651,23 +609,23 @@ class KeychainTrustSettingsChangedNotifier { }; // Observes keychain events and increments the value returned by Iteration() -// each time the trust settings change. -class KeychainTrustObserver { +// each time an event indicated by |event_mask| is notified. +template <SecKeychainEventMask event_mask> +class KeychainObserver { public: - KeychainTrustObserver() { + KeychainObserver() { GetNetworkNotificationThreadMac()->PostTask( FROM_HERE, - base::BindOnce( - &KeychainTrustObserver::RegisterCallbackOnNotificationThread, - base::Unretained(this))); + base::BindOnce(&KeychainObserver::RegisterCallbackOnNotificationThread, + base::Unretained(this))); } - KeychainTrustObserver(const KeychainTrustObserver&) = delete; - KeychainTrustObserver& operator=(const KeychainTrustObserver&) = delete; + KeychainObserver(const KeychainObserver&) = delete; + KeychainObserver& operator=(const KeychainObserver&) = delete; // Destroying the observer unregisters the callback. Must be destroyed on the // notification thread in order to safely release |subscription_|. - ~KeychainTrustObserver() { + ~KeychainObserver() { DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence()); } @@ -679,8 +637,8 @@ class KeychainTrustObserver { void RegisterCallbackOnNotificationThread() { DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence()); subscription_ = - KeychainTrustSettingsChangedNotifier::AddCallback(base::BindRepeating( - &KeychainTrustObserver::Increment, base::Unretained(this))); + KeychainChangedNotifier<event_mask>::AddCallback(base::BindRepeating( + &KeychainObserver::Increment, base::Unretained(this))); } void Increment() { base::subtle::Barrier_AtomicIncrement(&iteration_, 1); } 
@@ -691,6 +649,18 @@ class KeychainTrustObserver { base::subtle::Atomic64 iteration_ = 0; }; +using KeychainTrustObserver = + KeychainObserver<kSecTrustSettingsChangedEventMask>; + +// kSecDeleteEventMask events could also be checked here, but it's not +// necessary for correct behavior. Not including that just means the +// intermediates cache might occasionally be a little larger then necessary. +// In theory, the kSecAddEvent events could also be filtered to only notify on +// events for added certificates as opposed to other keychain objects, however +// that requires some fairly nasty CSSM hackery, so we don't do it. +using KeychainCertsObserver = + KeychainObserver<kSecAddEventMask | kSecKeychainListChangedMask>; + } // namespace // static @@ -733,7 +703,6 @@ class TrustStoreMac::TrustImpl { public: virtual ~TrustImpl() = default; - virtual bool IsKnownRoot(const ParsedCertificate* cert) = 0; virtual TrustStatus IsCertTrusted(const ParsedCertificate* cert, base::SupportsUserData* debug_data) = 0; virtual bool ImplementsSyncGetIssuersOf() const { return false; } @@ -748,14 +717,9 @@ class TrustStoreMac::TrustImpl { // modified. class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl { public: - explicit TrustImplDomainCache(CFStringRef policy_oid, TrustDomains domains) - : use_system_domain_cache_(domains == TrustDomains::kAll), - admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid), + explicit TrustImplDomainCache(CFStringRef policy_oid) + : admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid), user_domain_cache_(kSecTrustSettingsDomainUser, policy_oid) { - if (use_system_domain_cache_) { - system_domain_cache_ = std::make_unique<TrustDomainCache>( - kSecTrustSettingsDomainSystem, policy_oid); - } keychain_observer_ = std::make_unique<KeychainTrustObserver>(); } 
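Review bot: The new comment above `KeychainCertsObserver` has a typo: `a little larger then necessary` should read `a little larger than necessary`. The same comment says the add-event notifications are not filtered to certificates, so every item added to a keychain triggers the observer; stating the cost in the comment (presumably one rebuild of the intermediates cache per event) would tell the next reader when the filtering becomes worth revisiting.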
@@ -767,17 +731,6 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl { FROM_HERE, std::move(keychain_observer_)); } - // Returns true if |cert| is present in kSecTrustSettingsDomainSystem. - bool IsKnownRoot(const ParsedCertificate* cert) override { - if (!use_system_domain_cache_) - return false; - SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert()); - - base::AutoLock lock(cache_lock_); - MaybeInitializeCache(); - return system_domain_cache_->ContainsCert(cert_hash); - } - // Returns the trust status for |cert|. TrustStatus IsCertTrusted(const ParsedCertificate* cert, base::SupportsUserData* debug_data) override { @@ -786,9 +739,8 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl { base::AutoLock lock(cache_lock_); MaybeInitializeCache(); - // Evaluate trust domains in user, admin, system order. Admin settings can - // override system ones, and user settings can override both admin and - // system. + // Evaluate user trust domain, then admin. User settings can override + // admin (and both override the system domain, but we don't check that). for (TrustDomainCache* trust_domain_cache : {&user_domain_cache_, &admin_domain_cache_}) { TrustStatus ts = @@ -796,9 +748,6 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl { if (ts != TrustStatus::UNSPECIFIED) return ts; } - if (use_system_domain_cache_) { - return system_domain_cache_->IsCertTrusted(cert, cert_hash, debug_data); - } // Cert did not have trust settings in any domain. return TrustStatus::UNSPECIFIED; 
@@ -822,26 +771,13 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl { iteration_ = keychain_iteration; user_domain_cache_.Initialize(); admin_domain_cache_.Initialize(); - if (use_system_domain_cache_ && !system_domain_initialized_) { - // In practice, the system trust domain does not change during runtime, - // and SecTrustSettingsCopyCertificates on the system domain is quite - // slow, so the system domain cache is not reset on keychain changes. - system_domain_cache_->Initialize(); - system_domain_initialized_ = true; - } } std::unique_ptr<KeychainTrustObserver> keychain_observer_; - // Store whether to use the system domain in a const bool that is initialized - // in constructor so it is safe to read without having to lock first. - const bool use_system_domain_cache_; base::Lock cache_lock_; // |cache_lock_| must be held while accessing any following members. int64_t iteration_ GUARDED_BY(cache_lock_) = -1; - bool system_domain_initialized_ GUARDED_BY(cache_lock_) = false; - std::unique_ptr<TrustDomainCache> system_domain_cache_ - GUARDED_BY(cache_lock_); TrustDomainCache admin_domain_cache_ GUARDED_BY(cache_lock_); TrustDomainCache user_domain_cache_ GUARDED_BY(cache_lock_); }; 
@@ -854,16 +790,12 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl { class TrustStoreMac::TrustImplDomainCacheFullCerts : public TrustStoreMac::TrustImpl { public: - explicit TrustImplDomainCacheFullCerts(CFStringRef policy_oid, - TrustDomains domains) - : use_system_domain_cache_(domains == TrustDomains::kAll), + explicit TrustImplDomainCacheFullCerts(CFStringRef policy_oid) + : policy_oid_(policy_oid, base::scoped_policy::RETAIN), admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid), user_domain_cache_(kSecTrustSettingsDomainUser, policy_oid) { - if (use_system_domain_cache_) { - system_domain_cache_ = std::make_unique<TrustDomainCacheFullCerts>( - kSecTrustSettingsDomainSystem, policy_oid); - } - keychain_observer_ = std::make_unique<KeychainTrustObserver>(); + keychain_trust_observer_ = std::make_unique<KeychainTrustObserver>(); + keychain_certs_observer_ = std::make_unique<KeychainCertsObserver>(); } TrustImplDomainCacheFullCerts(const TrustImplDomainCacheFullCerts&) = delete; @@ -872,18 +804,9 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts ~TrustImplDomainCacheFullCerts() override { GetNetworkNotificationThreadMac()->DeleteSoon( - FROM_HERE, std::move(keychain_observer_)); - } - - // Returns true if |cert| is present in kSecTrustSettingsDomainSystem. - bool IsKnownRoot(const ParsedCertificate* cert) override { - if (!use_system_domain_cache_) - return false; - SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert()); - - base::AutoLock lock(cache_lock_); - MaybeInitializeCache(); - return system_domain_cache_->ContainsCert(cert_hash); + FROM_HERE, std::move(keychain_trust_observer_)); + GetNetworkNotificationThreadMac()->DeleteSoon( + FROM_HERE, std::move(keychain_certs_observer_)); } // Returns the trust status for |cert|. 
@@ -894,9 +817,8 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts base::AutoLock lock(cache_lock_); MaybeInitializeCache(); - // Evaluate trust domains in user, admin, system order. Admin settings can - // override system ones, and user settings can override both admin and - // system. + // Evaluate user trust domain, then admin. User settings can override + // admin (and both override the system domain, but we don't check that). for (TrustDomainCacheFullCerts* trust_domain_cache : {&user_domain_cache_, &admin_domain_cache_}) { TrustStatus ts = @@ -904,9 +826,6 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts if (ts != TrustStatus::UNSPECIFIED) return ts; } - if (use_system_domain_cache_) { - return system_domain_cache_->IsCertTrusted(cert, cert_hash, debug_data); - } // Cert did not have trust settings in any domain. return TrustStatus::UNSPECIFIED; @@ -920,10 +839,7 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts MaybeInitializeCache(); user_domain_cache_.cert_issuer_source().SyncGetIssuersOf(cert, issuers); admin_domain_cache_.cert_issuer_source().SyncGetIssuersOf(cert, issuers); - if (system_domain_cache_) { - system_domain_cache_->cert_issuer_source().SyncGetIssuersOf(cert, - issuers); - } + intermediates_cert_issuer_source_.SyncGetIssuersOf(cert, issuers); } // Initializes the cache, if it isn't already initialized. 
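Review bot: `SyncGetIssuersOf` in the `+839` hunk now also returns certificates from `intermediates_cert_issuer_source_`, and nothing at the call site says that those certificates carry no trust of their own. In the `IsCertTrusted` lines visible above it, only `user_domain_cache_` and `admin_domain_cache_` are consulted, so the intermediates look like path-building candidates only. A comment would keep a later change from treating them as anchors: `// Keychain intermediates are candidates for path building only; they are never trust anchors.` How the intermediates source is filled is in a later hunk that is cut off in this view.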
@@ -937,65 +853,187 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts // |cache_lock_| and before accessing any of the |*_domain_cache_| members. void MaybeInitializeCache() EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) { cache_lock_.AssertAcquired(); - int64_t keychain_iteration = keychain_observer_->Iteration(); - if (iteration_ == keychain_iteration) + + const int64_t keychain_trust_iteration = + keychain_trust_observer_->Iteration(); + const bool trust_changed = trust_iteration_ != keychain_trust_iteration; + if (trust_changed) { + base::ElapsedTimer trust_domain_cache_init_timer; + trust_iteration_ = keychain_trust_iteration; + user_domain_cache_.Initialize(); + admin_domain_cache_.Initialize(); + base::UmaHistogramMediumTimes( + "Net.CertVerifier.MacTrustDomainCacheInitTime", + trust_domain_cache_init_timer.Elapsed()); + } + + const int64_t keychain_certs_iteration = + keychain_certs_observer_->Iteration(); + const bool certs_changed = certs_iteration_ != keychain_certs_iteration; + // Intermediates cache is updated on trust changes too, since the + // intermediates cache is exclusive of any certs in trust domain caches. 
+ if (trust_changed || certs_changed) { + certs_iteration_ = keychain_certs_iteration; + IntializeIntermediatesCache(); + } + } + + void IntializeIntermediatesCache() EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) { + cache_lock_.AssertAcquired(); + + base::ElapsedTimer timer; + + intermediates_cert_issuer_source_.Clear(); + + base::ScopedCFTypeRef<CFMutableDictionaryRef> query( + CFDictionaryCreateMutable(nullptr, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks)); + + CFDictionarySetValue(query, kSecClass, kSecClassCertificate); + CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue); + CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll); + + base::AutoLock lock(crypto::GetMacSecurityServicesLock()); + + base::ScopedCFTypeRef<CFArrayRef> scoped_alternate_keychain_search_list; + if (TestKeychainSearchList::HasInstance()) { + OSStatus status = TestKeychainSearchList::GetInstance()->CopySearchList( + scoped_alternate_keychain_search_list.InitializeInto()); + if (status) { + OSSTATUS_LOG(ERROR, status) + << "TestKeychainSearchList::CopySearchList error"; + return; + } + CFDictionarySetValue(query, kSecMatchSearchList, + scoped_alternate_keychain_search_list.get()); + } + + base::ScopedCFTypeRef<CFTypeRef> matching_items; + OSStatus err = SecItemCopyMatching(query, matching_items.InitializeInto()); + if (err == errSecItemNotFound) { + RecordCachedIntermediatesHistograms(0, timer.Elapsed()); + // No matches found. 
return; + } + if (err) { + RecordCachedIntermediatesHistograms(0, timer.Elapsed()); + OSSTATUS_LOG(ERROR, err) << "SecItemCopyMatching error"; + return; + } + CFArrayRef matching_items_array = + base::mac::CFCastStrict<CFArrayRef>(matching_items); + for (CFIndex i = 0, item_count = CFArrayGetCount(matching_items_array); + i < item_count; ++i) { + SecCertificateRef match_cert_handle = + base::mac::CFCastStrict<SecCertificateRef>( + CFArrayGetValueAtIndex(matching_items_array, i)); + + // If cert is already in the trust domain certs cache, don't bother + // including it in the intermediates cache. + SHA256HashValue cert_hash = + x509_util::CalculateFingerprint256(match_cert_handle); + if (user_domain_cache_.ContainsCert(cert_hash) || + admin_domain_cache_.ContainsCert(cert_hash)) { + continue; + } - iteration_ = keychain_iteration; - user_domain_cache_.Initialize(); - admin_domain_cache_.Initialize(); - if (use_system_domain_cache_ && !system_domain_initialized_) { - // In practice, the system trust domain does not change during runtime, - // and SecTrustSettingsCopyCertificates on the system domain is quite - // slow, so the system domain cache is not reset on keychain changes. 
- system_domain_cache_->Initialize(); - system_domain_initialized_ = true; + base::ScopedCFTypeRef<CFDataRef> der_data( + SecCertificateCopyData(match_cert_handle)); + if (!der_data) { + LOG(ERROR) << "SecCertificateCopyData error"; + continue; + } + auto buffer = x509_util::CreateCryptoBuffer(base::make_span( + CFDataGetBytePtr(der_data.get()), CFDataGetLength(der_data.get()))); + CertErrors errors; + ParseCertificateOptions options; + options.allow_invalid_serial_numbers = true; + scoped_refptr<ParsedCertificate> parsed_cert = + ParsedCertificate::Create(std::move(buffer), options, &errors); + if (!parsed_cert) { + LOG(ERROR) << "Error parsing certificate:\n" << errors.ToDebugString(); + continue; + } + if (IsNotAcceptableIntermediate(parsed_cert.get())) { + continue; + } + intermediates_cert_issuer_source_.AddCert(std::move(parsed_cert)); + } + RecordCachedIntermediatesHistograms(CFArrayGetCount(matching_items_array), + timer.Elapsed()); + } + + // Returns true if |cert| would never be a valid intermediate. (A return + // value of false does not imply that it is valid.) This is an optimization + // to avoid using memory for caching certs that would never lead to a valid + // chain. It's not intended to exhaustively test everything that + // VerifyCertificateChain does, just to filter out some of the most obviously + // unusable certs. + bool IsNotAcceptableIntermediate(ParsedCertificate* cert) const { + if (!cert->has_basic_constraints() || !cert->basic_constraints().is_ca) { + return true; + } + + // EKU filter is only implemented for TLS server auth since that's all we + // actually care about. + if (cert->has_extended_key_usage() && + CFEqual(policy_oid_, kSecPolicyAppleSSL) && + !base::Contains(cert->extended_key_usage(), der::Input(kAnyEKU)) && + !base::Contains(cert->extended_key_usage(), der::Input(kServerAuth))) { + return true; } + + // TODO(mattm): filter on other things too? (key usage, ...?) 
+ return false; } - std::unique_ptr<KeychainTrustObserver> keychain_observer_; - // Store whether to use the system domain in a const bool that is initialized - // in constructor so it is safe to read without having to lock first. - const bool use_system_domain_cache_; + void RecordCachedIntermediatesHistograms(CFIndex total_cert_count, + base::TimeDelta cache_init_time) + const EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) { + cache_lock_.AssertAcquired(); + base::UmaHistogramMediumTimes( + "Net.CertVerifier.MacKeychainCerts.IntermediateCacheInitTime", + cache_init_time); + base::UmaHistogramCounts1000("Net.CertVerifier.MacKeychainCerts.TotalCount", + total_cert_count); + base::UmaHistogramCounts1000( + "Net.CertVerifier.MacKeychainCerts.IntermediateCount", + intermediates_cert_issuer_source_.size()); + } + + std::unique_ptr<KeychainTrustObserver> keychain_trust_observer_; + std::unique_ptr<KeychainCertsObserver> keychain_certs_observer_; + const base::ScopedCFTypeRef<CFStringRef> policy_oid_; base::Lock cache_lock_; // |cache_lock_| must be held while accessing any following members. - int64_t iteration_ GUARDED_BY(cache_lock_) = -1; - bool system_domain_initialized_ GUARDED_BY(cache_lock_) = false; - std::unique_ptr<TrustDomainCacheFullCerts> system_domain_cache_ - GUARDED_BY(cache_lock_); + int64_t trust_iteration_ GUARDED_BY(cache_lock_) = -1; + int64_t certs_iteration_ GUARDED_BY(cache_lock_) = -1; + TrustDomainCacheFullCerts admin_domain_cache_ GUARDED_BY(cache_lock_); TrustDomainCacheFullCerts user_domain_cache_ GUARDED_BY(cache_lock_); + + CertIssuerSourceStatic intermediates_cert_issuer_source_ + GUARDED_BY(cache_lock_); }; // TrustImplNoCache is the simplest approach which calls // SecTrustSettingsCopyTrustSettings on every cert checked, with no caching. 
class TrustStoreMac::TrustImplNoCache : public TrustStoreMac::TrustImpl { public: - explicit TrustImplNoCache(CFStringRef policy_oid, TrustDomains domains) - : policy_oid_(policy_oid), domains_(domains) {} + explicit TrustImplNoCache(CFStringRef policy_oid) : policy_oid_(policy_oid) {} TrustImplNoCache(const TrustImplNoCache&) = delete; TrustImplNoCache& operator=(const TrustImplNoCache&) = delete; ~TrustImplNoCache() override = default; - // Returns true if |cert| is present in kSecTrustSettingsDomainSystem. - bool IsKnownRoot(const ParsedCertificate* cert) override { - if (domains_ == TrustDomains::kUserAndAdmin) - return false; - HashValue cert_hash(CalculateFingerprint256(cert->der_cert())); - base::AutoLock lock(crypto::GetMacSecurityServicesLock()); - return net::IsKnownRoot(cert_hash); - } - // Returns the trust status for |cert|. TrustStatus IsCertTrusted(const ParsedCertificate* cert, base::SupportsUserData* debug_data) override { int debug_info = 0; TrustStatus result = - IsCertificateTrustedForPolicy(cert, policy_oid_, domains_, &debug_info, - /*out_is_known_root=*/nullptr); + IsCertificateTrustedForPolicy(cert, policy_oid_, &debug_info); UpdateUserData(debug_info, debug_data, TrustStoreMac::TrustImplType::kSimple); return result; @@ -1007,7 +1045,6 @@ class TrustStoreMac::TrustImplNoCache : public TrustStoreMac::TrustImpl { private: const CFStringRef policy_oid_; - const TrustDomains domains_; }; // TrustImplLRUCache is calls SecTrustSettingsCopyTrustSettings on every cert 
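Review bot: `MaybeInitializeCache` stores `certs_iteration_` before calling `IntializeIntermediatesCache()`, and that function clears `intermediates_cert_issuer_source_` first and then returns early on a `CopySearchList` or `SecItemCopyMatching` error, so one failed keychain query leaves the intermediates cache empty until the next keychain notification. That fails closed (issuer candidates are simply not found), but it is silent and never retried. I would have the rebuild report success and put the iteration back to the `-1` "not built" value on failure, as sketched below; a persistent failure would then repeat the query on each call while `cache_lock_` is held, so if that cost is unacceptable the current behaviour should at least be documented on the function. The sketch also spells the name `InitializeIntermediatesCache`, and `options.allow_invalid_serial_numbers = true` deserves a one-line comment saying why lenient parsing is acceptable for these certificates.

```cpp
    // … unchanged: trust-domain refresh and certs_changed computation …
    if (trust_changed || certs_changed) {
      // -1 is the "not built" value, so a failed rebuild is retried on the
      // next call instead of leaving the cache empty.
      certs_iteration_ =
          InitializeIntermediatesCache() ? keychain_certs_iteration : -1;
    }

  // Returns false if the keychain could not be enumerated.
  bool InitializeIntermediatesCache() EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) {
    // … unchanged: clear the source, build the query …
      if (status) {
        // … unchanged: OSSTATUS_LOG …
        return false;
      }
    // … unchanged: SecItemCopyMatching call …
    if (err == errSecItemNotFound) {
      RecordCachedIntermediatesHistograms(0, timer.Elapsed());
      return true;  // No certificates in the keychain is a valid result.
    }
    if (err) {
      // … unchanged: histograms and OSSTATUS_LOG …
      return false;
    }
    // … unchanged: per-certificate parse and filter loop, histograms …
    return true;
  }
```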
@@ -1015,12 +1052,8 @@ class TrustStoreMac::TrustImplNoCache : public TrustStoreMac::TrustImpl { // keychain updates. class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl { public: - TrustImplLRUCache(CFStringRef policy_oid, - size_t cache_size, - TrustDomains domains) - : policy_oid_(policy_oid), - domains_(domains), - trust_status_cache_(cache_size) { + TrustImplLRUCache(CFStringRef policy_oid, size_t cache_size) + : policy_oid_(policy_oid), trust_status_cache_(cache_size) { keychain_observer_ = std::make_unique<KeychainTrustObserver>(); } @@ -1032,13 +1065,6 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl { FROM_HERE, std::move(keychain_observer_)); } - // Returns true if |cert| has trust settings in kSecTrustSettingsDomainSystem. - bool IsKnownRoot(const ParsedCertificate* cert) override { - if (domains_ == TrustDomains::kUserAndAdmin) - return false; - return GetKnownRootStatus(cert) == KnownRootStatus::IS_KNOWN_ROOT; - } - // Returns the trust status for |cert|. TrustStatus IsCertTrusted(const ParsedCertificate* cert, base::SupportsUserData* debug_data) override { 
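Review bot: `policy_oid_(policy_oid)` in `TrustImplLRUCache` (and in `TrustImplNoCache` earlier in this diff) keeps a borrowed `CFStringRef`, while `TrustImplDomainCacheFullCerts` in this same commit now holds it in a `base::ScopedCFTypeRef<CFStringRef>` initialised with `base::scoped_policy::RETAIN`. The callers visible in this diff pass framework constants such as `kSecPolicyAppleSSL`, so this is probably harmless today, but the implementations should agree on ownership. Either retain here as well, `policy_oid_(policy_oid, base::scoped_policy::RETAIN)` with the member declared as `const base::ScopedCFTypeRef<CFStringRef> policy_oid_;`, or state on the `TrustStoreMac` constructor that `policy_oid` must outlive the store.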
@@ -1056,49 +1082,10 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl { struct TrustStatusDetails { TrustStatus trust_status = TrustStatus::UNKNOWN; int debug_info = 0; - KnownRootStatus is_known_root = KnownRootStatus::UNKNOWN; }; - KnownRootStatus GetKnownRootStatus(const ParsedCertificate* cert) { - SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert()); - - int starting_cache_iteration = -1; - { - base::AutoLock lock(cache_lock_); - MaybeResetCache(); - starting_cache_iteration = iteration_; - auto cache_iter = trust_status_cache_.Get(cert_hash); - if (cache_iter != trust_status_cache_.end() && - cache_iter->second.is_known_root != KnownRootStatus::UNKNOWN) { - return cache_iter->second.is_known_root; - } - } - - KnownRootStatus is_known_root = IsCertificateKnownRoot(cert); - - { - base::AutoLock lock(cache_lock_); - MaybeResetCache(); - if (iteration_ != starting_cache_iteration) - return is_known_root; - - auto cache_iter = trust_status_cache_.Get(cert_hash); - // Update |is_known_root| on existing cache entry if there is one, - // otherwise create a new cache entry. - if (cache_iter != trust_status_cache_.end()) { - cache_iter->second.is_known_root = is_known_root; - } else { - TrustStatusDetails trust_details; - trust_details.is_known_root = is_known_root; - trust_status_cache_.Put(cert_hash, trust_details); - } - } - return is_known_root; - } - TrustStatusDetails GetTrustStatus(const ParsedCertificate* cert) { SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert()); - TrustStatusDetails trust_details; int starting_cache_iteration = -1; { 
@@ -1109,15 +1096,12 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl { if (cache_iter != trust_status_cache_.end()) { if (cache_iter->second.trust_status != TrustStatus::UNKNOWN) return cache_iter->second; - // If there was a cache entry but the trust status was not initialized, - // copy the existing values. (|is_known_root| might already be cached.) - trust_details = cache_iter->second; } } + TrustStatusDetails trust_details; trust_details.trust_status = IsCertificateTrustedForPolicy( - cert, policy_oid_, domains_, &trust_details.debug_info, - &trust_details.is_known_root); + cert, policy_oid_, &trust_details.debug_info); { base::AutoLock lock(cache_lock_); @@ -1139,7 +1123,6 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl { } const CFStringRef policy_oid_; - const TrustDomains domains_; std::unique_ptr<KeychainTrustObserver> keychain_observer_; base::Lock cache_lock_; 
@@ -1157,27 +1140,24 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl { TrustStoreMac::TrustStoreMac(CFStringRef policy_oid, TrustImplType impl, - size_t cache_size, - TrustDomains domains) - : domains_(domains) { + size_t cache_size) { switch (impl) { case TrustImplType::kUnknown: DCHECK(false); break; case TrustImplType::kDomainCache: - trust_cache_ = - std::make_unique<TrustImplDomainCache>(policy_oid, domains); + trust_cache_ = std::make_unique<TrustImplDomainCache>(policy_oid); break; case TrustImplType::kSimple: - trust_cache_ = std::make_unique<TrustImplNoCache>(policy_oid, domains); + trust_cache_ = std::make_unique<TrustImplNoCache>(policy_oid); break; case TrustImplType::kLruCache: trust_cache_ = - std::make_unique<TrustImplLRUCache>(policy_oid, cache_size, domains); + std::make_unique<TrustImplLRUCache>(policy_oid, cache_size); break; case TrustImplType::kDomainCacheFullCerts: trust_cache_ = - std::make_unique<TrustImplDomainCacheFullCerts>(policy_oid, domains); + std::make_unique<TrustImplDomainCacheFullCerts>(policy_oid); break; } } @@ -1188,10 +1168,6 @@ void TrustStoreMac::InitializeTrustCache() const { trust_cache_->InitializeTrustCache(); } -bool TrustStoreMac::IsKnownRoot(const ParsedCertificate* cert) const { - return trust_cache_->IsKnownRoot(cert); -} - void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) { if (trust_cache_->ImplementsSyncGetIssuersOf()) { @@ -1204,7 +1180,7 @@ void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert, return; std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> matching_cert_buffers = - FindMatchingCertificatesForMacNormalizedSubject(name_data, domains_); + FindMatchingCertificatesForMacNormalizedSubject(name_data); // Convert to ParsedCertificate. for (auto& buffer : matching_cert_buffers) { 
@@ -1248,8 +1224,7 @@ CertificateTrust TrustStoreMac::GetTrust( // static std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( - CFDataRef name_data, - TrustDomains domains) { + CFDataRef name_data) { std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> matching_cert_buffers; base::ScopedCFTypeRef<CFMutableDictionaryRef> query( CFDictionaryCreateMutable(nullptr, 0, &kCFTypeDictionaryKeyCallBacks, 
@@ -1273,52 +1248,6 @@ TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( } } -// Much of the Keychain API was marked deprecated as of the macOS 13 SDK. -// Removal of its use is tracked in https://crbug.com/1348251 but deprecation -// warnings are disabled in the meanwhile. -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wdeprecated-declarations" - - if (domains == TrustDomains::kAll) { - // If a TestKeychainSearchList is present, it will have already set - // |scoped_alternate_keychain_search_list|, which will be used as the - // basis for reordering the keychain. Otherwise, get the current keychain - // search list and use that. - if (!scoped_alternate_keychain_search_list) { - OSStatus status = SecKeychainCopySearchList( - scoped_alternate_keychain_search_list.InitializeInto()); - if (status) { - OSSTATUS_LOG(ERROR, status) << "SecKeychainCopySearchList error"; - return matching_cert_buffers; - } - } - - CFMutableArrayRef mutable_keychain_search_list = CFArrayCreateMutableCopy( - kCFAllocatorDefault, - CFArrayGetCount(scoped_alternate_keychain_search_list.get()) + 1, - scoped_alternate_keychain_search_list.get()); - if (!mutable_keychain_search_list) { - LOG(ERROR) << "CFArrayCreateMutableCopy"; - return matching_cert_buffers; - } - scoped_alternate_keychain_search_list.reset(mutable_keychain_search_list); - - base::ScopedCFTypeRef<SecKeychainRef> roots_keychain; - // The System Roots keychain is not normally searched by - // SecItemCopyMatching. Get a reference to it and include in the keychain - // search list. 
- OSStatus status = SecKeychainOpen( - "/System/Library/Keychains/SystemRootCertificates.keychain", - roots_keychain.InitializeInto()); - if (status) { - OSSTATUS_LOG(ERROR, status) << "SecKeychainOpen error"; - return matching_cert_buffers; - } - CFArrayAppendValue(mutable_keychain_search_list, roots_keychain); - } - -#pragma clang diagnostic pop - if (scoped_alternate_keychain_search_list) { CFDictionarySetValue(query, kSecMatchSearchList, scoped_alternate_keychain_search_list.get()); diff --git a/chromium/net/cert/internal/trust_store_mac.h b/chromium/net/cert/internal/trust_store_mac.h index e7f9a964cb0..86119d55e16 100644 --- a/chromium/net/cert/internal/trust_store_mac.h +++ b/chromium/net/cert/internal/trust_store_mac.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -84,17 +84,6 @@ class NET_EXPORT TrustStoreMac : public TrustStore { kDomainCacheFullCerts = 4, }; - enum class TrustDomains { - // Load trust settings and certificates from all three trust domains - // (user, admin, system). - kAll = 0, - - // Load trust settings and certificates from only the user and admin trust - // domains. This will find trust settings that have been set locally or by - // an enterprise, but not those distributed with the OS. - kUserAndAdmin = 1, - }; - class ResultDebugData : public base::SupportsUserData::Data { public: static const ResultDebugData* Get(const base::SupportsUserData* debug_data); 
@@ -125,10 +114,7 @@ class NET_EXPORT TrustStoreMac : public TrustStore { // |impl| selects which internal implementation is used for checking trust // settings, and the interpretation of |cache_size| varies depending on // |impl|. - TrustStoreMac(CFStringRef policy_oid, - TrustImplType impl, - size_t cache_size, - TrustDomains domains); + TrustStoreMac(CFStringRef policy_oid, TrustImplType impl, size_t cache_size); TrustStoreMac(const TrustStoreMac&) = delete; TrustStoreMac& operator=(const TrustStoreMac&) = delete; @@ -138,10 +124,6 @@ class NET_EXPORT TrustStoreMac : public TrustStore { // Initializes the trust cache, if it isn't already initialized. void InitializeTrustCache() const; - // Returns true if the given certificate is present in the system trust - // domain. - bool IsKnownRoot(const ParsedCertificate* cert) const; - // TrustStore implementation: void SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) override; @@ -155,14 +137,11 @@ class NET_EXPORT TrustStoreMac : public TrustStore { class TrustImplNoCache; class TrustImplLRUCache; - FRIEND_TEST_ALL_PREFIXES(TrustStoreMacImplTest, MultiRootNotTrusted); - // Finds certificates in the OS keychains whose Subject matches |name_data|. // The result is an array of CRYPTO_BUFFERs containing the DER certificate // data. static std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> - FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data, - TrustDomains domains); + FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data); // Returns the OS-normalized issuer of |cert|. // macOS internally uses a normalized form of subject/issuer names for @@ -171,7 +150,6 @@ class NET_EXPORT TrustStoreMac : public TrustStore { static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer( const ParsedCertificate* cert); - TrustDomains domains_; std::unique_ptr<TrustImpl> trust_cache_; }; 
diff --git a/chromium/net/cert/internal/trust_store_mac_unittest.cc b/chromium/net/cert/internal/trust_store_mac_unittest.cc index 92383414d74..9b714f31e7d 100644 --- a/chromium/net/cert/internal/trust_store_mac_unittest.cc +++ b/chromium/net/cert/internal/trust_store_mac_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -13,15 +13,16 @@ #include "base/logging.h" #include "base/path_service.h" #include "base/process/launch.h" +#include "base/strings/strcat.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_split.h" #include "base/synchronization/lock.h" #include "base/test/metrics/histogram_tester.h" #include "crypto/mac_security_services_lock.h" #include "crypto/sha2.h" -#include "net/cert/known_roots_mac.h" #include "net/cert/pem.h" #include "net/cert/pki/cert_errors.h" +#include "net/cert/pki/parsed_certificate.h" #include "net/cert/pki/test_helpers.h" #include "net/cert/test_keychain_search_list_mac.h" #include "net/cert/x509_certificate.h" @@ -67,19 +68,6 @@ const char kCertificateHeader[] = "CERTIFICATE"; return ::testing::AssertionSuccess(); } -// Returns the DER encodings of the in |array|. -std::vector<std::string> CryptoBufferVectorAsStringVector( - const std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>& array) { - std::vector<std::string> result; - - for (const auto& buffer : array) { - result.push_back( - std::string(x509_util::CryptoBufferAsStringPiece(buffer.get()))); - } - - return result; -} - // Returns the DER encodings of the ParsedCertificates in |list|. std::vector<std::string> ParsedCertificateListAsDER( ParsedCertificateList list) { 
@@ -116,17 +104,25 @@ class DebugData : public base::SupportsUserData { ~DebugData() override = default; }; -enum IsKnownRootTestOrder { - TEST_IS_KNOWN_ROOT_BEFORE, - TEST_IS_KNOWN_ROOT_AFTER, -}; +const char* TrustImplTypeToString(TrustStoreMac::TrustImplType t) { + switch (t) { + case TrustStoreMac::TrustImplType::kDomainCache: + return "DomainCache"; + case TrustStoreMac::TrustImplType::kSimple: + return "Simple"; + case TrustStoreMac::TrustImplType::kLruCache: + return "LruCache"; + case TrustStoreMac::TrustImplType::kDomainCacheFullCerts: + return "DomainCacheFullCerts"; + case TrustStoreMac::TrustImplType::kUnknown: + return "Unknown"; + } +} } // namespace class TrustStoreMacImplTest - : public testing::TestWithParam<std::tuple<TrustStoreMac::TrustImplType, - IsKnownRootTestOrder, - TrustStoreMac::TrustDomains>> {}; + : public testing::TestWithParam<TrustStoreMac::TrustImplType> {}; // Much of the Keychain API was marked deprecated as of the macOS 13 SDK. // Removal of its use is tracked in https://crbug.com/1348251 but deprecation @@ -155,11 +151,8 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) { #pragma clang diagnostic pop - const TrustStoreMac::TrustImplType trust_impl = std::get<0>(GetParam()); - const IsKnownRootTestOrder is_known_root_test_order = std::get<1>(GetParam()); - const TrustStoreMac::TrustDomains trust_domains = std::get<2>(GetParam()); - TrustStoreMac trust_store(kSecPolicyAppleSSL, trust_impl, kDefaultCacheSize, - trust_domains); + const TrustStoreMac::TrustImplType trust_impl = GetParam(); + TrustStoreMac trust_store(kSecPolicyAppleSSL, trust_impl, kDefaultCacheSize); scoped_refptr<ParsedCertificate> a_by_b, b_by_c, b_by_f, c_by_d, c_by_e, f_by_e, d_by_d, e_by_e; 
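Review bot: `TrustImplTypeToString` has no `return` after the `switch`, so a `TrustImplType` value outside the listed enumerators would fall off the end of a non-void function, and some compilers warn about this even when every enumerator has a case. Adding `return "Unknown";` after the closing brace of the `switch` makes the function total while keeping the exhaustive-switch check, since no `default:` label is introduced.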
@@ -172,68 +165,45 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) { ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d)); ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e)); - base::ScopedCFTypeRef<CFDataRef> normalized_name_b = - TrustStoreMac::GetMacNormalizedIssuer(a_by_b.get()); - ASSERT_TRUE(normalized_name_b); - base::ScopedCFTypeRef<CFDataRef> normalized_name_c = - TrustStoreMac::GetMacNormalizedIssuer(b_by_c.get()); - ASSERT_TRUE(normalized_name_c); - base::ScopedCFTypeRef<CFDataRef> normalized_name_f = - TrustStoreMac::GetMacNormalizedIssuer(b_by_f.get()); - ASSERT_TRUE(normalized_name_f); - base::ScopedCFTypeRef<CFDataRef> normalized_name_d = - TrustStoreMac::GetMacNormalizedIssuer(c_by_d.get()); - ASSERT_TRUE(normalized_name_d); - base::ScopedCFTypeRef<CFDataRef> normalized_name_e = - TrustStoreMac::GetMacNormalizedIssuer(f_by_e.get()); - ASSERT_TRUE(normalized_name_e); - - // Test that the matching keychain items are found, even though they aren't - // trusted. - // TODO(eroman): These tests could be using TrustStore::SyncGetIssuersOf(). + // Test that the untrusted keychain certs would be found during issuer + // searching. 
{ - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items = - TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( - normalized_name_b.get(), trust_domains); - - EXPECT_THAT(CryptoBufferVectorAsStringVector(scoped_matching_items), + ParsedCertificateList found_issuers; + trust_store.SyncGetIssuersOf(a_by_b.get(), &found_issuers); + EXPECT_THAT(ParsedCertificateListAsDER(found_issuers), UnorderedElementsAreArray( ParsedCertificateListAsDER({b_by_c, b_by_f}))); } { - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items = - TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( - normalized_name_c.get(), trust_domains); - EXPECT_THAT(CryptoBufferVectorAsStringVector(scoped_matching_items), + ParsedCertificateList found_issuers; + trust_store.SyncGetIssuersOf(b_by_c.get(), &found_issuers); + EXPECT_THAT(ParsedCertificateListAsDER(found_issuers), UnorderedElementsAreArray( ParsedCertificateListAsDER({c_by_d, c_by_e}))); } { - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items = - TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( - normalized_name_f.get(), trust_domains); + ParsedCertificateList found_issuers; + trust_store.SyncGetIssuersOf(b_by_f.get(), &found_issuers); EXPECT_THAT( - CryptoBufferVectorAsStringVector(scoped_matching_items), + ParsedCertificateListAsDER(found_issuers), UnorderedElementsAreArray(ParsedCertificateListAsDER({f_by_e}))); } { - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items = - TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( - normalized_name_d.get(), trust_domains); + ParsedCertificateList found_issuers; + trust_store.SyncGetIssuersOf(c_by_d.get(), &found_issuers); EXPECT_THAT( - CryptoBufferVectorAsStringVector(scoped_matching_items), + ParsedCertificateListAsDER(found_issuers), UnorderedElementsAreArray(ParsedCertificateListAsDER({d_by_d}))); } { - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items = - 
TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject( - normalized_name_e.get(), trust_domains); + ParsedCertificateList found_issuers; + trust_store.SyncGetIssuersOf(f_by_e.get(), &found_issuers); EXPECT_THAT( - CryptoBufferVectorAsStringVector(scoped_matching_items), + ParsedCertificateListAsDER(found_issuers), UnorderedElementsAreArray(ParsedCertificateListAsDER({e_by_e}))); } @@ -242,8 +212,6 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) { // added and trusted the test certs on the machine the test is being run on). for (const auto& cert : {a_by_b, b_by_c, b_by_f, c_by_d, c_by_e, f_by_e, d_by_d, e_by_e}) { - if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_BEFORE) - EXPECT_FALSE(trust_store.IsKnownRoot(cert.get())); DebugData debug_data; CertificateTrust trust = trust_store.GetTrust(cert.get(), &debug_data); EXPECT_EQ(CertificateTrustType::UNSPECIFIED, trust.type); @@ -254,8 +222,6 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) { ASSERT_TRUE(trust_debug_data); EXPECT_EQ(0, trust_debug_data->combined_trust_debug_info()); EXPECT_EQ(trust_impl, trust_debug_data->trust_impl()); - if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_AFTER) - EXPECT_FALSE(trust_store.IsKnownRoot(cert.get())); } } @@ -288,13 +254,11 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) { ParseFindCertificateOutputToDerCerts( find_certificate_system_roots_output); - const TrustStoreMac::TrustImplType trust_impl = std::get<0>(GetParam()); - const IsKnownRootTestOrder is_known_root_test_order = std::get<1>(GetParam()); - const TrustStoreMac::TrustDomains trust_domains = std::get<2>(GetParam()); + const TrustStoreMac::TrustImplType trust_impl = GetParam(); base::HistogramTester histogram_tester; TrustStoreMac trust_store(kSecPolicyAppleX509Basic, trust_impl, - kDefaultCacheSize, trust_domains); + kDefaultCacheSize); base::ScopedCFTypeRef<SecPolicyRef> sec_policy(SecPolicyCreateBasicX509()); ASSERT_TRUE(sec_policy); 
@@ -334,16 +298,6 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) { continue; } - if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_BEFORE) { - bool trust_store_is_known_root = trust_store.IsKnownRoot(cert.get()); - if (trust_domains == TrustStoreMac::TrustDomains::kAll) { - base::AutoLock lock(crypto::GetMacSecurityServicesLock()); - EXPECT_EQ(net::IsKnownRoot(cert_handle), trust_store_is_known_root); - } else { - EXPECT_FALSE(trust_store_is_known_root); - } - } - // Check if this cert is considered a trust anchor by TrustStoreMac. DebugData debug_data; CertificateTrust cert_trust = trust_store.GetTrust(cert.get(), &debug_data); @@ -365,16 +319,15 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) { kSecTrustOptionAllowExpired | kSecTrustOptionAllowExpiredRoot)); - if (trust_domains == TrustStoreMac::TrustDomains::kUserAndAdmin && - find_certificate_default_search_list_certs.count(cert_der) && + if (find_certificate_default_search_list_certs.count(cert_der) && find_certificate_system_roots_certs.count(cert_der)) { // If the same certificate is present in both the System and User/Admin // domains, and TrustStoreMac is only using trust settings from // User/Admin, then it's not possible for this test to know whether the // result from SecTrustEvaluate should match the TrustStoreMac result. // Just ignore such certificates. - } else if (trust_domains == TrustStoreMac::TrustDomains::kUserAndAdmin && - !find_certificate_default_search_list_certs.count(cert_der)) { + } else if (!find_certificate_default_search_list_certs.count(cert_der)) { + // Cert is only in the system domain. It should be untrusted. EXPECT_FALSE(is_trust_anchor); } else { SecTrustResultType trust_result; 
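Review bot: The comment kept in the first branch of the second hunk still reads "and TrustStoreMac is only using trust settings from User/Admin", which was a real condition while `trust_domains` existed and is now always true. I would reword it to state this unconditionally, for example by replacing that clause with `// domains, then because TrustStoreMac only uses User/Admin trust settings`, so the comment matches the simplified `if`. The test body starts above the hunk and continues below it.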
@@ -397,16 +350,6 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) { EXPECT_EQ(trust_impl, trust_debug_data->trust_impl()); } - if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_AFTER) { - bool trust_store_is_known_root = trust_store.IsKnownRoot(cert.get()); - if (trust_domains == TrustStoreMac::TrustDomains::kAll) { - base::AutoLock lock(crypto::GetMacSecurityServicesLock()); - EXPECT_EQ(net::IsKnownRoot(cert_handle), trust_store_is_known_root); - } else { - EXPECT_FALSE(trust_store_is_known_root); - } - } - // Call GetTrust again on the same cert. This should exercise the code // that checks the trust value for a cert which has already been cached. DebugData debug_data2; 
@@ -431,26 +374,18 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) { "Net.CertVerifier.MacTrustDomainCertCount.User", 1); histogram_tester.ExpectTotalCount( "Net.CertVerifier.MacTrustDomainCertCount.Admin", 1); - histogram_tester.ExpectTotalCount( - "Net.CertVerifier.MacTrustDomainCertCount.System", - (trust_domains == TrustStoreMac::TrustDomains::kAll) ? 1 : 0); } } INSTANTIATE_TEST_SUITE_P( Impl, TrustStoreMacImplTest, - testing::Combine( - testing::Values(TrustStoreMac::TrustImplType::kDomainCache, - TrustStoreMac::TrustImplType::kSimple, - TrustStoreMac::TrustImplType::kLruCache, - TrustStoreMac::TrustImplType::kDomainCacheFullCerts), - // Some TrustImpls may calculate/cache IsKnownRoot values and trust - // values independently, so test with calling IsKnownRoot both before - // and after GetTrust to try to ensure there is no ordering issue with - // which one initializes the cache first. - testing::Values(TEST_IS_KNOWN_ROOT_BEFORE, TEST_IS_KNOWN_ROOT_AFTER), - testing::Values(TrustStoreMac::TrustDomains::kAll, - TrustStoreMac::TrustDomains::kUserAndAdmin))); + testing::Values(TrustStoreMac::TrustImplType::kDomainCache, + TrustStoreMac::TrustImplType::kSimple, + TrustStoreMac::TrustImplType::kLruCache, + TrustStoreMac::TrustImplType::kDomainCacheFullCerts), + [](const testing::TestParamInfo<TrustStoreMacImplTest::ParamType>& info) { + return TrustImplTypeToString(info.param); + }); } // namespace net diff --git a/chromium/net/cert/internal/trust_store_nss.cc b/chromium/net/cert/internal/trust_store_nss.cc index f9d616119a4..ffdb47af3d6 100644 --- a/chromium/net/cert/internal/trust_store_nss.cc +++ b/chromium/net/cert/internal/trust_store_nss.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
diff --git a/chromium/net/cert/internal/trust_store_nss.h b/chromium/net/cert/internal/trust_store_nss.h
index 2eebd88e2bd..162aedcd97d 100644
--- a/chromium/net/cert/internal/trust_store_nss.h
+++ b/chromium/net/cert/internal/trust_store_nss.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/internal/trust_store_nss_unittest.cc b/chromium/net/cert/internal/trust_store_nss_unittest.cc
index 6bdd0c01a2e..d2f1f9afc03 100644
--- a/chromium/net/cert/internal/trust_store_nss_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_nss_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/internal/trust_store_win.cc b/chromium/net/cert/internal/trust_store_win.cc
index 85159c87fa5..991a3a9804d 100644
--- a/chromium/net/cert/internal/trust_store_win.cc
+++ b/chromium/net/cert/internal/trust_store_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -68,8 +68,9 @@ bool IsCertTrustedForServerAuth(PCCERT_CONTEXT cert) {
 }
 }
 for (DWORD i = 0; i < usage->cUsageIdentifier; i++) {
- if (base::StringPiece(usage->rgpszUsageIdentifier[i]) ==
- szOID_PKIX_KP_SERVER_AUTH) {
+ base::StringPiece eku = base::StringPiece(usage->rgpszUsageIdentifier[i]);
+ if ((eku == szOID_PKIX_KP_SERVER_AUTH) ||
+ (eku == szOID_ANY_ENHANCED_KEY_USAGE)) {
 return true;
 }
 }
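Review bot: The new `szOID_ANY_ENHANCED_KEY_USAGE` branch carries no comment saying that an any-purpose EKU property is deliberately accepted as permitting TLS server auth, which is a trust-widening decision a later reader will want justified in place. A line such as `// An any-purpose EKU permits every usage, so it also satisfies TLS server auth.` above the `if` would do. The temporary can also be direct-initialised, `base::StringPiece eku(usage->rgpszUsageIdentifier[i]);`. The body of IsCertTrustedForServerAuth starts before and continues after this hunk.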
@@ -245,34 +246,26 @@ void TrustStoreWin::SyncGetIssuersOf(const ParsedCertificate* cert,
 // whether to continue path building, but doesn't treat the certificate
 // as affirmatively revoked/distrusted.
 //
-// Rather than have these EKUs expressed during ParsedCertificate, which
-// would require threading platform-specific knowledge throughout the
-// CertVerifier, this is implemented via CertificateTrust: if the
-// certificate has a given EKU disabled (i.e. TLS server auth), it's
-// treated as if it's distrusted. This has the effect of causing path
-// building to try the next path.
+// This behaviour is replicated here by returning Unspecified trust if
+// we find instances of the cert that do not have the correct EKUs set
+// for TLS Server Auth. This allows path building to continue and allows
+// us to later trust the cert if it is present in Chrome Root Store.
 //
-// Put differently:
-// - If a certificate is in the Disallowed store and usable for EKU, then
-// it's affirmatively distrusted/revoked. This is checked first and
-// overrides everything else.
-// - If a certificate is in the ROOT store, and usable for an EKU,
+// Windows does have some idiosyncrasies here, which result in the
+// following treatment:
+//
+// - If a certificate is in the Disallowed store, it is distrusted for
+// all purposes regardless of any EKUs that are set.
+// - If a certificate is in the ROOT store, and usable for TLS Server Auth,
 // then it's trusted.
-// - If a certificate is in the root store, and lacks the EKU, but in
-// the intermediate store, and has the EKU, then continue path
-// building, but don't treat it as trusted (aka Unspecified)
-// - If a certificate is both/either in the root store and the
-// intermediate store, and neither have the EKU, then treat this
-// path as terminal for path building ("Distrusted", which is
-// imprecise but good enough).
+// - If a certificate is in the root store, and lacks the EKU, then continue
+// path building, but don't treat it as trusted (aka Unspecified).
 // - If we can't find the cert anywhere, then continue path
 // building, but don't treat it as trusted (aka Unspecified).
 //
 // If a certificate is found multiple times in the ROOT store, it is trusted
-// for TLS server auth if and only if every instance of the certificate found
-// is usable for TLS server auth. Similar logic applies for certificates in
-// the intermediate store (only return unspecified if and only if all instances
-// of the certificate found are usable for TLS server auth).
+// for TLS server auth if any instance of the certificate found
+// is usable for TLS server auth.
 CertificateTrust TrustStoreWin::GetTrust(
 const ParsedCertificate* cert,
 base::SupportsUserData* debug_data) const {
@@ -290,14 +283,13 @@ CertificateTrust TrustStoreWin::GetTrust(
 CERT_FIND_SHA1_HASH, &cert_hash_blob, cert_from_store))) {
 base::span<const uint8_t> cert_from_store_span = base::make_span(
 cert_from_store->pbCertEncoded, cert_from_store->cbCertEncoded);
- if (base::ranges::equal(cert_span, cert_from_store_span) &&
- IsCertTrustedForServerAuth(cert_from_store)) {
+ // If a cert is in the windows distruted store, it is considered
+ // distrusted for all purporses. EKU isn't checked. See crbug.com/1355961.
+ if (base::ranges::equal(cert_span, cert_from_store_span)) {
 return CertificateTrust::ForDistrusted();
 }
 }
- bool root_found = false;
- bool root_is_trusted = true;
 // TODO(https://crbug.com/1239270): figure out if this is thread-safe or if we
 // need locking here
 while ((cert_from_store = CertFindCertificateInStore(
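Review bot: The comment added above the Disallowed-store comparison misspells two words, "distruted" and "purporses", in the one place that explains why EKU is no longer consulted before distrusting. This is the text people will search for when auditing distrust handling, so I would write it as `// If a cert is in the Windows Disallowed store, it is considered distrusted for all purposes. EKU isn't checked. See crbug.com/1355961.`, wrapped to the column limit. GetTrust starts before this hunk and continues after it.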
@@ -306,51 +298,26 @@ CertificateTrust TrustStoreWin::GetTrust( base::span<const uint8_t> cert_from_store_span = base::make_span( cert_from_store->pbCertEncoded, cert_from_store->cbCertEncoded); if (base::ranges::equal(cert_span, cert_from_store_span)) { - root_found = true; - root_is_trusted &= IsCertTrustedForServerAuth(cert_from_store); + // If we find at least one version of the cert that is trusted for TLS + // Server Auth, we will trust the cert. + if (IsCertTrustedForServerAuth(cert_from_store)) { + return CertificateTrust::ForTrustAnchorEnforcingExpiration(); + } } } - // Found at least one instance of the cert in the root store, and all - // instances found are trusted for TLS server auth. - if (root_found && root_is_trusted) { - return CertificateTrust::ForTrustAnchorEnforcingExpiration(); - } - - cert_from_store = nullptr; - bool intermediate_found = false; - bool intermediate_is_trusted = true; - while ((cert_from_store = CertFindCertificateInStore( - intermediate_cert_store_.get(), X509_ASN_ENCODING, 0, - CERT_FIND_SHA1_HASH, &cert_hash_blob, cert_from_store))) { - base::span<const uint8_t> cert_from_store_span = base::make_span( - cert_from_store->pbCertEncoded, cert_from_store->cbCertEncoded); - - if (base::ranges::equal(cert_span, cert_from_store_span)) { - // Found cert, yay! - intermediate_found = true; - intermediate_is_trusted &= IsCertTrustedForServerAuth(cert_from_store); - } - } - - // Found at least one instance of the cert in the intermediate store, and all - // instances found are trusted for TLS server auth. - if (intermediate_found && intermediate_is_trusted) { - return CertificateTrust::ForUnspecified(); - } - // If we fall through here, we've either // - // (a) found the cert in root or intermediates (or both) but neither is - // usable for server auth (in which case treat as distrusted for path - // building) + // (a) found the cert but it is not usable for server auth. Treat this as + // Unspecified trust. 
Originally this was treated as Distrusted, but this + // is inconsistent with how the Windows verifier works, which is to union + // all of the EKU usages for all instances of the cert, whereas sending + // back Distrusted would not do that. // // or // // (b) Haven't found the cert. Tell everyone Unspecified. - return (root_found || intermediate_found) - ? CertificateTrust::ForDistrusted() - : CertificateTrust::ForUnspecified(); + return CertificateTrust::ForUnspecified(); } } // namespace net diff --git a/chromium/net/cert/internal/trust_store_win.h b/chromium/net/cert/internal/trust_store_win.h index 4d2fe96e7e6..1782bf02cf5 100644 --- a/chromium/net/cert/internal/trust_store_win.h +++ b/chromium/net/cert/internal/trust_store_win.h @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/internal/trust_store_win_unittest.cc b/chromium/net/cert/internal/trust_store_win_unittest.cc index b1b73c4a92d..c37b88bb96d 100644 --- a/chromium/net/cert/internal/trust_store_win_unittest.cc +++ b/chromium/net/cert/internal/trust_store_win_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
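Review bot: The new early `return CertificateTrust::ForTrustAnchorEnforcingExpiration();` inside the ROOT-store loop exits while `cert_from_store` still holds the context returned by CertFindCertificateInStore, so that reference is never released. The variable's declaration is outside the hunk, but it is passed straight back as the previous-context argument, which suggests a raw PCCERT_CONTEXT rather than a scoped handle. If so, add `CertFreeCertificateContext(cert_from_store);` before the return, or hold the context in a scoped wrapper. The `return CertificateTrust::ForDistrusted();` in the Disallowed-store loop of the previous hunk has the same shape.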
@@ -150,12 +150,8 @@ TEST(TrustStoreWin, GetTrust) { // // - kMultiRootDByD: only has szOID_PKIX_KP_SERVER_AUTH EKU set // - kMultiRootEByE: only has szOID_PKIX_KP_CLIENT_AUTH set +// - kMultiRootCByE: only has szOID_ANY_ENHANCED_KEY_USAGE set // - kMultiRootCByD: no EKU usages set -// -// And the intermediate store as follows: -// -// - kMultiRootCByE: only has szOID_PKIX_KP_CLIENT_AUTH set -// - kMultiRootCByD: only has szOID_PKIX_KP_SERVER_AUTH EKU set TEST(TrustStoreWin, GetTrustRestrictedEKU) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); @@ -168,12 +164,10 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) { szOID_PKIX_KP_SERVER_AUTH)); ASSERT_TRUE(AddToStoreWithEKURestriction(root_store.get(), kMultiRootEByE, szOID_PKIX_KP_CLIENT_AUTH)); + ASSERT_TRUE(AddToStoreWithEKURestriction(root_store.get(), kMultiRootCByE, + szOID_ANY_ENHANCED_KEY_USAGE)); ASSERT_TRUE( AddToStoreWithEKURestriction(root_store.get(), kMultiRootCByD, nullptr)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByE, szOID_PKIX_KP_CLIENT_AUTH)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH)); std::unique_ptr<TrustStoreWin> trust_store_win = TrustStoreWin::CreateForTesting(std::move(root_store), std::move(intermediate_store), 
@@ -186,15 +180,14 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) { // Root cert with EKU szOID_PKIX_KP_SERVER_AUTH usage set should be // trusted. {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, + // Root cert with EKU szOID_ANY_ENHANCED_KEY_USAGE usage set should be + // trusted. + {kMultiRootCByE, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, // Root cert with EKU szOID_PKIX_KP_CLIENT_AUTH does not allow usage of - // cert for server auth. - {kMultiRootEByE, CertificateTrustType::DISTRUSTED}, - // Root cert with no EKU usages but is also an intermediate cert that is - // allowed for server auth, so we let it be used for path building. + // cert for server auth, return UNSPECIFIED. + {kMultiRootEByE, CertificateTrustType::UNSPECIFIED}, + // Root cert with no EKU usages, return UNSPECIFIED. {kMultiRootCByD, CertificateTrustType::UNSPECIFIED}, - // Intermediate cert with EKU szOID_PKIX_KP_CLIENT_AUTH does not allow - // usage of cert for server auth. - {kMultiRootCByE, CertificateTrustType::DISTRUSTED}, // Unknown cert has unspecified trust. {kMultiRootFByE, CertificateTrustType::UNSPECIFIED}, }; @@ -209,7 +202,17 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) { } // Test if duplicate certs are added to the root and intermediate stores, -// possibly with different EKU usages. +// possibly with different EKU usages. Root store set up as follows: +// +// - kMultiRootDByD: only has szOID_PKIX_KP_CLIENT_AUTH EKU set +// - kMultiRootDByD (dupe): only has szOID_PKIX_KP_SERVER_AUTH set +// - kMultiRootDByD (dupe 2): no EKU usages set +// +// And the intermediate store as follows: +// +// - kMultiRootCByD: only has szOID_PKIX_KP_CLIENT_AUTH set +// - kMultiRootCByD (dupe): only has szOID_PKIX_KP_SERVER_AUTH EKU set + TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); 
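Review bot: The comment block added above GetTrustRestrictedEKUDuplicateCerts describes an intermediate store holding two kMultiRootCByD entries, but the next hunk in this test removes both `intermediate_store` additions and drops kMultiRootCByD from kTestData. As far as the visible hunks show, the intermediate store is left empty. I would delete the lines from `// And the intermediate store as follows:` through the second kMultiRootCByD bullet and open the comment with `// Test if duplicate certs are added to the root store,`. The stray blank line between the comment and `TEST(` can go as well.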
@@ -224,10 +227,6 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { szOID_PKIX_KP_SERVER_AUTH)); ASSERT_TRUE( AddToStoreWithEKURestriction(root_store.get(), kMultiRootDByD, nullptr)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH)); - ASSERT_TRUE(AddToStoreWithEKURestriction( - intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH)); std::unique_ptr<TrustStoreWin> trust_store_win = TrustStoreWin::CreateForTesting(std::move(root_store), std::move(intermediate_store), @@ -237,10 +236,8 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { base::StringPiece file_name; CertificateTrustType expected_result; } kTestData[] = { - {kMultiRootDByD, CertificateTrustType::DISTRUSTED}, - // Root cert with no EKU usages but is also an intermediate cert that is - // allowed for server auth, so we let it be used for path building. - {kMultiRootCByD, CertificateTrustType::UNSPECIFIED}, + // One copy of the Root cert is trusted for TLS Server Auth. + {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, }; for (const auto& test_data : kTestData) { SCOPED_TRACE(test_data.file_name); @@ -252,8 +249,7 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) { } } -// Test that disallowed certs with the right EKU settings will be -// distrusted. +// Test that disallowed certs will be distrusted regardless of EKU settings. TEST(TrustStoreWin, GetTrustDisallowedCerts) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); 
@@ -277,9 +273,8 @@ TEST(TrustStoreWin, GetTrustDisallowedCerts) { base::StringPiece file_name; CertificateTrustType expected_result; } kTestData[] = { - // dByD in root, also in distrusted but without szOID_PKIX_KP_SERVER_AUTH - // set. - {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION}, + // dByD in root, distrusted but without szOID_PKIX_KP_SERVER_AUTH set. + {kMultiRootDByD, CertificateTrustType::DISTRUSTED}, // dByD in root, also in distrusted with szOID_PKIX_KP_SERVER_AUTH set. {kMultiRootEByE, CertificateTrustType::DISTRUSTED}, }; diff --git a/chromium/net/cert/known_roots.cc b/chromium/net/cert/known_roots.cc index ffa625b8c73..bab8dfa9636 100644 --- a/chromium/net/cert/known_roots.cc +++ b/chromium/net/cert/known_roots.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/known_roots.h b/chromium/net/cert/known_roots.h index d3bdbcd1a0f..02a0264f986 100644 --- a/chromium/net/cert/known_roots.h +++ b/chromium/net/cert/known_roots.h @@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/known_roots_mac.cc b/chromium/net/cert/known_roots_mac.cc index 383c576f8a3..ada97b821af 100644 --- a/chromium/net/cert/known_roots_mac.cc +++ b/chromium/net/cert/known_roots_mac.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/known_roots_mac.h b/chromium/net/cert/known_roots_mac.h index 2ad8c57c843..d0a2429c757 100644 
--- a/chromium/net/cert/known_roots_mac.h
+++ b/chromium/net/cert/known_roots_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/known_roots_nss.cc b/chromium/net/cert/known_roots_nss.cc
index ab3848b5cc4..93130bd3a87 100644
--- a/chromium/net/cert/known_roots_nss.cc
+++ b/chromium/net/cert/known_roots_nss.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -34,7 +34,7 @@ using PK11HasAttributeSetFunction = CK_BBOOL (*)(PK11SlotInfo* slot,
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
-NO_SANITIZE("cfi-icall")
+DISABLE_CFI_DLSYM
 bool IsKnownRoot(CERTCertificate* root) {
 if (!root || !root->slot)
 return false;
diff --git a/chromium/net/cert/known_roots_nss.h b/chromium/net/cert/known_roots_nss.h
index 5d150d237dc..76ab823bd61 100644
--- a/chromium/net/cert/known_roots_nss.h
+++ b/chromium/net/cert/known_roots_nss.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/known_roots_unittest.cc b/chromium/net/cert/known_roots_unittest.cc
index 1186757de18..bef47cdbc4b 100644
--- a/chromium/net/cert/known_roots_unittest.cc
+++ b/chromium/net/cert/known_roots_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
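Review bot: `DISABLE_CFI_DLSYM` on IsKnownRoot turns off indirect-call checking for the whole function, and nothing at the annotation says which call needs it. A one-line comment such as `// CFI is disabled because the PK11HasAttributeSetFunction pointer is resolved at run time.` would keep the exemption auditable. That wording is inferred from the type alias in the hunk header, since the function body is outside the hunk. The same applies to NSSCertDatabase::IsHardwareBacked in nss_cert_database.cc, where this commit deletes the paragraph that explained the libnss3 false positive around `pk11_has_attribute_set`.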
diff --git a/chromium/net/cert/known_roots_win.cc b/chromium/net/cert/known_roots_win.cc index 89c9a41621b..c3b37acc7bf 100644 --- a/chromium/net/cert/known_roots_win.cc +++ b/chromium/net/cert/known_roots_win.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/known_roots_win.h b/chromium/net/cert/known_roots_win.h index f7417f08cdc..6033760c934 100644 --- a/chromium/net/cert/known_roots_win.h +++ b/chromium/net/cert/known_roots_win.h @@ -1,4 +1,4 @@ -// Copyright (c) 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_audit_proof.cc b/chromium/net/cert/merkle_audit_proof.cc index 46e9f32a05b..3ccd8d07f74 100644 --- a/chromium/net/cert/merkle_audit_proof.cc +++ b/chromium/net/cert/merkle_audit_proof.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_audit_proof.h b/chromium/net/cert/merkle_audit_proof.h index 6aa36205716..39fbd9d3977 100644 --- a/chromium/net/cert/merkle_audit_proof.h +++ b/chromium/net/cert/merkle_audit_proof.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_audit_proof_unittest.cc b/chromium/net/cert/merkle_audit_proof_unittest.cc index 602a58494fc..d77e0acf478 100644 --- a/chromium/net/cert/merkle_audit_proof_unittest.cc 
+++ b/chromium/net/cert/merkle_audit_proof_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_consistency_proof.cc b/chromium/net/cert/merkle_consistency_proof.cc index a6ac1bb173c..404ca1c599f 100644 --- a/chromium/net/cert/merkle_consistency_proof.cc +++ b/chromium/net/cert/merkle_consistency_proof.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_consistency_proof.h b/chromium/net/cert/merkle_consistency_proof.h index 457ed5284dd..a0b903c0f7e 100644 --- a/chromium/net/cert/merkle_consistency_proof.h +++ b/chromium/net/cert/merkle_consistency_proof.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_tree_leaf.cc b/chromium/net/cert/merkle_tree_leaf.cc index 70ada09872b..2e41be9c2bc 100644 --- a/chromium/net/cert/merkle_tree_leaf.cc +++ b/chromium/net/cert/merkle_tree_leaf.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_tree_leaf.h b/chromium/net/cert/merkle_tree_leaf.h index fc566e65f1b..63b93eb1ed9 100644 --- a/chromium/net/cert/merkle_tree_leaf.h +++ b/chromium/net/cert/merkle_tree_leaf.h 
@@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/merkle_tree_leaf_unittest.cc b/chromium/net/cert/merkle_tree_leaf_unittest.cc index ed9feace299..776a0fc9204 100644 --- a/chromium/net/cert/merkle_tree_leaf_unittest.cc +++ b/chromium/net/cert/merkle_tree_leaf_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/mock_cert_net_fetcher.cc b/chromium/net/cert/mock_cert_net_fetcher.cc index 686b56de1aa..179a343cb64 100644 --- a/chromium/net/cert/mock_cert_net_fetcher.cc +++ b/chromium/net/cert/mock_cert_net_fetcher.cc @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/mock_cert_net_fetcher.h b/chromium/net/cert/mock_cert_net_fetcher.h index e32222cb965..424615553f1 100644 --- a/chromium/net/cert/mock_cert_net_fetcher.h +++ b/chromium/net/cert/mock_cert_net_fetcher.h @@ -1,4 +1,4 @@ -// Copyright 2021 The Chromium Authors. All rights reserved. +// Copyright 2021 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/mock_cert_verifier.cc b/chromium/net/cert/mock_cert_verifier.cc index e47554e27d9..cdbffbb20ef 100644 --- a/chromium/net/cert/mock_cert_verifier.cc +++ b/chromium/net/cert/mock_cert_verifier.cc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/mock_cert_verifier.h b/chromium/net/cert/mock_cert_verifier.h index de9e42e9014..84e15a1966b 100644 --- a/chromium/net/cert/mock_cert_verifier.h +++ b/chromium/net/cert/mock_cert_verifier.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/mock_client_cert_verifier.cc b/chromium/net/cert/mock_client_cert_verifier.cc index 3b23e51f93c..01eea2ddaf8 100644 --- a/chromium/net/cert/mock_client_cert_verifier.cc +++ b/chromium/net/cert/mock_client_cert_verifier.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/mock_client_cert_verifier.h b/chromium/net/cert/mock_client_cert_verifier.h index 166643f7812..ef454f78b7f 100644 --- a/chromium/net/cert/mock_client_cert_verifier.h +++ b/chromium/net/cert/mock_client_cert_verifier.h @@ -1,4 +1,4 @@ -// Copyright (c) 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/multi_log_ct_verifier.cc b/chromium/net/cert/multi_log_ct_verifier.cc index b13aac1bb8c..1391bac439c 100644 --- a/chromium/net/cert/multi_log_ct_verifier.cc +++ b/chromium/net/cert/multi_log_ct_verifier.cc 
@@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/multi_log_ct_verifier.h b/chromium/net/cert/multi_log_ct_verifier.h index c37efa24a5f..d13987a18d2 100644 --- a/chromium/net/cert/multi_log_ct_verifier.h +++ b/chromium/net/cert/multi_log_ct_verifier.h @@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/multi_log_ct_verifier_unittest.cc b/chromium/net/cert/multi_log_ct_verifier_unittest.cc index 3e36d86face..0be1e7004bf 100644 --- a/chromium/net/cert/multi_log_ct_verifier_unittest.cc +++ b/chromium/net/cert/multi_log_ct_verifier_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -85,11 +85,11 @@ class MultiLogCTVerifierTest : public ::testing::Test { if (!parsed.params.is_dict()) return false; - const base::Value* scts = parsed.params.FindListPath("scts"); - if (!scts || scts->GetListDeprecated().size() != 1) + const base::Value::List* scts = parsed.params.GetDict().FindList("scts"); + if (!scts || scts->size() != 1) return false; - const base::Value& the_sct = scts->GetListDeprecated()[0]; + const base::Value& the_sct = (*scts)[0]; if (!the_sct.is_dict()) return false; diff --git a/chromium/net/cert/multi_threaded_cert_verifier.cc b/chromium/net/cert/multi_threaded_cert_verifier.cc index d4e137fb991..1e61c4818fb 100644 --- a/chromium/net/cert/multi_threaded_cert_verifier.cc +++ b/chromium/net/cert/multi_threaded_cert_verifier.cc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/multi_threaded_cert_verifier.h b/chromium/net/cert/multi_threaded_cert_verifier.h index fe815a9e380..1254923c2f8 100644 --- a/chromium/net/cert/multi_threaded_cert_verifier.h +++ b/chromium/net/cert/multi_threaded_cert_verifier.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc b/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc index bbba76e3475..bf38709a3bd 100644 --- a/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc +++ b/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/nss_cert_database.cc b/chromium/net/cert/nss_cert_database.cc index 7f1c1290f3b..45e213b8950 100644 --- a/chromium/net/cert/nss_cert_database.cc +++ b/chromium/net/cert/nss_cert_database.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -434,13 +434,7 @@ bool NSSCertDatabase::IsReadOnly(const CERTCertificate* cert) {
 }
 // static
-// `cfi-icall` is a clang flag to enable extra checks to prevent "Indirect call
-// of a function with wrong dynamic type". To work properly it requires the
-// called function or the function taking the address of the called function
-// to be compiled with "-fsanitize=cfi-icall" that is not true for libnss3.
-// Because of that we are getting a false positive result around using the
-// dynamically loaded `pk11_has_attribute_set` method.
-NO_SANITIZE("cfi-icall")
+DISABLE_CFI_DLSYM
 bool NSSCertDatabase::IsHardwareBacked(const CERTCertificate* cert) {
 PK11SlotInfo* slot = cert->slot;
 if (!slot)
diff --git a/chromium/net/cert/nss_cert_database.h b/chromium/net/cert/nss_cert_database.h
index e8d45d7bbdc..9533f000c66 100644
--- a/chromium/net/cert/nss_cert_database.h
+++ b/chromium/net/cert/nss_cert_database.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/nss_cert_database_chromeos.cc b/chromium/net/cert/nss_cert_database_chromeos.cc
index 11a3d93da2d..5d7a0490c4d 100644
--- a/chromium/net/cert/nss_cert_database_chromeos.cc
+++ b/chromium/net/cert/nss_cert_database_chromeos.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/nss_cert_database_chromeos.h b/chromium/net/cert/nss_cert_database_chromeos.h
index 8dfb82c92bd..d060b2db600 100644
--- a/chromium/net/cert/nss_cert_database_chromeos.h
+++ b/chromium/net/cert/nss_cert_database_chromeos.h
@@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/nss_cert_database_chromeos_unittest.cc b/chromium/net/cert/nss_cert_database_chromeos_unittest.cc index 2ecd13bf428..f3b26d1a8f5 100644 --- a/chromium/net/cert/nss_cert_database_chromeos_unittest.cc +++ b/chromium/net/cert/nss_cert_database_chromeos_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/nss_cert_database_unittest.cc b/chromium/net/cert/nss_cert_database_unittest.cc index eb191f3bce3..6808d3b79bd 100644 --- a/chromium/net/cert/nss_cert_database_unittest.cc +++ b/chromium/net/cert/nss_cert_database_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -7,6 +7,7 @@ #include <cert.h> #include <certdb.h> #include <pk11pub.h> +#include <seccomon.h> #include <algorithm> #include <memory> @@ -60,6 +61,12 @@ std::string GetSubjectCN(CERTCertificate* cert) { return s; } +bool GetCertIsPerm(const CERTCertificate* cert) { + PRBool is_perm; + CHECK_EQ(x509_util::GetCertIsPerm(cert, &is_perm), SECSuccess); + return is_perm != PR_FALSE; +} + } // namespace class CertDatabaseNSSTest : public TestWithTaskEnvironment { 
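Review bot: In the new test helper `GetCertIsPerm`, `PRBool is_perm;` is declared without an initialiser and read after the call, so the result relies on `x509_util::GetCertIsPerm` always writing the out-parameter when it returns `SECSuccess`; that contract is not visible in this diff. Initialising it, `PRBool is_perm = PR_FALSE;`, makes the helper deterministic whatever the callee does. `CHECK_EQ` also aborts the whole test binary on failure rather than failing the one test, which may be acceptable for a value-returning helper but is worth a short comment.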
@@ -287,7 +294,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { GetTestCertsDirectory(), "root_ca_cert.pem", X509Certificate::FORMAT_AUTO); ASSERT_EQ(1U, certs.size()); - EXPECT_FALSE(certs[0]->isperm); + EXPECT_FALSE(GetCertIsPerm(certs[0].get())); // Import it. NSSCertDatabase::ImportCertFailureList failed; @@ -316,7 +323,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { GetTestCertsDirectory(), "root_ca_cert.pem", X509Certificate::FORMAT_AUTO); ASSERT_EQ(1U, certs.size()); - EXPECT_FALSE(certs[0]->isperm); + EXPECT_FALSE(GetCertIsPerm(certs[0].get())); // Import it. NSSCertDatabase::ImportCertFailureList failed; @@ -345,7 +352,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { GetTestCertsDirectory(), "root_ca_cert.pem", X509Certificate::FORMAT_AUTO); ASSERT_EQ(1U, certs.size()); - EXPECT_FALSE(certs[0]->isperm); + EXPECT_FALSE(GetCertIsPerm(certs[0].get())); // Import it. NSSCertDatabase::ImportCertFailureList failed; @@ -373,7 +380,7 @@ TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { ScopedCERTCertificateList certs = CreateCERTCertificateListFromFile( GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); ASSERT_EQ(1U, certs.size()); - EXPECT_FALSE(certs[0]->isperm); + EXPECT_FALSE(GetCertIsPerm(certs[0].get())); // Import it. NSSCertDatabase::ImportCertFailureList failed; diff --git a/chromium/net/cert/nss_profile_filter_chromeos.cc b/chromium/net/cert/nss_profile_filter_chromeos.cc index d85ac42b13b..0cbb6962f79 100644 --- a/chromium/net/cert/nss_profile_filter_chromeos.cc +++ b/chromium/net/cert/nss_profile_filter_chromeos.cc @@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/nss_profile_filter_chromeos.h b/chromium/net/cert/nss_profile_filter_chromeos.h index 1bfbc159d4c..014976c2493 100644 
--- a/chromium/net/cert/nss_profile_filter_chromeos.h +++ b/chromium/net/cert/nss_profile_filter_chromeos.h @@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc b/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc index 0a21f961ce9..07fce400a46 100644 --- a/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc +++ b/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. +// Copyright 2014 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/ocsp_revocation_status.h b/chromium/net/cert/ocsp_revocation_status.h index dac7a2067e6..2aa4958c670 100644 --- a/chromium/net/cert/ocsp_revocation_status.h +++ b/chromium/net/cert/ocsp_revocation_status.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/ocsp_verify_result.cc b/chromium/net/cert/ocsp_verify_result.cc index 35069e711d3..92ab907d4c0 100644 --- a/chromium/net/cert/ocsp_verify_result.cc +++ b/chromium/net/cert/ocsp_verify_result.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/ocsp_verify_result.h b/chromium/net/cert/ocsp_verify_result.h index 409d4116e1c..854e9db04bc 100644 --- a/chromium/net/cert/ocsp_verify_result.h +++ b/chromium/net/cert/ocsp_verify_result.h 
@@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pem.cc b/chromium/net/cert/pem.cc index fe37b197b07..82f77b50642 100644 --- a/chromium/net/cert/pem.cc +++ b/chromium/net/cert/pem.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Copyright 2010 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pem.h b/chromium/net/cert/pem.h index b8164f6ebc3..c8cf31cb5f2 100644 --- a/chromium/net/cert/pem.h +++ b/chromium/net/cert/pem.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright 2011 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pem_unittest.cc b/chromium/net/cert/pem_unittest.cc index cd2ecad89b2..b85088f4314 100644 --- a/chromium/net/cert/pem_unittest.cc +++ b/chromium/net/cert/pem_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Copyright 2010 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_error_id.cc b/chromium/net/cert/pki/cert_error_id.cc index 793b92ffb2c..8e185cdf5bd 100644 --- a/chromium/net/cert/pki/cert_error_id.cc +++ b/chromium/net/cert/pki/cert_error_id.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_error_id.h b/chromium/net/cert/pki/cert_error_id.h index 1c0e4ec947b..bc410b15a07 100644 
--- a/chromium/net/cert/pki/cert_error_id.h +++ b/chromium/net/cert/pki/cert_error_id.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_error_params.cc b/chromium/net/cert/pki/cert_error_params.cc index 0d4f2b61d83..bbb39d4daa4 100644 --- a/chromium/net/cert/pki/cert_error_params.cc +++ b/chromium/net/cert/pki/cert_error_params.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,7 +6,6 @@ #include <memory> -#include "base/check.h" #include "base/strings/string_number_conversions.h" #include "net/der/input.h" diff --git a/chromium/net/cert/pki/cert_error_params.h b/chromium/net/cert/pki/cert_error_params.h index b00d0f2e8a4..371ac25b908 100644 --- a/chromium/net/cert/pki/cert_error_params.h +++ b/chromium/net/cert/pki/cert_error_params.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_errors.cc b/chromium/net/cert/pki/cert_errors.cc index 833fb1d3638..843967426f9 100644 --- a/chromium/net/cert/pki/cert_errors.cc +++ b/chromium/net/cert/pki/cert_errors.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_errors.h b/chromium/net/cert/pki/cert_errors.h index 98f635da34b..6e783bcb119 100644 --- a/chromium/net/cert/pki/cert_errors.h 
+++ b/chromium/net/cert/pki/cert_errors.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_issuer_source.h b/chromium/net/cert/pki/cert_issuer_source.h index 1568cd058f3..875aeb5a6ee 100644 --- a/chromium/net/cert/pki/cert_issuer_source.h +++ b/chromium/net/cert/pki/cert_issuer_source.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_issuer_source_static.cc b/chromium/net/cert/pki/cert_issuer_source_static.cc index c41aede9d6f..5b6147d5ef3 100644 --- a/chromium/net/cert/pki/cert_issuer_source_static.cc +++ b/chromium/net/cert/pki/cert_issuer_source_static.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -11,7 +11,7 @@ CertIssuerSourceStatic::~CertIssuerSourceStatic() = default; void CertIssuerSourceStatic::AddCert(scoped_refptr<ParsedCertificate> cert) { intermediates_.insert(std::make_pair( - cert->normalized_subject().AsStringPiece(), std::move(cert))); + cert->normalized_subject().AsStringView(), std::move(cert))); } void CertIssuerSourceStatic::Clear() { @@ -21,7 +21,7 @@ void CertIssuerSourceStatic::Clear() { void CertIssuerSourceStatic::SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) { auto range = - intermediates_.equal_range(cert->normalized_issuer().AsStringPiece()); + intermediates_.equal_range(cert->normalized_issuer().AsStringView()); for (auto it = range.first; it != range.second; ++it) issuers->push_back(it->second); } 
diff --git a/chromium/net/cert/pki/cert_issuer_source_static.h b/chromium/net/cert/pki/cert_issuer_source_static.h index c3be882d023..5fedd7491e6 100644 --- a/chromium/net/cert/pki/cert_issuer_source_static.h +++ b/chromium/net/cert/pki/cert_issuer_source_static.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -30,6 +30,8 @@ class NET_EXPORT CertIssuerSourceStatic : public CertIssuerSource { // Clears the set of certificates. void Clear(); + size_t size() const { return intermediates_.size(); } + // CertIssuerSource implementation: void SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) override; @@ -39,9 +41,7 @@ class NET_EXPORT CertIssuerSourceStatic : public CertIssuerSource { private: // The certificates that the CertIssuerSourceStatic can return, keyed on the // normalized subject value. - std::unordered_multimap<base::StringPiece, - scoped_refptr<ParsedCertificate>, - base::StringPieceHash> + std::unordered_multimap<std::string_view, scoped_refptr<ParsedCertificate>> intermediates_; }; diff --git a/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc b/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc index 02727cc6724..eab8e6710ce 100644 --- a/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc +++ b/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h b/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h index e3f165036db..1b5dfc6f9c7 100644 --- a/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h 
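Review bot: The `intermediates_` declaration in `cert_issuer_source_static.h` now names `std::string_view` (and the new `size()` accessor names `size_t`), but no hunk shown for this header adds `#include <string_view>`, so the type appears to arrive only transitively. The same holds for `crl.h`, `general_names.h` and `name_constraints.h` later in this diff, where `base/strings/string_piece_forward.h` is removed and nothing replaces it. Adding `#include <string_view>` to each header keeps them self-contained if an intermediate include changes. The full include lists are outside the hunks, so this is inferred from what is visible.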
+++ b/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/certificate_policies.cc b/chromium/net/cert/pki/certificate_policies.cc index e7a3c17e435..a6943c38507 100644 --- a/chromium/net/cert/pki/certificate_policies.cc +++ b/chromium/net/cert/pki/certificate_policies.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/certificate_policies.h b/chromium/net/cert/pki/certificate_policies.h index 182bf9a82f5..60451b4c5da 100644 --- a/chromium/net/cert/pki/certificate_policies.h +++ b/chromium/net/cert/pki/certificate_policies.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/certificate_policies_unittest.cc b/chromium/net/cert/pki/certificate_policies_unittest.cc index b38aff49a73..710f480d209 100644 --- a/chromium/net/cert/pki/certificate_policies_unittest.cc +++ b/chromium/net/cert/pki/certificate_policies_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/common_cert_errors.cc b/chromium/net/cert/pki/common_cert_errors.cc index d282999c472..6cf4803c09b 100644 --- a/chromium/net/cert/pki/common_cert_errors.cc +++ b/chromium/net/cert/pki/common_cert_errors.cc 
@@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/common_cert_errors.h b/chromium/net/cert/pki/common_cert_errors.h index 2819671f4c9..1422b479e07 100644 --- a/chromium/net/cert/pki/common_cert_errors.h +++ b/chromium/net/cert/pki/common_cert_errors.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/crl.cc b/chromium/net/cert/pki/crl.cc index c3a0c9dc5fa..dc4839c6cd5 100644 --- a/chromium/net/cert/pki/crl.cc +++ b/chromium/net/cert/pki/crl.cc @@ -1,10 +1,11 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/crl.h" #include "base/stl_util.h" +#include "base/types/optional_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/revocation_util.h" #include "net/cert/pki/signature_algorithm.h" @@ -33,12 +34,11 @@ inline constexpr uint8_t kIssuingDistributionPointOid[] = {0x55, 0x1d, 0x1c}; !parser.HasMore(); } -bool ContainsExactMatchingName(std::vector<base::StringPiece> a, - std::vector<base::StringPiece> b) { +bool ContainsExactMatchingName(std::vector<std::string_view> a, + std::vector<std::string_view> b) { std::sort(a.begin(), a.end()); std::sort(b.begin(), b.end()); - return !base::STLSetIntersection<std::vector<base::StringPiece>>(a, b) - .empty(); + return !base::STLSetIntersection<std::vector<std::string_view>>(a, b).empty(); } } // namespace 
@@ -361,7 +361,7 @@ CRLRevocationStatus GetCRLStatusForCert( ParsedCrlTbsCertList::ParsedCrlTbsCertList() = default; ParsedCrlTbsCertList::~ParsedCrlTbsCertList() = default; -CRLRevocationStatus CheckCRL(base::StringPiece raw_crl, +CRLRevocationStatus CheckCRL(std::string_view raw_crl, const ParsedCertificateList& valid_chain, size_t target_cert_index, const ParsedDistributionPoint& cert_dp, @@ -422,10 +422,9 @@ CRLRevocationStatus CheckCRL(base::StringPiece raw_crl, // Check CRL dates. Roughly corresponds to 6.3.3 (a) (1) but does not attempt // to update the CRL if it is out of date. - if (!CheckRevocationDateValid( - tbs_cert_list.this_update, - base::OptionalOrNullptr(tbs_cert_list.next_update), verify_time, - max_age)) { + if (!CheckRevocationDateValid(tbs_cert_list.this_update, + base::OptionalToPtr(tbs_cert_list.next_update), + verify_time, max_age)) { return CRLRevocationStatus::UNKNOWN; } diff --git a/chromium/net/cert/pki/crl.h b/chromium/net/cert/pki/crl.h index e6add49add4..325b45deb9f 100644 --- a/chromium/net/cert/pki/crl.h +++ b/chromium/net/cert/pki/crl.h @@ -1,11 +1,10 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_CERT_PKI_CRL_H_ #define NET_CERT_PKI_CRL_H_ -#include "base/strings/string_piece_forward.h" #include "base/time/time.h" #include "net/base/net_export.h" #include "net/cert/pki/general_names.h" @@ -212,7 +211,7 @@ GetCRLStatusForCert(const der::Input& cert_serial, // the |thisUpdate| field in the CRL TBSCertList. Responses older than // |max_age| will be considered invalid. [[nodiscard]] NET_EXPORT CRLRevocationStatus -CheckCRL(base::StringPiece raw_crl, +CheckCRL(std::string_view raw_crl, const ParsedCertificateList& valid_chain, size_t target_cert_index, const ParsedDistributionPoint& cert_dp, 
diff --git a/chromium/net/cert/pki/extended_key_usage.cc b/chromium/net/cert/pki/extended_key_usage.cc index e4e97b30175..297a95c1f90 100644 --- a/chromium/net/cert/pki/extended_key_usage.cc +++ b/chromium/net/cert/pki/extended_key_usage.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/extended_key_usage.h b/chromium/net/cert/pki/extended_key_usage.h index f2ce9eb3e36..c4834d49e3c 100644 --- a/chromium/net/cert/pki/extended_key_usage.h +++ b/chromium/net/cert/pki/extended_key_usage.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/extended_key_usage_unittest.cc b/chromium/net/cert/pki/extended_key_usage_unittest.cc index f98ad799882..9a17c53dfc9 100644 --- a/chromium/net/cert/pki/extended_key_usage_unittest.cc +++ b/chromium/net/cert/pki/extended_key_usage_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/general_names.cc b/chromium/net/cert/pki/general_names.cc index 0a598dd24fe..d2bbd25ef51 100644 --- a/chromium/net/cert/pki/general_names.cc +++ b/chromium/net/cert/pki/general_names.cc 
@@ -1,13 +1,12 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/general_names.h" -#include "base/check_op.h" -#include "base/strings/string_util.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" +#include "net/cert/pki/string_util.h" #include "net/der/input.h" #include "net/der/parser.h" #include "net/der/tag.h" @@ -130,8 +129,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( } else if (tag == der::ContextSpecificPrimitive(1)) { // rfc822Name [1] IA5String, name_type = GENERAL_NAME_RFC822_NAME; - const base::StringPiece s = value.AsStringPiece(); - if (!base::IsStringASCII(s)) { + const std::string_view s = value.AsStringView(); + if (!net::string_util::IsAscii(s)) { errors->AddError(kRFC822NameNotAscii); return false; } @@ -139,8 +138,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( } else if (tag == der::ContextSpecificPrimitive(2)) { // dNSName [2] IA5String, name_type = GENERAL_NAME_DNS_NAME; - const base::StringPiece s = value.AsStringPiece(); - if (!base::IsStringASCII(s)) { + const std::string_view s = value.AsStringView(); + if (!net::string_util::IsAscii(s)) { errors->AddError(kDnsNameNotAscii); return false; } @@ -167,8 +166,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue( } else if (tag == der::ContextSpecificPrimitive(6)) { // uniformResourceIdentifier [6] IA5String, name_type = GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER; - const base::StringPiece s = value.AsStringPiece(); - if (!base::IsStringASCII(s)) { + const std::string_view s = value.AsStringView(); + if (!net::string_util::IsAscii(s)) { errors->AddError(kURINotAscii); return false; } diff --git a/chromium/net/cert/pki/general_names.h b/chromium/net/cert/pki/general_names.h index 0bacddfe98e..c5c32d00428 100644 
--- a/chromium/net/cert/pki/general_names.h +++ b/chromium/net/cert/pki/general_names.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -8,7 +8,6 @@ #include <memory> #include <vector> -#include "base/strings/string_piece_forward.h" #include "net/base/ip_address.h" #include "net/base/net_export.h" #include "net/cert/pki/cert_error_id.h" @@ -76,10 +75,10 @@ struct NET_EXPORT GeneralNames { std::vector<der::Input> other_names; // ASCII rfc822names. - std::vector<base::StringPiece> rfc822_names; + std::vector<std::string_view> rfc822_names; // ASCII hostnames. - std::vector<base::StringPiece> dns_names; + std::vector<std::string_view> dns_names; // DER-encoded ORAddress values. std::vector<der::Input> x400_addresses; @@ -91,7 +90,7 @@ struct NET_EXPORT GeneralNames { std::vector<der::Input> edi_party_names; // ASCII URIs. - std::vector<base::StringPiece> uniform_resource_identifiers; + std::vector<std::string_view> uniform_resource_identifiers; // iPAddresses as sequences of octets in network byte order. This will be // populated if the GeneralNames represents a Subject Alternative Name. diff --git a/chromium/net/cert/pki/name_constraints.cc b/chromium/net/cert/pki/name_constraints.cc index b66abdbef6c..eed0741d200 100644 --- a/chromium/net/cert/pki/name_constraints.cc +++ b/chromium/net/cert/pki/name_constraints.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -8,11 +8,10 @@ #include <memory> -#include "base/check.h" #include "base/numerics/clamped_math.h" -#include "base/strings/string_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/common_cert_errors.h" +#include "net/cert/pki/string_util.h" #include "net/cert/pki/verify_name_match.h" #include "net/der/input.h" #include "net/der/parser.h" @@ -52,8 +51,8 @@ enum WildcardMatchType { WILDCARD_PARTIAL_MATCH, WILDCARD_FULL_MATCH }; // |wildcard_matching| controls handling of wildcard names (|name| starts with // "*."). Wildcard handling is not specified by RFC 5280, but certificate // verification allows it, name constraints must check it similarly. -bool DNSNameMatches(base::StringPiece name, - base::StringPiece dns_constraint, +bool DNSNameMatches(std::string_view name, + std::string_view dns_constraint, WildcardMatchType wildcard_matching) { // Everything matches the empty DNS name constraint. if (dns_constraint.empty()) @@ -74,20 +73,20 @@ bool DNSNameMatches(base::StringPiece name, name[0] == '*' && name[1] == '.') { size_t dns_constraint_dot_pos = dns_constraint.find('.'); if (dns_constraint_dot_pos != std::string::npos) { - base::StringPiece dns_constraint_domain = + std::string_view dns_constraint_domain = dns_constraint.substr(dns_constraint_dot_pos + 1); - base::StringPiece wildcard_domain = name.substr(2); - if (base::EqualsCaseInsensitiveASCII(wildcard_domain, - dns_constraint_domain)) { + std::string_view wildcard_domain = name.substr(2); + if (net::string_util::IsEqualNoCase(wildcard_domain, + dns_constraint_domain)) { return true; } } } - if (!base::EndsWith(name, dns_constraint, - base::CompareCase::INSENSITIVE_ASCII)) { + if (!net::string_util::EndsWithNoCase(name, dns_constraint)) { return false; } + // Exact match. if (name.size() == dns_constraint.size()) return true; 
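Review bot: The wildcard and suffix comparisons in `DNSNameMatches` now go through `net::string_util::IsEqualNoCase` and `net::string_util::EndsWithNoCase`, whose names no longer state that case folding is ASCII-only, unlike the `base::EqualsCaseInsensitiveASCII` and `base::CompareCase::INSENSITIVE_ASCII` forms they replace. Name-constraint matching decides whether a certificate is accepted, so the comparison should not vary with the process locale or fold bytes above 0x7F; the helpers are defined outside this diff, so that cannot be confirmed from here. A comment at the call sites such as `// Case folding must be ASCII-only and locale-independent.` and a unit test with a high-bit byte in `name` would pin the behaviour. The function body continues beyond the hunk.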
@@ -361,7 +360,7 @@ void NameConstraints::IsPermittedCert(const der::Input& subject_rdn_sequence, } } -bool NameConstraints::IsPermittedDNSName(base::StringPiece name) const { +bool NameConstraints::IsPermittedDNSName(std::string_view name) const { for (const auto& excluded_name : excluded_subtrees_.dns_names) { // When matching wildcard hosts against excluded subtrees, consider it a // match if the constraint would match any expansion of the wildcard. Eg, diff --git a/chromium/net/cert/pki/name_constraints.h b/chromium/net/cert/pki/name_constraints.h index 0fe0452da51..ea472a0ec33 100644 --- a/chromium/net/cert/pki/name_constraints.h +++ b/chromium/net/cert/pki/name_constraints.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,7 +9,6 @@ #include <memory> -#include "base/strings/string_piece_forward.h" #include "net/base/ip_address.h" #include "net/base/net_export.h" #include "net/cert/pki/general_names.h" @@ -56,7 +55,7 @@ class NET_EXPORT NameConstraints { // would not be permitted if "bar.com" is permitted and "foo.bar.com" is // excluded, while "*.baz.com" would only be permitted if "baz.com" is // permitted. - bool IsPermittedDNSName(base::StringPiece name) const; + bool IsPermittedDNSName(std::string_view name) const; // Returns true if the directoryName |name_rdn_sequence| is permitted. // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not diff --git a/chromium/net/cert/pki/name_constraints_unittest.cc b/chromium/net/cert/pki/name_constraints_unittest.cc index 32a97af4f4b..b69a376f5d2 100644 --- a/chromium/net/cert/pki/name_constraints_unittest.cc +++ b/chromium/net/cert/pki/name_constraints_unittest.cc 
@@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/nist_pkits_unittest.cc b/chromium/net/cert/pki/nist_pkits_unittest.cc index f2309349fba..20b48923db4 100644 --- a/chromium/net/cert/pki/nist_pkits_unittest.cc +++ b/chromium/net/cert/pki/nist_pkits_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/nist_pkits_unittest.h b/chromium/net/cert/pki/nist_pkits_unittest.h index bf4d16485c9..8e4c2cb38eb 100644 --- a/chromium/net/cert/pki/nist_pkits_unittest.h +++ b/chromium/net/cert/pki/nist_pkits_unittest.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -97,7 +97,7 @@ class PkitsTest : public ::testing::Test { crl_ders.push_back(net::ReadTestFileToString( "net/third_party/nist-pkits/crls/" + s + ".crl")); - base::StringPiece test_number = info.test_number; + std::string_view test_number = info.test_number; // Some of the PKITS tests are intentionally given different expectations // from PKITS.pdf. diff --git a/chromium/net/cert/pki/ocsp.cc b/chromium/net/cert/pki/ocsp.cc index 46fd72f7109..816a7840c83 100644 --- a/chromium/net/cert/pki/ocsp.cc +++ b/chromium/net/cert/pki/ocsp.cc 
@@ -1,19 +1,17 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/ocsp.h" -#include <algorithm> - -#include "base/base64.h" -#include "base/strings/string_util.h" +#include "base/containers/contains.h" #include "base/time/time.h" #include "net/cert/asn1_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/extended_key_usage.h" #include "net/cert/pki/parsed_certificate.h" #include "net/cert/pki/revocation_util.h" +#include "net/cert/pki/string_util.h" #include "net/cert/pki/verify_name_match.h" #include "net/cert/pki/verify_signed_data.h" #include "net/cert/x509_util.h" @@ -466,19 +464,20 @@ bool VerifyHash(const EVP_MD* type, // subjectPublicKey BIT STRING // } bool GetSubjectPublicKeyBytes(const der::Input& spki_tlv, der::Input* spk_tlv) { + // TODO(bbe) decide what to do with the asn1 utilities, bring them into pki + // or use the boringssl stuff internally.. base::StringPiece spk_strpiece; if (!asn1::ExtractSubjectPublicKeyFromSPKI(spki_tlv.AsStringPiece(), &spk_strpiece)) { return false; } - // ExtractSubjectPublicKeyFromSPKI() includes the unused bit count. For this // application, the unused bit count must be zero, and is not included in the // result. - if (!base::StartsWith(spk_strpiece, "\0")) + if (!net::string_util::StartsWith( + std::string_view(spk_strpiece.data(), spk_strpiece.size()), "\0")) return false; spk_strpiece.remove_prefix(1); - *spk_tlv = der::Input(spk_strpiece); return true; } 
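Review bot: The unused-bit-count check in `GetSubjectPublicKeyBytes` probably never rejects anything: the prefix `"\0"` is a `const char*` literal, and if `net::string_util::StartsWith` takes a `std::string_view` (its signature is not shown here) the conversion stops at the first NUL and yields an empty prefix, which every input starts with. The removed `base::StartsWith(spk_strpiece, "\0")` looks to have had the same weakness, so this is carried over rather than introduced. It also lets an empty `spk_strpiece` reach `remove_prefix(1)`. Comparing the byte directly avoids both: `if (spk_strpiece.empty() || spk_strpiece[0] != '\0') return false;`.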
@@ -525,15 +524,16 @@ bool CheckCertIDMatchesCertificate( // TODO(eroman): Revisit how certificate parsing is used by this file. Ideally // would either pass in the parsed bits, or have a better abstraction for lazily // parsing. -scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { +scoped_refptr<ParsedCertificate> OCSPParseCertificate(std::string_view der) { ParseCertificateOptions parse_options; parse_options.allow_invalid_serial_numbers = true; // TODO(eroman): Swallows the parsing errors. However uses a permissive // parsing model. CertErrors errors; - return ParsedCertificate::Create(x509_util::CreateCryptoBuffer(der), {}, - &errors); + return ParsedCertificate::Create( + x509_util::CreateCryptoBuffer(base::StringPiece(der.data(), der.size())), + {}, &errors); } // Checks that the ResponderID |id| matches the certificate |cert| either @@ -578,7 +578,8 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { // The Authorized Responder must be directly signed by the issuer of the // certificate being checked. // TODO(eroman): Must check the signature algorithm against policy. - if (!VerifySignedData(responder_certificate->signature_algorithm(), + if (!responder_certificate->signature_algorithm().has_value() || + !VerifySignedData(*responder_certificate->signature_algorithm(), responder_certificate->tbs_certificate_tlv(), responder_certificate->signature_value(), issuer_certificate->tbs().spki_tlv)) { 
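Review bot: `OCSPParseCertificate` sets `parse_options.allow_invalid_serial_numbers = true`, but the rewritten `ParsedCertificate::Create(...)` call still passes `{}` as its second argument, so the local is never used and responder certificates are presumably parsed with default options. Either pass it, `ParsedCertificate::Create(..., parse_options, &errors);`, or delete the two `parse_options` lines so the code does not suggest a leniency it does not apply. Which of the two is intended is a policy choice this diff does not settle.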
@@ -589,14 +590,9 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { // part of the extended key usage extension. if (!responder_certificate->has_extended_key_usage()) return false; - const std::vector<der::Input>& ekus = - responder_certificate->extended_key_usage(); - if (std::find(ekus.begin(), ekus.end(), der::Input(kOCSPSigning)) == - ekus.end()) { - return false; - } - return true; + return base::Contains(responder_certificate->extended_key_usage(), + der::Input(kOCSPSigning)); } [[nodiscard]] bool VerifyOCSPResponseSignatureGivenCert( @@ -631,7 +627,7 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) { // (3) Has signed the OCSP response using its public key. for (const auto& responder_cert_tlv : response.certs) { scoped_refptr<ParsedCertificate> cur_responder_certificate = - OCSPParseCertificate(responder_cert_tlv.AsStringPiece()); + OCSPParseCertificate(responder_cert_tlv.AsStringView()); // If failed parsing the certificate, keep looking. if (!cur_responder_certificate) @@ -787,10 +783,10 @@ OCSPRevocationStatus GetRevocationStatusForCert( } OCSPRevocationStatus CheckOCSP( - base::StringPiece raw_response, - base::StringPiece certificate_der, + std::string_view raw_response, + std::string_view certificate_der, const ParsedCertificate* certificate, - base::StringPiece issuer_certificate_der, + std::string_view issuer_certificate_der, const ParsedCertificate* issuer_certificate, const base::Time& verify_time, const base::TimeDelta& max_age, @@ -891,9 +887,9 @@ OCSPRevocationStatus CheckOCSP( } // namespace OCSPRevocationStatus CheckOCSP( - base::StringPiece raw_response, - base::StringPiece certificate_der, - base::StringPiece issuer_certificate_der, + std::string_view raw_response, + std::string_view certificate_der, + std::string_view issuer_certificate_der, const base::Time& verify_time, const base::TimeDelta& max_age, OCSPVerifyResult::ResponseStatus* response_details) { 
@@ -903,15 +899,15 @@ OCSPRevocationStatus CheckOCSP( } OCSPRevocationStatus CheckOCSP( - base::StringPiece raw_response, + std::string_view raw_response, const ParsedCertificate* certificate, const ParsedCertificate* issuer_certificate, const base::Time& verify_time, const base::TimeDelta& max_age, OCSPVerifyResult::ResponseStatus* response_details) { - return CheckOCSP(raw_response, base::StringPiece(), certificate, - base::StringPiece(), issuer_certificate, verify_time, - max_age, response_details); + return CheckOCSP(raw_response, std::string_view(), certificate, + std::string_view(), issuer_certificate, verify_time, max_age, + response_details); } bool CreateOCSPRequest(const ParsedCertificate* cert, @@ -1007,7 +1003,7 @@ bool CreateOCSPRequest(const ParsedCertificate* cert, // the OCSPRequest} GURL CreateOCSPGetURL(const ParsedCertificate* cert, const ParsedCertificate* issuer, - base::StringPiece ocsp_responder_url) { + std::string_view ocsp_responder_url) { std::vector<uint8_t> ocsp_request_der; if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) { // Unexpected (means BoringSSL failed an operation). 
@@ -1015,19 +1011,23 @@ GURL CreateOCSPGetURL(const ParsedCertificate* cert, } // Base64 encode the request data. - std::string b64_encoded; - base::Base64Encode( - base::StringPiece(reinterpret_cast<const char*>(ocsp_request_der.data()), - ocsp_request_der.size()), - &b64_encoded); + size_t len; + if (!EVP_EncodedLength(&len, ocsp_request_der.size())) { + return GURL(); + } + std::vector<uint8_t> encoded(len); + len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(), + ocsp_request_der.size()); + + std::string b64_encoded(encoded.begin(), encoded.begin() + len); // In theory +, /, and = are valid in paths and don't need to be escaped. // However from the example in RFC 5019 section 5 it is clear that the intent // is to escape non-alphanumeric characters (the example conclusively escapes // '/' and '=', but doesn't clarify '+'). - base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "+", "%2B"); - base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "/", "%2F"); - base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "=", "%3D"); + b64_encoded = net::string_util::FindAndReplace(b64_encoded, "+", "%2B"); + b64_encoded = net::string_util::FindAndReplace(b64_encoded, "/", "%2F"); + b64_encoded = net::string_util::FindAndReplace(b64_encoded, "=", "%3D"); // No attempt is made to collapse double slashes for URLs that end in slash, // since the spec doesn't do that. diff --git a/chromium/net/cert/pki/ocsp.h b/chromium/net/cert/pki/ocsp.h index 6a2a5e5b7d3..7464a033d19 100644 --- a/chromium/net/cert/pki/ocsp.h +++ b/chromium/net/cert/pki/ocsp.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -8,7 +8,6 @@ #include <memory> #include <vector> -#include "base/strings/string_piece_forward.h" #include "base/time/time.h" #include "net/base/net_export.h" #include "net/cert/ocsp_revocation_status.h" 
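Review bot: The two meanings of `len` in the new Base64 code of CreateOCSPGetURL need a comment, since the buffer is sized from one and the string is cut from the other. As far as I know BoringSSL's API, `EVP_EncodedLength` counts the trailing NUL that `EVP_EncodeBlock` writes, while `EVP_EncodeBlock`'s return value excludes it; without that a reader cannot tell whether `encoded.begin() + len` stays in bounds. Suggest `// EVP_EncodedLength() counts the trailing NUL; EVP_EncodeBlock() returns the length without it.` above `std::vector<uint8_t> encoded(len);`. Separately, the include list visible in this file's first hunk does not show `openssl/base64.h`; if it is not among the includes outside that hunk, add it rather than relying on a transitive include. The function begins outside this hunk.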
@@ -287,9 +286,9 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv, // |max_age| will be considered invalid. // * |response_details|: Additional details about failures. [[nodiscard]] NET_EXPORT OCSPRevocationStatus -CheckOCSP(base::StringPiece raw_response, - base::StringPiece certificate_der, - base::StringPiece issuer_certificate_der, +CheckOCSP(std::string_view raw_response, + std::string_view certificate_der, + std::string_view issuer_certificate_der, const base::Time& verify_time, const base::TimeDelta& max_age, OCSPVerifyResult::ResponseStatus* response_details); @@ -300,7 +299,7 @@ CheckOCSP(base::StringPiece raw_response, // Arguments are the same as above, except that it takes already parsed // instances of the certificate and issuer certificate. [[nodiscard]] NET_EXPORT OCSPRevocationStatus -CheckOCSP(base::StringPiece raw_response, +CheckOCSP(std::string_view raw_response, const ParsedCertificate* certificate, const ParsedCertificate* issuer_certificate, const base::Time& verify_time, @@ -321,7 +320,7 @@ NET_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert, // Creates a URL to issue a GET request for OCSP information for |cert|. NET_EXPORT GURL CreateOCSPGetURL(const ParsedCertificate* cert, const ParsedCertificate* issuer, - base::StringPiece ocsp_responder_url); + std::string_view ocsp_responder_url); } // namespace net diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc index 1d23453d0b5..6158c1cf923 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc index d312f0fae1b..bf701d8a0e0 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc index f3673aeec7a..df8e88487ce 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc index 872e2680a4e..d3289c7e29d 100644 --- a/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc +++ b/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/ocsp_unittest.cc b/chromium/net/cert/pki/ocsp_unittest.cc index 6b3ae13a68d..bd1b25d4959 100644 --- a/chromium/net/cert/pki/ocsp_unittest.cc +++ b/chromium/net/cert/pki/ocsp_unittest.cc 
@@ -1,15 +1,15 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/ocsp.h" -#include "base/base64.h" #include "base/strings/string_piece.h" -#include "base/strings/string_util.h" +#include "net/cert/pki/string_util.h" #include "net/cert/pki/test_helpers.h" #include "net/der/encode_values.h" #include "testing/gtest/include/gtest/gtest.h" +#include "third_party/boringssl/src/include/openssl/base64.h" #include "third_party/boringssl/src/include/openssl/pool.h" #include "url/gurl.h" @@ -23,7 +23,7 @@ std::string GetFilePath(const std::string& file_name) { return std::string("net/data/ocsp_unittest/") + file_name; } -scoped_refptr<ParsedCertificate> ParseCertificate(base::StringPiece data) { +scoped_refptr<ParsedCertificate> ParseCertificate(std::string_view data) { CertErrors errors; return ParsedCertificate::Create( bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new( @@ -124,7 +124,7 @@ const TestParams kTestParams[] = { // Parameterised test name generator for tests depending on RenderTextBackend. struct PrintTestName { std::string operator()(const testing::TestParamInfo<TestParams>& info) const { - base::StringPiece name(info.param.file_name); + std::string_view name(info.param.file_name); // Strip ".pem" from the end as GTest names cannot contain period. name.remove_suffix(4); return std::string(name); @@ -178,7 +178,7 @@ TEST_P(CheckOCSPTest, FromFile) { der::Input(&request_data)); } -base::StringPiece kGetURLTestParams[] = { +std::string_view kGetURLTestParams[] = { "http://www.example.com/", "http://www.example.com/path/", "http://www.example.com/path", 
@@ -186,8 +186,8 @@ base::StringPiece kGetURLTestParams[] = { "http://user:pass@www.example.com/path?query", }; -class CreateOCSPGetURLTest - : public ::testing::TestWithParam<base::StringPiece> {}; +class CreateOCSPGetURLTest : public ::testing::TestWithParam<std::string_view> { +}; INSTANTIATE_TEST_SUITE_P(All, CreateOCSPGetURLTest, @@ -223,15 +223,20 @@ TEST_P(CreateOCSPGetURLTest, Basic) { std::string b64 = url.spec().substr(GetParam().size() + 1); // Hex un-escape the data. - base::ReplaceSubstringsAfterOffset(&b64, 0, "%2B", "+"); - base::ReplaceSubstringsAfterOffset(&b64, 0, "%2F", "/"); - base::ReplaceSubstringsAfterOffset(&b64, 0, "%3D", "="); + b64 = net::string_util::FindAndReplace(b64, "%2B", "+"); + b64 = net::string_util::FindAndReplace(b64, "%2F", "/"); + b64 = net::string_util::FindAndReplace(b64, "%3D", "="); // Base64 decode the data. - std::string decoded; - ASSERT_TRUE(base::Base64Decode(b64, &decoded)); - - EXPECT_EQ(request_data, decoded); + size_t len; + EXPECT_TRUE(EVP_DecodedLength(&len, b64.size())); + std::vector<uint8_t> decoded(len); + EXPECT_TRUE(EVP_DecodeBase64(decoded.data(), &len, len, + reinterpret_cast<const uint8_t*>(b64.data()), + b64.size())); + std::string decoded_string(decoded.begin(), decoded.begin() + len); + + EXPECT_EQ(request_data, decoded_string); } } // namespace diff --git a/chromium/net/cert/pki/parse_certificate.cc b/chromium/net/cert/pki/parse_certificate.cc index d206ec897e6..7be07772fd6 100644 --- a/chromium/net/cert/pki/parse_certificate.cc +++ b/chromium/net/cert/pki/parse_certificate.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
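Review bot: In CreateOCSPGetURLTest.Basic, `EXPECT_TRUE(EVP_DecodedLength(&len, b64.size()))` lets the test continue after a failure, and the next line sizes `decoded` from `len`, which is declared without an initializer. The removed code used `ASSERT_TRUE` for the decode step; keep that strictness with `ASSERT_TRUE(EVP_DecodedLength(&len, b64.size()));` and `ASSERT_TRUE(EVP_DecodeBase64(...))`, so a malformed payload stops the test instead of building a buffer from an indeterminate length. Declaring `size_t len = 0;` would also remove the uninitialized read on the failure path. The test body begins outside this hunk.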
@@ -6,10 +6,10 @@ #include <utility> -#include "base/strings/string_util.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/general_names.h" +#include "net/cert/pki/string_util.h" #include "net/der/input.h" #include "net/der/parse_values.h" #include "net/der/parser.h" @@ -805,8 +805,8 @@ bool ParseAuthorityInfoAccess( bool ParseAuthorityInfoAccessURIs( const der::Input& authority_info_access_tlv, - std::vector<base::StringPiece>* out_ca_issuers_uris, - std::vector<base::StringPiece>* out_ocsp_uris) { + std::vector<std::string_view>* out_ca_issuers_uris, + std::vector<std::string_view>* out_ocsp_uris) { std::vector<AuthorityInfoAccessDescription> access_descriptions; if (!ParseAuthorityInfoAccess(authority_info_access_tlv, &access_descriptions)) { @@ -825,8 +825,8 @@ bool ParseAuthorityInfoAccessURIs( // GeneralName ::= CHOICE { if (access_location_tag == der::ContextSpecificPrimitive(6)) { // uniformResourceIdentifier [6] IA5String, - base::StringPiece uri = access_location_value.AsStringPiece(); - if (!base::IsStringASCII(uri)) + std::string_view uri = access_location_value.AsStringView(); + if (!net::string_util::IsAscii(uri)) return false; if (access_description.access_method_oid == der::Input(kAdCaIssuersOid)) diff --git a/chromium/net/cert/pki/parse_certificate.h b/chromium/net/cert/pki/parse_certificate.h index d71dda139b5..960244ce8e6 100644 --- a/chromium/net/cert/pki/parse_certificate.h +++ b/chromium/net/cert/pki/parse_certificate.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -535,8 +535,8 @@ struct AuthorityInfoAccessDescription { // ignored. [[nodiscard]] NET_EXPORT bool ParseAuthorityInfoAccessURIs( const der::Input& authority_info_access_tlv, - std::vector<base::StringPiece>* out_ca_issuers_uris, - std::vector<base::StringPiece>* out_ocsp_uris); + std::vector<std::string_view>* out_ca_issuers_uris, + std::vector<std::string_view>* out_ocsp_uris); // ParsedDistributionPoint represents a parsed DistributionPoint from RFC 5280. // diff --git a/chromium/net/cert/pki/parse_certificate_fuzzer.cc b/chromium/net/cert/pki/parse_certificate_fuzzer.cc index b73eb018a24..95ddc39c3e4 100644 --- a/chromium/net/cert/pki/parse_certificate_fuzzer.cc +++ b/chromium/net/cert/pki/parse_certificate_fuzzer.cc @@ -1,11 +1,10 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <stddef.h> #include <stdint.h> -#include "base/check_op.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/parsed_certificate.h" #include "net/cert/x509_util.h" diff --git a/chromium/net/cert/pki/parse_certificate_unittest.cc b/chromium/net/cert/pki/parse_certificate_unittest.cc index 7f5c48efe3e..f22c45fdb19 100644 --- a/chromium/net/cert/pki/parse_certificate_unittest.cc +++ b/chromium/net/cert/pki/parse_certificate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -536,7 +536,7 @@ TEST(ParseAuthorityInfoAccess, BasicTests) { EXPECT_EQ(der::Input(location_der), desc.access_location); } - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); ASSERT_EQ(1u, ca_issuers_uris.size()); @@ -578,7 +578,7 @@ TEST(ParseAuthorityInfoAccess, NoOcspOrCaIssuersURIs) { 0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f}; EXPECT_EQ(der::Input(location_der), desc.access_location); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; // ParseAuthorityInfoAccessURIs should still return success since it was a // valid AuthorityInfoAccess extension, even though it did not contain any // elements we care about, and both output vectors should be empty. @@ -610,7 +610,7 @@ TEST(ParseAuthorityInfoAccess, IncompleteAccessDescription) { std::vector<AuthorityInfoAccessDescription> access_descriptions; EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions)); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); } @@ -633,7 +633,7 @@ TEST(ParseAuthorityInfoAccess, ExtraDataInAccessDescription) { std::vector<AuthorityInfoAccessDescription> access_descriptions; EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions)); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); } 
@@ -645,7 +645,7 @@ TEST(ParseAuthorityInfoAccess, EmptySequence) { std::vector<AuthorityInfoAccessDescription> access_descriptions; EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions)); - std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris; + std::vector<std::string_view> ca_issuers_uris, ocsp_uris; EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris, &ocsp_uris)); } diff --git a/chromium/net/cert/pki/parse_name.cc b/chromium/net/cert/pki/parse_name.cc index 5cd4516890c..5e8459aa0d8 100644 --- a/chromium/net/cert/pki/parse_name.cc +++ b/chromium/net/cert/pki/parse_name.cc @@ -1,11 +1,9 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/parse_name.h" -#include "base/check_op.h" -#include "base/notreached.h" #include "base/strings/string_number_conversions.h" #include "net/der/parse_values.h" #include "third_party/boringssl/src/include/openssl/bytestring.h" @@ -72,7 +70,7 @@ bool X509NameAttribute::ValueAsStringUnsafe(std::string* out) const { case der::kBmpString: return der::ParseBmpString(value, out); default: - NOTREACHED(); + assert(0); // NOTREACHED return false; } } diff --git a/chromium/net/cert/pki/parse_name.h b/chromium/net/cert/pki/parse_name.h index e44833a9b30..93d8db53d67 100644 --- a/chromium/net/cert/pki/parse_name.h +++ b/chromium/net/cert/pki/parse_name.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/parse_name_unittest.cc b/chromium/net/cert/pki/parse_name_unittest.cc index 3e29b808c4e..81064e07a64 100644 --- a/chromium/net/cert/pki/parse_name_unittest.cc +++ b/chromium/net/cert/pki/parse_name_unittest.cc 
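Review bot: `assert(0);  // NOTREACHED` in X509NameAttribute::ValueAsStringUnsafe is added while `base/check_op.h` and `base/notreached.h` are removed, and no `<cassert>` include is visible in the include hunk of parse_name.cc. If it is not included below that hunk, add `#include <cassert>` rather than depending on a transitive include. Because `assert` compiles out under NDEBUG, the `return false` after it is the release-build behaviour for an unexpected tag; a short comment such as `// Unexpected tag: fail closed when asserts are disabled.` would make that intent explicit. The same pattern appears in the path_builder.cc change to CertPathBuilderResultPath::GetTrustedCert.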
@@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/parsed_certificate.cc b/chromium/net/cert/pki/parsed_certificate.cc index a1268a127b6..367bce786a0 100644 --- a/chromium/net/cert/pki/parsed_certificate.cc +++ b/chromium/net/cert/pki/parsed_certificate.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -20,8 +20,6 @@ namespace { DEFINE_CERT_ERROR_ID(kFailedParsingCertificate, "Failed parsing Certificate"); DEFINE_CERT_ERROR_ID(kFailedParsingTbsCertificate, "Failed parsing TBSCertificate"); -DEFINE_CERT_ERROR_ID(kFailedParsingSignatureAlgorithm, - "Failed parsing SignatureAlgorithm"); DEFINE_CERT_ERROR_ID(kFailedReadingIssuerOrSubject, "Failed reading issuer or subject"); DEFINE_CERT_ERROR_ID(kFailedNormalizingSubject, "Failed normalizing subject"); @@ -106,13 +104,8 @@ scoped_refptr<ParsedCertificate> ParsedCertificate::Create( } // Attempt to parse the signature algorithm contained in the Certificate. - absl::optional<SignatureAlgorithm> sigalg = + result->signature_algorithm_ = ParseSignatureAlgorithm(result->signature_algorithm_tlv_, errors); - if (!sigalg) { - errors->AddError(kFailedParsingSignatureAlgorithm); - return nullptr; - } - result->signature_algorithm_ = *sigalg; der::Input subject_value; if (!GetSequenceValue(result->tbs_.subject_tlv, &subject_value)) { diff --git a/chromium/net/cert/pki/parsed_certificate.h b/chromium/net/cert/pki/parsed_certificate.h index d02c4bf5129..e777228fc32 100644 --- a/chromium/net/cert/pki/parsed_certificate.h +++ b/chromium/net/cert/pki/parsed_certificate.h 
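Review bot: ParsedCertificate::Create now succeeds for a certificate whose signatureAlgorithm is unknown or malformed, and the new assignment `result->signature_algorithm_ = ParseSignatureAlgorithm(...)` has no comment saying so. With `kFailedParsingSignatureAlgorithm` removed, rejecting such certificates moves to every caller of `signature_algorithm()`. The OCSP responder check in this commit does test `has_value()` before verifying, but call sites outside this page cannot be confirmed from here. Suggest adding above the assignment: `// May be nullopt (unknown or unparsable algorithm); callers that verify signatures must treat nullopt as a failure.` Create's body extends beyond this hunk.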
@@ -1,5 +1,4 @@ - -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -10,7 +9,6 @@ #include <memory> #include <vector> -#include "base/check.h" #include "base/memory/ref_counted.h" #include "net/base/net_export.h" #include "net/cert/pki/certificate_policies.h" @@ -86,7 +84,8 @@ class NET_EXPORT ParsedCertificate const ParsedTbsCertificate& tbs() const { return tbs_; } // Returns the signatureAlgorithm of the Certificate (not the tbsCertificate). - SignatureAlgorithm signature_algorithm() const { + // If the signature algorithm is unknown/unsupported, this returns nullopt. + absl::optional<SignatureAlgorithm> signature_algorithm() const { return signature_algorithm_; } @@ -176,12 +175,12 @@ class NET_EXPORT ParsedCertificate } // Returns any caIssuers URIs from the AuthorityInfoAccess extension. - const std::vector<base::StringPiece>& ca_issuers_uris() const { + const std::vector<std::string_view>& ca_issuers_uris() const { return ca_issuers_uris_; } // Returns any OCSP URIs from the AuthorityInfoAccess extension. - const std::vector<base::StringPiece>& ocsp_uris() const { return ocsp_uris_; } + const std::vector<std::string_view>& ocsp_uris() const { return ocsp_uris_; } // Returns true if the certificate has a Policies extension. bool has_policy_oids() const { return has_policy_oids_; } 
@@ -261,14 +260,7 @@ class NET_EXPORT ParsedCertificate ParsedTbsCertificate tbs_; // The signatureAlgorithm from the Certificate. - // - // TODO(crbug.com/1321688): This class requires that we recognize the - // signature algorithm, but there are some self-signed root certificates with - // weak signature algorithms like MD2. We never verify those signatures, but - // this means we must include MD2, etc., in the `SignatureAlgorithm` enum. - // Instead, make this an `absl::optional<SignatureAlgorithm>` and make the - // call sites handle recognized and unrecognized algorithms. - SignatureAlgorithm signature_algorithm_; + absl::optional<SignatureAlgorithm> signature_algorithm_; // Normalized DER-encoded Subject (not including outer Sequence tag). std::string normalized_subject_; @@ -301,8 +293,8 @@ class NET_EXPORT ParsedCertificate // CaIssuers and Ocsp URIs parsed from the AuthorityInfoAccess extension. Note // that the AuthorityInfoAccess may have contained other AccessDescriptions // which are not represented here. - std::vector<base::StringPiece> ca_issuers_uris_; - std::vector<base::StringPiece> ocsp_uris_; + std::vector<std::string_view> ca_issuers_uris_; + std::vector<std::string_view> ocsp_uris_; // Policies extension. bool has_policy_oids_ = false; diff --git a/chromium/net/cert/pki/parsed_certificate_unittest.cc b/chromium/net/cert/pki/parsed_certificate_unittest.cc index b33520910b3..bd08592a66c 100644 --- a/chromium/net/cert/pki/parsed_certificate_unittest.cc +++ b/chromium/net/cert/pki/parsed_certificate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -148,7 +148,10 @@ TEST(ParsedCertificateTest, BadPolicyQualifiers) { // Parses a certificate that uses an unknown signature algorithm OID (00). TEST(ParsedCertificateTest, BadSignatureAlgorithmOid) { - ASSERT_FALSE(ParseCertificateFromFile("bad_signature_algorithm_oid.pem", {})); + scoped_refptr<ParsedCertificate> cert = + ParseCertificateFromFile("bad_signature_algorithm_oid.pem", {}); + ASSERT_TRUE(cert); + ASSERT_FALSE(cert->signature_algorithm()); } // The validity encodes time as UTCTime but following the BER rules rather than @@ -159,7 +162,10 @@ TEST(ParsedCertificateTest, BadValidity) { // The signature algorithm contains an unexpected parameters field. TEST(ParsedCertificateTest, FailedSignatureAlgorithm) { - ASSERT_FALSE(ParseCertificateFromFile("failed_signature_algorithm.pem", {})); + scoped_refptr<ParsedCertificate> cert = + ParseCertificateFromFile("failed_signature_algorithm.pem", {}); + ASSERT_TRUE(cert); + ASSERT_FALSE(cert->signature_algorithm()); } TEST(ParsedCertificateTest, IssuerBadPrintableString) { diff --git a/chromium/net/cert/pki/path_builder.cc b/chromium/net/cert/pki/path_builder.cc index cdb9ede48dd..c73d033dd7d 100644 --- a/chromium/net/cert/pki/path_builder.cc +++ b/chromium/net/cert/pki/path_builder.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -11,9 +11,7 @@ #include "base/logging.h" #include "base/memory/raw_ptr.h" #include "base/metrics/histogram_functions.h" -#include "base/notreached.h" #include "base/strings/string_number_conversions.h" -#include "crypto/sha2.h" #include "net/base/net_errors.h" #include "net/cert/pki/cert_issuer_source.h" #include "net/cert/pki/certificate_policies.h" 
@@ -25,6 +23,7 @@ #include "net/cert/pki/verify_name_match.h" #include "net/der/parser.h" #include "net/der/tag.h" +#include "third_party/boringssl/src/include/openssl/sha.h" namespace net { @@ -34,8 +33,10 @@ using CertIssuerSources = std::vector<CertIssuerSource*>; // Returns a hex-encoded sha256 of the DER-encoding of |cert|. std::string FingerPrintParsedCertificate(const net::ParsedCertificate* cert) { - std::string hash = crypto::SHA256HashString(cert->der_cert().AsStringPiece()); - return base::HexEncode(hash.data(), hash.size()); + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256(cert->der_cert().AsSpan().data(), cert->der_cert().AsSpan().size(), + digest); + return base::HexEncode(digest, sizeof(digest)); } // TODO(mattm): decide how much debug logging to keep. @@ -225,7 +226,7 @@ class CertIssuersIter { // duplicates. This is based on the full DER of the cert to allow different // versions of the same certificate to be tried in different candidate paths. // This points to data owned by |issuers_|. - std::unordered_set<base::StringPiece, base::StringPieceHash> present_issuers_; + std::unordered_set<std::string_view> present_issuers_; // Tracks which requests have been made yet. bool did_initial_query_ = false; @@ -304,10 +305,10 @@ void CertIssuersIter::GetNextIssuer(IssuerEntry* out) { void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) { for (scoped_refptr<ParsedCertificate>& issuer : new_issuers) { - if (present_issuers_.find(issuer->der_cert().AsStringPiece()) != + if (present_issuers_.find(issuer->der_cert().AsStringView()) != present_issuers_.end()) continue; - present_issuers_.insert(issuer->der_cert().AsStringPiece()); + present_issuers_.insert(issuer->der_cert().AsStringView()); // Look up the trust for this issuer. IssuerEntry entry; 
@@ -420,8 +421,7 @@ class CertIssuerIterPath { } private: - using Key = - std::tuple<base::StringPiece, base::StringPiece, base::StringPiece>; + using Key = std::tuple<std::string_view, std::string_view, std::string_view>; static Key GetKey(const ParsedCertificate* cert) { // TODO(mattm): ideally this would use a normalized version of @@ -430,9 +430,9 @@ class CertIssuerIterPath { // Note that subject_alt_names_extension().value will be empty if the cert // had no SubjectAltName extension, so there is no need for a condition on // has_subject_alt_names(). - return Key(cert->normalized_subject().AsStringPiece(), - cert->subject_alt_names_extension().value.AsStringPiece(), - cert->tbs().spki_tlv.AsStringPiece()); + return Key(cert->normalized_subject().AsStringView(), + cert->subject_alt_names_extension().value.AsStringView(), + cert->tbs().spki_tlv.AsStringView()); } std::vector<std::unique_ptr<CertIssuersIter>> cur_path_; @@ -458,7 +458,7 @@ const ParsedCertificate* CertPathBuilderResultPath::GetTrustedCert() const { return nullptr; } - NOTREACHED(); + assert(0); // NOTREACHED return nullptr; } diff --git a/chromium/net/cert/pki/path_builder.h b/chromium/net/cert/pki/path_builder.h index c4bd8a72581..01fc9eb6301 100644 --- a/chromium/net/cert/pki/path_builder.h +++ b/chromium/net/cert/pki/path_builder.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/path_builder_pkits_unittest.cc b/chromium/net/cert/pki/path_builder_pkits_unittest.cc index e082f7d55fc..0939aa6bd4a 100644 --- a/chromium/net/cert/pki/path_builder_pkits_unittest.cc +++ b/chromium/net/cert/pki/path_builder_pkits_unittest.cc 
@@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -162,7 +162,7 @@ class PathBuilderPkitsTestDelegate { crl_ders, verify_time, /*max_age=*/base::Days(365 * 2), 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); - base::StringPiece test_number = info.test_number; + std::string_view test_number = info.test_number; if (test_number == "4.4.19" || test_number == "4.5.3" || test_number == "4.5.4" || test_number == "4.5.6") { // 4.4.19 - fails since CRL is signed by a certificate that is not part diff --git a/chromium/net/cert/pki/path_builder_unittest.cc b/chromium/net/cert/pki/path_builder_unittest.cc index 80c5baa5eae..f31c6a5f7a2 100644 --- a/chromium/net/cert/pki/path_builder_unittest.cc +++ b/chromium/net/cert/pki/path_builder_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -9,6 +9,7 @@ #include "base/containers/span.h" #include "base/files/file_util.h" #include "base/path_service.h" +#include "base/ranges/algorithm.h" #include "base/test/bind.h" #include "base/test/metrics/histogram_tester.h" #include "base/test/task_environment.h" @@ -917,7 +918,7 @@ bool AreCertsEq(const scoped_refptr<ParsedCertificate> cert_1, } // Test to ensure that path building stops when an intermediate cert is -// encountered that is not usable for TLS because of EKU restrictions. +// encountered that is not usable for TLS because it is explicitly distrusted. TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { crypto::ScopedHCERTSTORE root_store(CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr)); 
@@ -932,7 +933,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { szOID_PKIX_KP_SERVER_AUTH); AddToStoreWithEKURestriction(intermediate_store.get(), c_by_e_, szOID_PKIX_KP_SERVER_AUTH); - AddToStoreWithEKURestriction(intermediate_store.get(), c_by_d_, nullptr); + AddToStoreWithEKURestriction(disallowed_store.get(), c_by_d_, nullptr); std::unique_ptr<TrustStoreWin> trust_store = TrustStoreWin::CreateForTesting( std::move(root_store), std::move(intermediate_store), @@ -948,7 +949,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { auto result = path_builder.Run(); ASSERT_TRUE(result.HasValidPath()); - ASSERT_EQ(2U, result.paths.size()); + ASSERT_EQ(1U, result.paths.size()); const auto& path = *result.GetBestValidPath(); ASSERT_EQ(3U, path.certs.size()); EXPECT_TRUE(AreCertsEq(b_by_c_, path.certs[0])); @@ -956,14 +957,12 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) { EXPECT_TRUE(AreCertsEq(e_by_e_, path.certs[2])); // Should only be one valid path, the one above. - int valid_paths = 0; - for (auto&& path : result.paths) { - valid_paths += path->IsValid() ? 1 : 0; - } + int valid_paths = + base::ranges::count_if(result.paths, &CertPathBuilderResultPath::IsValid); ASSERT_EQ(1, valid_paths); } -// Test that if an intermediate is disabled for TLS, and it is the only +// Test that if an intermediate is untrusted, and it is the only // path, then path building should fail, even if the root is enabled for // TLS. TEST_F(PathBuilderMultiRootTest, TrustStoreWinNoPathEKURestrictions) { 
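Review bot: The rewritten comment above `TrustStoreWinNoPathEKURestrictions` calls the intermediate "untrusted", but the following hunk adds `c_by_d_` to `disallowed_store`, which the updated comment on `TrustStoreWinOnlyFindTrustedTLSPath` describes as "explicitly distrusted"; the two comments should use the same term. I would write `// Test that if an intermediate is explicitly distrusted, and it is the only`. The test name still ends in `EKURestrictions` although the case no longer appears to turn on an EKU restriction of the intermediate, so a rename is worth considering.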
@@ -976,7 +975,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinNoPathEKURestrictions) { AddToStoreWithEKURestriction(root_store.get(), d_by_d_, szOID_PKIX_KP_SERVER_AUTH); - AddToStoreWithEKURestriction(intermediate_store.get(), c_by_d_, nullptr); + AddToStoreWithEKURestriction(disallowed_store.get(), c_by_d_, nullptr); std::unique_ptr<TrustStoreWin> trust_store = TrustStoreWin::CreateForTesting( std::move(root_store), std::move(intermediate_store), std::move(disallowed_store)); diff --git a/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc b/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc index 1db806bb67a..a3f1530e541 100644 --- a/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc +++ b/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -17,8 +17,7 @@ class PathBuilderTestDelegate { public: static void Verify(const VerifyCertChainTest& test, const std::string& test_file_path) { - SimplePathBuilderDelegate path_builder_delegate( - 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + SimplePathBuilderDelegate path_builder_delegate(1024, test.digest_policy); ASSERT_FALSE(test.chain.empty()); TrustStoreInMemory trust_store; diff --git a/chromium/net/cert/pki/revocation_util.cc b/chromium/net/cert/pki/revocation_util.cc index 17a75b03c8e..afbc7290adc 100644 --- a/chromium/net/cert/pki/revocation_util.cc +++ b/chromium/net/cert/pki/revocation_util.cc @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
diff --git a/chromium/net/cert/pki/revocation_util.h b/chromium/net/cert/pki/revocation_util.h index 2966a0542de..1cd5ce81e8b 100644 --- a/chromium/net/cert/pki/revocation_util.h +++ b/chromium/net/cert/pki/revocation_util.h @@ -1,4 +1,4 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. +// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/signature_algorithm.cc b/chromium/net/cert/pki/signature_algorithm.cc index a7ff1852587..0b913bb72b4 100644 --- a/chromium/net/cert/pki/signature_algorithm.cc +++ b/chromium/net/cert/pki/signature_algorithm.cc @@ -1,10 +1,9 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/signature_algorithm.h" -#include "base/check.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" #include "net/der/input.h" @@ -17,21 +16,6 @@ namespace net { namespace { -// md2WithRSAEncryption -// In dotted notation: 1.2.840.113549.1.1.2 -const uint8_t kOidMd2WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x02}; - -// md4WithRSAEncryption -// In dotted notation: 1.2.840.113549.1.1.3 -const uint8_t kOidMd4WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x03}; - -// md5WithRSAEncryption -// In dotted notation: 1.2.840.113549.1.1.4 -const uint8_t kOidMd5WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04}; - // From RFC 5912: // // sha1WithRSAEncryption OBJECT IDENTIFIER ::= { 
@@ -134,24 +118,6 @@ const uint8_t kOidRsaSsaPss[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, // From RFC 5912: // -// dsa-with-sha1 OBJECT IDENTIFIER ::= { -// iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 } -// -// In dotted notation: 1.2.840.10040.4.3 -const uint8_t kOidDsaWithSha1[] = {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03}; - -// From RFC 5912: -// -// dsa-with-sha256 OBJECT IDENTIFIER ::= { -// joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) -// csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } -// -// In dotted notation: 2.16.840.1.101.3.4.3.2 -const uint8_t kOidDsaWithSha256[] = {0x60, 0x86, 0x48, 0x01, 0x65, - 0x03, 0x04, 0x03, 0x02}; - -// From RFC 5912: -// // id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 } // // In dotted notation: 1.2.840.113549.1.1.8 @@ -391,15 +357,6 @@ absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm( if (oid == der::Input(kOidSha1WithRsaSignature) && IsNullOrEmpty(params)) { return SignatureAlgorithm::kRsaPkcs1Sha1; } - if (oid == der::Input(kOidMd2WithRsaEncryption) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kRsaPkcs1Md2; - } - if (oid == der::Input(kOidMd4WithRsaEncryption) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kRsaPkcs1Md4; - } - if (oid == der::Input(kOidMd5WithRsaEncryption) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kRsaPkcs1Md5; - } // RFC 5912 requires that the parameters for ECDSA algorithms be absent // ("PARAMS TYPE NULL ARE absent"): 
@@ -420,16 +377,6 @@ absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm( return ParseRsaPss(params); } - // RFC 5912 requires that the parameters for DSA algorithms be absent. - // - // TODO(svaldez): Add warning about non-strict parsing. - if (oid == der::Input(kOidDsaWithSha1) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kDsaSha1; - } - if (oid == der::Input(kOidDsaWithSha256) && IsNullOrEmpty(params)) { - return SignatureAlgorithm::kDsaSha256; - } - // Unknown signature algorithm. if (errors) { errors->AddError(kUnknownSignatureAlgorithm, @@ -446,8 +393,7 @@ absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm( // implement this within the library, so callers do not need to condition over // all algorithms. switch (alg) { - // If the single digest algorithm is MD5 or SHA-1, use SHA-256. - case SignatureAlgorithm::kRsaPkcs1Md5: + // If the single digest algorithm is SHA-1, use SHA-256. case SignatureAlgorithm::kRsaPkcs1Sha1: case SignatureAlgorithm::kEcdsaSha1: return DigestAlgorithm::Sha256; @@ -473,13 +419,6 @@ absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm( return DigestAlgorithm::Sha384; case SignatureAlgorithm::kRsaPssSha512: return DigestAlgorithm::Sha512; - - // Do not return anything for these legacy algorithms. - case SignatureAlgorithm::kDsaSha1: - case SignatureAlgorithm::kDsaSha256: - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - return absl::nullopt; } return absl::nullopt; } diff --git a/chromium/net/cert/pki/signature_algorithm.h b/chromium/net/cert/pki/signature_algorithm.h index e6e2569bbae..8e3ad573f5b 100644 --- a/chromium/net/cert/pki/signature_algorithm.h +++ b/chromium/net/cert/pki/signature_algorithm.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -9,6 +9,7 @@ #include "net/base/net_export.h" #include "third_party/abseil-cpp/absl/types/optional.h" +#include "third_party/boringssl/src/include/openssl/evp.h" namespace net { @@ -45,13 +46,6 @@ enum class SignatureAlgorithm { kRsaPssSha256, kRsaPssSha384, kRsaPssSha512, - // These algorithms can be parsed but are not supported. - // TODO(https://crbug.com/1321688): Remove these. - kRsaPkcs1Md2, - kRsaPkcs1Md4, - kRsaPkcs1Md5, - kDsaSha1, - kDsaSha256, }; // Parses AlgorithmIdentifier as defined by RFC 5280 section 4.1.1.2: diff --git a/chromium/net/cert/pki/signature_algorithm_unittest.cc b/chromium/net/cert/pki/signature_algorithm_unittest.cc index 2247675ca76..3997ffc505d 100644 --- a/chromium/net/cert/pki/signature_algorithm_unittest.cc +++ b/chromium/net/cert/pki/signature_algorithm_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -1373,8 +1373,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd5WithRsaEncryptionNullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kRsaPkcs1Md5); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a md4WithRSAEncryption which contains a NULL parameters field. @@ -1391,8 +1390,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd4WithRsaEncryptionNullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kRsaPkcs1Md4); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a md2WithRSAEncryption which contains a NULL parameters field. 
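Review bot: The updated expectation in `ParseDerMd5WithRsaEncryptionNullParams` still passes `nullptr` for the errors argument, so the test shows only that the result is `absl::nullopt`, not that the rejection was reported; the same applies to the MD4, MD2, dsaWithSha1 and dsaWithSha256 tests in the following hunks. `ParseSignatureAlgorithm` adds `kUnknownSignatureAlgorithm` only when `errors` is non-null, so I would declare `CertErrors errors;`, call `ParseSignatureAlgorithm(der::Input(kData), &errors)` and assert that an error was recorded. The comments above these tests still begin "Parses a ...", which could be reworded to say the algorithm is now rejected.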
@@ -1409,8 +1407,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd2WithRsaEncryptionNullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kRsaPkcs1Md2); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a dsaWithSha1 which contains no parameters field. @@ -1425,8 +1422,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha1NoParams) { 0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03, }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kDsaSha1); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a dsaWithSha1 which contains a NULL parameters field. @@ -1443,8 +1439,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha1NullParams) { 0x05, 0x00, // NULL (0 bytes) }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kDsaSha1); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } // Parses a dsaWithSha256 which contains no parameters field. @@ -1459,8 +1454,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha256NoParams) { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02 }; // clang-format on - EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), - SignatureAlgorithm::kDsaSha256); + EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt); } } // namespace diff --git a/chromium/net/cert/pki/simple_path_builder_delegate.cc b/chromium/net/cert/pki/simple_path_builder_delegate.cc index aa961254d3a..06dfabff957 100644 --- a/chromium/net/cert/pki/simple_path_builder_delegate.cc +++ b/chromium/net/cert/pki/simple_path_builder_delegate.cc 
@@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -70,16 +70,6 @@ bool SimplePathBuilderDelegate::IsSignatureAlgorithmAcceptable( case SignatureAlgorithm::kRsaPssSha384: case SignatureAlgorithm::kRsaPssSha512: return true; - - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - case SignatureAlgorithm::kRsaPkcs1Md5: - case SignatureAlgorithm::kDsaSha1: - case SignatureAlgorithm::kDsaSha256: - // TODO(https://crbug.com/1321688): We do not implement DSA, MD2, MD4, or - // MD5 anyway. Remove them from the parser altogether, so code does not - // need to handle them. - return false; } } diff --git a/chromium/net/cert/pki/simple_path_builder_delegate.h b/chromium/net/cert/pki/simple_path_builder_delegate.h index db1b368c215..d1f7bf5e0b5 100644 --- a/chromium/net/cert/pki/simple_path_builder_delegate.h +++ b/chromium/net/cert/pki/simple_path_builder_delegate.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc b/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc index e9613a1e61f..440dafe1c21 100644 --- a/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc +++ b/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/simple_path_builder_delegate.h" 
diff --git a/chromium/net/cert/pki/string_util.cc b/chromium/net/cert/pki/string_util.cc
new file mode 100644
index 00000000000..4fc00a62b36
--- /dev/null
+++ b/chromium/net/cert/pki/string_util.cc
@@ -0,0 +1,75 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/pki/string_util.h" + +#include "third_party/boringssl/src/include/openssl/mem.h" + +#include <algorithm> +#include <string> + +namespace net::string_util { + +bool IsAscii(std::string_view str) { + for (unsigned char c : str) { + if (c > 127) { + return false; + } + } + return true; +} + +bool IsEqualNoCase(std::string_view str1, std::string_view str2) { + if (str1.size() != str2.size()) { + return false; + } + return std::equal(str2.cbegin(), str2.cend(), str1.cbegin(), + [](const unsigned char a, const unsigned char b) { + return OPENSSL_tolower(a) == OPENSSL_tolower(b); + }); +} + +bool EndsWithNoCase(std::string_view str, std::string_view suffix) { + return suffix.size() <= str.size() && + IsEqualNoCase(suffix, str.substr(str.size() - suffix.size())); +} + +bool StartsWithNoCase(std::string_view str, std::string_view prefix) { + return prefix.size() <= str.size() && + IsEqualNoCase(prefix, str.substr(0, prefix.size())); +} + +std::string FindAndReplace(std::string_view str, + std::string_view find, + std::string_view replace) { + std::string ret; + + if (find.empty()) { + return std::string(str); + } + while (!str.empty()) { + size_t index = str.find(find); + if (index == std::string_view::npos) { + ret.append(str); + break; + } + ret.append(str.substr(0, index)); + ret.append(replace); + str = str.substr(index + find.size()); + } + return ret; +} + +// TODO(bbe) get rid of this once we can c++20. +bool EndsWith(std::string_view str, std::string_view suffix) { + return suffix.size() <= str.size() && + suffix == str.substr(str.size() - suffix.size()); +} + +// TODO(bbe) get rid of this once we can c++20. 
+bool StartsWith(std::string_view str, std::string_view prefix) { + return prefix.size() <= str.size() && prefix == str.substr(0, prefix.size()); +} + +} // namespace net::string_util diff --git a/chromium/net/cert/pki/string_util.h b/chromium/net/cert/pki/string_util.h new file mode 100644 index 00000000000..da3a72af2b9 --- /dev/null +++ b/chromium/net/cert/pki/string_util.h 
@@ -0,0 +1,49 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_CERT_PKI_STRING_UTIL_H_ +#define NET_CERT_PKI_STRING_UTIL_H_ + +#include "net/base/net_export.h" + +#include <string_view> + +namespace net::string_util { + +// Returns true if the characters in |str| are all ASCII, false otherwise. +NET_EXPORT_PRIVATE bool IsAscii(std::string_view str); + +// Compares |str1| and |str2| ASCII case insensitively (independent of locale). +// Returns true if |str1| and |str2| match. +NET_EXPORT_PRIVATE bool IsEqualNoCase(std::string_view str1, + std::string_view str2); + +// Compares |str1| and |prefix| ASCII case insensitively (independent of +// locale). Returns true if |str1| starts with |prefix|. +NET_EXPORT_PRIVATE bool StartsWithNoCase(std::string_view str, + std::string_view prefix); + +// Compares |str1| and |suffix| ASCII case insensitively (independent of +// locale). Returns true if |str1| starts with |suffix|. +NET_EXPORT_PRIVATE bool EndsWithNoCase(std::string_view str, + std::string_view suffix); + +// Finds and replaces all occurrences of |find| of non zero length with +// |replace| in |str|, returning the result. +NET_EXPORT_PRIVATE std::string FindAndReplace(std::string_view str, + std::string_view find, + std::string_view replace); + +// TODO(bbe) transition below to c++20 +// Compares |str1| and |prefix|. Returns true if |str1| starts with |prefix|. +NET_EXPORT_PRIVATE bool StartsWith(std::string_view str, + std::string_view prefix); + +// TODO(bbe) transition below to c++20 +// Compares |str1| and |suffix|. Returns true if |str1| ends with |suffix|. +NET_EXPORT_PRIVATE bool EndsWith(std::string_view str, std::string_view suffix); + +} // namespace net::string_util + +#endif // NET_CERT_PKI_STRING_UTIL_H_ 
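Review bot: string_util.h declares `FindAndReplace` as returning `std::string` but includes only `<string_view>`, so the header is not self-contained; add `#include <string>`. The comment on `EndsWithNoCase` says "Returns true if |str1| starts with |suffix|", which should read `// locale). Returns true if |str| ends with |suffix|.` The comments on `StartsWithNoCase`, `StartsWith` and `EndsWith` also refer to |str1| although the parameter is named `str`.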
diff --git a/chromium/net/cert/pki/string_util_unittest.cc b/chromium/net/cert/pki/string_util_unittest.cc
new file mode 100644
index 00000000000..5a376321908
--- /dev/null
+++ b/chromium/net/cert/pki/string_util_unittest.cc
@@ -0,0 +1,103 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/pki/string_util.h" +#include "testing/gtest/include/gtest/gtest.h" + +namespace net { + +namespace { + +TEST(StringUtilTest, IsAscii) { + EXPECT_TRUE(net::string_util::IsAscii("")); + EXPECT_TRUE(net::string_util::IsAscii("mail.google.com")); + EXPECT_TRUE(net::string_util::IsAscii("mail.google.com\x7F")); + EXPECT_FALSE(net::string_util::IsAscii("mail.google.com\x80")); + EXPECT_FALSE(net::string_util::IsAscii("mail.google.com\xFF")); +} + +TEST(StringUtilTest, IsEqualNoCase) { + EXPECT_TRUE(net::string_util::IsEqualNoCase("", "")); + EXPECT_TRUE( + net::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cOm")); + EXPECT_TRUE(net::string_util::IsEqualNoCase("MAil~-.google.cOm", + "maIL~-.gOoGlE.CoM")); + EXPECT_TRUE(net::string_util::IsEqualNoCase("mail\x80.google.com", + "maIL\x80.GOoGlE.cOm")); + EXPECT_TRUE(net::string_util::IsEqualNoCase("mail\xFF.google.com", + "maIL\xFF.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::IsEqualNoCase("mail.google.co", "maIL.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cO")); +} + +TEST(StringUtilTest, EndsWithNoCase) { + EXPECT_TRUE(net::string_util::EndsWithNoCase("", "")); + EXPECT_TRUE(net::string_util::EndsWithNoCase("mail.google.com", "")); + EXPECT_TRUE( + net::string_util::EndsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm")); + EXPECT_TRUE( + net::string_util::EndsWithNoCase("mail.google.com", ".gOoGlE.cOm")); + EXPECT_TRUE( + net::string_util::EndsWithNoCase("MAil~-.google.cOm", "-.gOoGlE.CoM")); + EXPECT_TRUE(net::string_util::EndsWithNoCase("mail\x80.google.com", + "\x80.GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", "pOoGlE.com")); + EXPECT_FALSE(net::string_util::EndsWithNoCase("mail\x80.google.com", + "\x81.GOoGlE.cOm")); + 
EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.co", ".GOoGlE.cOm")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", ".GOoGlE.cO")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", "mail.google.com1")); + EXPECT_FALSE( + net::string_util::EndsWithNoCase("mail.google.com", "1mail.google.com")); +} + +TEST(StringUtilTest, FindAndReplace) { + std::string tester = "hoobla derp hoobla derp porkrind"; + tester = net::string_util::FindAndReplace(tester, "blah", "woof"); + EXPECT_EQ(tester, "hoobla derp hoobla derp porkrind"); + tester = net::string_util::FindAndReplace(tester, "", "yeet"); + EXPECT_EQ(tester, "hoobla derp hoobla derp porkrind"); + tester = net::string_util::FindAndReplace(tester, "hoobla", "derp"); + EXPECT_EQ(tester, "derp derp derp derp porkrind"); + tester = net::string_util::FindAndReplace(tester, "derp", "a"); + EXPECT_EQ(tester, "a a a a porkrind"); + tester = net::string_util::FindAndReplace(tester, "a ", ""); + EXPECT_EQ(tester, "porkrind"); + tester = net::string_util::FindAndReplace(tester, "porkrind", ""); + EXPECT_EQ(tester, ""); +} + +TEST(StringUtilTest, StartsWithNoCase) { + EXPECT_TRUE(net::string_util::StartsWithNoCase("", "")); + EXPECT_TRUE(net::string_util::StartsWithNoCase("mail.google.com", "")); + EXPECT_TRUE( + net::string_util::StartsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm")); + EXPECT_TRUE(net::string_util::StartsWithNoCase("mail.google.com", "MaIL.")); + EXPECT_TRUE( + net::string_util::StartsWithNoCase("MAil~-.google.cOm", "maiL~-.Goo")); + EXPECT_TRUE( + net::string_util::StartsWithNoCase("mail\x80.google.com", "MAIL\x80.")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mail.google.com", "maIl.MoO")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mail\x80.google.com", "Mail\x81")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mai.google.co", "MAiL.GoogLE")); + EXPECT_FALSE( + net::string_util::StartsWithNoCase("mail.google.com", 
"MaI.GooGLE")); + EXPECT_FALSE(net::string_util::StartsWithNoCase("mail.google.com", + "mail.google.com1")); + EXPECT_FALSE(net::string_util::StartsWithNoCase("mail.google.com", + "1mail.google.com")); +} + +} // namespace + +} // namespace net diff --git a/chromium/net/cert/pki/test_helpers.cc b/chromium/net/cert/pki/test_helpers.cc index 50cc1ba5105..151633f5e4d 100644 --- a/chromium/net/cert/pki/test_helpers.cc +++ b/chromium/net/cert/pki/test_helpers.cc @@ -1,18 +1,18 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/test_helpers.h" -#include "base/base64.h" #include "base/base_paths.h" #include "base/files/file_util.h" #include "base/path_service.h" #include "base/strings/string_piece.h" -#include "base/strings/string_util.h" #include "net/cert/pem.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" +#include "net/cert/pki/simple_path_builder_delegate.h" +#include "net/cert/pki/string_util.h" #include "net/der/parser.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/boringssl/src/include/openssl/pool.h" @@ -23,11 +23,11 @@ namespace net { namespace { -bool GetValue(base::StringPiece prefix, - base::StringPiece line, +bool GetValue(std::string_view prefix, + std::string_view line, std::string* value, bool* has_value) { - if (!base::StartsWith(line, prefix)) + if (!net::string_util::StartsWith(line, prefix)) return false; if (*has_value) { 
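Review bot: string_util_unittest.cc has no test for the case-sensitive `StartsWith` and `EndsWith` that string_util.cc adds; only `IsAscii`, `IsEqualNoCase`, `EndsWithNoCase`, `FindAndReplace` and `StartsWithNoCase` are covered. `StartsWith` is already used by `GetValue` in test_helpers.cc in this commit, so a match, a case mismatch and a prefix longer than the string should be pinned, for example `EXPECT_TRUE(net::string_util::StartsWith("mail.google.com", "mail."));` and `EXPECT_FALSE(net::string_util::StartsWith("mail.google.com", "MAIL."));`, with the mirrored cases for `EndsWith`.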
@@ -45,13 +45,16 @@ bool GetValue(base::StringPiece prefix, namespace der { void PrintTo(const Input& data, ::std::ostream* os) { - std::string b64; - base::Base64Encode( - base::StringPiece(reinterpret_cast<const char*>(data.UnsafeData()), - data.Length()), - &b64); - - *os << "[" << b64 << "]"; + size_t len; + if (!EVP_EncodedLength(&len, data.Length())) { + *os << "[]"; + return; + } + std::vector<uint8_t> encoded(len); + len = EVP_EncodeBlock(encoded.data(), data.UnsafeData(), data.Length()); + // Skip the trailing \0. + std::string b64_encoded(encoded.begin(), encoded.begin() + len); + *os << "[" << b64_encoded << "]"; } } // namespace der @@ -201,8 +204,9 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, bool has_time = false; bool has_errors = false; bool has_key_purpose = false; + bool has_digest_policy = false; - base::StringPiece kExpectedErrors = "expected_errors:"; + std::string kExpectedErrors = "expected_errors:"; std::istringstream stream(file_data); for (std::string line; std::getline(stream, line, '\n');) { @@ -218,7 +222,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, if (line.empty()) { continue; } - base::StringPiece line_piece(line); + std::string_view line_piece(line); std::string value; @@ -236,7 +240,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, ReadCertChainFromFile(chain_path, &test->chain); } else if (GetValue("utc_time: ", line_piece, &value, &has_time)) { if (value == "DEFAULT") { - value = "221005120000Z"; + value = "211005120000Z"; } if (!der::ParseUTCTime(der::Input(&value), &test->time)) { ADD_FAILURE() << "Failed parsing UTC time"; 
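Review bot: `der::PrintTo` now calls `EVP_EncodedLength` and `EVP_EncodeBlock` and uses `std::vector`, but the include hunk at the top of test_helpers.cc removes `base/base64.h` without adding the BoringSSL base64 header or `<vector>`. Unless they arrive through another header (lines 19-22 of the file are not shown), add `#include "third_party/boringssl/src/include/openssl/base64.h"` and `#include <vector>`. Separately, the branch taken when `EVP_EncodedLength` fails prints `[]`, which appears to be the same output an empty `Input` produces; a distinct marker would keep that failure visible in test logs.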
@@ -271,7 +275,18 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, ADD_FAILURE() << "Unrecognized last_cert_trust: " << value; return false; } - } else if (base::StartsWith(line_piece, "#")) { + } else if (GetValue("digest_policy: ", line_piece, &value, + &has_digest_policy)) { + if (value == "STRONG") { + test->digest_policy = SimplePathBuilderDelegate::DigestPolicy::kStrong; + } else if (value == "ALLOW_SHA_1") { + test->digest_policy = + SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1; + } else { + ADD_FAILURE() << "Unrecognized digest_policy: " << value; + return false; + } + } else if (net::string_util::StartsWith(line_piece, "#")) { // Skip comments. continue; } else if (line_piece == kExpectedErrors) { @@ -279,7 +294,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii, // The errors start on the next line, and extend until the end of the // file. std::string prefix = - std::string("\n") + std::string(kExpectedErrors) + std::string("\n"); + std::string("\n") + kExpectedErrors + std::string("\n"); size_t errors_start = file_data.find(prefix); if (errors_start == std::string::npos) { ADD_FAILURE() << "expected_errors not found"; diff --git a/chromium/net/cert/pki/test_helpers.h b/chromium/net/cert/pki/test_helpers.h index 0fe301af316..de2fceed4dd 100644 --- a/chromium/net/cert/pki/test_helpers.h +++ b/chromium/net/cert/pki/test_helpers.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -13,6 +13,7 @@ #include "base/memory/raw_ptr.h" #include "net/cert/pki/parsed_certificate.h" +#include "net/cert/pki/simple_path_builder_delegate.h" #include "net/cert/pki/trust_store.h" #include "net/cert/pki/verify_certificate_chain.h" #include "net/der/input.h" 
@@ -109,6 +110,9 @@ struct VerifyCertChainTest { // The expected errors/warnings from verification (as a string). std::string expected_errors; + SimplePathBuilderDelegate::DigestPolicy digest_policy = + SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1; + // Returns true if |expected_errors| contains any high severity errors (a // non-empty expected_errors doesn't necessarily mean verification is // expected to fail, as it may have contained warnings). diff --git a/chromium/net/cert/pki/trust_store.cc b/chromium/net/cert/pki/trust_store.cc index ee504bff53f..0f0858cdef3 100644 --- a/chromium/net/cert/pki/trust_store.cc +++ b/chromium/net/cert/pki/trust_store.cc @@ -1,11 +1,9 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/trust_store.h" -#include "base/notreached.h" - namespace net { CertificateTrust CertificateTrust::ForTrustAnchor() { @@ -49,7 +47,7 @@ bool CertificateTrust::IsTrustAnchor() const { return true; } - NOTREACHED(); + assert(0); // NOTREACHED return false; } @@ -64,7 +62,7 @@ bool CertificateTrust::IsDistrusted() const { return false; } - NOTREACHED(); + assert(0); // NOTREACHED return false; } @@ -79,7 +77,7 @@ bool CertificateTrust::HasUnspecifiedTrust() const { return false; } - NOTREACHED(); + assert(0); // NOTREACHED return true; } diff --git a/chromium/net/cert/pki/trust_store.h b/chromium/net/cert/pki/trust_store.h index 1c3a721ea29..e5718d02d77 100644 --- a/chromium/net/cert/pki/trust_store.h +++ b/chromium/net/cert/pki/trust_store.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
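Review bot: The new `digest_policy` member of `VerifyCertChainTest` has no comment, unlike the members around it, and its default permits SHA-1. I would add `// Digest policy passed to the path builder delegate. Defaults to allowing` and `// SHA-1 when the test file has no "digest_policy:" line.` above it, so the weak default reads as a deliberate choice that keeps existing test files unchanged. The struct continues outside the hunk.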
diff --git a/chromium/net/cert/pki/trust_store_collection.cc b/chromium/net/cert/pki/trust_store_collection.cc index 03657c4d4a0..d7a3530f5c6 100644 --- a/chromium/net/cert/pki/trust_store_collection.cc +++ b/chromium/net/cert/pki/trust_store_collection.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_collection.h b/chromium/net/cert/pki/trust_store_collection.h index 4d168aa6cfb..472feac2629 100644 --- a/chromium/net/cert/pki/trust_store_collection.h +++ b/chromium/net/cert/pki/trust_store_collection.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_collection_unittest.cc b/chromium/net/cert/pki/trust_store_collection_unittest.cc index 8b17c5a8d8d..90131bea9ac 100644 --- a/chromium/net/cert/pki/trust_store_collection_unittest.cc +++ b/chromium/net/cert/pki/trust_store_collection_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/trust_store_in_memory.cc b/chromium/net/cert/pki/trust_store_in_memory.cc index 7769b992429..b0d9be4b9b4 100644 --- a/chromium/net/cert/pki/trust_store_in_memory.cc +++ b/chromium/net/cert/pki/trust_store_in_memory.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -45,7 +45,7 @@ void TrustStoreInMemory::AddCertificateWithUnspecifiedTrust( void TrustStoreInMemory::SyncGetIssuersOf(const ParsedCertificate* cert, ParsedCertificateList* issuers) { - auto range = entries_.equal_range(cert->normalized_issuer().AsStringPiece()); + auto range = entries_.equal_range(cert->normalized_issuer().AsStringView()); for (auto it = range.first; it != range.second; ++it) issuers->push_back(it->second.cert); } @@ -73,12 +73,12 @@ void TrustStoreInMemory::AddCertificate(scoped_refptr<ParsedCertificate> cert, // TODO(mattm): should this check for duplicate certificates? entries_.insert( - std::make_pair(entry.cert->normalized_subject().AsStringPiece(), entry)); + std::make_pair(entry.cert->normalized_subject().AsStringView(), entry)); } const TrustStoreInMemory::Entry* TrustStoreInMemory::GetEntry( const ParsedCertificate* cert) const { - auto range = entries_.equal_range(cert->normalized_subject().AsStringPiece()); + auto range = entries_.equal_range(cert->normalized_subject().AsStringView()); for (auto it = range.first; it != range.second; ++it) { if (cert == it->second.cert.get() || cert->der_cert() == it->second.cert->der_cert()) { diff --git a/chromium/net/cert/pki/trust_store_in_memory.h b/chromium/net/cert/pki/trust_store_in_memory.h index 1d6a7c69257..021d40d28f7 100644 --- a/chromium/net/cert/pki/trust_store_in_memory.h +++ b/chromium/net/cert/pki/trust_store_in_memory.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -73,8 +73,7 @@ class NET_EXPORT TrustStoreInMemory : public TrustStore { }; // Multimap from normalized subject -> Entry. - std::unordered_multimap<base::StringPiece, Entry, base::StringPieceHash> - entries_; + std::unordered_multimap<std::string_view, Entry> entries_; // Adds a certificate with the specified trust settings. Both trusted and // distrusted certificates require a full DER match. diff --git a/chromium/net/cert/pki/verify_certificate_chain.cc b/chromium/net/cert/pki/verify_certificate_chain.cc index 5fea3878087..216d8309850 100644 --- a/chromium/net/cert/pki/verify_certificate_chain.cc +++ b/chromium/net/cert/pki/verify_certificate_chain.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,7 +6,6 @@ #include <algorithm> -#include "base/check.h" #include "base/memory/raw_ptr.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" @@ -812,16 +811,18 @@ void PathVerifier::BasicCertificateProcessing( } // Check whether this signature algorithm is allowed. - if (!delegate_->IsSignatureAlgorithmAcceptable(cert.signature_algorithm(), + if (!cert.signature_algorithm().has_value() || + !delegate_->IsSignatureAlgorithmAcceptable(*cert.signature_algorithm(), errors)) { *shortcircuit_chain_validation = true; errors->AddError(cert_errors::kUnacceptableSignatureAlgorithm); + return; } if (working_public_key_) { // Verify the digital signature using the previous certificate's key (RFC // 5280 section 6.1.3 step a.1). - if (!VerifySignedData(cert.signature_algorithm(), + if (!VerifySignedData(*cert.signature_algorithm(), cert.tbs_certificate_tlv(), cert.signature_value(), working_public_key_.get())) { *shortcircuit_chain_validation = true; 
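Review bot: The `return` added after `kUnacceptableSignatureAlgorithm` in the -812,16 hunk of verify_certificate_chain.cc is now load-bearing, because `*cert.signature_algorithm()` in the `VerifySignedData` call below dereferences the optional without a check of its own. A comment on the guard would keep a later edit from dropping it, for example `// Empty or rejected algorithm: stop here, the code below dereferences signature_algorithm().` An empty optional (presumably an algorithm the parser did not recognise) and a delegate rejection also report the same error, so the two cannot be told apart in the error output; a distinct error or a parameter on the existing one would help triage. BasicCertificateProcessing starts and ends outside the hunk.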
diff --git a/chromium/net/cert/pki/verify_certificate_chain.h b/chromium/net/cert/pki/verify_certificate_chain.h index 3dd187e6ff2..a67816f9d8a 100644 --- a/chromium/net/cert/pki/verify_certificate_chain.h +++ b/chromium/net/cert/pki/verify_certificate_chain.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc b/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc index 7a2a4aa32ec..e72a721ad33 100644 --- a/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc +++ b/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h b/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h index c563f17ffa0..e7d49876cd8 100644 --- a/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h +++ b/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -7,6 +7,7 @@ #include "net/cert/pem.h" #include "net/cert/pki/parsed_certificate.h" +#include "net/cert/pki/simple_path_builder_delegate.h" #include "net/cert/pki/test_helpers.h" #include "net/cert/pki/trust_store.h" #include "net/cert/pki/verify_certificate_chain.h" 
@@ -74,8 +75,8 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, UnknownExtension) { } TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WeakSignature) { - this->RunTest("target-signed-with-md5/main.test"); - this->RunTest("intermediate-signed-with-md5/main.test"); + this->RunTest("target-signed-with-sha1/main.test"); + this->RunTest("intermediate-signed-with-sha1/main.test"); } TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WrongSignature) { diff --git a/chromium/net/cert/pki/verify_certificate_chain_unittest.cc b/chromium/net/cert/pki/verify_certificate_chain_unittest.cc index a98532ebc0a..3af510d0646 100644 --- a/chromium/net/cert/pki/verify_certificate_chain_unittest.cc +++ b/chromium/net/cert/pki/verify_certificate_chain_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -17,8 +17,7 @@ class VerifyCertificateChainTestDelegate { public: static void Verify(const VerifyCertChainTest& test, const std::string& test_file_path) { - SimplePathBuilderDelegate delegate( - 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + SimplePathBuilderDelegate delegate(1024, test.digest_policy); CertPathErrors errors; // TODO(eroman): Check user_constrained_policy_set. diff --git a/chromium/net/cert/pki/verify_name_match.cc b/chromium/net/cert/pki/verify_name_match.cc index b17ab7e2296..9fa1043663f 100644 --- a/chromium/net/cert/pki/verify_name_match.cc +++ b/chromium/net/cert/pki/verify_name_match.cc 
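Review bot: WeakSignature now runs only the SHA-1 fixtures, so nothing in this hunk feeds the verifier a chain signed with an algorithm it no longer models. Judging by the verify_signed_data.cc hunk that drops the DSA, MD2, MD4 and MD5 cases, such a certificate would presumably reach BasicCertificateProcessing with an empty `signature_algorithm()`, and that rejection path deserves its own case here or in a neighbouring test. Something of the shape `this->RunTest("<fixture-with-unrecognised-signature-algorithm>/main.test");` would do, where the fixture name is a placeholder and not an existing file. Whether such a test already exists elsewhere in the suite is not visible from this hunk.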
@@ -1,12 +1,9 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/verify_name_match.h" -#include "base/check.h" -#include "base/notreached.h" -#include "base/strings/string_util.h" #include "net/cert/pki/cert_error_params.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/parse_name.h" @@ -77,7 +74,7 @@ enum CharsetEnforcement { std::string::const_iterator next_iter = read_iter + 1; if (next_iter != output->end() && *next_iter != ' ') *(write_iter++) = ' '; - } else if (base::IsAsciiUpper(c)) { + } else if (c >= 'A' && c <= 'Z') { // Fold case. *(write_iter++) = c + ('a' - 'A'); } else { @@ -87,7 +84,7 @@ enum CharsetEnforcement { case ENFORCE_PRINTABLE_STRING: // See NormalizePrintableStringValue comment for the acceptable list // of characters. - if (!(base::IsAsciiLower(c) || (c >= '\'' && c <= ':') || c == '=' || + if (!((c >= 'a' && c <= 'z') || (c >= '\'' && c <= ':') || c == '=' || c == '?')) return false; break; @@ -139,7 +136,7 @@ enum CharsetEnforcement { success = NormalizeDirectoryString(ENFORCE_ASCII, output); break; default: - NOTREACHED(); + // NOTREACHED success = false; break; } diff --git a/chromium/net/cert/pki/verify_name_match.h b/chromium/net/cert/pki/verify_name_match.h index 4e49d435df5..1110a5376f2 100644 --- a/chromium/net/cert/pki/verify_name_match.h +++ b/chromium/net/cert/pki/verify_name_match.h @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_name_match_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_fuzzer.cc index 02ae46f62bd..87310f23455 100644 --- a/chromium/net/cert/pki/verify_name_match_fuzzer.cc 
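Review bot: The hand-written range tests `c >= 'A' && c <= 'Z'` and `c >= 'a' && c <= 'z'` in the -77,7 and -87,7 hunks carry no hint that they are deliberately ASCII-only. Name comparison should not depend on the process locale, which the `<cctype>` classification functions do, so a comment should stop a later cleanup from swapping them in: `// ASCII-only on purpose; do not replace with locale-dependent <cctype> calls.` The same ranges are repeated in the verify_name_match_unittest.cc hunk, so a small file-local helper per range would keep the copies from drifting. The enclosing normalization function starts outside these hunks.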
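Review bot: In the -139,7 hunk the `default:` branch still fails closed with `success = false`, but the bare `// NOTREACHED` comment no longer asserts anything and does not say why the branch exists. A debug build will no longer flag an unexpected value here, so the comment should state the intent instead, for example `// Not expected to be reached; fail closed.` The switch starts outside the hunk, so what it dispatches on is not visible here.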
+++ b/chromium/net/cert/pki/verify_name_match_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc index dc5c810c501..cd8b3518efc 100644 --- a/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc +++ b/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_name_match_unittest.cc b/chromium/net/cert/pki/verify_name_match_unittest.cc index 59660c0c936..75e840711e8 100644 --- a/chromium/net/cert/pki/verify_name_match_unittest.cc +++ b/chromium/net/cert/pki/verify_name_match_unittest.cc @@ -1,11 +1,10 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/verify_name_match.h" #include "base/strings/string_number_conversions.h" -#include "base/strings/string_util.h" #include "net/cert/pki/test_helpers.h" #include "testing/gtest/include/gtest/gtest.h" @@ -330,8 +329,10 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidPrintableStringChars) { ASSERT_NE(std::string::npos, replace_location); for (int c = 0; c < 256; ++c) { SCOPED_TRACE(base::NumberToString(c)); - if (base::IsAsciiAlpha(c) || base::IsAsciiDigit(c)) + if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || + (c >= '0' && c <= '9')) { continue; + } switch (c) { case ' ': case '\'': 
diff --git a/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc index 996a6353342..c755fba6626 100644 --- a/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc +++ b/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc @@ -1,4 +1,4 @@ -// Copyright 2016 The Chromium Authors. All rights reserved. +// Copyright 2016 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_signed_data.cc b/chromium/net/cert/pki/verify_signed_data.cc index 5dc399129a2..7200b555f7f 100644 --- a/chromium/net/cert/pki/verify_signed_data.cc +++ b/chromium/net/cert/pki/verify_signed_data.cc @@ -1,10 +1,9 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/pki/verify_signed_data.h" -#include "base/numerics/safe_math.h" #include "crypto/openssl_util.h" #include "net/cert/pki/cert_errors.h" #include "net/cert/pki/signature_algorithm.h" @@ -155,15 +154,6 @@ bool VerifySignedData(SignatureAlgorithm algorithm, digest = EVP_sha512(); is_rsa_pss = true; break; - - case SignatureAlgorithm::kDsaSha1: - case SignatureAlgorithm::kDsaSha256: - case SignatureAlgorithm::kRsaPkcs1Md2: - case SignatureAlgorithm::kRsaPkcs1Md4: - case SignatureAlgorithm::kRsaPkcs1Md5: - // DSA, MD2, MD4, and MD5 are not supported. See - // https://crbug.com/1321688. - return false; } if (expected_pkey_id != EVP_PKEY_id(public_key)) diff --git a/chromium/net/cert/pki/verify_signed_data.h b/chromium/net/cert/pki/verify_signed_data.h index b904992dc1c..9e30ef9a252 100644 --- a/chromium/net/cert/pki/verify_signed_data.h +++ b/chromium/net/cert/pki/verify_signed_data.h 
@@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/pki/verify_signed_data_unittest.cc b/chromium/net/cert/pki/verify_signed_data_unittest.cc index 8a0a26e9cb0..a351fb38100 100644 --- a/chromium/net/cert/pki/verify_signed_data_unittest.cc +++ b/chromium/net/cert/pki/verify_signed_data_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/root_cert_list_generated.h b/chromium/net/cert/root_cert_list_generated.h index 8f5f7591d1c..cf13fcf103d 100644 --- a/chromium/net/cert/root_cert_list_generated.h +++ b/chromium/net/cert/root_cert_list_generated.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // @@ -1130,6 +1130,13 @@ const struct RootCertData { 278, true}, {{ + 0x48, 0xA8, 0xA7, 0xEC, 0xD0, 0x3A, 0x83, 0xB2, 0x6A, 0xEC, 0x75, + 0x74, 0xD0, 0x9D, 0x64, 0x53, 0xE9, 0x5F, 0x90, 0x36, 0x06, 0x34, + 0xCE, 0x20, 0x4B, 0xCB, 0xD4, 0x73, 0x99, 0x7D, 0x4C, 0x05, + }, + 532, + false}, + {{ 0x49, 0x05, 0x46, 0x66, 0x23, 0xAB, 0x41, 0x78, 0xBE, 0x92, 0xAC, 0x5C, 0xBD, 0x65, 0x84, 0xF7, 0xA1, 0xE1, 0x7F, 0x27, 0x65, 0x2D, 0x5A, 0x85, 0xAF, 0x89, 0x50, 0x4E, 0xA2, 0x39, 0xAA, 0xAA, 
@@ -1375,6 +1382,13 @@ const struct RootCertData { 440, true}, {{ + 0x58, 0x1C, 0xC1, 0x58, 0x21, 0x16, 0x96, 0x94, 0xC3, 0x9C, 0x29, + 0x91, 0xB5, 0x3E, 0x93, 0xAB, 0x94, 0x5A, 0x42, 0xB0, 0x76, 0x66, + 0x17, 0x74, 0xC2, 0xEC, 0xF3, 0x8A, 0x33, 0x23, 0xAC, 0xEA, + }, + 540, + false}, + {{ 0x58, 0x99, 0xD9, 0x13, 0xEA, 0xD1, 0x19, 0xB9, 0xCD, 0xB7, 0xBA, 0x2F, 0x30, 0xEF, 0xE0, 0xDF, 0x68, 0xAD, 0x2C, 0xD2, 0x25, 0xBD, 0xF4, 0x93, 0xE8, 0x32, 0x3A, 0x25, 0xAA, 0x4D, 0xBE, 0x23, @@ -1585,6 +1599,13 @@ const struct RootCertData { 126, true}, {{ + 0x68, 0x1D, 0xC4, 0x82, 0xC2, 0x96, 0xC8, 0x40, 0x2C, 0x6E, 0xBB, + 0x20, 0xE6, 0x83, 0x09, 0xA3, 0xBC, 0x84, 0x65, 0x23, 0xAE, 0x34, + 0xB9, 0x84, 0xA8, 0x4E, 0xE6, 0x97, 0xA3, 0x31, 0x2D, 0xB7, + }, + 536, + false}, + {{ 0x68, 0x27, 0x47, 0xF8, 0xBA, 0x62, 0x1B, 0x87, 0xCD, 0xD3, 0xBC, 0x29, 0x5E, 0xD5, 0xCA, 0xBC, 0xE7, 0x22, 0xA1, 0xC0, 0xC0, 0x36, 0x3D, 0x1D, 0x68, 0xB3, 0x89, 0x28, 0xD2, 0x78, 0x7F, 0x1E, @@ -1620,6 +1641,13 @@ const struct RootCertData { 499, true}, {{ + 0x69, 0x3C, 0x9A, 0xA6, 0xB2, 0x45, 0xB3, 0xB0, 0x26, 0x16, 0x37, + 0x75, 0x08, 0x63, 0xEA, 0xDB, 0x6C, 0x24, 0x8A, 0x16, 0xE5, 0x2D, + 0x6F, 0x4B, 0xC9, 0x0C, 0x86, 0xBB, 0xF3, 0x2D, 0x70, 0x42, + }, + 522, + false}, + {{ 0x6A, 0x43, 0x6B, 0x58, 0xD9, 0xD8, 0x30, 0xE8, 0xD5, 0xB8, 0xA6, 0x42, 0x50, 0x5A, 0xD6, 0xB4, 0x14, 0x06, 0xAD, 0xCD, 0x68, 0x94, 0xD9, 0x41, 0x4F, 0x7B, 0xE0, 0xA1, 0x46, 0x7B, 0xAD, 0xB7, @@ -1634,6 +1662,13 @@ const struct RootCertData { 421, true}, {{ + 0x6A, 0x97, 0xB5, 0x1C, 0x82, 0x19, 0xE9, 0x3E, 0x5D, 0xEC, 0x64, + 0xBA, 0xD5, 0x80, 0x6C, 0xDE, 0xB0, 0xF8, 0x35, 0x5B, 0xE4, 0x7E, + 0x75, 0x70, 0x10, 0xB7, 0x02, 0x45, 0x6E, 0x01, 0xAA, 0xFD, + }, + 531, + false}, + {{ 0x6B, 0x1A, 0x50, 0x5E, 0x02, 0x46, 0xF2, 0xF6, 0x0C, 0x49, 0x0F, 0xF0, 0xC0, 0x97, 0xA7, 0xBE, 0x27, 0x21, 0x0C, 0xBB, 0x75, 0x00, 0x23, 0x7F, 0x88, 0xB0, 0xCD, 0x48, 0x29, 0x8B, 0xC9, 0xB8, 
@@ -1760,6 +1795,13 @@ const struct RootCertData { 446, true}, {{ + 0x76, 0x21, 0x95, 0xC2, 0x25, 0x58, 0x6E, 0xE6, 0xC0, 0x23, 0x74, + 0x56, 0xE2, 0x10, 0x7D, 0xC5, 0x4F, 0x1E, 0xFC, 0x21, 0xF6, 0x1A, + 0x79, 0x2E, 0xBD, 0x51, 0x59, 0x13, 0xCC, 0xE6, 0x83, 0x32, + }, + 535, + false}, + {{ 0x76, 0xEE, 0x85, 0x90, 0x37, 0x4C, 0x71, 0x54, 0x37, 0xBB, 0xCA, 0x6B, 0xBA, 0x60, 0x28, 0xEA, 0xDD, 0xE2, 0xDC, 0x6D, 0xBB, 0xB8, 0xC3, 0xF6, 0x10, 0xE8, 0x51, 0xF1, 0x1D, 0x1A, 0xB7, 0xF5, @@ -2299,6 +2341,13 @@ const struct RootCertData { 259, true}, {{ + 0x96, 0x35, 0x2D, 0x0A, 0xD8, 0x75, 0xC0, 0x27, 0xDB, 0x82, 0xD5, + 0x99, 0xBA, 0xA8, 0xD4, 0x2E, 0x5C, 0x47, 0x26, 0x49, 0x98, 0x1E, + 0xCE, 0xED, 0x3B, 0xFC, 0x65, 0xF4, 0xC8, 0x1F, 0xD5, 0xC1, + }, + 526, + false}, + {{ 0x96, 0x47, 0x5B, 0x35, 0xAC, 0xB1, 0xC9, 0x30, 0x3A, 0x90, 0xBD, 0x1D, 0xBF, 0x57, 0x41, 0x8F, 0x78, 0xE2, 0x9A, 0xF1, 0x1C, 0x4D, 0xE8, 0xC8, 0xCB, 0xA2, 0xE5, 0xF9, 0x30, 0x9E, 0x38, 0xD4, @@ -2467,6 +2516,13 @@ const struct RootCertData { 407, true}, {{ + 0xA0, 0x2F, 0xAF, 0xA1, 0x92, 0xC8, 0xCB, 0x81, 0xCB, 0x13, 0x41, + 0x55, 0x4F, 0x9C, 0x05, 0xB7, 0x1C, 0xCA, 0x2A, 0x89, 0x0B, 0x0D, + 0x12, 0x98, 0xD6, 0x83, 0x64, 0x7C, 0x96, 0x1E, 0xFB, 0xDF, + }, + 523, + false}, + {{ 0xA1, 0x25, 0x74, 0xF4, 0xEB, 0x73, 0x95, 0xCC, 0x63, 0x0A, 0x15, 0xFE, 0xC8, 0xDB, 0x1C, 0x7C, 0x82, 0x8F, 0x66, 0x69, 0x9D, 0x98, 0x4C, 0x8C, 0x89, 0x7E, 0xCA, 0x44, 0xC8, 0x08, 0xF5, 0x5D, @@ -2516,6 +2572,13 @@ const struct RootCertData { 106, true}, {{ + 0xA4, 0x95, 0xC8, 0xD1, 0x10, 0xE8, 0xB9, 0xE2, 0x00, 0xF3, 0x70, + 0xAE, 0xDA, 0x3F, 0xF9, 0x2E, 0xE4, 0x3F, 0x8E, 0x3D, 0x4E, 0xC0, + 0xDB, 0x1C, 0x0D, 0xC5, 0x8B, 0xD7, 0x62, 0x88, 0x0B, 0xA5, + }, + 529, + false}, + {{ 0xA4, 0xB8, 0x9B, 0xB7, 0x06, 0x56, 0xEA, 0x49, 0x8F, 0x2D, 0x9E, 0x00, 0xA4, 0x97, 0xFD, 0xB9, 0xDC, 0xD2, 0x0B, 0x81, 0xB8, 0x93, 0x8E, 0x95, 0x2B, 0xBA, 0x2D, 0xF9, 0xF6, 0x57, 0x29, 0xC3, 
@@ -2719,6 +2782,13 @@ const struct RootCertData { 281, true}, {{ + 0xAE, 0x7F, 0x96, 0x2C, 0xB9, 0xE6, 0xA7, 0xDB, 0xF7, 0xB8, 0x33, + 0xFB, 0x18, 0xFA, 0x9B, 0x71, 0xA8, 0x91, 0x75, 0xDF, 0x94, 0x9C, + 0x23, 0x2B, 0x6A, 0x9E, 0xF7, 0xCB, 0x3D, 0xF2, 0xBB, 0xFC, + }, + 525, + false}, + {{ 0xAF, 0x11, 0x0F, 0x6B, 0x5A, 0xE8, 0xB7, 0x67, 0xEA, 0xC6, 0xE0, 0xAA, 0x27, 0x3F, 0x38, 0x16, 0xE7, 0xA4, 0x0A, 0x64, 0x4E, 0xDA, 0xCB, 0x43, 0x98, 0x14, 0x63, 0x56, 0xE7, 0x75, 0x09, 0xD6, @@ -2775,6 +2845,13 @@ const struct RootCertData { 72, true}, {{ + 0xB1, 0x5A, 0xC9, 0x56, 0x12, 0x04, 0x75, 0x61, 0x24, 0xB9, 0xC4, + 0xD3, 0xFE, 0x40, 0x6D, 0x93, 0x83, 0x3F, 0xF6, 0x66, 0x52, 0xF6, + 0x7F, 0xBF, 0x13, 0x9F, 0x5B, 0xBF, 0x03, 0x0A, 0x0E, 0x64, + }, + 528, + false}, + {{ 0xB1, 0x6C, 0xB1, 0xBA, 0x52, 0x9A, 0x39, 0xE2, 0xDF, 0xD5, 0x3B, 0x3F, 0xF5, 0xA7, 0x9F, 0x19, 0x04, 0x61, 0x4D, 0x83, 0xE3, 0x13, 0x04, 0xF0, 0x27, 0x8B, 0xB4, 0x0B, 0x38, 0xCF, 0x78, 0x24, @@ -2901,6 +2978,13 @@ const struct RootCertData { 178, false}, {{ + 0xBB, 0x0C, 0xE7, 0x04, 0x03, 0x14, 0xA1, 0x43, 0xDC, 0xD1, 0x0E, + 0x65, 0xCC, 0xAE, 0xEF, 0x70, 0x10, 0xE1, 0xB7, 0x84, 0xD1, 0x5D, + 0x19, 0x5D, 0x77, 0xB5, 0x60, 0x19, 0x56, 0xBF, 0x9E, 0x3F, + }, + 541, + false}, + {{ 0xBB, 0x41, 0x28, 0xEC, 0x96, 0x20, 0xF2, 0xD2, 0xA4, 0x9C, 0xE8, 0xE2, 0xC4, 0xE2, 0x57, 0xAE, 0xBA, 0xD9, 0x3A, 0x0F, 0x11, 0xC5, 0x6B, 0x5F, 0xA4, 0xB0, 0x0E, 0x23, 0x75, 0x9F, 0xA3, 0x9D, @@ -2936,6 +3020,13 @@ const struct RootCertData { 71, false}, {{ + 0xBD, 0xAC, 0xCB, 0xF2, 0xE8, 0xB2, 0x7C, 0x0C, 0x02, 0xA6, 0x89, + 0xEE, 0x86, 0x6C, 0x9B, 0x86, 0xEC, 0x04, 0x44, 0x2A, 0xFC, 0xDD, + 0xDD, 0x5D, 0x4E, 0xC3, 0x6D, 0xEF, 0x21, 0xE7, 0x61, 0xDD, + }, + 539, + false}, + {{ 0xBE, 0x32, 0x80, 0xC6, 0x86, 0x3C, 0x77, 0x0A, 0x33, 0xC9, 0x04, 0x0B, 0xD9, 0x7D, 0x55, 0x40, 0xB2, 0x16, 0xD1, 0xD9, 0x1D, 0xB8, 0xB0, 0x88, 0xCE, 0xAC, 0x11, 0x97, 0xDA, 0xE1, 0xD6, 0x60, 
@@ -2992,6 +3083,13 @@ const struct RootCertData { 124, false}, {{ + 0xC2, 0xB3, 0xC3, 0x1A, 0x4A, 0x29, 0x85, 0x0A, 0xA8, 0xF3, 0xCF, + 0x47, 0x2A, 0x11, 0x69, 0xFF, 0x71, 0xB4, 0x16, 0x57, 0x9F, 0x6A, + 0x44, 0x82, 0xEC, 0x77, 0x44, 0xB8, 0x3D, 0xF9, 0x88, 0xAC, + }, + 533, + false}, + {{ 0xC3, 0x72, 0xF6, 0xD1, 0x8E, 0xBE, 0xE5, 0xAA, 0x23, 0xD9, 0xE9, 0x19, 0xF3, 0xE6, 0xBE, 0x98, 0x48, 0x8E, 0xC0, 0x16, 0x07, 0xDF, 0x31, 0x62, 0xFC, 0x19, 0x2E, 0x4B, 0x13, 0x46, 0xAF, 0xB3, @@ -3258,6 +3356,13 @@ const struct RootCertData { 172, true}, {{ + 0xD6, 0xEC, 0x63, 0x48, 0xA7, 0xC4, 0xD4, 0x2A, 0xC4, 0x8D, 0x9C, + 0x43, 0x14, 0x5A, 0x8C, 0xD7, 0x19, 0x71, 0x36, 0x23, 0x63, 0x26, + 0x7C, 0x66, 0x73, 0xA7, 0x7B, 0x8A, 0x85, 0x73, 0xA6, 0x6B, + }, + 530, + false}, + {{ 0xD8, 0xFB, 0x33, 0xE3, 0x85, 0xC9, 0xC2, 0xDA, 0x72, 0x9A, 0x84, 0x70, 0x6B, 0xA9, 0x27, 0xDC, 0xBB, 0x79, 0x27, 0x3E, 0x12, 0x2F, 0xFD, 0x96, 0x73, 0x36, 0x3B, 0x70, 0xB7, 0xF3, 0x6C, 0xBB, @@ -3328,6 +3433,13 @@ const struct RootCertData { 236, true}, {{ + 0xDE, 0x7B, 0x69, 0x32, 0xE9, 0xC4, 0x45, 0x82, 0xCE, 0x0D, 0xE0, + 0x7A, 0xBD, 0xAB, 0x7E, 0xEA, 0x90, 0xC7, 0x5D, 0x6D, 0x2A, 0x07, + 0x33, 0x1D, 0xF5, 0x7B, 0xD5, 0xCB, 0x88, 0x55, 0x3D, 0x13, + }, + 542, + false}, + {{ 0xDF, 0x53, 0x0B, 0xAC, 0x9F, 0xCD, 0x91, 0x4C, 0x25, 0x2C, 0x2F, 0xBD, 0xCE, 0xDD, 0xC6, 0x18, 0x3D, 0x4A, 0xE8, 0xC6, 0x80, 0xAD, 0x65, 0xF0, 0x3E, 0x20, 0x48, 0x61, 0xDD, 0x7B, 0x1C, 0x73, @@ -3335,6 +3447,13 @@ const struct RootCertData { 313, true}, {{ + 0xE0, 0x4A, 0x02, 0x2C, 0xE3, 0x2F, 0x4C, 0xCF, 0x2C, 0x7F, 0x60, + 0x46, 0x28, 0x7B, 0x82, 0x8A, 0x32, 0xA9, 0x09, 0xF5, 0xE7, 0x51, + 0x44, 0x7F, 0x83, 0xFD, 0x2C, 0x71, 0xF6, 0xFD, 0x81, 0x73, + }, + 524, + false}, + {{ 0xE0, 0xC7, 0x80, 0xC6, 0x29, 0x90, 0x3E, 0x12, 0x6F, 0x1D, 0x91, 0x95, 0x70, 0xDC, 0xE7, 0xC4, 0x96, 0xF8, 0x5F, 0x33, 0xAA, 0xE6, 0x6B, 0x9A, 0x31, 0x47, 0xEE, 0x75, 0xF8, 0xD1, 0x62, 0x0A, 
@@ -3349,6 +3468,13 @@ const struct RootCertData { 369, true}, {{ + 0xE1, 0x4E, 0x51, 0x89, 0x1F, 0x34, 0x92, 0x24, 0x3E, 0xEA, 0x61, + 0x3B, 0xC2, 0xC8, 0x14, 0xD4, 0x72, 0x24, 0xB2, 0x24, 0xC5, 0x7D, + 0x38, 0x16, 0x9E, 0x95, 0x8E, 0x30, 0xB3, 0xDE, 0xDE, 0xE4, + }, + 527, + false}, + {{ 0xE1, 0x56, 0x44, 0x5F, 0xA2, 0x0C, 0x32, 0xAD, 0x00, 0x93, 0x7B, 0x27, 0xD0, 0x96, 0xB8, 0x96, 0x3B, 0xCC, 0x86, 0x39, 0x50, 0x33, 0x3A, 0x87, 0x7E, 0x68, 0xFA, 0x69, 0x70, 0x7A, 0x03, 0xAF, @@ -3489,6 +3615,13 @@ const struct RootCertData { 129, true}, {{ + 0xF0, 0x01, 0x1F, 0x92, 0xFC, 0xF9, 0xBE, 0x36, 0xC7, 0xA5, 0xB3, + 0x6E, 0x7B, 0xC8, 0x62, 0xAB, 0x20, 0xE9, 0x4E, 0xF3, 0x6F, 0xEA, + 0x8A, 0x56, 0x1D, 0xB0, 0xA8, 0xD7, 0x75, 0x0C, 0x1F, 0x51, + }, + 537, + false}, + {{ 0xF1, 0xC6, 0xBA, 0x67, 0x0C, 0xFC, 0x88, 0xE4, 0xDF, 0x52, 0x97, 0x3C, 0xAE, 0x42, 0x0F, 0x0A, 0x08, 0x9D, 0xD4, 0x74, 0x14, 0x4F, 0xE5, 0x80, 0x6C, 0x42, 0x00, 0x64, 0xE1, 0x59, 0x12, 0x29, @@ -3629,6 +3762,13 @@ const struct RootCertData { 158, true}, {{ + 0xFC, 0x78, 0x43, 0x00, 0xEC, 0x8D, 0xF4, 0xD3, 0xD1, 0xBA, 0xD7, + 0x63, 0x83, 0x51, 0x82, 0x91, 0x8D, 0x52, 0xA9, 0xFF, 0x02, 0x38, + 0xBD, 0xF6, 0x95, 0xA1, 0xCD, 0x9B, 0xDB, 0x98, 0x32, 0x1C, + }, + 534, + false}, + {{ 0xFC, 0xF7, 0xDA, 0x98, 0x36, 0x03, 0xE8, 0x88, 0x62, 0x03, 0x0D, 0x96, 0x13, 0x7D, 0x8E, 0x13, 0x03, 0x1B, 0xAD, 0xFB, 0x4D, 0x56, 0xC1, 0xFD, 0x4C, 0xAC, 0xC3, 0x39, 0xF6, 0xBD, 0xBB, 0x2A, @@ -3664,6 +3804,13 @@ const struct RootCertData { 110, false}, {{ + 0xFE, 0xE8, 0xAF, 0x92, 0x91, 0x75, 0x68, 0x7F, 0x46, 0x38, 0xA3, + 0xFC, 0x98, 0x3D, 0xB8, 0xEC, 0xD0, 0xE5, 0xE2, 0xA8, 0x3E, 0x73, + 0x7F, 0x3F, 0xB7, 0x7B, 0x4C, 0x22, 0xFC, 0xBA, 0xC0, 0xA6, + }, + 538, + false}, + {{ 0xFF, 0x34, 0x2F, 0xB6, 0xC4, 0xC8, 0xBD, 0x30, 0xA4, 0x70, 0x6F, 0x73, 0x48, 0x95, 0x39, 0xF1, 0x9E, 0x6E, 0x48, 0xCC, 0x05, 0xF4, 0x62, 0x54, 0x65, 0x4F, 0x66, 0x10, 0xDB, 0xC5, 0x40, 0xE9, 
diff --git a/chromium/net/cert/root_store.proto b/chromium/net/cert/root_store.proto
index e4bd09a6339..91525dda07d 100644
--- a/chromium/net/cert/root_store.proto
+++ b/chromium/net/cert/root_store.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/scoped_nss_types.h b/chromium/net/cert/scoped_nss_types.h
index a8b56549cea..b5821822de0 100644
--- a/chromium/net/cert/scoped_nss_types.h
+++ b/chromium/net/cert/scoped_nss_types.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/sct_auditing_delegate.h b/chromium/net/cert/sct_auditing_delegate.h
index 2a146a80be6..d2f4b728ee4 100644
--- a/chromium/net/cert/sct_auditing_delegate.h
+++ b/chromium/net/cert/sct_auditing_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/sct_status_flags.cc b/chromium/net/cert/sct_status_flags.cc
index 92042fa6429..d67b4b008e8 100644
--- a/chromium/net/cert/sct_status_flags.cc
+++ b/chromium/net/cert/sct_status_flags.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/sct_status_flags.h b/chromium/net/cert/sct_status_flags.h
index 0957cdcbf6c..8bcbf0b2301 100644
--- a/chromium/net/cert/sct_status_flags.h
+++ b/chromium/net/cert/sct_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_certificate_timestamp.cc b/chromium/net/cert/signed_certificate_timestamp.cc
index da6e2c967b9..31c73f08cfb 100644
--- a/chromium/net/cert/signed_certificate_timestamp.cc
+++ b/chromium/net/cert/signed_certificate_timestamp.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_certificate_timestamp.h b/chromium/net/cert/signed_certificate_timestamp.h
index a877ee724ec..a4427df1d01 100644
--- a/chromium/net/cert/signed_certificate_timestamp.h
+++ b/chromium/net/cert/signed_certificate_timestamp.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_certificate_timestamp_and_status.cc b/chromium/net/cert/signed_certificate_timestamp_and_status.cc
index a1ac7ac718c..dfa0126a67b 100644
--- a/chromium/net/cert/signed_certificate_timestamp_and_status.cc
+++ b/chromium/net/cert/signed_certificate_timestamp_and_status.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_certificate_timestamp_and_status.h b/chromium/net/cert/signed_certificate_timestamp_and_status.h
index 51cc06dd719..cdd70e68952 100644
--- a/chromium/net/cert/signed_certificate_timestamp_and_status.h
+++ b/chromium/net/cert/signed_certificate_timestamp_and_status.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_certificate_timestamp_unittest.cc b/chromium/net/cert/signed_certificate_timestamp_unittest.cc
index 0b9a7d96b88..a17cb9c3ddb 100644
--- a/chromium/net/cert/signed_certificate_timestamp_unittest.cc
+++ b/chromium/net/cert/signed_certificate_timestamp_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_tree_head.cc b/chromium/net/cert/signed_tree_head.cc
index 9640b135a5d..41c205341d9 100644
--- a/chromium/net/cert/signed_tree_head.cc
+++ b/chromium/net/cert/signed_tree_head.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/signed_tree_head.h b/chromium/net/cert/signed_tree_head.h
index 13248888314..98978415be5 100644
--- a/chromium/net/cert/signed_tree_head.h
+++ b/chromium/net/cert/signed_tree_head.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/symantec_certs.cc b/chromium/net/cert/symantec_certs.cc
index ae4a3c9b0c2..82dcecf9dea 100644
--- a/chromium/net/cert/symantec_certs.cc
+++ b/chromium/net/cert/symantec_certs.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/symantec_certs.h b/chromium/net/cert/symantec_certs.h
index f34d08ef14d..9f1dafc9dca 100644
--- a/chromium/net/cert/symantec_certs.h
+++ b/chromium/net/cert/symantec_certs.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/symantec_certs_unittest.cc b/chromium/net/cert/symantec_certs_unittest.cc
index 6a1fff6cb31..44a2da68e10 100644
--- a/chromium/net/cert/symantec_certs_unittest.cc
+++ b/chromium/net/cert/symantec_certs_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/test_keychain_search_list_mac.cc b/chromium/net/cert/test_keychain_search_list_mac.cc
index c2fe00107a2..02215a6cdfe 100644
--- a/chromium/net/cert/test_keychain_search_list_mac.cc
+++ b/chromium/net/cert/test_keychain_search_list_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/test_keychain_search_list_mac.h b/chromium/net/cert/test_keychain_search_list_mac.h
index 48edf89d979..002264ac9cc 100644
--- a/chromium/net/cert/test_keychain_search_list_mac.h
+++ b/chromium/net/cert/test_keychain_search_list_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/test_root_certs.cc b/chromium/net/cert/test_root_certs.cc
index fd158a06352..8b1f2a4d88e 100644
--- a/chromium/net/cert/test_root_certs.cc
+++ b/chromium/net/cert/test_root_certs.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/test_root_certs.h b/chromium/net/cert/test_root_certs.h
index c299b3c6d3b..00139642feb 100644
--- a/chromium/net/cert/test_root_certs.h
+++ b/chromium/net/cert/test_root_certs.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/test_root_certs_android.cc b/chromium/net/cert/test_root_certs_android.cc
index ce1bca56018..3cbef700135 100644
--- a/chromium/net/cert/test_root_certs_android.cc
+++ b/chromium/net/cert/test_root_certs_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/test_root_certs_builtin.cc b/chromium/net/cert/test_root_certs_builtin.cc
index c26eb4a290e..26a833c7f15 100644
--- a/chromium/net/cert/test_root_certs_builtin.cc
+++ b/chromium/net/cert/test_root_certs_builtin.cc
@@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/test_root_certs_mac.cc b/chromium/net/cert/test_root_certs_mac.cc index d5023728e2c..777ae20e02d 100644 --- a/chromium/net/cert/test_root_certs_mac.cc +++ b/chromium/net/cert/test_root_certs_mac.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/test_root_certs_unittest.cc b/chromium/net/cert/test_root_certs_unittest.cc index f430c590623..aefbf56b199 100644 --- a/chromium/net/cert/test_root_certs_unittest.cc +++ b/chromium/net/cert/test_root_certs_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2013 The Chromium Authors. All rights reserved. +// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
@@ -33,15 +33,14 @@ const char kRootCertificateFile[] = "root_ca_cert.pem"; const char kGoodCertificateFile[] = "ok_cert.pem"; scoped_refptr<CertVerifyProc> CreateCertVerifyProc() { -#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) - return CertVerifyProc::CreateBuiltinVerifyProc(/*cert_net_fetcher=*/nullptr); -#elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) - if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) { - return CertVerifyProc::CreateBuiltinVerifyProc( +#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) + if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) { + return CertVerifyProc::CreateBuiltinWithChromeRootStore( /*cert_net_fetcher=*/nullptr); - } else { - return CertVerifyProc::CreateSystemVerifyProc(/*cert_net_fetcher=*/nullptr); } +#endif +#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) + return CertVerifyProc::CreateBuiltinVerifyProc(/*cert_net_fetcher=*/nullptr); #else return CertVerifyProc::CreateSystemVerifyProc(/*cert_net_fetcher=*/nullptr); #endif diff --git a/chromium/net/cert/test_root_certs_win.cc b/chromium/net/cert/test_root_certs_win.cc index 85632fbbc46..cabdd8b4138 100644 --- a/chromium/net/cert/test_root_certs_win.cc +++ b/chromium/net/cert/test_root_certs_win.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/trial_comparison_cert_verifier.cc b/chromium/net/cert/trial_comparison_cert_verifier.cc index 963677c5ed0..47158ef7a8b 100644 --- a/chromium/net/cert/trial_comparison_cert_verifier.cc +++ b/chromium/net/cert/trial_comparison_cert_verifier.cc 
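Review bot: Which verifier `CreateCertVerifyProc()` hands to the tests now depends on the runtime state of `features::kChromeRootStoreUsed` wherever `CHROME_ROOT_STORE_SUPPORTED` is set, and nothing in the helper says so or pins it. On such builds each run exercises only one of the two verifier paths, so a regression in how the other path honours test roots would likely go unnoticed unless the feature is toggled elsewhere (not visible here). I would add a comment above the first `#if`, e.g. `// Uses the Chrome Root Store verifier when the feature is on; otherwise falls through to the platform default below.`, and consider running these tests with the feature both enabled and disabled. The function's closing brace lies outside the hunk.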
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/trial_comparison_cert_verifier.h b/chromium/net/cert/trial_comparison_cert_verifier.h
index f6d0981a6d0..f746593a7df 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier.h
+++ b/chromium/net/cert/trial_comparison_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc b/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc
index 5769a076753..26ae5f4b5a6 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/trial_comparison_cert_verifier_util.cc b/chromium/net/cert/trial_comparison_cert_verifier_util.cc
index b51d4306286..e039910c1a2 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier_util.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/trial_comparison_cert_verifier_util.h b/chromium/net/cert/trial_comparison_cert_verifier_util.h
index fd10d8bfdfc..9321d47938d 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier_util.h
+++ b/chromium/net/cert/trial_comparison_cert_verifier_util.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_cert_types.cc b/chromium/net/cert/x509_cert_types.cc
index 202181d7e00..9263cc3e4ce 100644
--- a/chromium/net/cert/x509_cert_types.cc
+++ b/chromium/net/cert/x509_cert_types.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_cert_types.h b/chromium/net/cert/x509_cert_types.h
index 8450ee0b93b..13ab5629f31 100644
--- a/chromium/net/cert/x509_cert_types.h
+++ b/chromium/net/cert/x509_cert_types.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_cert_types_unittest.cc b/chromium/net/cert/x509_cert_types_unittest.cc
index 5de99ffea3d..7c3c97aa3d9 100644
--- a/chromium/net/cert/x509_cert_types_unittest.cc
+++ b/chromium/net/cert/x509_cert_types_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_certificate.cc b/chromium/net/cert/x509_certificate.cc
index 1dac369039a..be2c1d3aade 100644
--- a/chromium/net/cert/x509_certificate.cc
+++ b/chromium/net/cert/x509_certificate.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_certificate.h b/chromium/net/cert/x509_certificate.h
index 751d6c3e917..31cd48d3d8a 100644
--- a/chromium/net/cert/x509_certificate.h
+++ b/chromium/net/cert/x509_certificate.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_certificate_net_log_param.cc b/chromium/net/cert/x509_certificate_net_log_param.cc
index 61faf8a47f1..2a32576f762 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.cc
+++ b/chromium/net/cert/x509_certificate_net_log_param.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_certificate_net_log_param.h b/chromium/net/cert/x509_certificate_net_log_param.h
index fe03f0a7907..218431e68cf 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.h
+++ b/chromium/net/cert/x509_certificate_net_log_param.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_certificate_unittest.cc b/chromium/net/cert/x509_certificate_unittest.cc
index a32ba859784..d3236f7f95a 100644
--- a/chromium/net/cert/x509_certificate_unittest.cc
+++ b/chromium/net/cert/x509_certificate_unittest.cc
@@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -22,6 +22,7 @@ #include "net/cert/pem.h" #include "net/cert/pki/parse_certificate.h" #include "net/cert/x509_util.h" +#include "net/test/cert_builder.h" #include "net/test/cert_test_util.h" #include "net/test/test_certificate_data.h" #include "net/test/test_data_directory.h" 
@@ -921,66 +922,38 @@ TEST(X509CertificateTest, IsSelfSigned) { } TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) { - static const unsigned char kPolicyRootDN[] = { - 0x30, 0x1e, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, - 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41 - }; - static const unsigned char kPolicyIntermediateDN[] = { - 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, - 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, - 0x65, 0x20, 0x43, 0x41 - }; - - base::FilePath certs_dir = GetTestCertsDirectory(); + std::unique_ptr<CertBuilder> leaf, intermediate, root; + CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root); + ASSERT_TRUE(leaf && intermediate && root); - CertificateList policy_chain = CreateCertificateListFromFile( - certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO); - ASSERT_EQ(3u, policy_chain.size()); + std::string intermediate_dn = intermediate->GetSubject(); + std::string root_dn = root->GetSubject(); - // The intermediate CA certificate's policyConstraints extension has a - // requireExplicitPolicy field with SkipCerts=0. - std::string policy_intermediate_dn( - reinterpret_cast<const char*>(kPolicyIntermediateDN), - sizeof(kPolicyIntermediateDN)); - std::string policy_root_dn(reinterpret_cast<const char*>(kPolicyRootDN), - sizeof(kPolicyRootDN)); - - std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; - intermediates.push_back(bssl::UpRef(policy_chain[1]->cert_buffer())); - scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromBuffer( - bssl::UpRef(policy_chain[0]->cert_buffer()), std::move(intermediates)); + // Create an X509Certificate object containing the leaf and the intermediate + // but not the root. 
+ scoped_refptr<X509Certificate> cert_chain = leaf->GetX509CertificateChain(); ASSERT_TRUE(cert_chain); - std::vector<std::string> issuers; - // Check that the chain is issued by the intermediate. - issuers.clear(); - issuers.push_back(policy_intermediate_dn); - EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); + EXPECT_TRUE(cert_chain->IsIssuedByEncoded({intermediate_dn})); // Check that the chain is also issued by the root. - issuers.clear(); - issuers.push_back(policy_root_dn); - EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); + EXPECT_TRUE(cert_chain->IsIssuedByEncoded({root_dn})); // Check that the chain is issued by either the intermediate or the root. - issuers.clear(); - issuers.push_back(policy_intermediate_dn); - issuers.push_back(policy_root_dn); - EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers)); + EXPECT_TRUE(cert_chain->IsIssuedByEncoded({intermediate_dn, root_dn})); // Check that an empty issuers list returns false. - issuers.clear(); - EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers)); + EXPECT_FALSE(cert_chain->IsIssuedByEncoded({})); // Check that the chain is not issued by Verisign - std::string mit_issuer(reinterpret_cast<const char*>(VerisignDN), - sizeof(VerisignDN)); - issuers.clear(); - issuers.push_back(mit_issuer); - EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers)); + std::string verisign_issuer(reinterpret_cast<const char*>(VerisignDN), + sizeof(VerisignDN)); + EXPECT_FALSE(cert_chain->IsIssuedByEncoded({verisign_issuer})); + + // Check that the chain is issued by root, though the extraneous Verisign + // name is also given. + EXPECT_TRUE(cert_chain->IsIssuedByEncoded({verisign_issuer, root_dn})); } const struct CertificateFormatTestData { diff --git a/chromium/net/cert/x509_util.cc b/chromium/net/cert/x509_util.cc index 310742ec97a..537ff4ac9b8 100644 --- a/chromium/net/cert/x509_util.cc +++ b/chromium/net/cert/x509_util.cc 
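Review bot: The `IsIssuedByEncoded({root_dn})` expectation in `IsIssuedByEncodedWithIntermediates` only demonstrates issuer-name matching through the intermediate if the chain really omits the root, and that is stated in a comment but never checked. Adding `ASSERT_EQ(1u, cert_chain->intermediate_buffers().size());` right after `ASSERT_TRUE(cert_chain);` would pin the assumption, so a later change to what `GetX509CertificateChain()` returns cannot quietly weaken what the test proves. The `CertBuilder` helpers come from `net/test/cert_builder.h`, which is not visible here, so the current chain contents are taken from the comment only.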
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_util.h b/chromium/net/cert/x509_util.h
index f86c7cd9a99..f2a615663ad 100644
--- a/chromium/net/cert/x509_util.h
+++ b/chromium/net/cert/x509_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_util_android.cc b/chromium/net/cert/x509_util_android.cc
index d607d5bc83d..a4b2642fd28 100644
--- a/chromium/net/cert/x509_util_android.cc
+++ b/chromium/net/cert/x509_util_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_util_apple.cc b/chromium/net/cert/x509_util_apple.cc
index 979e84f2d82..ae69948dfca 100644
--- a/chromium/net/cert/x509_util_apple.cc
+++ b/chromium/net/cert/x509_util_apple.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -75,16 +75,16 @@ CreateSecCertificateArrayForX509Certificate( return base::ScopedCFTypeRef<CFMutableArrayRef>(); CFArrayAppendValue(cert_list, sec_cert); for (const auto& intermediate : cert->intermediate_buffers()) { - base::ScopedCFTypeRef<SecCertificateRef> sec_cert( + base::ScopedCFTypeRef<SecCertificateRef> intermediate_cert( CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(intermediate.get()), CRYPTO_BUFFER_len(intermediate.get()))); - if (!sec_cert) { + if (!intermediate_cert) { if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail) return base::ScopedCFTypeRef<CFMutableArrayRef>(); LOG(WARNING) << "error parsing intermediate"; continue; } - CFArrayAppendValue(cert_list, sec_cert); + CFArrayAppendValue(cert_list, intermediate_cert); } return cert_list; } diff --git a/chromium/net/cert/x509_util_apple.h b/chromium/net/cert/x509_util_apple.h index 1348a2ef5f3..d1bba8d868d 100644 --- a/chromium/net/cert/x509_util_apple.h +++ b/chromium/net/cert/x509_util_apple.h @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/x509_util_apple_unittest.cc b/chromium/net/cert/x509_util_apple_unittest.cc index 06ff6b8c108..683827a710c 100644 --- a/chromium/net/cert/x509_util_apple_unittest.cc +++ b/chromium/net/cert/x509_util_apple_unittest.cc @@ -1,4 +1,4 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. +// Copyright 2017 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/x509_util_mac.cc b/chromium/net/cert/x509_util_mac.cc index bb675db0715..21892943aa9 100644 --- a/chromium/net/cert/x509_util_mac.cc +++ b/chromium/net/cert/x509_util_mac.cc 
@@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/x509_util_mac.h b/chromium/net/cert/x509_util_mac.h index d95f21af267..8c2e1fa2dd0 100644 --- a/chromium/net/cert/x509_util_mac.h +++ b/chromium/net/cert/x509_util_mac.h @@ -1,4 +1,4 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. diff --git a/chromium/net/cert/x509_util_nss.cc b/chromium/net/cert/x509_util_nss.cc index d52282832e5..6d17c40f445 100644 --- a/chromium/net/cert/x509_util_nss.cc +++ b/chromium/net/cert/x509_util_nss.cc @@ -1,4 +1,4 @@ -// Copyright 2015 The Chromium Authors. All rights reserved. +// Copyright 2015 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -7,15 +7,18 @@ #include <cert.h> // Must be included before certdb.h #include <certdb.h> #include <cryptohi.h> +#include <dlfcn.h> #include <nss.h> #include <pk11pub.h> #include <prerror.h> +#include <seccomon.h> #include <secder.h> #include <sechash.h> #include <secmod.h> #include <secport.h> #include <string.h> +#include "base/compiler_specific.h" #include "base/logging.h" #include "base/strings/stringprintf.h" #include "crypto/nss_util.h" 
@@ -436,4 +439,19 @@ SHA256HashValue CalculateFingerprint256(CERTCertificate* cert) { return sha256; } +DISABLE_CFI_DLSYM +SECStatus GetCertIsPerm(const CERTCertificate* cert, PRBool* isperm) { + // TODO(https://crbug.com/1365414): When the minimum NSS version is raised to + // 3.31 or higher, replace this with calling CERT_GetCertIsPerm directly. + using GetCertIsPermFunction = SECStatus (*)(const CERTCertificate*, PRBool*); + static GetCertIsPermFunction get_cert_is_perm = + reinterpret_cast<GetCertIsPermFunction>( + dlsym(RTLD_DEFAULT, "CERT_GetCertIsPerm")); + if (get_cert_is_perm) { + return get_cert_is_perm(cert, isperm); + } + *isperm = cert->isperm; + return SECSuccess; +} + } // namespace net::x509_util diff --git a/chromium/net/cert/x509_util_nss.h b/chromium/net/cert/x509_util_nss.h index c9cb113a88d..c8c1a1e313e 100644 --- a/chromium/net/cert/x509_util_nss.h +++ b/chromium/net/cert/x509_util_nss.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright 2011 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -157,6 +157,11 @@ NET_EXPORT bool GetValidityTimes(CERTCertificate* cert, // (all zero) fingerprint on failure. NET_EXPORT SHA256HashValue CalculateFingerprint256(CERTCertificate* cert); +// Behaves like `CERT_GetCertIsPerm` in NSS. This function's type signature +// mirrors the NSS function so call sites can be easily replaced when +// https://crbug.com/1365414 is resolved. +NET_EXPORT SECStatus GetCertIsPerm(const CERTCertificate* cert, PRBool* isperm); + } // namespace net::x509_util #endif // NET_CERT_X509_UTIL_NSS_H_ diff --git a/chromium/net/cert/x509_util_nss_unittest.cc b/chromium/net/cert/x509_util_nss_unittest.cc index 89816c2452c..65d7f114e91 100644 --- a/chromium/net/cert/x509_util_nss_unittest.cc +++ b/chromium/net/cert/x509_util_nss_unittest.cc 
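Review bot: The fallback path in `GetCertIsPerm` (x509_util_nss.cc) dereferences both `cert` and `isperm` unconditionally, while the declaration comment added in x509_util_nss.h only says it behaves like `CERT_GetCertIsPerm` and states no non-null precondition. If the NSS function rejects a null certificate (I believe it does, but that should be confirmed against the NSS source), the two paths differ on bad input; a guard such as `if (!cert || !isperm) return SECFailure;` at the top of the function would make both paths fail the same way. It would also help to add a comment next to `DISABLE_CFI_DLSYM` saying that the indirect call goes through a pointer resolved with `dlsym(RTLD_DEFAULT, ...)` from whichever NSS is loaded, so the relaxed control-flow check is deliberate and limited to this function.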
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_util_unittest.cc b/chromium/net/cert/x509_util_unittest.cc
index 00d5d281297..6a61fe90690 100644
--- a/chromium/net/cert/x509_util_unittest.cc
+++ b/chromium/net/cert/x509_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_util_win.cc b/chromium/net/cert/x509_util_win.cc
index ad819d986f6..72c537ac4f4 100644
--- a/chromium/net/cert/x509_util_win.cc
+++ b/chromium/net/cert/x509_util_win.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
diff --git a/chromium/net/cert/x509_util_win.h b/chromium/net/cert/x509_util_win.h
index 02f52cdaee1..27e08bb29b6 100644
--- a/chromium/net/cert/x509_util_win.h
+++ b/chromium/net/cert/x509_util_win.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file. |