diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-12-10 16:19:40 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-12-10 16:01:50 +0000 |
| commit | 51f6c2793adab2d864b3d2b360000ef8db1d3e92 (patch) | |
| tree | 835b3b4446b012c75e80177cef9fbe6972cc7dbe /chromium/net/cert | |
| parent | 6036726eb981b6c4b42047513b9d3f4ac865daac (diff) | |
| download | qtwebengine-chromium-51f6c2793adab2d864b3d2b360000ef8db1d3e92.tar.gz | |
BASELINE: Update Chromium to 71.0.3578.93
Change-Id: I6a32086c33670e1b033f8b10e6bf1fd4da1d105d
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/net/cert')
21 files changed, 106 insertions, 74 deletions
diff --git a/chromium/net/cert/cert_verify_proc.cc b/chromium/net/cert/cert_verify_proc.cc index bb9e67681ad..7d6be709a1d 100644 --- a/chromium/net/cert/cert_verify_proc.cc +++ b/chromium/net/cert/cert_verify_proc.cc @@ -886,6 +886,6 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { // static const base::Feature CertVerifyProc::kLegacySymantecPKIEnforcement{ - "LegacySymantecPKI", base::FEATURE_DISABLED_BY_DEFAULT}; + "LegacySymantecPKI", base::FEATURE_ENABLED_BY_DEFAULT}; } // namespace net diff --git a/chromium/net/cert/cert_verify_proc_nss.cc b/chromium/net/cert/cert_verify_proc_nss.cc index 9c11b0545aa..9615b13c157 100644 --- a/chromium/net/cert/cert_verify_proc_nss.cc +++ b/chromium/net/cert/cert_verify_proc_nss.cc @@ -290,8 +290,7 @@ CRLSetResult CheckRevocationWithCRLSet(const CERTCertList* cert_list, // We iterate from the root certificate down to the leaf, keeping track of // the issuer's SPKI at each step. std::string issuer_spki_hash; - for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin(); - i != certs.rend(); ++i) { + for (auto i = certs.rbegin(); i != certs.rend(); ++i) { CERTCertificate* cert = *i; base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data), diff --git a/chromium/net/cert/crl_set.cc b/chromium/net/cert/crl_set.cc index 4758bb667ab..aa07edc17ac 100644 --- a/chromium/net/cert/crl_set.cc +++ b/chromium/net/cert/crl_set.cc @@ -257,8 +257,7 @@ bool CRLSet::Parse(base::StringPiece data, scoped_refptr<CRLSet>* out_crl_set) { } CRLSet::Result CRLSet::CheckSPKI(const base::StringPiece& spki_hash) const { - for (std::vector<std::string>::const_iterator i = blocked_spkis_.begin(); - i != blocked_spkis_.end(); ++i) { + for (auto i = blocked_spkis_.begin(); i != blocked_spkis_.end(); ++i) { if (spki_hash.size() == i->size() && memcmp(spki_hash.data(), i->data(), i->size()) == 0) { return REVOKED; diff --git a/chromium/net/cert/ct_log_verifier.cc b/chromium/net/cert/ct_log_verifier.cc index 546301ffc0d..7559d337b92 100644 --- a/chromium/net/cert/ct_log_verifier.cc +++ b/chromium/net/cert/ct_log_verifier.cc @@ -177,7 +177,7 @@ bool CTLogVerifier::VerifyConsistencyProof( // 1. If "first" is an exact power of 2, then prepend "first_hash" to the // "consistency_path" array. base::StringPiece first_proof_node = old_tree_hash; - std::vector<std::string>::const_iterator iter = proof.nodes.begin(); + auto iter = proof.nodes.begin(); if (!IsPowerOfTwo(proof.first_tree_size)) { if (iter == proof.nodes.end()) return false; diff --git a/chromium/net/cert/ct_policy_status.h b/chromium/net/cert/ct_policy_status.h index eb167b6168d..c67269724df 100644 --- a/chromium/net/cert/ct_policy_status.h +++ b/chromium/net/cert/ct_policy_status.h @@ -27,7 +27,7 @@ enum class CTPolicyCompliance { // Compliance details for the connection are not available, e.g. because a // resource was loaded from disk cache. CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE = 4, - CT_POLICY_MAX + CT_POLICY_COUNT }; } // namespace ct diff --git a/chromium/net/cert/ev_root_ca_metadata.cc b/chromium/net/cert/ev_root_ca_metadata.cc index 480d0389c4e..9733b8228b9 100644 --- a/chromium/net/cert/ev_root_ca_metadata.cc +++ b/chromium/net/cert/ev_root_ca_metadata.cc @@ -796,7 +796,7 @@ bool EVRootCAMetadata::IsEVPolicyOIDGivenBytes( bool EVRootCAMetadata::HasEVPolicyOID(const SHA256HashValue& fingerprint, PolicyOID policy_oid) const { - PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint); + auto iter = ev_policy_.find(fingerprint); if (iter == ev_policy_.end()) return false; return std::find(iter->second.begin(), iter->second.end(), policy_oid) != @@ -837,7 +837,7 @@ bool EVRootCAMetadata::AddEVCA(const SHA256HashValue& fingerprint, } bool EVRootCAMetadata::RemoveEVCA(const SHA256HashValue& fingerprint) { - PolicyOIDMap::iterator it = ev_policy_.find(fingerprint); + auto it = ev_policy_.find(fingerprint); if (it == ev_policy_.end()) return false; PolicyOID oid = it->second[0]; diff --git a/chromium/net/cert/internal/certificate_policies.cc b/chromium/net/cert/internal/certificate_policies.cc index db7cd19ff27..bbc142d343e 100644 --- a/chromium/net/cert/internal/certificate_policies.cc +++ b/chromium/net/cert/internal/certificate_policies.cc @@ -211,8 +211,7 @@ bool ParseCertificatePoliciesExtension(const der::Input& extension_value, // Build the |policies| vector in sorted order (sorted on DER encoded policy // OID). Use a binary search to check whether a duplicate policy is present, // and if not, where to insert the policy to maintain the sorted order. - std::vector<der::Input>::iterator i = - std::lower_bound(policies->begin(), policies->end(), policy_oid); + auto i = std::lower_bound(policies->begin(), policies->end(), policy_oid); // RFC 5280 section 4.2.1.4: A certificate policy OID MUST NOT appear more // than once in a certificate policies extension. if (i != policies->end() && *i == policy_oid) { diff --git a/chromium/net/cert/internal/verify_name_match.cc b/chromium/net/cert/internal/verify_name_match.cc index 858f6fe9b02..68194e702ef 100644 --- a/chromium/net/cert/internal/verify_name_match.cc +++ b/chromium/net/cert/internal/verify_name_match.cc @@ -223,7 +223,7 @@ bool VerifyRdnMatch(der::Parser* a_parser, der::Parser* b_parser) { // small, a naive linear search for each element should be fine. (Hostile // certificates already have ways to provoke pathological behavior.) for (const auto& a : a_type_and_values) { - RelativeDistinguishedName::iterator b_iter = b_type_and_values.begin(); + auto b_iter = b_type_and_values.begin(); for (; b_iter != b_type_and_values.end(); ++b_iter) { const auto& b = *b_iter; if (a.type == b.type && VerifyValueMatch(a, b)) { diff --git a/chromium/net/cert/known_roots_win.h b/chromium/net/cert/known_roots_win.h index e9f681b8457..8b9cd243d07 100644 --- a/chromium/net/cert/known_roots_win.h +++ b/chromium/net/cert/known_roots_win.h @@ -5,7 +5,7 @@ #ifndef NET_CERT_KNOWN_ROOTS_WIN_H_ #define NET_CERT_KNOWN_ROOTS_WIN_H_ -#include "crypto/wincrypt_shim.h" +#include "base/win/wincrypt_shim.h" namespace net { diff --git a/chromium/net/cert/multi_threaded_cert_verifier.cc b/chromium/net/cert/multi_threaded_cert_verifier.cc index eb082faecc8..715435868e2 100644 --- a/chromium/net/cert/multi_threaded_cert_verifier.cc +++ b/chromium/net/cert/multi_threaded_cert_verifier.cc @@ -102,10 +102,8 @@ std::unique_ptr<base::Value> CertVerifyResultCallback( capture_mode)); std::unique_ptr<base::ListValue> hashes(new base::ListValue()); - for (std::vector<HashValue>::const_iterator it = - verify_result.public_key_hashes.begin(); - it != verify_result.public_key_hashes.end(); - ++it) { + for (auto it = verify_result.public_key_hashes.begin(); + it != verify_result.public_key_hashes.end(); ++it) { hashes->AppendString(it->ToString()); } results->Set("public_key_hashes", std::move(hashes)); diff --git a/chromium/net/cert/nss_cert_database_chromeos.cc b/chromium/net/cert/nss_cert_database_chromeos.cc index b35d1f66c01..757fc5e086a 100644 --- a/chromium/net/cert/nss_cert_database_chromeos.cc +++ b/chromium/net/cert/nss_cert_database_chromeos.cc @@ -84,9 +84,10 @@ void NSSCertDatabaseChromeOS::ListModules( NSSCertDatabase::ListModules(modules, need_rw); size_t pre_size = modules->size(); - base::EraseIf(*modules, - NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate( - profile_filter_)); + const NSSProfileFilterChromeOS& profile_filter = profile_filter_; + base::EraseIf(*modules, [&profile_filter](crypto::ScopedPK11Slot& module) { + return !profile_filter.IsModuleAllowed(module.get()); + }); DVLOG(1) << "filtered " << pre_size - modules->size() << " of " << pre_size << " modules"; } diff --git a/chromium/net/cert/nss_profile_filter_chromeos.cc b/chromium/net/cert/nss_profile_filter_chromeos.cc index 45bd99c9f6b..3cbd0c3a281 100644 --- a/chromium/net/cert/nss_profile_filter_chromeos.cc +++ b/chromium/net/cert/nss_profile_filter_chromeos.cc @@ -139,13 +139,4 @@ bool NSSProfileFilterChromeOS::IsCertAllowed(CERTCertificate* cert) const { return false; } -NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate:: - ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter) - : filter_(filter) {} - -bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()( - const crypto::ScopedPK11Slot& module) const { - return !filter_.IsModuleAllowed(module.get()); -} - } // namespace net diff --git a/chromium/net/cert/nss_profile_filter_chromeos.h b/chromium/net/cert/nss_profile_filter_chromeos.h index c67af166b70..499527b33b7 100644 --- a/chromium/net/cert/nss_profile_filter_chromeos.h +++ b/chromium/net/cert/nss_profile_filter_chromeos.h @@ -42,17 +42,6 @@ class NET_EXPORT NSSProfileFilterChromeOS { bool IsModuleAllowed(PK11SlotInfo* slot) const; bool IsCertAllowed(CERTCertificate* cert) const; - // TODO(mattm): remove this predicate and use labmda instead. - class ModuleNotAllowedForProfilePredicate { - public: - explicit ModuleNotAllowedForProfilePredicate( - const NSSProfileFilterChromeOS& filter); - bool operator()(const crypto::ScopedPK11Slot& module) const; - - private: - const NSSProfileFilterChromeOS& filter_; - }; - private: crypto::ScopedPK11Slot public_slot_; crypto::ScopedPK11Slot private_slot_; diff --git a/chromium/net/cert/ocsp_revocation_status.h b/chromium/net/cert/ocsp_revocation_status.h index c20dd2e2c83..dac7a2067e6 100644 --- a/chromium/net/cert/ocsp_revocation_status.h +++ b/chromium/net/cert/ocsp_revocation_status.h @@ -7,10 +7,13 @@ namespace net { +// This value is histogrammed, so do not re-order or change values, and add +// new values at the end. enum class OCSPRevocationStatus { - GOOD, - REVOKED, - UNKNOWN, + GOOD = 0, + REVOKED = 1, + UNKNOWN = 2, + MAX_VALUE = UNKNOWN }; } // namespace net diff --git a/chromium/net/cert/ocsp_verify_result.h b/chromium/net/cert/ocsp_verify_result.h index 3a0bd7c26e3..48a7a00a236 100644 --- a/chromium/net/cert/ocsp_verify_result.h +++ b/chromium/net/cert/ocsp_verify_result.h @@ -26,37 +26,39 @@ struct NET_EXPORT OCSPVerifyResult { bool operator==(const OCSPVerifyResult& other) const; + // This value is histogrammed, so do not re-order or change values, and add + // new values at the end. enum ResponseStatus { // OCSP verification was not checked on this connection. - NOT_CHECKED, + NOT_CHECKED = 0, // No OCSPResponse was stapled. - MISSING, + MISSING = 1, // An up-to-date OCSP response was stapled and matched the certificate. - PROVIDED, + PROVIDED = 2, // The stapled OCSP response did not have a SUCCESSFUL status. - ERROR_RESPONSE, + ERROR_RESPONSE = 3, // The OCSPResponseData field producedAt was outside the certificate // validity period. - BAD_PRODUCED_AT, + BAD_PRODUCED_AT = 4, // At least one OCSPSingleResponse was stapled, but none matched the // certificate. - NO_MATCHING_RESPONSE, + NO_MATCHING_RESPONSE = 5, // A matching OCSPSingleResponse was stapled, but was either expired or not // yet valid. - INVALID_DATE, + INVALID_DATE = 6, // The OCSPResponse structure could not be parsed. - PARSE_RESPONSE_ERROR, + PARSE_RESPONSE_ERROR = 7, // The OCSPResponseData structure could not be parsed. - PARSE_RESPONSE_DATA_ERROR, - + PARSE_RESPONSE_DATA_ERROR = 8, + RESPONSE_STATUS_MAX = PARSE_RESPONSE_DATA_ERROR }; ResponseStatus response_status = NOT_CHECKED; diff --git a/chromium/net/cert/pem_tokenizer.cc b/chromium/net/cert/pem_tokenizer.cc index fe2f780c66e..f9edb3fc6ab 100644 --- a/chromium/net/cert/pem_tokenizer.cc +++ b/chromium/net/cert/pem_tokenizer.cc @@ -91,8 +91,8 @@ void PEMTokenizer::Init( // Construct PEM header/footer strings for all the accepted types, to // reduce parsing later. - for (std::vector<std::string>::const_iterator it = - allowed_block_types.begin(); it != allowed_block_types.end(); ++it) { + for (auto it = allowed_block_types.begin(); it != allowed_block_types.end(); + ++it) { PEMType allowed_type; allowed_type.type = *it; allowed_type.header = base::StringPrintf(kPEMBeginBlock, it->c_str()); diff --git a/chromium/net/cert/test_root_certs.h b/chromium/net/cert/test_root_certs.h index bc211c53920..8992af129fc 100644 --- a/chromium/net/cert/test_root_certs.h +++ b/chromium/net/cert/test_root_certs.h @@ -18,7 +18,7 @@ #include "net/cert/scoped_nss_types.h" #elif defined(OS_WIN) #include <windows.h> -#include "crypto/wincrypt_shim.h" +#include "base/win/wincrypt_shim.h" #elif defined(OS_MACOSX) #include <CoreFoundation/CFArray.h> #include <Security/SecTrust.h> diff --git a/chromium/net/cert/x509_util.cc b/chromium/net/cert/x509_util.cc index 624d931d79a..dfebdaa9322 100644 --- a/chromium/net/cert/x509_util.cc +++ b/chromium/net/cert/x509_util.cc @@ -210,19 +210,27 @@ bool CreateKeyAndSelfSignedCert(const std::string& subject, bool success = CreateSelfSignedCert(new_key->key(), kSignatureDigestAlgorithm, subject, serial_number, not_valid_before, - not_valid_after, der_cert); + not_valid_after, {}, der_cert); if (success) *key = std::move(new_key); return success; } +Extension::Extension(base::span<const uint8_t> in_oid, + bool in_critical, + base::span<const uint8_t> in_contents) + : oid(in_oid), critical(in_critical), contents(in_contents) {} +Extension::~Extension() {} +Extension::Extension(const Extension&) = default; + bool CreateSelfSignedCert(EVP_PKEY* key, DigestAlgorithm alg, const std::string& subject, uint32_t serial_number, base::Time not_valid_before, base::Time not_valid_after, + const std::vector<Extension>& extension_specs, std::string* der_encoded) { crypto::EnsureOpenSSLInit(); crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); @@ -255,10 +263,40 @@ bool CreateSelfSignedCert(EVP_PKEY* key, !AddTime(&validity, not_valid_before) || !AddTime(&validity, not_valid_after) || !AddNameWithCommonName(&tbs_cert, common_name) || // subject - !EVP_marshal_public_key(&tbs_cert, key) || // subjectPublicKeyInfo - !CBB_finish(cbb.get(), &tbs_cert_bytes, &tbs_cert_len)) { + !EVP_marshal_public_key(&tbs_cert, key)) { // subjectPublicKeyInfo return false; } + + if (!extension_specs.empty()) { + CBB outer_extensions, extensions; + if (!CBB_add_asn1(&tbs_cert, &outer_extensions, + 3 | CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED) || + !CBB_add_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) { + return false; + } + + for (const auto& extension_spec : extension_specs) { + CBB extension, oid, value; + if (!CBB_add_asn1(&extensions, &extension, CBS_ASN1_SEQUENCE) || + !CBB_add_asn1(&extension, &oid, CBS_ASN1_OBJECT) || + !CBB_add_bytes(&oid, extension_spec.oid.data(), + extension_spec.oid.size()) || + (extension_spec.critical && !CBB_add_asn1_bool(&extension, 1)) || + !CBB_add_asn1(&extension, &value, CBS_ASN1_OCTETSTRING) || + !CBB_add_bytes(&value, extension_spec.contents.data(), + extension_spec.contents.size()) || + !CBB_flush(&extensions)) { + return false; + } + } + + if (!CBB_flush(&tbs_cert)) { + return false; + } + } + + if (!CBB_finish(cbb.get(), &tbs_cert_bytes, &tbs_cert_len)) + return false; bssl::UniquePtr<uint8_t> delete_tbs_cert_bytes(tbs_cert_bytes); // Sign the TBSCertificate and write the entire certificate. diff --git a/chromium/net/cert/x509_util.h b/chromium/net/cert/x509_util.h index 27d5f2633ed..8d48701b334 100644 --- a/chromium/net/cert/x509_util.h +++ b/chromium/net/cert/x509_util.h @@ -11,6 +11,7 @@ #include <string> #include <vector> +#include "base/containers/span.h" #include "base/macros.h" #include "base/memory/ref_counted.h" #include "base/strings/string_piece.h" @@ -33,9 +34,7 @@ class X509Certificate; namespace x509_util { // Supported digest algorithms for signing certificates. -enum DigestAlgorithm { - DIGEST_SHA256 -}; +enum DigestAlgorithm { DIGEST_SHA256 }; // Generate a 'tls-server-end-point' channel binding based on the specified // certificate. Channel bindings are based on RFC 5929. @@ -68,15 +67,29 @@ NET_EXPORT bool CreateKeyAndSelfSignedCert( std::unique_ptr<crypto::RSAPrivateKey>* key, std::string* der_cert); +struct NET_EXPORT Extension { + Extension(base::span<const uint8_t> oid, + bool critical, + base::span<const uint8_t> contents); + ~Extension(); + Extension(const Extension&); + + base::span<const uint8_t> oid; + bool critical; + base::span<const uint8_t> contents; +}; + // Creates a self-signed certificate from a provided key, using the specified // hash algorithm. -NET_EXPORT bool CreateSelfSignedCert(EVP_PKEY* key, - DigestAlgorithm alg, - const std::string& subject, - uint32_t serial_number, - base::Time not_valid_before, - base::Time not_valid_after, - std::string* der_cert); +NET_EXPORT bool CreateSelfSignedCert( + EVP_PKEY* key, + DigestAlgorithm alg, + const std::string& subject, + uint32_t serial_number, + base::Time not_valid_before, + base::Time not_valid_after, + const std::vector<Extension>& extension_specs, + std::string* der_cert); // Returns a CRYPTO_BUFFER_POOL for deduplicating certificates. NET_EXPORT CRYPTO_BUFFER_POOL* GetBufferPool(); @@ -105,7 +118,7 @@ NET_EXPORT base::StringPiece CryptoBufferAsStringPiece( // Creates a new X509Certificate from the chain in |buffers|, which must have at // least one element. -scoped_refptr<X509Certificate> CreateX509CertificateFromBuffers( +NET_EXPORT scoped_refptr<X509Certificate> CreateX509CertificateFromBuffers( const STACK_OF(CRYPTO_BUFFER) * buffers); // Returns the default ParseCertificateOptions for the net stack. @@ -126,8 +139,8 @@ NET_EXPORT bool SignatureVerifierInitWithCertificate( base::span<const uint8_t> signature, const CRYPTO_BUFFER* certificate); -} // namespace x509_util +} // namespace x509_util -} // namespace net +} // namespace net #endif // NET_CERT_X509_UTIL_H_ diff --git a/chromium/net/cert/x509_util_unittest.cc b/chromium/net/cert/x509_util_unittest.cc index 8c9ca484dcf..949946c43ab 100644 --- a/chromium/net/cert/x509_util_unittest.cc +++ b/chromium/net/cert/x509_util_unittest.cc @@ -141,7 +141,7 @@ TEST(X509UtilTest, CreateSelfSigned) { std::string der_cert; ASSERT_TRUE(x509_util::CreateSelfSignedCert( private_key->key(), x509_util::DIGEST_SHA256, "CN=subject", 1, - base::Time::Now(), base::Time::Now() + base::TimeDelta::FromDays(1), + base::Time::Now(), base::Time::Now() + base::TimeDelta::FromDays(1), {}, &der_cert)); scoped_refptr<X509Certificate> cert = diff --git a/chromium/net/cert/x509_util_win.h b/chromium/net/cert/x509_util_win.h index a6a234ed0e7..c1c8f49a6c1 100644 --- a/chromium/net/cert/x509_util_win.h +++ b/chromium/net/cert/x509_util_win.h @@ -11,7 +11,7 @@ #include <windows.h> #include "base/memory/ref_counted.h" -#include "crypto/wincrypt_shim.h" +#include "base/win/wincrypt_shim.h" #include "net/base/hash_value.h" #include "net/base/net_export.h" #include "net/cert/x509_certificate.h" |