Diffstat (limited to 'chromium/net/cert/ev_root_ca_metadata.cc')
-rw-r--r-- | chromium/net/cert/ev_root_ca_metadata.cc | 88 |
1 files changed, 82 insertions, 6 deletions
diff --git a/chromium/net/cert/ev_root_ca_metadata.cc b/chromium/net/cert/ev_root_ca_metadata.cc
index 26f9773d326..1370f1726c4 100644
--- a/chromium/net/cert/ev_root_ca_metadata.cc
+++ b/chromium/net/cert/ev_root_ca_metadata.cc
@@ -17,15 +17,19 @@
 #include "base/logging.h"
 #if defined(USE_NSS_CERTS)
 #include "crypto/nss_util.h"
+#elif defined(OS_MACOSX)
+#include "net/der/input.h"
+#include "third_party/boringssl/src/include/openssl/asn1.h"
+#include "third_party/boringssl/src/include/openssl/obj.h"
 #endif
 
 namespace net {
 
-#if defined(USE_NSS_CERTS) || defined(OS_WIN)
+#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX)
 // Raw metadata.
 struct EVMetadata {
   // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At
-  // least one CA has different EV policies for businuss vs government
+  // least one CA has different EV policies for business vs government
   // entities and, in the case of cross-signing, we might need to list another
   // CA's policy OID under the cross-signing root.
   static const size_t kMaxOIDsPerCA = 2;
@@ -48,8 +52,7 @@ static const EVMetadata ev_root_ca_metadata[] = {
       0x30, 0x50, 0xba, 0x9e, 0xa8, 0x7e, 0xfe, 0x9a, 0xce, 0x3c}},
     {
         // AC Camerfirma uses the last two arcs to track how the private key
-        // is
-        // managed - the effective verification policy is the same.
+        // is managed - the effective verification policy is the same.
         "1.3.6.1.4.1.17326.10.14.2.1.2", "1.3.6.1.4.1.17326.10.14.2.2.2",
     },
   },
@@ -60,8 +63,7 @@ static const EVMetadata ev_root_ca_metadata[] = {
       0xc7, 0x52, 0xa1, 0x2c, 0x5b, 0x29, 0xf6, 0xd6, 0xaa, 0x0c}},
     {
         // AC Camerfirma uses the last two arcs to track how the private key
-        // is
-        // managed - the effective verification policy is the same.
+        // is managed - the effective verification policy is the same.
         "1.3.6.1.4.1.17326.10.8.12.1.2", "1.3.6.1.4.1.17326.10.8.12.2.2",
     },
   },
@@ -710,6 +712,61 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
   return true;
 }
 
+#elif defined(OS_MACOSX)
+
+namespace {
+
+std::string OIDStringToDER(const char* policy) {
+  bssl::UniquePtr<ASN1_OBJECT> obj(
+      OBJ_txt2obj(policy, 1 /* dont_search_names */));
+  if (!obj)
+    return std::string();
+
+  return std::string(reinterpret_cast<const char*>(obj->data), obj->length);
+}
+
+}  // namespace
+
+bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
+  return policy_oids_.find(policy_oid.AsString()) != policy_oids_.end();
+}
+
+bool EVRootCAMetadata::HasEVPolicyOID(const SHA1HashValue& fingerprint,
+                                      PolicyOID policy_oid) const {
+  PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint);
+  if (iter == ev_policy_.end())
+    return false;
+  for (const std::string& ev_oid : iter->second) {
+    if (der::Input(&ev_oid) == policy_oid)
+      return true;
+  }
+  return false;
+}
+
+bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint,
+                               const char* policy) {
+  if (ev_policy_.find(fingerprint) != ev_policy_.end())
+    return false;
+
+  std::string der_policy = OIDStringToDER(policy);
+  if (der_policy.empty())
+    return false;
+
+  ev_policy_[fingerprint].push_back(der_policy);
+  policy_oids_.insert(der_policy);
+  return true;
+}
+
+bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
+  PolicyOIDMap::iterator it = ev_policy_.find(fingerprint);
+  if (it == ev_policy_.end())
+    return false;
+  std::string oid = it->second[0];
+  ev_policy_.erase(it);
+  policy_oids_.erase(oid);
+  return true;
+}
+
 #else
 
 // These are just stub functions for platforms where we don't use this EV
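Review bot: The new RemoveEVCA unregisters only `it->second[0]` from policy_oids_, so a root whose entry carries two policy OIDs (the Camerfirma rows earlier in this same diff list two) keeps its second OID in the set after removal, and an OID that two roots share is dropped from the set while the other root still lists it — and since IsEVPolicyOID consults only policy_oids_, either case leaves the global answer inconsistent with ev_policy_. A fix is to take all of the removed entry's OIDs and erase each from policy_oids_ only when no remaining root still references it; the value type appears to be a vector of std::string, judging by the push_back and indexed access, so the rewrite below assumes that. Whether the OS_WIN implementation has the same shape is not visible in this hunk. Separately, OIDStringToDER reads `obj->data`/`obj->length` directly; if the pinned BoringSSL revision exports `OBJ_get0_data`/`OBJ_length`, those accessors avoid depending on ASN1_OBJECT's layout.
```cpp
bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
  PolicyOIDMap::iterator it = ev_policy_.find(fingerprint);
  if (it == ev_policy_.end())
    return false;
  std::vector<std::string> removed_oids = it->second;
  ev_policy_.erase(it);
  // Only drop an OID from the global set once no remaining root lists it;
  // cross-signed roots may share a policy OID.
  for (const std::string& oid : removed_oids) {
    bool still_referenced = false;
    for (const auto& entry : ev_policy_) {
      for (const std::string& other : entry.second) {
        if (other == oid) {
          still_referenced = true;
          break;
        }
      }
      if (still_referenced)
        break;
    }
    if (!still_referenced)
      policy_oids_.erase(oid);
  }
  return true;
}
```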
@@ -748,6 +805,25 @@ EVRootCAMetadata::EVRootCAMetadata() {
       policy_oids_.insert(policy);
     }
   }
+#elif defined(OS_MACOSX)
+  for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
+    const EVMetadata& metadata = ev_root_ca_metadata[i];
+    for (size_t j = 0; j < arraysize(metadata.policy_oids); j++) {
+      if (metadata.policy_oids[j][0] == '\0')
+        break;
+      const char* policy_oid = metadata.policy_oids[j];
+
+      PolicyOID policy;
+      std::string policy_der = OIDStringToDER(policy_oid);
+      if (policy_der.empty()) {
+        LOG(ERROR) << "Failed to register OID: " << policy_oid;
+        continue;
+      }
+
+      ev_policy_[metadata.fingerprint].push_back(policy_der);
+      policy_oids_.insert(policy_der);
+    }
+  }
 #endif
 }
|
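Review bot: `PolicyOID policy;` inside the inner loop of the new OS_MACOSX branch is declared but never used and should be dropped; it looks like a leftover from an earlier draft. The `LOG(ERROR)` + `continue` path also quietly demotes a built-in root to non-EV at startup: ev_root_ca_metadata is a compile-time table, so a DER conversion failure there is a programmer error rather than a runtime condition, and a `DCHECK(!policy_der.empty()) << "Failed to register OID: " << policy_oid;` ahead of the existing check (keeping the `continue` for release builds) would surface it in debug builds. The enclosing constructor starts before this hunk.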