From c30a6232df03e1efbd9f3b226777b07e087a1122 Mon Sep 17 00:00:00 2001 
From: Allan Sandfeld Jensen Date: Mon, 12 Oct 2020 14:27:29 +0200 Subject: BASELINE: Update Chromium to 85.0.4183.140 Change-Id: Iaa42f4680837c57725b1344f108c0196741f6057 Reviewed-by: Allan Sandfeld Jensen --- chromium/net/cert/cert_verifier.cc | 6 +- chromium/net/cert/cert_verifier.h | 6 + chromium/net/cert/cert_verify_proc.cc | 17 +- chromium/net/cert/cert_verify_proc_ios.cc | 1 + chromium/net/cert/cert_verify_proc_unittest.cc | 3 + chromium/net/cert/ct_log_verifier.cc | 1 + chromium/net/cert/ct_sct_to_string.cc | 1 + chromium/net/cert/ev_root_ca_metadata.cc | 399 +++------------------ chromium/net/cert/ev_root_ca_metadata.h | 19 +- chromium/net/cert/ev_root_ca_metadata_unittest.cc | 149 +++----- .../parse_authority_key_identifier_fuzzer.cc | 1 + chromium/net/cert/internal/parsed_certificate.h | 2 +- chromium/net/cert/internal/path_builder.cc | 1 + .../cert/internal/path_builder_pkits_unittest.cc | 90 +++-- chromium/net/cert/internal/system_trust_store.cc | 1 + .../net/cert/internal/trust_store_mac_unittest.cc | 1 + chromium/net/cert/internal/trust_store_nss.cc | 1 + chromium/net/cert/known_roots_mac.cc | 1 + chromium/net/cert/multi_threaded_cert_verifier.cc | 19 + chromium/net/cert/multi_threaded_cert_verifier.h | 12 + chromium/net/cert/test_keychain_search_list_mac.h | 2 + chromium/net/cert/test_root_certs.h | 50 +-- chromium/net/cert/test_root_certs_builtin.cc | 46 +++ chromium/net/cert/test_root_certs_fuchsia.cc | 46 --- chromium/net/cert/test_root_certs_nss.cc | 120 ------- chromium/net/cert/test_root_certs_unittest.cc | 45 --- chromium/net/cert/x509_cert_types.h | 1 - chromium/net/cert/x509_util.cc | 1 + chromium/net/cert/x509_util_ios_and_mac.cc | 1 + 29 files changed, 303 insertions(+), 740 deletions(-) create mode 100644 chromium/net/cert/test_root_certs_builtin.cc delete mode 100644 chromium/net/cert/test_root_certs_fuchsia.cc delete mode 100644 chromium/net/cert/test_root_certs_nss.cc (limited to 'chromium/net/cert') 
diff --git a/chromium/net/cert/cert_verifier.cc b/chromium/net/cert/cert_verifier.cc index 580c7212d65..6504721e2fa 100644 --- a/chromium/net/cert/cert_verifier.cc +++ b/chromium/net/cert/cert_verifier.cc @@ -120,11 +120,13 @@ bool operator==(const CertVerifier::Config& lhs, return std::tie( lhs.enable_rev_checking, lhs.require_rev_checking_local_anchors, lhs.enable_sha1_local_anchors, lhs.disable_symantec_enforcement, - lhs.crl_set, lhs.additional_trust_anchors) == + lhs.crl_set, lhs.additional_trust_anchors, + lhs.additional_untrusted_authorities) == std::tie( rhs.enable_rev_checking, rhs.require_rev_checking_local_anchors, rhs.enable_sha1_local_anchors, rhs.disable_symantec_enforcement, - rhs.crl_set, rhs.additional_trust_anchors); + rhs.crl_set, rhs.additional_trust_anchors, + rhs.additional_untrusted_authorities); } bool operator!=(const CertVerifier::Config& lhs, diff --git a/chromium/net/cert/cert_verifier.h b/chromium/net/cert/cert_verifier.h index 5c9c3798925..bcb768a353e 100644 --- a/chromium/net/cert/cert_verifier.h +++ b/chromium/net/cert/cert_verifier.h @@ -65,6 +65,12 @@ class NET_EXPORT CertVerifier { // system store. This is implementation-specific plumbing for passing // additional anchors through. CertificateList additional_trust_anchors; + + // Additional temporary certs to consider as intermediates during path + // validation. Ordinarily, implementations of CertVerifier use intermediate + // certs from the configured system store. This is implementation-specific + // plumbing for passing additional intermediates through. + CertificateList additional_untrusted_authorities; }; class Request { diff --git a/chromium/net/cert/cert_verify_proc.cc b/chromium/net/cert/cert_verify_proc.cc index b6502664174..0b7e5f9d1a4 100644 --- a/chromium/net/cert/cert_verify_proc.cc +++ b/chromium/net/cert/cert_verify_proc.cc 
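Review bot: The new comment on `additional_untrusted_authorities` in the cert_verifier.h hunk does not say what trust these certificates carry, which is the one property that separates the field from `additional_trust_anchors` directly above it. I would add a sentence such as `// These certs are never treated as trust anchors; a path built through them must still chain to a trusted root.` This assumes that is the intended behaviour, which the field name suggests but the hunk does not show. The enclosing Config struct starts outside the hunk.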
@@ -935,6 +935,9 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1519862400); const base::Time time_2019_07_01 = base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1561939200); + // From Chrome Root Certificate Policy + const base::Time time_2020_09_01 = + base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1598918400); // Compute the maximally permissive interpretations, accounting for leap // years. @@ -957,21 +960,27 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) { return true; } - // For certificates issued after the BR effective date of 1 July 2012: 60 - // months. + // For certificates issued on-or-after the BR effective date of 1 July 2012: + // 60 months. if (start >= time_2012_07_01 && validity_duration > kSixtyMonths) return true; - // For certificates issued after 1 April 2015: 39 months. + // For certificates issued on-or-after 1 April 2015: 39 months. if (start >= time_2015_04_01 && validity_duration > kThirtyNineMonths) return true; - // For certificates issued after 1 March 2018: 825 days. + // For certificates issued on-or-after 1 March 2018: 825 days. if (start >= time_2018_03_01 && validity_duration > base::TimeDelta::FromDays(825)) { return true; } + // For certificates issued on-or-after 1 September 2020: 398 days. + if (start >= time_2020_09_01 && + validity_duration > base::TimeDelta::FromDays(398)) { + return true; + } + return false; } diff --git a/chromium/net/cert/cert_verify_proc_ios.cc b/chromium/net/cert/cert_verify_proc_ios.cc index 59624eb894d..ed9234dd80e 100644 --- a/chromium/net/cert/cert_verify_proc_ios.cc +++ b/chromium/net/cert/cert_verify_proc_ios.cc @@ -10,6 +10,7 @@ #include "base/mac/foundation_util.h" #include "base/mac/mac_logging.h" #include "base/mac/scoped_cftyperef.h" +#include "base/notreached.h" #include "crypto/sha2.h" #include "net/base/net_errors.h" #include "net/cert/asn1_util.h" 
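Review bot: The 398-day tier added at the end of HasTooLongValidity is selected by `start >= time_2020_09_01`, and `start` is computed outside both hunks, presumably from the certificate's own notBefore. If so, the tier rests on a date the issuer asserts, and a certificate whose notBefore predates 1 September 2020 is still measured against the 825-day limit whenever it was actually issued. That limitation is worth stating above the new check, e.g. `// |start| is the certificate's notBefore; the actual issuance time is not verified here.` Next to `time_2020_09_01` it would also help to record that 1598918400 is 2020-09-01 00:00:00 UTC, so the constant can be checked without recomputing it.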
diff --git a/chromium/net/cert/cert_verify_proc_unittest.cc b/chromium/net/cert/cert_verify_proc_unittest.cc index e8cbe147cee..ffb85e65fce 100644 --- a/chromium/net/cert/cert_verify_proc_unittest.cc +++ b/chromium/net/cert/cert_verify_proc_unittest.cc @@ -1499,6 +1499,9 @@ TEST(CertVerifyProcTest, TestHasTooLongValidity) { {"826_days_after_2018_03_01.pem", true}, {"825_days_1_second_after_2018_03_01.pem", true}, {"39_months_based_on_last_day.pem", false}, + {"398_days_after_2020_09_01.pem", false}, + {"399_days_after_2020_09_01.pem", true}, + {"398_days_1_second_after_2020_09_01.pem", true}, }; base::FilePath certs_dir = GetTestCertsDirectory(); diff --git a/chromium/net/cert/ct_log_verifier.cc b/chromium/net/cert/ct_log_verifier.cc index e255cae67ef..70cc5e1001f 100644 --- a/chromium/net/cert/ct_log_verifier.cc +++ b/chromium/net/cert/ct_log_verifier.cc @@ -9,6 +9,7 @@ #include #include "base/logging.h" +#include "base/notreached.h" #include "crypto/openssl_util.h" #include "crypto/sha2.h" #include "net/cert/ct_log_verifier_util.h" diff --git a/chromium/net/cert/ct_sct_to_string.cc b/chromium/net/cert/ct_sct_to_string.cc index adbb712af75..211f7ea264a 100644 --- a/chromium/net/cert/ct_sct_to_string.cc +++ b/chromium/net/cert/ct_sct_to_string.cc @@ -5,6 +5,7 @@ #include "net/cert/ct_sct_to_string.h" #include "base/logging.h" +#include "base/notreached.h" namespace net { diff --git a/chromium/net/cert/ev_root_ca_metadata.cc b/chromium/net/cert/ev_root_ca_metadata.cc index 052161a3498..13b5a55d77c 100644 --- a/chromium/net/cert/ev_root_ca_metadata.cc +++ b/chromium/net/cert/ev_root_ca_metadata.cc @@ -4,12 +4,7 @@ #include "net/cert/ev_root_ca_metadata.h" -#if defined(USE_NSS_CERTS) -#include -#include -#include -#include -#elif defined(OS_WIN) +#if defined(OS_WIN) #include #endif 
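Review bot: The three cases added to TestHasTooLongValidity all start on or after 2020-09-01, going by their file names, so they pin the duration edge of the new tier (398 days, 398 days + 1 second, 399 days) but not its start-date edge. A certificate whose validity begins just before 2020-09-01 and runs longer than 398 but no more than 825 days should still return false. I would add such a case unless an entry above the hunk already covers it, since the table begins outside the hunk. Without it, a regression that applies the 398-day limit to older certificates would pass this test.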
@@ -19,9 +14,7 @@ #include "base/logging.h" #include "base/strings/string_piece.h" #include "net/der/input.h" -#if defined(USE_NSS_CERTS) -#include "crypto/nss_util.h" -#elif defined(PLATFORM_USES_CHROMIUM_EV_METADATA) || defined(OS_WIN) +#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) #include "third_party/boringssl/src/include/openssl/bytestring.h" #include "third_party/boringssl/src/include/openssl/mem.h" #endif @@ -57,19 +50,8 @@ static const EVMetadata kEvRootCaMetadata[] = { { // AC Camerfirma uses the last two arcs to track how the private key // is managed - the effective verification policy is the same. - "1.3.6.1.4.1.17326.10.14.2.1.2", "1.3.6.1.4.1.17326.10.14.2.2.2", - }, - }, - // AC Camerfirma S.A. Global Chambersign Root - 2008 - // https://server2.camerfirma.com:8082 - { - {{0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xa7, 0x69, 0x80, 0x16, 0xa0, - 0xd3, 0x24, 0xde, 0x72, 0x28, 0x4e, 0x07, 0x9d, 0x7b, 0x52, 0x20, - 0xbb, 0x8f, 0xbd, 0x74, 0x78, 0x16, 0xee, 0xbe, 0xba, 0xca}}, - { - // AC Camerfirma uses the last two arcs to track how the private key - // is managed - the effective verification policy is the same. - "1.3.6.1.4.1.17326.10.8.12.1.2", "1.3.6.1.4.1.17326.10.8.12.2.2", + "1.3.6.1.4.1.17326.10.14.2.1.2", + "1.3.6.1.4.1.17326.10.14.2.2.2", }, }, // AddTrust External CA Root @@ -173,14 +155,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0xac, 0x95, 0xcd, 0x4b, 0x93, 0xdb, 0xf3, 0xf2, 0x6a, 0xeb}}, {"1.3.6.1.4.1.6334.1.100.1", ""}, }, - // Buypass Class 3 CA 1 - // https://valid.evident.ca13.ssl.buypass.no/ - { - {{0xb7, 0xb1, 0x2b, 0x17, 0x1f, 0x82, 0x1d, 0xaa, 0x99, 0x0c, 0xd0, - 0xfe, 0x50, 0x87, 0xb1, 0x28, 0x44, 0x8b, 0xa8, 0xe5, 0x18, 0x4f, - 0x84, 0xc5, 0x1e, 0x02, 0xb5, 0xc8, 0xfb, 0x96, 0x2b, 0x24}}, - {"2.16.578.1.26.1.3.3", ""}, - }, // Buypass Class 3 Root CA // https://valid.evident.ca23.ssl.buypass.no/ { 
@@ -189,14 +163,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x29, 0xb4, 0xae, 0x1d, 0x5b, 0x93, 0x32, 0xe6, 0xb2, 0x4d}}, {"2.16.578.1.26.1.3.3", ""}, }, - // CertPlus Class 2 Primary CA (KEYNECTIS) - // https://www.keynectis.com/ - { - {{0x0f, 0x99, 0x3c, 0x8a, 0xef, 0x97, 0xba, 0xaf, 0x56, 0x87, 0x14, - 0x0e, 0xd5, 0x9a, 0xd1, 0x82, 0x1b, 0xb4, 0xaf, 0xac, 0xf0, 0xaa, - 0x9a, 0x58, 0xb5, 0xd5, 0x7a, 0x33, 0x8a, 0x3a, 0xfb, 0xcb}}, - {"1.3.6.1.4.1.22234.2.5.2.3.1", ""}, - }, // Certum Trusted Network CA // https://juice.certum.pl/ { @@ -213,15 +179,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x2e, 0xf8, 0x00, 0xf3, 0x55, 0xc4, 0xc5, 0xfd, 0x70, 0xfd}}, {"2.16.156.112554.3", ""}, }, - // China Internet Network Information Center EV Certificates Root - // https://evdemo.cnnic.cn/ - { - // Root - {{0x1c, 0x01, 0xc6, 0xf4, 0xdb, 0xb2, 0xfe, 0xfc, 0x22, 0x55, 0x8b, - 0x2b, 0xca, 0x32, 0x56, 0x3f, 0x49, 0x84, 0x4a, 0xcf, 0xc3, 0x2b, - 0x7b, 0xe4, 0xb0, 0xff, 0x59, 0x9f, 0x9e, 0x8c, 0x7a, 0xf7}}, - {"1.3.6.1.4.1.29836.1.10", ""}, - }, // COMODO Certification Authority // https://secure.comodo.com/ { 
@@ -271,6 +228,22 @@ static const EVMetadata kEvRootCaMetadata[] = { 0xbc, 0xf1, 0xdf, 0x69, 0x56, 0x1e, 0x3d, 0xc6, 0x32, 0x5c}}, {"2.16.840.1.114412.2.1", ""}, }, + // DigiCert Assured ID Root G2 + // https://assured-id-root-g2.chain-demos.digicert.com/ + { + {{0x7d, 0x05, 0xeb, 0xb6, 0x82, 0x33, 0x9f, 0x8c, 0x94, 0x51, 0xee, + 0x09, 0x4e, 0xeb, 0xfe, 0xfa, 0x79, 0x53, 0xa1, 0x14, 0xed, 0xb2, + 0xf4, 0x49, 0x49, 0x45, 0x2f, 0xab, 0x7d, 0x2f, 0xc1, 0x85}}, + {"2.16.840.1.114412.2.1", ""}, + }, + // DigiCert Assured ID Root G3 + // https://assured-id-root-g3.chain-demos.digicert.com/ + { + {{0x7e, 0x37, 0xcb, 0x8b, 0x4c, 0x47, 0x09, 0x0c, 0xab, 0x36, 0x55, + 0x1b, 0xa6, 0xf4, 0x5d, 0xb8, 0x40, 0x68, 0x0f, 0xba, 0x16, 0x6a, + 0x95, 0x2d, 0xb1, 0x00, 0x71, 0x7f, 0x43, 0x05, 0x3f, 0xc2}}, + {"2.16.840.1.114412.2.1", ""}, + }, // DigiCert Global Root CA // https://global-root-ca.chain-demos.digicert.com/ { @@ -319,13 +292,13 @@ static const EVMetadata kEvRootCaMetadata[] = { 0xd4, 0x73, 0x0c, 0x84, 0xea, 0xf1, 0xf3, 0xd3, 0x48, 0x81}}, {"1.3.6.1.4.1.4788.2.202.1", ""}, }, - // Entrust.net Secure Server Certification Authority - // https://www.entrust.net/ + // emSign Root CA - G1 + // https://testevg1.emsign.com/ { - {{0x62, 0xf2, 0x40, 0x27, 0x8c, 0x56, 0x4c, 0x4d, 0xd8, 0xbf, 0x7d, - 0x9d, 0x4f, 0x6f, 0x36, 0x6e, 0xa8, 0x94, 0xd2, 0x2f, 0x5f, 0x34, - 0xd9, 0x89, 0xa9, 0x83, 0xac, 0xec, 0x2f, 0xff, 0xed, 0x50}}, - {"2.16.840.1.114028.10.1.2", ""}, + {{0x40, 0xf6, 0xaf, 0x03, 0x46, 0xa9, 0x9a, 0xa1, 0xcd, 0x1d, 0x55, + 0x5a, 0x4e, 0x9c, 0xce, 0x62, 0xc7, 0xf9, 0x63, 0x46, 0x03, 0xee, + 0x40, 0x66, 0x15, 0x83, 0x3d, 0xc8, 0xc8, 0xd0, 0x03, 0x67}}, + {"2.23.140.1.1", ""}, }, // Entrust Root Certification Authority // https://www.entrust.net/ 
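Review bot: The entries added here for DigiCert Assured ID Root G2 and G3 and for emSign Root CA - G1 give a SHA-256 fingerprint and a test URL but no reference for where the fingerprint was taken from, and this table decides which roots may assert EV policy OIDs. Thirty-two literal bytes cannot be checked against anything in the diff. A short comment per entry naming the source of the fingerprint (for instance the root-program record it was copied from) would make each addition auditable. The same applies to the Hongkong Post Root CA 3, SSL.com EV ECC and RSA R2, and UCA Extended Validation Root entries added in later hunks. The kEvRootCaMetadata array starts and ends outside these hunks.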
@@ -351,14 +324,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0xab, 0x1d, 0x3b, 0x8e, 0xb0, 0x70, 0xe5, 0x6e, 0xdf, 0xf5}}, {"2.16.840.1.114028.10.1.2", ""}, }, - // Equifax Secure Certificate Authority (GeoTrust) - // https://www.geotrust.com/ - { - {{0x08, 0x29, 0x7a, 0x40, 0x47, 0xdb, 0xa2, 0x36, 0x80, 0xc7, 0x31, - 0xdb, 0x6e, 0x31, 0x76, 0x53, 0xca, 0x78, 0x48, 0xe1, 0xbe, 0xbd, - 0x3a, 0x0b, 0x01, 0x79, 0xa7, 0x07, 0xf9, 0x2c, 0xf1, 0x78}}, - {"1.3.6.1.4.1.14370.1.6", ""}, - }, // E-Tugra Certification Authority // https://sslev.e-tugra.com.tr { 
@@ -367,36 +332,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x65, 0xea, 0x89, 0x39, 0x11, 0xf5, 0x5e, 0x55, 0xf2, 0x3c}}, {"2.16.792.3.0.4.1.1.4", ""}, }, - // GeoTrust Primary Certification Authority - // https://www.geotrust.com/ - { - {{0x37, 0xd5, 0x10, 0x06, 0xc5, 0x12, 0xea, 0xab, 0x62, 0x64, 0x21, - 0xf1, 0xec, 0x8c, 0x92, 0x01, 0x3f, 0xc5, 0xf8, 0x2a, 0xe9, 0x8e, - 0xe5, 0x33, 0xeb, 0x46, 0x19, 0xb8, 0xde, 0xb4, 0xd0, 0x6c}}, - {"1.3.6.1.4.1.14370.1.6", ""}, - }, - // GeoTrust Primary Certification Authority - G2 - { - {{0x5e, 0xdb, 0x7a, 0xc4, 0x3b, 0x82, 0xa0, 0x6a, 0x87, 0x61, 0xe8, - 0xd7, 0xbe, 0x49, 0x79, 0xeb, 0xf2, 0x61, 0x1f, 0x7d, 0xd7, 0x9b, - 0xf9, 0x1c, 0x1c, 0x6b, 0x56, 0x6a, 0x21, 0x9e, 0xd7, 0x66}}, - {"1.3.6.1.4.1.14370.1.6", ""}, - }, - // GeoTrust Primary Certification Authority - G3 - { - {{0xb4, 0x78, 0xb8, 0x12, 0x25, 0x0d, 0xf8, 0x78, 0x63, 0x5c, 0x2a, - 0xa7, 0xec, 0x7d, 0x15, 0x5e, 0xaa, 0x62, 0x5e, 0xe8, 0x29, 0x16, - 0xe2, 0xcd, 0x29, 0x43, 0x61, 0x88, 0x6c, 0xd1, 0xfb, 0xd4}}, - {"1.3.6.1.4.1.14370.1.6", ""}, - }, - // GlobalSign Root CA - R2 - // https://www.globalsign.com/ - { - {{0xca, 0x42, 0xdd, 0x41, 0x74, 0x5f, 0xd0, 0xb8, 0x1e, 0xb9, 0x02, - 0x36, 0x2c, 0xf9, 0xd8, 0xbf, 0x71, 0x9d, 0xa1, 0xbd, 0x1b, 0x1e, - 0xfc, 0x94, 0x6f, 0x5b, 0x4c, 0x99, 0xf4, 0x2c, 0x1b, 0x9e}}, - {"1.3.6.1.4.1.4146.1.1", ""}, - }, // GlobalSign Root CA { {{0xeb, 0xd4, 0x10, 0x40, 0xe4, 0xbb, 0x3e, 0xc7, 0x42, 0xc9, 0xe3, 
@@ -412,14 +347,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x63, 0x5a, 0x7c, 0xf4, 0x72, 0x0d, 0xc9, 0x63, 0xc5, 0x3b}}, {"1.3.6.1.4.1.4146.1.1", ""}, }, - // GlobalSign ECC Root CA - R4 - // https://2038r4.globalsign.com - { - {{0xbe, 0xc9, 0x49, 0x11, 0xc2, 0x95, 0x56, 0x76, 0xdb, 0x6c, 0x0a, - 0x55, 0x09, 0x86, 0xd7, 0x6e, 0x3b, 0xa0, 0x05, 0x66, 0x7c, 0x44, - 0x2c, 0x97, 0x62, 0xb4, 0xfb, 0xb7, 0x73, 0xde, 0x22, 0x8c}}, - {"1.3.6.1.4.1.4146.1.1", ""}, - }, // GlobalSign ECC Root CA - R5 // https://2038r5.globalsign.com/ { @@ -444,13 +371,13 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x63, 0xe2, 0x74, 0x9d, 0xd3, 0xac, 0xa9, 0x19, 0x8e, 0xda}}, {"2.16.840.1.114413.1.7.23.3", ""}, }, - // GTE CyberTrust Global Root - // https://www.cybertrust.ne.jp/ + // Hongkong Post Root CA 3 + // https://valid-ev.ecert.gov.hk/ { - {{0xa5, 0x31, 0x25, 0x18, 0x8d, 0x21, 0x10, 0xaa, 0x96, 0x4b, 0x02, - 0xc7, 0xb7, 0xc6, 0xda, 0x32, 0x03, 0x17, 0x08, 0x94, 0xe5, 0xfb, - 0x71, 0xff, 0xfb, 0x66, 0x67, 0xd5, 0xe6, 0x81, 0x0a, 0x36}}, - {"1.3.6.1.4.1.6334.1.100.1", ""}, + {{0x5a, 0x2f, 0xc0, 0x3f, 0x0c, 0x83, 0xb0, 0x90, 0xbb, 0xfa, 0x40, + 0x60, 0x4b, 0x09, 0x88, 0x44, 0x6c, 0x76, 0x36, 0x18, 0x3d, 0xf9, + 0x84, 0x6e, 0x17, 0x10, 0x1a, 0x44, 0x7f, 0xb8, 0xef, 0xd6}}, + {"2.23.140.1.1", ""}, }, // Izenpe.com - SHA256 root // The first OID is for businesses and the second for government entities. 
@@ -545,14 +472,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x82, 0x01, 0x78, 0x95, 0x97, 0x4a, 0x99, 0x02, 0x6b, 0x6c}}, {"1.2.392.200091.100.721.1", ""}, }, - // Security Communication EV RootCA1 - // https://www.secomtrust.net/contact/form.html - { - {{0xa2, 0x2d, 0xba, 0x68, 0x1e, 0x97, 0x37, 0x6e, 0x2d, 0x39, 0x7d, - 0x72, 0x8a, 0xae, 0x3a, 0x9b, 0x62, 0x96, 0xb9, 0xfd, 0xba, 0x60, - 0xbc, 0x2e, 0x11, 0xf6, 0x47, 0xf2, 0xc6, 0x75, 0xfb, 0x37}}, - {"1.2.392.200091.100.721.1", ""}, - }, // Security Communication EV RootCA2 // https://www.secomtrust.net/contact/form.html { @@ -561,6 +480,22 @@ static const EVMetadata kEvRootCaMetadata[] = { 0xd2, 0xb5, 0x21, 0x48, 0x4a, 0xa4, 0x7a, 0x0e, 0xbe, 0xf6}}, {"1.2.392.200091.100.721.1", ""}, }, + // SSL.com EV Root Certification Authority ECC + // https://test-ev-ecc.ssl.com/ + { + {{0x22, 0xa2, 0xc1, 0xf7, 0xbd, 0xed, 0x70, 0x4c, 0xc1, 0xe7, 0x01, + 0xb5, 0xf4, 0x08, 0xc3, 0x10, 0x88, 0x0f, 0xe9, 0x56, 0xb5, 0xde, + 0x2a, 0x4a, 0x44, 0xf9, 0x9c, 0x87, 0x3a, 0x25, 0xa7, 0xc8}}, + {"2.23.140.1.1", ""}, + }, + // SSL.com EV Root Certification Authority RSA R2 + // https://test-ev-rsa.ssl.com/ + { + {{0x2e, 0x7b, 0xf1, 0x6c, 0xc2, 0x24, 0x85, 0xa7, 0xbb, 0xe2, 0xaa, + 0x86, 0x96, 0x75, 0x07, 0x61, 0xb0, 0xae, 0x39, 0xbe, 0x3b, 0x2f, + 0xe9, 0xd0, 0xcc, 0x6d, 0x4e, 0xf7, 0x34, 0x91, 0x42, 0x5c}}, + {"2.23.140.1.1", ""}, + }, // Staat der Nederlanden EV Root CA // https://pkioevssl-v.quovadisglobal.com/ { 
@@ -569,14 +504,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x9d, 0x8a, 0x90, 0x7a, 0xc4, 0xcb, 0x5d, 0xad, 0xc1, 0x5a}}, {"2.16.528.1.1003.1.2.7", ""}, }, - // StartCom Certification Authority - // https://www.startssl.com/ - { - {{0xc7, 0x66, 0xa9, 0xbe, 0xf2, 0xd4, 0x07, 0x1c, 0x86, 0x3a, 0x31, - 0xaa, 0x49, 0x20, 0xe8, 0x13, 0xb2, 0xd1, 0x98, 0x60, 0x8c, 0xb7, - 0xb7, 0xcf, 0xe2, 0x11, 0x43, 0xb8, 0x36, 0xdf, 0x09, 0xea}}, - {"1.3.6.1.4.1.23223.1.1.1", ""}, - }, // Starfield Class 2 Certification Authority // https://www.starfieldtech.com/ { 
@@ -609,44 +536,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x8f, 0x64, 0x7c, 0x68, 0x81, 0xf2, 0xc8, 0x35, 0x7b, 0x95}}, {"2.16.756.1.89.1.2.1.1", ""}, }, - // Swisscom Root EV CA 2 - // https://test-quarz-ev-ca-2.pre.swissdigicert.ch - { - {{0xd9, 0x5f, 0xea, 0x3c, 0xa4, 0xee, 0xdc, 0xe7, 0x4c, 0xd7, 0x6e, - 0x75, 0xfc, 0x6d, 0x1f, 0xf6, 0x2c, 0x44, 0x1f, 0x0f, 0xa8, 0xbc, - 0x77, 0xf0, 0x34, 0xb1, 0x9e, 0x5d, 0xb2, 0x58, 0x01, 0x5d}}, - {"2.16.756.1.83.21.0", ""}, - }, - // Thawte Premium Server CA - // https://www.thawte.com/ - { - {{0xab, 0x70, 0x36, 0x36, 0x5c, 0x71, 0x54, 0xaa, 0x29, 0xc2, 0xc2, - 0x9f, 0x5d, 0x41, 0x91, 0x16, 0x3b, 0x16, 0x2a, 0x22, 0x25, 0x01, - 0x13, 0x57, 0xd5, 0x6d, 0x07, 0xff, 0xa7, 0xbc, 0x1f, 0x72}}, - {"2.16.840.1.113733.1.7.48.1", ""}, - }, - // thawte Primary Root CA - // https://www.thawte.com/ - { - {{0x8d, 0x72, 0x2f, 0x81, 0xa9, 0xc1, 0x13, 0xc0, 0x79, 0x1d, 0xf1, - 0x36, 0xa2, 0x96, 0x6d, 0xb2, 0x6c, 0x95, 0x0a, 0x97, 0x1d, 0xb4, - 0x6b, 0x41, 0x99, 0xf4, 0xea, 0x54, 0xb7, 0x8b, 0xfb, 0x9f}}, - {"2.16.840.1.113733.1.7.48.1", ""}, - }, - // thawte Primary Root CA - G2 - { - {{0xa4, 0x31, 0x0d, 0x50, 0xaf, 0x18, 0xa6, 0x44, 0x71, 0x90, 0x37, - 0x2a, 0x86, 0xaf, 0xaf, 0x8b, 0x95, 0x1f, 0xfb, 0x43, 0x1d, 0x83, - 0x7f, 0x1e, 0x56, 0x88, 0xb4, 0x59, 0x71, 0xed, 0x15, 0x57}}, - {"2.16.840.1.113733.1.7.48.1", ""}, - }, - // thawte Primary Root CA - G3 - { - {{0x4b, 0x03, 0xf4, 0x58, 0x07, 0xad, 0x70, 0xf2, 0x1b, 0xfc, 0x2c, - 0xae, 0x71, 0xc9, 0xfd, 0xe4, 0x60, 0x4c, 0x06, 0x4c, 0xf5, 0xff, - 0xb6, 0x86, 0xba, 0xe5, 0xdb, 0xaa, 0xd7, 0xfd, 0xd3, 0x4c}}, - {"2.16.840.1.113733.1.7.48.1", ""}, - }, // TWCA Global Root CA // https://evssldemo3.twca.com.tw/index.html { 
@@ -671,6 +560,14 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x7e, 0x31, 0x70, 0x7a, 0xf3, 0xe9, 0x6d, 0x52, 0x2b, 0xbd}}, {"1.3.6.1.4.1.7879.13.24.1", ""}, }, + // UCA Extended Validation Root + // https://rsaevg1.good.sheca.com/ + { + {{0xd4, 0x3a, 0xf9, 0xb3, 0x54, 0x73, 0x75, 0x5c, 0x96, 0x84, 0xfc, + 0x06, 0xd7, 0xd8, 0xcb, 0x70, 0xee, 0x5c, 0x28, 0xe7, 0x73, 0xfb, + 0x29, 0x4e, 0xb4, 0x1e, 0xe7, 0x17, 0x22, 0x92, 0x4d, 0x24}}, + {"2.23.140.1.1", ""}, + }, // USERTrust ECC Certification Authority // https://usertrustecccertificationauthority-ev.comodoca.com/ { 
@@ -687,63 +584,6 @@ static const EVMetadata kEvRootCaMetadata[] = { 0x89, 0x64, 0xb1, 0x74, 0x6d, 0x46, 0xc3, 0xd4, 0xcb, 0xd2}}, {"1.3.6.1.4.1.6449.1.2.1.5.1", ""}, }, - // UTN-USERFirst-Hardware - { - {{0x6e, 0xa5, 0x47, 0x41, 0xd0, 0x04, 0x66, 0x7e, 0xed, 0x1b, 0x48, - 0x16, 0x63, 0x4a, 0xa3, 0xa7, 0x9e, 0x6e, 0x4b, 0x96, 0x95, 0x0f, - 0x82, 0x79, 0xda, 0xfc, 0x8d, 0x9b, 0xd8, 0x81, 0x21, 0x37}}, - { - "1.3.6.1.4.1.6449.1.2.1.5.1", - // This is the Network Solutions EV OID. However, this root - // cross-certifies NetSol and so we need it here too. - "1.3.6.1.4.1.782.1.2.1.8.1", - }, - }, - // ValiCert Class 2 Policy Validation Authority - { - {{0x58, 0xd0, 0x17, 0x27, 0x9c, 0xd4, 0xdc, 0x63, 0xab, 0xdd, 0xb1, - 0x96, 0xa6, 0xc9, 0x90, 0x6c, 0x30, 0xc4, 0xe0, 0x87, 0x83, 0xea, - 0xe8, 0xc1, 0x60, 0x99, 0x54, 0xd6, 0x93, 0x55, 0x59, 0x6b}}, - {"2.16.840.1.114413.1.7.23.3", "2.16.840.1.114414.1.7.23.3"}, - }, - // VeriSign Class 3 Public Primary Certification Authority - // https://www.verisign.com/ - { - {{0xe7, 0x68, 0x56, 0x34, 0xef, 0xac, 0xf6, 0x9a, 0xce, 0x93, 0x9a, - 0x6b, 0x25, 0x5b, 0x7b, 0x4f, 0xab, 0xef, 0x42, 0x93, 0x5b, 0x50, - 0xa2, 0x65, 0xac, 0xb5, 0xcb, 0x60, 0x27, 0xe4, 0x4e, 0x70}}, - {"2.16.840.1.113733.1.7.23.6", ""}, - }, - // VeriSign Class 3 Public Primary Certification Authority - G4 - { - {{0x69, 0xdd, 0xd7, 0xea, 0x90, 0xbb, 0x57, 0xc9, 0x3e, 0x13, 0x5d, - 0xc8, 0x5e, 0xa6, 0xfc, 0xd5, 0x48, 0x0b, 0x60, 0x32, 0x39, 0xbd, - 0xc4, 0x54, 0xfc, 0x75, 0x8b, 0x2a, 0x26, 0xcf, 0x7f, 0x79}}, - {"2.16.840.1.113733.1.7.23.6", ""}, - }, - // VeriSign Class 3 Public Primary Certification Authority - G5 - // https://www.verisign.com/ - { - {{0x9a, 0xcf, 0xab, 0x7e, 0x43, 0xc8, 0xd8, 0x80, 0xd0, 0x6b, 0x26, - 0x2a, 0x94, 0xde, 0xee, 0xe4, 0xb4, 0x65, 0x99, 0x89, 0xc3, 0xd0, - 0xca, 0xf1, 0x9b, 0xaf, 0x64, 0x05, 0xe4, 0x1a, 0xb7, 0xdf}}, - {"2.16.840.1.113733.1.7.23.6", ""}, - }, - // VeriSign Universal Root Certification Authority - { - {{0x23, 0x99, 
0x56, 0x11, 0x27, 0xa5, 0x71, 0x25, 0xde, 0x8c, 0xef, - 0xea, 0x61, 0x0d, 0xdf, 0x2f, 0xa0, 0x78, 0xb5, 0xc8, 0x06, 0x7f, - 0x4e, 0x82, 0x82, 0x90, 0xbf, 0xb8, 0x60, 0xe8, 0x4b, 0x3c}}, - {"2.16.840.1.113733.1.7.23.6", ""}, - }, - // Wells Fargo WellsSecure Public Root Certificate Authority - // https://nerys.wellsfargo.com/test.html - { - {{0xa7, 0x12, 0x72, 0xae, 0xaa, 0xa3, 0xcf, 0xe8, 0x72, 0x7f, 0x7f, - 0xb3, 0x9f, 0x0f, 0xb3, 0xd1, 0xe5, 0x42, 0x6e, 0x90, 0x60, 0xb0, - 0x6e, 0xe6, 0xf1, 0x3e, 0x9a, 0x3c, 0x58, 0x33, 0xcd, 0x43}}, - {"2.16.840.1.114171.500.9", ""}, - }, // XRamp Global Certification Authority { {{0xce, 0xcd, 0xdc, 0x90, 0x50, 0x99, 0xd8, 0xda, 0xdf, 0xc5, 0xb1, 
@@ -763,113 +603,7 @@ EVRootCAMetadata* EVRootCAMetadata::GetInstance() { return g_ev_root_ca_metadata.Pointer(); } -#if defined(USE_NSS_CERTS) - -namespace { -// Converts a DER-encoded OID (without leading tag and length) to a SECOidTag. -// -// Returns true if it was able to find an *existing* SECOidTag (it will not -// register one if missing). -// -// Since all the EV OIDs are registered during EVRootCAMetadata's constructor, -// doing a lookup only needs to consider existing OID tags. -bool ConvertBytesToSecOidTag(const der::Input& oid, SECOidTag* out) { - SECItem item; - item.data = const_cast(oid.UnsafeData()); - item.len = oid.Length(); - *out = SECOID_FindOIDTag(&item); - return *out != SEC_OID_UNKNOWN; -} - -} // namespace - -bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { - return policy_oids_.find(policy_oid) != policy_oids_.end(); -} - -bool EVRootCAMetadata::IsEVPolicyOIDGivenBytes( - const der::Input& policy_oid) const { - SECOidTag oid_tag; - return ConvertBytesToSecOidTag(policy_oid, &oid_tag) && - IsEVPolicyOID(oid_tag); -} - -bool EVRootCAMetadata::HasEVPolicyOID(const SHA256HashValue& fingerprint, - PolicyOID policy_oid) const { - auto iter = ev_policy_.find(fingerprint); - if (iter == ev_policy_.end()) - return false; - return std::find(iter->second.begin(), iter->second.end(), policy_oid) != - iter->second.end(); -} - -bool EVRootCAMetadata::HasEVPolicyOIDGivenBytes( - const SHA256HashValue& fingerprint, - const der::Input& policy_oid) const { - SECOidTag oid_tag; - return ConvertBytesToSecOidTag(policy_oid, &oid_tag) && - HasEVPolicyOID(fingerprint, oid_tag); -} - -// static -bool EVRootCAMetadata::IsCaBrowserForumEvOid(PolicyOID policy_oid) { - // OID: 2.23.140.1.1 - const uint8_t kCabEvOid[] = {0x67, 0x81, 0x0c, 0x01, 0x01}; - SECItem item; - item.data = const_cast(&kCabEvOid[0]); - item.len = sizeof(kCabEvOid); - return policy_oid == SECOID_FindOIDTag(&item); -} - -bool EVRootCAMetadata::AddEVCA(const SHA256HashValue& 
fingerprint, - const char* policy) { - if (ev_policy_.find(fingerprint) != ev_policy_.end()) - return false; - - PolicyOID oid; - if (!RegisterOID(policy, &oid)) - return false; - - ev_policy_[fingerprint].push_back(oid); - policy_oids_.insert(oid); - - return true; -} - -bool EVRootCAMetadata::RemoveEVCA(const SHA256HashValue& fingerprint) { - auto it = ev_policy_.find(fingerprint); - if (it == ev_policy_.end()) - return false; - PolicyOID oid = it->second[0]; - ev_policy_.erase(it); - policy_oids_.erase(oid); - return true; -} - -// static -bool EVRootCAMetadata::RegisterOID(const char* policy, - PolicyOID* out) { - PRUint8 buf[64]; - SECItem oid_item; - oid_item.data = buf; - oid_item.len = sizeof(buf); - SECStatus status = SEC_StringToOID(NULL, &oid_item, policy, 0); - if (status != SECSuccess) - return false; - - // Register the OID. - SECOidData od; - od.oid.len = oid_item.len; - od.oid.data = oid_item.data; - od.offset = SEC_OID_UNKNOWN; - od.desc = policy; - od.mechanism = CKM_INVALID_MECHANISM; - od.supportedExtension = INVALID_CERT_EXTENSION; - *out = SECOID_AddEntry(&od); - return *out != SEC_OID_UNKNOWN; -} - -#elif defined(OS_WIN) +#if defined(OS_WIN) namespace { 
@@ -1084,24 +818,7 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA256HashValue& fingerprint) { EVRootCAMetadata::EVRootCAMetadata() { // Constructs the object from the raw metadata in kEvRootCaMetadata. -#if defined(USE_NSS_CERTS) - crypto::EnsureNSSInit(); - - for (const auto& ev_root : kEvRootCaMetadata) { - for (const auto& policy : ev_root.policy_oids) { - if (policy.empty()) - break; - PolicyOID policy_oid; - if (!RegisterOID(policy.data(), &policy_oid)) { - LOG(ERROR) << "Failed to register OID: " << policy; - continue; - } - - ev_policy_[ev_root.fingerprint].push_back(policy_oid); - policy_oids_.insert(policy_oid); - } - } -#elif defined(PLATFORM_USES_CHROMIUM_EV_METADATA) && !defined(OS_WIN) +#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) && !defined(OS_WIN) for (const auto& ev_root : kEvRootCaMetadata) { for (const auto& policy : ev_root.policy_oids) { if (policy.empty()) diff --git a/chromium/net/cert/ev_root_ca_metadata.h b/chromium/net/cert/ev_root_ca_metadata.h index 42daddbd8bd..b79206e9141 100644 --- a/chromium/net/cert/ev_root_ca_metadata.h +++ b/chromium/net/cert/ev_root_ca_metadata.h @@ -7,10 +7,6 @@ #include "build/build_config.h" -#if defined(USE_NSS_CERTS) -#include -#endif - #include #include #include @@ -42,9 +38,7 @@ class Input; // extended-validation (EV) certificates. class NET_EXPORT_PRIVATE EVRootCAMetadata { public: -#if defined(USE_NSS_CERTS) - typedef SECOidTag PolicyOID; -#elif defined(OS_WIN) +#if defined(OS_WIN) typedef const char* PolicyOID; #else // DER-encoded OID value (no tag or length). 
@@ -90,16 +84,7 @@ class NET_EXPORT_PRIVATE EVRootCAMetadata { EVRootCAMetadata(); ~EVRootCAMetadata(); -#if defined(USE_NSS_CERTS) - using PolicyOIDMap = std::map>; - - // RegisterOID registers |policy|, a policy OID in dotted string form, and - // writes the memoized form to |*out|. It returns true on success. - static bool RegisterOID(const char* policy, PolicyOID* out); - - PolicyOIDMap ev_policy_; - std::set policy_oids_; -#elif defined(OS_WIN) +#if defined(OS_WIN) using ExtraEVCAMap = std::map; // extra_cas_ contains any EV CA metadata that was added at runtime. diff --git a/chromium/net/cert/ev_root_ca_metadata_unittest.cc b/chromium/net/cert/ev_root_ca_metadata_unittest.cc index bb69645df5e..56ffc5e643e 100644 --- a/chromium/net/cert/ev_root_ca_metadata_unittest.cc +++ b/chromium/net/cert/ev_root_ca_metadata_unittest.cc 
@@ -10,132 +10,74 @@ #include "net/test/cert_test_util.h" #include "testing/gtest/include/gtest/gtest.h" -#if defined(USE_NSS_CERTS) -#include "crypto/nss_util.h" -#include "crypto/scoped_nss_types.h" -#endif - namespace net { namespace { -#if defined(USE_NSS_CERTS) || defined(OS_WIN) -const char kVerisignPolicyStr[] = "2.16.840.1.113733.1.7.23.6"; -const char kThawtePolicyStr[] = "2.16.840.1.113733.1.7.48.1"; +#if defined(OS_WIN) const char kFakePolicyStr[] = "2.16.840.1.42"; const char kCabEvPolicyStr[] = "2.23.140.1.1"; -#elif defined(OS_MACOSX) +const char kStarfieldPolicyStr[] = "2.16.840.1.114414.1.7.23.3"; +#elif defined(PLATFORM_USES_CHROMIUM_EV_METADATA) const char kFakePolicyStr[] = "2.16.840.1.42"; #endif -#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX) +#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) // DER OID values (no tag or length). -const uint8_t kVerisignPolicyBytes[] = {0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, - 0x45, 0x01, 0x07, 0x17, 0x06}; -const uint8_t kThawtePolicyBytes[] = {0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, - 0x45, 0x01, 0x07, 0x30, 0x01}; const uint8_t kFakePolicyBytes[] = {0x60, 0x86, 0x48, 0x01, 0x2a}; const uint8_t kCabEvPolicyBytes[] = {0x67, 0x81, 0x0c, 0x01, 0x01}; +const uint8_t kStarfieldPolicyBytes[] = {0x60, 0x86, 0x48, 0x01, 0x86, 0xFD, + 0x6E, 0x01, 0x07, 0x17, 0x03}; -const SHA256HashValue kVerisignFingerprint = { - {0xe7, 0x68, 0x56, 0x34, 0xef, 0xac, 0xf6, 0x9a, 0xce, 0x93, 0x9a, - 0x6b, 0x25, 0x5b, 0x7b, 0x4f, 0xab, 0xef, 0x42, 0x93, 0x5b, 0x50, - 0xa2, 0x65, 0xac, 0xb5, 0xcb, 0x60, 0x27, 0xe4, 0x4e, 0x70}}; const SHA256HashValue kFakeFingerprint = { {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}}; +const SHA256HashValue kStarfieldFingerprint = { + {0x14, 0x65, 0xfa, 0x20, 0x53, 0x97, 0xb8, 0x76, 0xfa, 0xa6, 0xf0, + 0xa9, 0x95, 0x8e, 0x55, 0x90, 0xe4, 0x0f, 
0xcc, 0x7f, 0xaa, 0x4f, + 0xb7, 0xc2, 0xc8, 0x67, 0x75, 0x21, 0xfb, 0x5f, 0xb6, 0x58}}; class EVOidData { public: EVOidData(); bool Init(); - EVRootCAMetadata::PolicyOID verisign_policy; - der::Input verisign_policy_bytes; - - EVRootCAMetadata::PolicyOID thawte_policy; - der::Input thawte_policy_bytes; - EVRootCAMetadata::PolicyOID fake_policy; der::Input fake_policy_bytes; EVRootCAMetadata::PolicyOID cab_ev_policy; der::Input cab_ev_policy_bytes; -}; - -#endif // defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX) - -#if defined(USE_NSS_CERTS) - -SECOidTag RegisterOID(PLArenaPool* arena, const char* oid_string) { - SECOidData oid_data; - memset(&oid_data, 0, sizeof(oid_data)); - oid_data.offset = SEC_OID_UNKNOWN; - oid_data.desc = oid_string; - oid_data.mechanism = CKM_INVALID_MECHANISM; - oid_data.supportedExtension = INVALID_CERT_EXTENSION; - SECStatus rv = SEC_StringToOID(arena, &oid_data.oid, oid_string, 0); - if (rv != SECSuccess) - return SEC_OID_UNKNOWN; - - return SECOID_AddEntry(&oid_data); -} - -EVOidData::EVOidData() - : verisign_policy(SEC_OID_UNKNOWN), - verisign_policy_bytes(kVerisignPolicyBytes), - thawte_policy(SEC_OID_UNKNOWN), - thawte_policy_bytes(kThawtePolicyBytes), - fake_policy(SEC_OID_UNKNOWN), - fake_policy_bytes(kFakePolicyBytes), - cab_ev_policy(SEC_OID_UNKNOWN), - cab_ev_policy_bytes(kCabEvPolicyBytes) {} + EVRootCAMetadata::PolicyOID starfield_policy; + der::Input starfield_policy_bytes; +}; -bool EVOidData::Init() { - crypto::EnsureNSSInit(); - crypto::ScopedPLArenaPool pool(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); - if (!pool.get()) - return false; - - verisign_policy = RegisterOID(pool.get(), kVerisignPolicyStr); - thawte_policy = RegisterOID(pool.get(), kThawtePolicyStr); - fake_policy = RegisterOID(pool.get(), kFakePolicyStr); - cab_ev_policy = RegisterOID(pool.get(), kCabEvPolicyStr); - - return verisign_policy != SEC_OID_UNKNOWN && - thawte_policy != SEC_OID_UNKNOWN && fake_policy != SEC_OID_UNKNOWN && - cab_ev_policy 
!= SEC_OID_UNKNOWN; -} +#endif // defined(PLATFORM_USES_CHROMIUM_EV_METADATA) -#elif defined(OS_WIN) +#if defined(OS_WIN) EVOidData::EVOidData() - : verisign_policy(kVerisignPolicyStr), - verisign_policy_bytes(kVerisignPolicyBytes), - thawte_policy(kThawtePolicyStr), - thawte_policy_bytes(kThawtePolicyBytes), - fake_policy(kFakePolicyStr), + : fake_policy(kFakePolicyStr), fake_policy_bytes(kFakePolicyBytes), cab_ev_policy(kCabEvPolicyStr), - cab_ev_policy_bytes(kCabEvPolicyBytes) {} + cab_ev_policy_bytes(kCabEvPolicyBytes), + starfield_policy(kStarfieldPolicyStr), + starfield_policy_bytes(kStarfieldPolicyBytes) {} bool EVOidData::Init() { return true; } -#elif defined(OS_MACOSX) +#elif defined(PLATFORM_USES_CHROMIUM_EV_METADATA) EVOidData::EVOidData() - : verisign_policy(kVerisignPolicyBytes), - verisign_policy_bytes(kVerisignPolicyBytes), - thawte_policy(kThawtePolicyBytes), - thawte_policy_bytes(kThawtePolicyBytes), - fake_policy(kFakePolicyBytes), + : fake_policy(kFakePolicyBytes), fake_policy_bytes(kFakePolicyBytes), cab_ev_policy(kCabEvPolicyBytes), - cab_ev_policy_bytes(kCabEvPolicyBytes) {} + cab_ev_policy_bytes(kCabEvPolicyBytes), + starfield_policy(kStarfieldPolicyBytes), + starfield_policy_bytes(kStarfieldPolicyBytes) {} bool EVOidData::Init() { return true; @@ -143,7 +85,7 @@ bool EVOidData::Init() { #endif -#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX) +#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) class EVRootCAMetadataTest : public testing::Test { protected: 
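Review bot: The `#if defined(OS_WIN)` block that defines `EVOidData::EVOidData()` and `EVOidData::Init()` is not nested inside the `PLATFORM_USES_CHROMIUM_EV_METADATA` guard that now encloses the `EVOidData` class declaration and the `k*PolicyBytes` arrays. A Windows build without that macro would therefore define members of an undeclared class and reference undeclared arrays. This compiles only if the macro is always defined on Windows, which the hunk does not show. Making the dependency explicit would remove the assumption, e.g. `#if defined(PLATFORM_USES_CHROMIUM_EV_METADATA) && defined(OS_WIN)` for that block, with the existing `#elif` left as is. The same reasoning applies to the string constants at the top of the hunk, where the `OS_WIN` branch is tested before the macro.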
@@ -155,43 +97,51 @@ class EVRootCAMetadataTest : public testing::Test { TEST_F(EVRootCAMetadataTest, Basic) { EVRootCAMetadata* ev_metadata(EVRootCAMetadata::GetInstance()); - EXPECT_TRUE(ev_metadata->IsEVPolicyOID(ev_oid_data.verisign_policy)); + // Contains an expected policy. + EXPECT_TRUE(ev_metadata->IsEVPolicyOID(ev_oid_data.starfield_policy)); EXPECT_TRUE( - ev_metadata->IsEVPolicyOIDGivenBytes(ev_oid_data.verisign_policy_bytes)); + ev_metadata->IsEVPolicyOIDGivenBytes(ev_oid_data.starfield_policy_bytes)); + // Does not contain an unregistered policy. EXPECT_FALSE(ev_metadata->IsEVPolicyOID(ev_oid_data.fake_policy)); EXPECT_FALSE( ev_metadata->IsEVPolicyOIDGivenBytes(ev_oid_data.fake_policy_bytes)); - EXPECT_TRUE(ev_metadata->HasEVPolicyOID(kVerisignFingerprint, - ev_oid_data.verisign_policy)); + // The policy is correct for the right root. + EXPECT_TRUE(ev_metadata->HasEVPolicyOID(kStarfieldFingerprint, + ev_oid_data.starfield_policy)); EXPECT_TRUE(ev_metadata->HasEVPolicyOIDGivenBytes( - kVerisignFingerprint, ev_oid_data.verisign_policy_bytes)); + kStarfieldFingerprint, ev_oid_data.starfield_policy_bytes)); + // The policy does not match if the root does not match. EXPECT_FALSE(ev_metadata->HasEVPolicyOID(kFakeFingerprint, - ev_oid_data.verisign_policy)); + ev_oid_data.starfield_policy)); EXPECT_FALSE(ev_metadata->HasEVPolicyOIDGivenBytes( - kFakeFingerprint, ev_oid_data.verisign_policy_bytes)); + kFakeFingerprint, ev_oid_data.starfield_policy_bytes)); - EXPECT_FALSE(ev_metadata->HasEVPolicyOID(kVerisignFingerprint, + // The expected root only has the expected policies; it should fail to match + // the root against both unknown policies as well as policies associated + // with other roots. 
+ EXPECT_FALSE(ev_metadata->HasEVPolicyOID(kStarfieldFingerprint, ev_oid_data.fake_policy)); EXPECT_FALSE(ev_metadata->HasEVPolicyOIDGivenBytes( - kVerisignFingerprint, ev_oid_data.fake_policy_bytes)); + kStarfieldFingerprint, ev_oid_data.fake_policy_bytes)); - EXPECT_FALSE(ev_metadata->HasEVPolicyOID(kVerisignFingerprint, - ev_oid_data.thawte_policy)); + EXPECT_FALSE(ev_metadata->HasEVPolicyOID(kStarfieldFingerprint, + ev_oid_data.cab_ev_policy)); EXPECT_FALSE(ev_metadata->HasEVPolicyOIDGivenBytes( - kVerisignFingerprint, ev_oid_data.thawte_policy_bytes)); + kStarfieldFingerprint, ev_oid_data.cab_ev_policy_bytes)); // Test a completely bogus OID given bytes. const uint8_t bad_oid[] = {0}; - EXPECT_FALSE(ev_metadata->HasEVPolicyOIDGivenBytes(kVerisignFingerprint, + EXPECT_FALSE(ev_metadata->HasEVPolicyOIDGivenBytes(kStarfieldFingerprint, der::Input(bad_oid))); } TEST_F(EVRootCAMetadataTest, AddRemove) { EVRootCAMetadata* ev_metadata(EVRootCAMetadata::GetInstance()); + // An unregistered/junk policy should not work. EXPECT_FALSE(ev_metadata->IsEVPolicyOID(ev_oid_data.fake_policy)); EXPECT_FALSE( ev_metadata->IsEVPolicyOIDGivenBytes(ev_oid_data.fake_policy_bytes)); @@ -202,6 +152,8 @@ TEST_F(EVRootCAMetadataTest, AddRemove) { kFakeFingerprint, ev_oid_data.fake_policy_bytes)); { + // However, this unregistered/junk policy can be temporarily registered + // and made to work. ScopedTestEVPolicy test_ev_policy(ev_metadata, kFakeFingerprint, kFakePolicyStr); @@ -215,6 +167,7 @@ TEST_F(EVRootCAMetadataTest, AddRemove) { kFakeFingerprint, ev_oid_data.fake_policy_bytes)); } + // It should go out of scope when the ScopedTestEVPolicy goes out of scope. EXPECT_FALSE(ev_metadata->IsEVPolicyOID(ev_oid_data.fake_policy)); EXPECT_FALSE( ev_metadata->IsEVPolicyOIDGivenBytes(ev_oid_data.fake_policy_bytes)); 
@@ -232,10 +185,10 @@ TEST_F(EVRootCAMetadataTest, IsCaBrowserForumEvOid) { EXPECT_FALSE( EVRootCAMetadata::IsCaBrowserForumEvOid(ev_oid_data.fake_policy)); EXPECT_FALSE( - EVRootCAMetadata::IsCaBrowserForumEvOid(ev_oid_data.verisign_policy)); + EVRootCAMetadata::IsCaBrowserForumEvOid(ev_oid_data.starfield_policy)); } -#endif // defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX) +#endif // defined(PLATFORM_USES_CHROMIUM_EV_METADATA) } // namespace diff --git a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc index cb1718673a1..3d3e00ed321 100644 --- a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc +++ b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc @@ -5,6 +5,7 @@ #include #include +#include "base/macros.h" #include "net/cert/internal/parse_certificate.h" #include "net/der/input.h" diff --git a/chromium/net/cert/internal/parsed_certificate.h b/chromium/net/cert/internal/parsed_certificate.h index c83cebe57c5..a5ad843e001 100644 --- a/chromium/net/cert/internal/parsed_certificate.h +++ b/chromium/net/cert/internal/parsed_certificate.h @@ -9,7 +9,7 @@ #include #include -#include "base/logging.h" +#include "base/check.h" #include "base/memory/ref_counted.h" #include "net/base/net_export.h" #include "net/cert/internal/certificate_policies.h" diff --git a/chromium/net/cert/internal/path_builder.cc b/chromium/net/cert/internal/path_builder.cc index ccd89249ab4..568497b7b4a 100644 --- a/chromium/net/cert/internal/path_builder.cc +++ b/chromium/net/cert/internal/path_builder.cc @@ -10,6 +10,7 @@ #include "base/logging.h" #include "base/metrics/histogram_functions.h" +#include "base/notreached.h" #include "base/strings/string_number_conversions.h" #include "crypto/sha2.h" #include "net/base/net_errors.h" 
diff --git a/chromium/net/cert/internal/path_builder_pkits_unittest.cc b/chromium/net/cert/internal/path_builder_pkits_unittest.cc index dca35a8cb0a..b6daaaf0a17 100644 --- a/chromium/net/cert/internal/path_builder_pkits_unittest.cc +++ b/chromium/net/cert/internal/path_builder_pkits_unittest.cc @@ -114,7 +114,9 @@ class PathBuilderPkitsTestDelegate { public: static void RunTest(std::vector cert_ders, std::vector crl_ders, - const PkitsTestInfo& info) { + const PkitsTestInfo& orig_info) { + PkitsTestInfo info = orig_info; + ASSERT_FALSE(cert_ders.empty()); ParsedCertificateList certs; for (const std::string& der : cert_ders) { 
@@ -139,28 +141,71 @@ class PathBuilderPkitsTestDelegate { scoped_refptr target_cert(certs.back()); + base::Time verify_time; + ASSERT_TRUE(der::GeneralizedTimeToTime(info.time, &verify_time)); + CrlCheckingPathBuilderDelegate path_builder_delegate( + crl_ders, verify_time, /*max_age=*/base::TimeDelta::FromDays(365 * 2), + 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + base::StringPiece test_number = info.test_number; - std::unique_ptr path_builder_delegate; if (test_number == "4.4.19" || test_number == "4.5.3" || test_number == "4.5.4" || test_number == "4.5.6") { - // TODO(https://crbug.com/749276): extend CRL support: These tests - // require better CRL issuer cert discovery & path building and/or - // issuingDistributionPoint extension handling. Disable CRL checking for - // them for now. Maybe should just run these with CRL checking enabled - // and expect them to fail? - path_builder_delegate = std::make_unique( - 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); - } else { - base::Time verify_time; - ASSERT_TRUE(der::GeneralizedTimeToTime(info.time, &verify_time)); - path_builder_delegate = std::make_unique( - crl_ders, verify_time, /*max_age=*/base::TimeDelta::FromDays(365 * 2), - 1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1); + // 4.4.19 - fails since CRL is signed by a certificate that is not part + // of the verified chain, which is not supported. 
+ // 4.5.3 - fails since non-URI distribution point names are not supported + // 4.5.4, 4.5.6 - fails since CRL is signed by a certificate that is not + // part of verified chain, and also non-URI distribution + // point names not supported + info.should_validate = false; + } else if (test_number == "4.14.1" || test_number == "4.14.4" || + test_number == "4.14.5" || test_number == "4.14.7" || + test_number == "4.14.18" || test_number == "4.14.19" || + test_number == "4.14.22" || test_number == "4.14.24" || + test_number == "4.14.25" || test_number == "4.14.28" || + test_number == "4.14.29" || test_number == "4.14.30" || + test_number == "4.14.33") { + // 4.14 tests: + // .1 - fails since non-URI distribution point names not supported + // .2, .3 - fails since non-URI distribution point names not supported + // (but test is expected to fail for other reason) + // .4, .5 - fails since non-URI distribution point names not supported, + // also uses nameRelativeToCRLIssuer which is not supported + // .6 - fails since non-URI distribution point names not supported, also + // uses nameRelativeToCRLIssuer which is not supported (but test is + // expected to fail for other reason) + // .7 - fails since relative distributionPointName not supported + // .8, .9 - fails since relative distributionPointName not supported (but + // test is expected to fail for other reason) + // .10, .11, .12, .13, .14, .27, .35 - PASS + // .15, .16, .17, .20, .21 - fails since onlySomeReasons is not supported + // (but test is expected to fail for other + // reason) + // .18, .19 - fails since onlySomeReasons is not supported + // .22, .24, .25, .28, .29, .30, .33 - fails since indirect CRLs are not + // supported + // .23, .26, .31, .32, .34 - fails since indirect CRLs are not supported + // (but test is expected to fail for other + // reason) + info.should_validate = false; + } else if (test_number == "4.15.1" || test_number == "4.15.5") { + // 4.15 tests: + // .1 - fails due to unhandled 
critical deltaCRLIndicator extension + // .2, .3, .6, .7, .8, .9, .10 - PASS since expected cert status is + // reflected in base CRL and delta CRL is + // ignored + // .5 - fails, cert status is "on hold" in base CRL but the delta CRL + // which removes the cert from CRL is ignored + info.should_validate = false; + } else if (test_number == "4.15.4") { + // 4.15.4 - Invalid delta-CRL Test4 has the target cert marked revoked in + // a delta-CRL. Since delta-CRLs are not supported, the chain validates + // successfully. + info.should_validate = true; } CertPathBuilder path_builder( - std::move(target_cert), &trust_store, path_builder_delegate.get(), - info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy, + std::move(target_cert), &trust_store, &path_builder_delegate, info.time, + KeyPurpose::ANY_EKU, info.initial_explicit_policy, info.initial_policy_set, info.initial_policy_mapping_inhibit, info.initial_inhibit_any_policy); path_builder.AddCertIssuerSource(&cert_issuer_source); @@ -227,13 +272,14 @@ INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest13NameConstraints, PathBuilderPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, + PkitsTest14DistributionPoints, + PathBuilderPkitsTestDelegate); +INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, + PkitsTest15DeltaCRLs, + PathBuilderPkitsTestDelegate); INSTANTIATE_TYPED_TEST_SUITE_P(PathBuilder, PkitsTest16PrivateCertificateExtensions, PathBuilderPkitsTestDelegate); -// TODO(https://crbug.com/749276): extend CRL support?: -// PkitsTest14DistributionPoints: indirect CRLs and reason codes are not -// supported. -// PkitsTest15DeltaCRLs: Delta CRLs are not supported. - } // namespace net diff --git a/chromium/net/cert/internal/system_trust_store.cc b/chromium/net/cert/internal/system_trust_store.cc index f3737ebd167..0f0d3332b5a 100644 --- a/chromium/net/cert/internal/system_trust_store.cc +++ b/chromium/net/cert/internal/system_trust_store.cc 
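Review bot: The `4.15.4` branch in `RunTest` sets `info.should_validate = true`, which records as expected behaviour that a certificate revoked only in a delta-CRL passes path validation. The next hunk in this file also deletes the `TODO(https://crbug.com/749276)` comment that tracked the missing CRL features. A later reader cannot tell from the test that this is a known gap rather than intended policy, so I would keep the tracking reference on that branch: `// TODO(https://crbug.com/749276): delta-CRLs are ignored, so this revoked cert validates; expect failure once supported.` The 4.4.19/4.5.x, 4.14 and 4.15.1/4.15.5 branches override in the safe direction (valid chains rejected) and matter less, but the same reference would help there. `RunTest` starts above this hunk and continues past it.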
@@ -19,6 +19,7 @@ #include "base/files/file_path.h" #include "base/files/file_util.h" +#include "base/logging.h" #include "base/no_destructor.h" #include "build/build_config.h" #include "net/cert/internal/cert_errors.h" diff --git a/chromium/net/cert/internal/trust_store_mac_unittest.cc b/chromium/net/cert/internal/trust_store_mac_unittest.cc index dd79ef376b5..7c5ff55227e 100644 --- a/chromium/net/cert/internal/trust_store_mac_unittest.cc +++ b/chromium/net/cert/internal/trust_store_mac_unittest.cc @@ -7,6 +7,7 @@ #include "base/base_paths.h" #include "base/files/file_util.h" #include "base/files/scoped_temp_dir.h" +#include "base/logging.h" #include "base/path_service.h" #include "base/process/launch.h" #include "base/strings/string_split.h" diff --git a/chromium/net/cert/internal/trust_store_nss.cc b/chromium/net/cert/internal/trust_store_nss.cc index e4cf9e3a94a..4b0ba6e5457 100644 --- a/chromium/net/cert/internal/trust_store_nss.cc +++ b/chromium/net/cert/internal/trust_store_nss.cc @@ -7,6 +7,7 @@ #include #include +#include "base/logging.h" #include "crypto/nss_util.h" #include "net/cert/internal/cert_errors.h" #include "net/cert/internal/parsed_certificate.h" diff --git a/chromium/net/cert/known_roots_mac.cc b/chromium/net/cert/known_roots_mac.cc index 72ed07f027a..dfcaecd73d3 100644 --- a/chromium/net/cert/known_roots_mac.cc +++ b/chromium/net/cert/known_roots_mac.cc @@ -10,6 +10,7 @@ #include #include "base/lazy_instance.h" +#include "base/logging.h" #include "crypto/mac_security_services_lock.h" #include "net/cert/x509_util_mac.h" diff --git a/chromium/net/cert/multi_threaded_cert_verifier.cc b/chromium/net/cert/multi_threaded_cert_verifier.cc index 8b0ff51d732..f2546d9187d 100644 --- a/chromium/net/cert/multi_threaded_cert_verifier.cc +++ b/chromium/net/cert/multi_threaded_cert_verifier.cc 
@@ -22,6 +22,10 @@ #include "net/log/net_log_source_type.h" #include "net/log/net_log_with_source.h" +#if defined(USE_NSS_CERTS) +#include "net/cert/x509_util_nss.h" +#endif + namespace net { // Allows DoVerifyOnWorkerThread to wait on a base::WaitableEvent. @@ -232,6 +236,21 @@ void MultiThreadedCertVerifier::SetConfig(const CertVerifier::Config& config) { << "Attempted to set a CertVerifier::Config with additional trust " "anchors, but |verify_proc_| does not support additional trust " "anchors."; + +// TODO(https://crbug.com/978854): Pass these into the actual CertVerifyProc +// rather than relying on global side-effects. +#if !defined(USE_NSS_CERTS) + // Not yet implemented. + DCHECK(config.additional_untrusted_authorities.empty()); +#else + for (const auto& cert : config.additional_untrusted_authorities) { + ScopedCERTCertificate x509_cert = + x509_util::CreateCERTCertificateFromX509Certificate(cert.get()); + DCHECK(x509_cert); + temp_certs_.push_back(std::move(x509_cert)); + } +#endif + config_ = config; if (!config_.crl_set) config_.crl_set = CRLSet::BuiltinCRLSet(); diff --git a/chromium/net/cert/multi_threaded_cert_verifier.h b/chromium/net/cert/multi_threaded_cert_verifier.h index ef8225bc878..82b750a42f8 100644 --- a/chromium/net/cert/multi_threaded_cert_verifier.h +++ b/chromium/net/cert/multi_threaded_cert_verifier.h @@ -18,6 +18,10 @@ #include "net/base/net_export.h" #include "net/cert/cert_verifier.h" +#if defined(USE_NSS_CERTS) +#include "net/cert/scoped_nss_types.h" +#endif + namespace net { class CertVerifyProc; 
@@ -48,6 +52,14 @@ class NET_EXPORT_PRIVATE MultiThreadedCertVerifier : public CertVerifier { base::LinkedList request_list_; +#if defined(USE_NSS_CERTS) + // Holds NSS temporary certificates that will be exposed as untrusted + // authorities by SystemCertStoreNSS. + // TODO(https://crbug.com/978854): Pass these into the actual CertVerifyProc + // rather than relying on global side-effects. + net::ScopedCERTCertificateList temp_certs_; +#endif + THREAD_CHECKER(thread_checker_); DISALLOW_COPY_AND_ASSIGN(MultiThreadedCertVerifier); diff --git a/chromium/net/cert/test_keychain_search_list_mac.h b/chromium/net/cert/test_keychain_search_list_mac.h index 4ae25729c93..48edf89d979 100644 --- a/chromium/net/cert/test_keychain_search_list_mac.h +++ b/chromium/net/cert/test_keychain_search_list_mac.h @@ -5,6 +5,8 @@ #ifndef NET_CERT_TEST_KEYCHAIN_SEARCH_LIST_MAC_H_ #define NET_CERT_TEST_KEYCHAIN_SEARCH_LIST_MAC_H_ +#include + #include #include diff --git a/chromium/net/cert/test_root_certs.h b/chromium/net/cert/test_root_certs.h index c0be7b78328..756379fb9b7 100644 --- a/chromium/net/cert/test_root_certs.h +++ b/chromium/net/cert/test_root_certs.h @@ -12,11 +12,7 @@ #include "net/base/net_export.h" #include "net/cert/internal/trust_store_in_memory.h" -#if defined(USE_NSS_CERTS) -#include -#include -#include "net/cert/scoped_nss_types.h" -#elif defined(OS_WIN) +#if defined(OS_WIN) #include #include "base/win/wincrypt_shim.h" #elif defined(OS_MACOSX) @@ -62,10 +58,7 @@ class NET_EXPORT TestRootCerts { // Returns true if there are no certificates that have been marked trusted. bool IsEmpty() const; -#if defined(USE_NSS_CERTS) - bool Contains(CERTCertificate* cert) const; - TrustStore* test_trust_store() { return &test_trust_store_; } -#elif defined(OS_MACOSX) +#if defined(OS_MACOSX) CFArrayRef temporary_roots() const { return temporary_roots_; } // Modifies the root certificates of |trust_ref| to include the 
@@ -82,7 +75,7 @@ class NET_EXPORT TestRootCerts { // engine is appropriate. The caller is responsible for freeing the // returned HCERTCHAINENGINE. HCERTCHAINENGINE GetChainEngine() const; -#elif defined(OS_FUCHSIA) +#elif defined(OS_FUCHSIA) || defined(OS_LINUX) || defined(OS_CHROMEOS) TrustStore* test_trust_store() { return &test_trust_store_; } #endif 
@@ -95,46 +88,17 @@ class NET_EXPORT TestRootCerts { // Performs platform-dependent initialization. void Init(); -#if defined(USE_NSS_CERTS) - // TrustEntry is used to store the original CERTCertificate and CERTCertTrust - // for a certificate whose trust status has been changed by the - // TestRootCerts. - class TrustEntry { - public: - // Creates a new TrustEntry by incrementing the reference to |certificate| - // and copying |trust|. - TrustEntry(ScopedCERTCertificate certificate, const CERTCertTrust& trust); - ~TrustEntry(); - - CERTCertificate* certificate() const { return certificate_.get(); } - const CERTCertTrust& trust() const { return trust_; } - - private: - // The temporary root certificate. - ScopedCERTCertificate certificate_; - - // The original trust settings, before |certificate_| was manipulated to - // be a temporarily trusted root. - CERTCertTrust trust_; - - DISALLOW_COPY_AND_ASSIGN(TrustEntry); - }; - - // It is necessary to maintain a cache of the original certificate trust - // settings, in order to restore them when Clear() is called. - std::vector> trust_cache_; - - TrustStoreInMemory test_trust_store_; -#elif defined(OS_WIN) +#if defined(OS_WIN) HCERTSTORE temporary_roots_; #elif defined(OS_MACOSX) base::ScopedCFTypeRef temporary_roots_; TrustStoreInMemory test_trust_store_; -#elif defined(OS_FUCHSIA) +#elif defined(OS_FUCHSIA) || defined(OS_LINUX) || defined(OS_CHROMEOS) TrustStoreInMemory test_trust_store_; #endif -#if defined(OS_WIN) || defined(OS_ANDROID) || defined(OS_FUCHSIA) +#if defined(OS_WIN) || defined(OS_ANDROID) || defined(OS_FUCHSIA) || \ + defined(OS_LINUX) || defined(OS_CHROMEOS) // True if there are no temporarily trusted root certificates. bool empty_ = true; #endif diff --git a/chromium/net/cert/test_root_certs_builtin.cc b/chromium/net/cert/test_root_certs_builtin.cc new file mode 100644 index 00000000000..3bf05c8f34b --- /dev/null +++ b/chromium/net/cert/test_root_certs_builtin.cc 
@@ -0,0 +1,46 @@ +// Copyright 2017 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/test_root_certs.h" + +#include "base/location.h" +#include "base/logging.h" +#include "net/cert/internal/cert_errors.h" +#include "net/cert/internal/parsed_certificate.h" +#include "net/cert/x509_certificate.h" +#include "net/cert/x509_util.h" +#include "third_party/boringssl/src/include/openssl/pool.h" + +namespace net { + +bool TestRootCerts::Add(X509Certificate* certificate) { + CertErrors errors; + auto parsed = + ParsedCertificate::Create(bssl::UpRef(certificate->cert_buffer()), + ParseCertificateOptions(), &errors); + if (!parsed) { + LOG(ERROR) << "Failed to parse DER certificate: " << errors.ToDebugString(); + return false; + } + test_trust_store_.AddTrustAnchor(parsed); + empty_ = false; + return true; +} + +void TestRootCerts::Clear() { + test_trust_store_.Clear(); + empty_ = true; +} + +bool TestRootCerts::IsEmpty() const { + return empty_; +} + +TestRootCerts::~TestRootCerts() {} + +void TestRootCerts::Init() { + empty_ = true; +} + +} // namespace net diff --git a/chromium/net/cert/test_root_certs_fuchsia.cc b/chromium/net/cert/test_root_certs_fuchsia.cc deleted file mode 100644 index 3bf05c8f34b..00000000000 --- a/chromium/net/cert/test_root_certs_fuchsia.cc +++ /dev/null 
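Review bot: `TestRootCerts::Add` in the new builtin file parses with a default-constructed `ParseCertificateOptions()`, while the NSS implementation deleted in this commit parsed the same buffer with `x509_util::DefaultParseCertificateOptions()`. `test_root_certs.h` now routes `OS_LINUX` and `OS_CHROMEOS` to this implementation, so a test root the old path accepted may be rejected here if the two option sets differ (presumably in leniency about serial numbers; worth confirming). If test roots should be parsed the same way as before, pass `x509_util::DefaultParseCertificateOptions()` to `ParsedCertificate::Create`. Otherwise add a one-line comment there saying the strict parse is deliberate.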
@@ -1,46 +0,0 @@ -// Copyright 2017 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/cert/test_root_certs.h" - -#include "base/location.h" -#include "base/logging.h" -#include "net/cert/internal/cert_errors.h" -#include "net/cert/internal/parsed_certificate.h" -#include "net/cert/x509_certificate.h" -#include "net/cert/x509_util.h" -#include "third_party/boringssl/src/include/openssl/pool.h" - -namespace net { - -bool TestRootCerts::Add(X509Certificate* certificate) { - CertErrors errors; - auto parsed = - ParsedCertificate::Create(bssl::UpRef(certificate->cert_buffer()), - ParseCertificateOptions(), &errors); - if (!parsed) { - LOG(ERROR) << "Failed to parse DER certificate: " << errors.ToDebugString(); - return false; - } - test_trust_store_.AddTrustAnchor(parsed); - empty_ = false; - return true; -} - -void TestRootCerts::Clear() { - test_trust_store_.Clear(); - empty_ = true; -} - -bool TestRootCerts::IsEmpty() const { - return empty_; -} - -TestRootCerts::~TestRootCerts() {} - -void TestRootCerts::Init() { - empty_ = true; -} - -} // namespace net diff --git a/chromium/net/cert/test_root_certs_nss.cc b/chromium/net/cert/test_root_certs_nss.cc deleted file mode 100644 index a04885edbb8..00000000000 --- a/chromium/net/cert/test_root_certs_nss.cc +++ /dev/null 
@@ -1,120 +0,0 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/cert/test_root_certs.h" - -#include - -#include "base/logging.h" -#include "base/macros.h" -#include "crypto/nss_util.h" -#include "net/cert/internal/cert_errors.h" -#include "net/cert/x509_certificate.h" -#include "net/cert/x509_util.h" -#include "net/cert/x509_util_nss.h" -#include "third_party/boringssl/src/include/openssl/pool.h" - -namespace net { - -TestRootCerts::TrustEntry::TrustEntry(ScopedCERTCertificate certificate, - const CERTCertTrust& trust) - : certificate_(std::move(certificate)), trust_(trust) {} - -TestRootCerts::TrustEntry::~TrustEntry() = default; - -bool TestRootCerts::Add(X509Certificate* certificate) { - ScopedCERTCertificate cert_handle = - x509_util::CreateCERTCertificateFromX509Certificate(certificate); - if (!cert_handle) - return false; - // Preserve the original trust bits so that they can be restored when - // the certificate is removed. - CERTCertTrust original_trust; - SECStatus rv = CERT_GetCertTrust(cert_handle.get(), &original_trust); - if (rv != SECSuccess) { - // CERT_GetCertTrust will fail if the certificate does not have any - // particular trust settings associated with it, and attempts to use - // |original_trust| later to restore the original trust settings will not - // cause the trust settings to be revoked. If the certificate has no - // particular trust settings associated with it, mark the certificate as - // a valid CA certificate with no specific trust. - rv = CERT_DecodeTrustString(&original_trust, "c,c,c"); - } - - // Change the trust bits to unconditionally trust this certificate. 
- CERTCertTrust new_trust; - rv = CERT_DecodeTrustString(&new_trust, "TCPu,Cu,Tu"); - if (rv != SECSuccess) { - LOG(ERROR) << "Cannot decode certificate trust string."; - return false; - } - - rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert_handle.get(), - &new_trust); - if (rv != SECSuccess) { - LOG(ERROR) << "Cannot change certificate trust."; - return false; - } - - trust_cache_.push_back( - std::make_unique(std::move(cert_handle), original_trust)); - - // Add the certificate to the parallel |test_trust_store_|. TrustStoreNSS - // ignores temporary certs, so it won't see the cert that was added above. - // (See https://crbug.com/951166) - // TODO(https://crbug.com/951479): remove this when the istemp check is - // removed from TrustStoreNSS. - CertErrors errors; - scoped_refptr parsed = ParsedCertificate::Create( - bssl::UpRef(certificate->cert_buffer()), - x509_util::DefaultParseCertificateOptions(), &errors); - if (!parsed) - return false; - test_trust_store_.AddTrustAnchor(parsed); - - return true; -} - -void TestRootCerts::Clear() { - // Restore the certificate trusts to what they were originally, before - // Add() was called. Work from the rear first, since if a certificate was - // added twice, the second entry's original trust status will be that of - // the first entry, while the first entry contains the desired resultant - // status. - for (auto it = trust_cache_.rbegin(); it != trust_cache_.rend(); ++it) { - CERTCertTrust original_trust = (*it)->trust(); - SECStatus rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), - (*it)->certificate(), - &original_trust); - // DCHECK(), rather than LOG(), as a failure to restore the original - // trust can cause flake or hard-to-trace errors in any unit tests that - // occur after Clear() has been called. 
- DCHECK_EQ(SECSuccess, rv) << "Cannot restore certificate trust."; - } - trust_cache_.clear(); - - test_trust_store_.Clear(); -} - -bool TestRootCerts::IsEmpty() const { - return trust_cache_.empty(); -} - -bool TestRootCerts::Contains(CERTCertificate* cert) const { - for (const auto& item : trust_cache_) - if (x509_util::IsSameCertificate(cert, item->certificate())) - return true; - - return false; -} - -TestRootCerts::~TestRootCerts() { - Clear(); -} - -void TestRootCerts::Init() { - crypto::EnsureNSSInit(); -} - -} // namespace net diff --git a/chromium/net/cert/test_root_certs_unittest.cc b/chromium/net/cert/test_root_certs_unittest.cc index f65174ddf68..983c88c3b80 100644 --- a/chromium/net/cert/test_root_certs_unittest.cc +++ b/chromium/net/cert/test_root_certs_unittest.cc @@ -21,12 +21,6 @@ #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" -#if defined(USE_NSS_CERTS) -#include - -#include "net/cert/x509_util_nss.h" -#endif - using net::test::IsOk; namespace net { 
@@ -147,45 +141,6 @@ TEST(TestRootCertsTest, OverrideTrust) { EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); } -#if defined(USE_NSS_CERTS) -TEST(TestRootCertsTest, Contains) { - // Another test root certificate. - const char kRootCertificateFile2[] = "2048-rsa-root.pem"; - - TestRootCerts* test_roots = TestRootCerts::GetInstance(); - ASSERT_TRUE(test_roots); - - scoped_refptr root_cert_1 = - ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); - ASSERT_TRUE(root_cert_1); - ScopedCERTCertificate nss_root_cert_1 = - x509_util::CreateCERTCertificateFromX509Certificate(root_cert_1.get()); - ASSERT_TRUE(nss_root_cert_1); - - scoped_refptr root_cert_2 = - ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2); - ASSERT_TRUE(root_cert_2); - ScopedCERTCertificate nss_root_cert_2 = - x509_util::CreateCERTCertificateFromX509Certificate(root_cert_2.get()); - ASSERT_TRUE(nss_root_cert_2); - - EXPECT_FALSE(test_roots->Contains(nss_root_cert_1.get())); - EXPECT_FALSE(test_roots->Contains(nss_root_cert_2.get())); - - EXPECT_TRUE(test_roots->Add(root_cert_1.get())); - EXPECT_TRUE(test_roots->Contains(nss_root_cert_1.get())); - EXPECT_FALSE(test_roots->Contains(nss_root_cert_2.get())); - - EXPECT_TRUE(test_roots->Add(root_cert_2.get())); - EXPECT_TRUE(test_roots->Contains(nss_root_cert_1.get())); - EXPECT_TRUE(test_roots->Contains(nss_root_cert_2.get())); - - test_roots->Clear(); - EXPECT_FALSE(test_roots->Contains(nss_root_cert_1.get())); - EXPECT_FALSE(test_roots->Contains(nss_root_cert_2.get())); -} -#endif - // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that // TestRootCerts properly injects itself into the validation process. See // http://crbug.com/63958 diff --git a/chromium/net/cert/x509_cert_types.h b/chromium/net/cert/x509_cert_types.h index 3317d93adfe..b5c42777309 100644 --- a/chromium/net/cert/x509_cert_types.h +++ b/chromium/net/cert/x509_cert_types.h 
@@ -13,7 +13,6 @@ #include #include -#include "base/logging.h" #include "base/strings/string_piece.h" #include "build/build_config.h" #include "net/base/hash_value.h" diff --git a/chromium/net/cert/x509_util.cc b/chromium/net/cert/x509_util.cc index 90b848da6ab..4ebef1754b0 100644 --- a/chromium/net/cert/x509_util.cc +++ b/chromium/net/cert/x509_util.cc @@ -10,6 +10,7 @@ #include "base/lazy_instance.h" #include "base/logging.h" +#include "base/notreached.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" #include "base/time/time.h" diff --git a/chromium/net/cert/x509_util_ios_and_mac.cc b/chromium/net/cert/x509_util_ios_and_mac.cc index 8e41cd87cd0..4d503de1414 100644 --- a/chromium/net/cert/x509_util_ios_and_mac.cc +++ b/chromium/net/cert/x509_util_ios_and_mac.cc @@ -4,6 +4,7 @@ #include "net/cert/x509_util_ios_and_mac.h" +#include "base/logging.h" #include "net/cert/x509_certificate.h" #if defined(OS_IOS) #include "net/cert/x509_util_ios.h" -- cgit v1.2.1