[Pkg-chromium-commit] [SCM] Git repository for pkg-chromium branch, squeeze, updated. 9fa258ed76d7ba8bc710bf30d5906d568d8f19f4
Giuseppe Iuculano
iuculano at debian.org
Sat Sep 10 10:02:34 UTC 2011
The following commit has been merged in the squeeze branch:
commit 2ca2d6057b5fc07de533662b61116c53019926e0
Author: Giuseppe Iuculano <iuculano at debian.org>
Date: Thu Sep 8 12:48:46 2011 +0200
Backport some x509 code
diff --git a/debian/patches/DigiNotar.patch b/debian/patches/DigiNotar.patch
index 09b96df..8759330 100644
--- a/debian/patches/DigiNotar.patch
+++ b/debian/patches/DigiNotar.patch
@@ -426,7 +426,18 @@
} // namespace net
--- a/src/net/base/x509_certificate.h
+++ b/src/net/base/x509_certificate.h
-@@ -126,8 +126,6 @@ class X509Certificate : public base::Ref
+@@ -28,6 +28,10 @@ struct CERTCertificateStr;
+
+ class Pickle;
+
++namespace base {
++class StringPiece;
++} // namespace base
++
+ namespace net {
+
+ class CertVerifyResult;
+@@ -126,8 +130,6 @@ class X509Certificate : public base::Ref
// The fingerprint of this certificate.
const SHA1Fingerprint& fingerprint() const { return fingerprint_; }
@@ -435,7 +446,7 @@
// Gets the DNS names in the certificate. Pursuant to RFC 2818, Section 3.1
// Server Identity, if the certificate has a subjectAltName extension of
-@@ -235,9 +233,29 @@ class X509Certificate : public base::Ref
+@@ -235,9 +237,29 @@ class X509Certificate : public base::Ref
// (all zero) fingerprint on failure.
static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
@@ -486,7 +497,33 @@
typedef char* (*CERTGetNameFunc)(CERTName* name);
void ParsePrincipal(CERTName* name,
-@@ -643,11 +655,14 @@ int X509Certificate::Verify(const std::s
+@@ -571,6 +583,25 @@ bool CheckCertPolicies(X509Certificate::
+ return false;
+ }
+
++SHA1Fingerprint CertPublicKeyHash(CERTCertificate* cert) {
++ SHA1Fingerprint hash;
++ SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data,
++ cert->derPublicKey.data, cert->derPublicKey.len);
++ DCHECK_EQ(rv, SECSuccess);
++ return hash;
++}
++
++void AppendPublicKeyHashes(std::vector<SHA1Fingerprint>* hashes,
++ CERTCertList* cert_list,
++ CERTCertificate* root_cert) {
++ for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
++ !CERT_LIST_END(node, cert_list);
++ node = CERT_LIST_NEXT(node)) {
++ hashes->push_back(CertPublicKeyHash(node->cert));
++ }
++ hashes->push_back(CertPublicKeyHash(root_cert));
++}
++
+ } // namespace
+
+ void X509Certificate::Initialize() {
+@@ -643,11 +674,14 @@ int X509Certificate::Verify(const std::s
CERTValOutParam cvout[3];
int cvout_index = 0;
@@ -502,10 +539,14 @@
cvout[cvout_index].type = cert_po_end;
ScopedCERTValOutParam scoped_cvout(cvout);
-@@ -682,8 +697,17 @@ int X509Certificate::Verify(const std::s
+@@ -682,8 +716,21 @@ int X509Certificate::Verify(const std::s
if (IsCertStatusError(verify_result->cert_status))
return MapCertStatusToNetError(verify_result->cert_status);
++ AppendPublicKeyHashes(&verify_result->public_key_hashes,
++ cvout[cvout_cert_list_index].value.pointer.chain,
++ cvout[cvout_trust_anchor_index].value.pointer.cert);
++
+ verify_result->is_issued_by_known_root =
+ IsBuiltinRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
+
@@ -522,25 +563,41 @@
--- a/src/net/base/cert_verify_result.h
+++ b/src/net/base/cert_verify_result.h
-@@ -1,4 +1,4 @@
+@@ -1,10 +1,14 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-@@ -20,6 +20,7 @@ class CertVerifyResult {
+ #ifndef NET_BASE_CERT_VERIFY_RESULT_H_
+ #define NET_BASE_CERT_VERIFY_RESULT_H_
+
++#include <vector>
++
++#include "net/base/x509_cert_types.h"
++
+ namespace net {
+
+ // The result of certificate verification. Eventually this may contain the
+@@ -20,6 +24,8 @@ class CertVerifyResult {
has_md4 = false;
has_md5_ca = false;
has_md2_ca = false;
+ is_issued_by_known_root = false;
++ public_key_hashes.clear();
}
int cert_status;
-@@ -30,6 +31,12 @@ class CertVerifyResult {
+@@ -30,6 +36,17 @@ class CertVerifyResult {
bool has_md4;
bool has_md5_ca;
bool has_md2_ca;
+
++ // If the certificate was successfully verified then this contains the SHA1
++ // fingerprints of the SubjectPublicKeyInfos of the chain. The fingerprint
++ // from the leaf certificate will be the first element of the vector.
++ std::vector<SHA1Fingerprint> public_key_hashes;
++
+ // is_issued_by_known_root is true if recognise the root CA as a standard
+ // root. If it isn't then it's probably the case that this certificate was
+ // generated by a MITM proxy whose root has been installed locally. This is
@@ -570,3 +627,203 @@
+
+
} // namespace net
+--- /dev/null
++++ b/src/net/base/asn1_util.cc
+@@ -0,0 +1,129 @@
++// Copyright (c) 2011 The Chromium Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++#include "net/base/asn1_util.h"
++
++namespace net {
++
++namespace asn1 {
++
++bool ParseElement(base::StringPiece* in,
++ unsigned tag_value,
++ base::StringPiece* out,
++ unsigned *out_header_len) {
++ const uint8* data = reinterpret_cast<const uint8*>(in->data());
++
++ if (in->size() < 2)
++ return false;
++
++ if (static_cast<unsigned char>(data[0]) != tag_value)
++ return false;
++
++ size_t len = 0;
++ if ((data[1] & 0x80) == 0) {
++ // short form length
++ if (out_header_len)
++ *out_header_len = 2;
++ len = static_cast<size_t>(data[1]) + 2;
++ } else {
++ // long form length
++ const unsigned num_bytes = data[1] & 0x7f;
++ if (num_bytes == 0 || num_bytes > 2)
++ return false;
++ if (in->size() < 2 + num_bytes)
++ return false;
++ len = data[2];
++ if (num_bytes == 2) {
++ if (len == 0) {
++ // the length encoding must be minimal.
++ return false;
++ }
++ len <<= 8;
++ len += data[3];
++ }
++ if (len < 128) {
++ // the length should have been encoded in short form. This distinguishes
++ // DER from BER encoding.
++ return false;
++ }
++ if (out_header_len)
++ *out_header_len = 2 + num_bytes;
++ len += 2 + num_bytes;
++ }
++
++ if (in->size() < len)
++ return false;
++ if (out)
++ *out = base::StringPiece(in->data(), len);
++ in->remove_prefix(len);
++ return true;
++}
++
++// GetElement performs the same actions as ParseElement, expect that the header
++// bytes are not included in the output.
++bool GetElement(base::StringPiece* in,
++ unsigned tag_value,
++ base::StringPiece* out) {
++ unsigned header_len;
++ if (!ParseElement(in, tag_value, out, &header_len))
++ return false;
++ if (out)
++ out->remove_prefix(header_len);
++ return true;
++}
++
++bool ExtractSPKIFromDERCert(base::StringPiece cert,
++ base::StringPiece* spki_out) {
++ // From RFC 5280, section 4.1
++ // Certificate ::= SEQUENCE {
++ // tbsCertificate TBSCertificate,
++ // signatureAlgorithm AlgorithmIdentifier,
++ // signatureValue BIT STRING }
++
++ // TBSCertificate ::= SEQUENCE {
++ // version [0] EXPLICIT Version DEFAULT v1,
++ // serialNumber CertificateSerialNumber,
++ // signature AlgorithmIdentifier,
++ // issuer Name,
++ // validity Validity,
++ // subject Name,
++ // subjectPublicKeyInfo SubjectPublicKeyInfo,
++
++ base::StringPiece certificate;
++ if (!asn1::GetElement(&cert, asn1::kSEQUENCE, &certificate))
++ return false;
++
++ base::StringPiece tbs_certificate;
++ if (!asn1::GetElement(&certificate, asn1::kSEQUENCE, &tbs_certificate))
++ return false;
++
++ // The version is optional, so a failure to parse it is fine.
++ asn1::GetElement(&tbs_certificate,
++ asn1::kCompound | asn1::kContextSpecific | 0,
++ NULL);
++
++ // serialNumber
++ if (!asn1::GetElement(&tbs_certificate, asn1::kINTEGER, NULL))
++ return false;
++ // signature
++ if (!asn1::GetElement(&tbs_certificate, asn1::kSEQUENCE, NULL))
++ return false;
++ // issuer
++ if (!asn1::GetElement(&tbs_certificate, asn1::kSEQUENCE, NULL))
++ return false;
++ // validity
++ if (!asn1::GetElement(&tbs_certificate, asn1::kSEQUENCE, NULL))
++ return false;
++ // subject
++ if (!asn1::GetElement(&tbs_certificate, asn1::kSEQUENCE, NULL))
++ return false;
++ // subjectPublicKeyInfo
++ if (!asn1::ParseElement(&tbs_certificate, asn1::kSEQUENCE, spki_out, NULL))
++ return false;
++ return true;
++}
++
++} // namespace asn1
++
++} // namespace net
+--- /dev/null
++++ b/src/net/base/asn1_util.h
+@@ -0,0 +1,55 @@
++// Copyright (c) 2011 The Chromium Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++#ifndef NET_BASE_ASN1_UTIL_H_
++#define NET_BASE_ASN1_UTIL_H_
++#pragma once
++
++#include "base/string_piece.h"
++
++namespace net {
++
++namespace asn1 {
++
++// These are the DER encodings of the tag byte for ASN.1 objects.
++static const unsigned kINTEGER = 0x02;
++static const unsigned kOID = 0x06;
++static const unsigned kSEQUENCE = 0x30;
++
++// These are flags that can be ORed with the above tag numbers.
++static const unsigned kContextSpecific = 0x80;
++static const unsigned kCompound = 0x20;
++
++// ParseElement parses a DER encoded ASN1 element from |in|, requiring that
++// it have the given |tag_value|. It returns true on success. The following
++// limitations are imposed:
++// 1) tag numbers > 31 are not permitted.
++// 2) lengths > 65535 are not permitted.
++// On successful return:
++// |in| is advanced over the element
++// |out| contains the element, including the tag and length bytes.
++// |out_header_len| contains the length of the tag and length bytes in |out|.
++bool ParseElement(base::StringPiece* in,
++ unsigned tag_value,
++ base::StringPiece* out,
++ unsigned *out_header_len);
++
++// GetElement performs the same actions as ParseElement, expect that the header
++// bytes are not included in the output.
++bool GetElement(base::StringPiece* in,
++ unsigned tag_value,
++ base::StringPiece* out);
++
++
++// ExtractSPKIFromDERCert parses the DER encoded certificate in |cert| and
++// extracts the bytes of the SubjectPublicKeyInfo. On successful return,
++// |spki_out| is set to contain the SPKI, pointing into |cert|.
++bool ExtractSPKIFromDERCert(base::StringPiece cert,
++ base::StringPiece* spki_out);
++
++} // namespace asn1
++
++} // namespace net
++
++#endif // NET_BASE_ASN1_UTIL_H_
+--- a/src/net/net.gyp
++++ b/src/net/net.gyp
+@@ -25,6 +25,7 @@
+ 'base/address_list.h',
+ 'base/address_list_net_log_param.cc',
+ 'base/address_list_net_log_param.h',
++ 'base/asn1_util.cc',
+ 'base/auth.h',
+ 'base/cache_type.h',
+ 'base/capturing_net_log.cc',
--
Git repository for pkg-chromium
More information about the Pkg-chromium-commit
mailing list