#include "net/cert/x509_util_ios.h"
#endif // defined(OS_IOS)
-#define NSS_VERSION_NUM (NSS_VMAJOR * 10000 + NSS_VMINOR * 100 + NSS_VPATCH)
-#if NSS_VERSION_NUM < 31305
-// Added in NSS 3.13.5.
-#define SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED -8016
-#endif
-
-#if NSS_VERSION_NUM < 31402
-// Added in NSS 3.14.2.
-#define cert_pi_useOnlyTrustAnchors static_cast<CERTValParamInType>(14)
-#endif
-
namespace net {
namespace {
case SEC_ERROR_UNKNOWN_ISSUER:
case SEC_ERROR_UNTRUSTED_ISSUER:
case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_APPLICATION_CALLBACK_ERROR: // Rejected by
+ // chain_verify_callback.
return ERR_CERT_AUTHORITY_INVALID;
// TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM.
case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE:
case SEC_ERROR_REVOKED_CERTIFICATE:
case SEC_ERROR_UNTRUSTED_CERT: // Treat as revoked.
return ERR_CERT_REVOKED;
+ case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
+ return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
case SEC_ERROR_BAD_DER:
case SEC_ERROR_BAD_SIGNATURE:
case SEC_ERROR_CERT_NOT_VALID:
case SEC_ERROR_INADEQUATE_CERT_TYPE: // Extended key usage and whether
// the certificate is a CA.
case SEC_ERROR_POLICY_VALIDATION_FAILED:
- case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
case SEC_ERROR_EXTENSION_VALUE_INVALID:
const SECOidTag* policy_oids,
int num_policy_oids,
CERTCertList* additional_trust_anchors,
+ CERTChainVerifyCallback* chain_verify_callback,
CERTValOutParam* cvout) {
bool use_crl = check_revocation;
bool use_ocsp = check_revocation;
in_param.value.scalar.b = PR_FALSE;
cvin.push_back(in_param);
}
+ if (chain_verify_callback) {
+ in_param.type = cert_pi_chainVerifyCallback;
+ in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
+ cvin.push_back(in_param);
+ }
in_param.type = cert_pi_end;
cvin.push_back(in_param);
bool rev_checking_enabled,
EVRootCAMetadata* metadata,
SECOidTag ev_policy_oid,
- CERTCertList* additional_trust_anchors) {
+ CERTCertList* additional_trust_anchors,
+ CERTChainVerifyCallback* chain_verify_callback) {
CERTValOutParam cvout[3];
int cvout_index = 0;
cvout[cvout_index].type = cert_po_certList;
&ev_policy_oid,
1,
additional_trust_anchors,
+ chain_verify_callback,
cvout);
if (status != SECSuccess)
return false;
CertVerifyProcNSS::~CertVerifyProcNSS() {}
bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
- // This requires APIs introduced in 3.14.2.
- return NSS_VersionCheck("3.14.2");
+ return true;
}
-int CertVerifyProcNSS::VerifyInternal(
+int CertVerifyProcNSS::VerifyInternalImpl(
X509Certificate* cert,
const std::string& hostname,
int flags,
CRLSet* crl_set,
const CertificateList& additional_trust_anchors,
+ CERTChainVerifyCallback* chain_verify_callback,
CertVerifyResult* verify_result) {
#if defined(OS_IOS)
// For iOS, the entire chain must be loaded into NSS's in-memory certificate
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
ScopedCERTCertList trust_anchors;
- if (SupportsAdditionalTrustAnchors() && !additional_trust_anchors.empty()) {
+ if (!additional_trust_anchors.empty()) {
trust_anchors.reset(
CertificateListToCERTCertList(additional_trust_anchors));
}
- SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false,
- cert_io_enabled, NULL, 0,
- trust_anchors.get(), cvout);
+ SECStatus status = PKIXVerifyCert(cert_handle,
+ check_revocation,
+ false,
+ cert_io_enabled,
+ NULL,
+ 0,
+ trust_anchors.get(),
+ chain_verify_callback,
+ cvout);
if (status == SECSuccess &&
(flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&
// NSS tests for that feature.
scoped_cvout.Clear();
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
- status = PKIXVerifyCert(cert_handle, true, true,
- cert_io_enabled, NULL, 0, trust_anchors.get(),
+ status = PKIXVerifyCert(cert_handle,
+ true,
+ true,
+ cert_io_enabled,
+ NULL,
+ 0,
+ trust_anchors.get(),
+ chain_verify_callback,
cvout);
}
if (check_revocation)
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
- if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata,
- ev_policy_oid, trust_anchors.get())) {
+ if (VerifyEV(cert_handle,
+ flags,
+ crl_set,
+ check_revocation,
+ metadata,
+ ev_policy_oid,
+ trust_anchors.get(),
+ chain_verify_callback)) {
verify_result->cert_status |= CERT_STATUS_IS_EV;
}
}
return OK;
}
+int CertVerifyProcNSS::VerifyInternal(
+ X509Certificate* cert,
+ const std::string& hostname,
+ int flags,
+ CRLSet* crl_set,
+ const CertificateList& additional_trust_anchors,
+ CertVerifyResult* verify_result) {
+ return VerifyInternalImpl(cert,
+ hostname,
+ flags,
+ crl_set,
+ additional_trust_anchors,
+ NULL, // chain_verify_callback
+ verify_result);
+}
+
} // namespace net
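Review bot: The new `chain_verify_callback` parameter threaded through `VerifyInternalImpl`, `VerifyEV` and `PKIXVerifyCert` has no documented contract, even though its pointer is handed to NSS by value (`in_param.value.pointer.chainVerifyCallback = chain_verify_callback;`) and so presumably must stay alive, together with whatever it points at, for the whole verification call; a comment at the `VerifyInternalImpl` declaration such as `// May be NULL (VerifyInternal passes NULL). Must outlive the NSS verification; a rejection by the callback is reported as SEC_ERROR_APPLICATION_CALLBACK_ERROR and mapped to ERR_CERT_AUTHORITY_INVALID.` would pin both the null case and the error mapping that the switch above relies on. Separately, `SupportsAdditionalTrustAnchors()` now returns `true` unconditionally and the `NSS_VERSION_NUM` fallback definitions were deleted, so the minimum NSS version this file assumes is no longer checked anywhere visible here; if it is not enforced by the build configuration, a compile-time guard on `NSS_VMAJOR`/`NSS_VMINOR` would fail loudly rather than letting `cert_pi_chainVerifyCallback` be passed to an NSS that does not understand it. The bodies of `VerifyInternalImpl` and `PKIXVerifyCert` begin outside the visible lines and the hunk headers are missing, so the hunk boundaries here are inferred.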