Upstream version 5.34.104.0
[platform/framework/web/crosswalk.git] / src / net / cert / cert_verify_proc_nss.cc
index 31c38c7..748d1d3 100644 (file)
 #include "net/cert/x509_util_ios.h"
 #endif  // defined(OS_IOS)
 
-#define NSS_VERSION_NUM (NSS_VMAJOR * 10000 + NSS_VMINOR * 100 + NSS_VPATCH)
-#if NSS_VERSION_NUM < 31305
-// Added in NSS 3.13.5.
-#define SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED -8016
-#endif
-
-#if NSS_VERSION_NUM < 31402
-// Added in NSS 3.14.2.
-#define cert_pi_useOnlyTrustAnchors static_cast<CERTValParamInType>(14)
-#endif
-
 namespace net {
 
 namespace {
@@ -119,6 +108,8 @@ int MapSecurityError(int err) {
     case SEC_ERROR_UNKNOWN_ISSUER:
     case SEC_ERROR_UNTRUSTED_ISSUER:
     case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_APPLICATION_CALLBACK_ERROR:  // Rejected by
+                                                // chain_verify_callback.
       return ERR_CERT_AUTHORITY_INVALID;
     // TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM.
     case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE:
@@ -127,6 +118,8 @@ int MapSecurityError(int err) {
     case SEC_ERROR_REVOKED_CERTIFICATE:
     case SEC_ERROR_UNTRUSTED_CERT:  // Treat as revoked.
       return ERR_CERT_REVOKED;
+    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
+      return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
     case SEC_ERROR_BAD_DER:
     case SEC_ERROR_BAD_SIGNATURE:
     case SEC_ERROR_CERT_NOT_VALID:
@@ -136,7 +129,6 @@ int MapSecurityError(int err) {
     case SEC_ERROR_INADEQUATE_CERT_TYPE:  // Extended key usage and whether
                                           // the certificate is a CA.
     case SEC_ERROR_POLICY_VALIDATION_FAILED:
-    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
     case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
     case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
     case SEC_ERROR_EXTENSION_VALUE_INVALID:
@@ -359,6 +351,7 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
                          const SECOidTag* policy_oids,
                          int num_policy_oids,
                          CERTCertList* additional_trust_anchors,
+                         CERTChainVerifyCallback* chain_verify_callback,
                          CERTValOutParam* cvout) {
   bool use_crl = check_revocation;
   bool use_ocsp = check_revocation;
@@ -448,6 +441,11 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
     in_param.value.scalar.b = PR_FALSE;
     cvin.push_back(in_param);
   }
+  if (chain_verify_callback) {
+    in_param.type = cert_pi_chainVerifyCallback;
+    in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
+    cvin.push_back(in_param);
+  }
   in_param.type = cert_pi_end;
   cvin.push_back(in_param);
 
@@ -668,7 +666,8 @@ bool VerifyEV(CERTCertificate* cert_handle,
               bool rev_checking_enabled,
               EVRootCAMetadata* metadata,
               SECOidTag ev_policy_oid,
-              CERTCertList* additional_trust_anchors) {
+              CERTCertList* additional_trust_anchors,
+              CERTChainVerifyCallback* chain_verify_callback) {
   CERTValOutParam cvout[3];
   int cvout_index = 0;
   cvout[cvout_index].type = cert_po_certList;
@@ -690,6 +689,7 @@ bool VerifyEV(CERTCertificate* cert_handle,
       &ev_policy_oid,
       1,
       additional_trust_anchors,
+      chain_verify_callback,
       cvout);
   if (status != SECSuccess)
     return false;
@@ -743,16 +743,16 @@ CertVerifyProcNSS::CertVerifyProcNSS() {}
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
-  // This requires APIs introduced in 3.14.2.
-  return NSS_VersionCheck("3.14.2");
+  return true;
 }
 
-int CertVerifyProcNSS::VerifyInternal(
+int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
+    CERTChainVerifyCallback* chain_verify_callback,
     CertVerifyResult* verify_result) {
 #if defined(OS_IOS)
   // For iOS, the entire chain must be loaded into NSS's in-memory certificate
@@ -800,14 +800,20 @@ int CertVerifyProcNSS::VerifyInternal(
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
   ScopedCERTCertList trust_anchors;
-  if (SupportsAdditionalTrustAnchors() && !additional_trust_anchors.empty()) {
+  if (!additional_trust_anchors.empty()) {
     trust_anchors.reset(
         CertificateListToCERTCertList(additional_trust_anchors));
   }
 
-  SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false,
-                                    cert_io_enabled, NULL, 0,
-                                    trust_anchors.get(), cvout);
+  SECStatus status = PKIXVerifyCert(cert_handle,
+                                    check_revocation,
+                                    false,
+                                    cert_io_enabled,
+                                    NULL,
+                                    0,
+                                    trust_anchors.get(),
+                                    chain_verify_callback,
+                                    cvout);
 
   if (status == SECSuccess &&
       (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&
@@ -817,8 +823,14 @@ int CertVerifyProcNSS::VerifyInternal(
     // NSS tests for that feature.
     scoped_cvout.Clear();
     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
-    status = PKIXVerifyCert(cert_handle, true, true,
-                            cert_io_enabled, NULL, 0, trust_anchors.get(),
+    status = PKIXVerifyCert(cert_handle,
+                            true,
+                            true,
+                            cert_io_enabled,
+                            NULL,
+                            0,
+                            trust_anchors.get(),
+                            chain_verify_callback,
                             cvout);
   }
 
@@ -880,8 +892,14 @@ int CertVerifyProcNSS::VerifyInternal(
     if (check_revocation)
       verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 
-    if (VerifyEV(cert_handle, flags, crl_set, check_revocation, metadata,
-                 ev_policy_oid, trust_anchors.get())) {
+    if (VerifyEV(cert_handle,
+                 flags,
+                 crl_set,
+                 check_revocation,
+                 metadata,
+                 ev_policy_oid,
+                 trust_anchors.get(),
+                 chain_verify_callback)) {
       verify_result->cert_status |= CERT_STATUS_IS_EV;
     }
   }
@@ -889,4 +907,20 @@ int CertVerifyProcNSS::VerifyInternal(
   return OK;
 }
 
+int CertVerifyProcNSS::VerifyInternal(
+    X509Certificate* cert,
+    const std::string& hostname,
+    int flags,
+    CRLSet* crl_set,
+    const CertificateList& additional_trust_anchors,
+    CertVerifyResult* verify_result) {
+  return VerifyInternalImpl(cert,
+                            hostname,
+                            flags,
+                            crl_set,
+                            additional_trust_anchors,
+                            NULL,  // chain_verify_callback
+                            verify_result);
+}
+
 }  // namespace net