Chromium Code Reviews

Side by Side Diff: rtc_base/opensslstreamadapter.cc

Issue 3010363002: Implement GetChain for OpenSSLCertificate.
Patch Set: Adding unit tests and clean up. Created 3 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View unified diff |
« no previous file with comments | « rtc_base/opensslidentity_unittest.cc ('k') | rtc_base/sslstreamadapter_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license 4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source 5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found 6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may 7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree. 8 * be found in the AUTHORS file in the root of the source tree.
9 */ 9 */
10 10
(...skipping 20 matching lines...)
31 #include "rtc_base/openssldigest.h" 31 #include "rtc_base/openssldigest.h"
32 #include "rtc_base/opensslidentity.h" 32 #include "rtc_base/opensslidentity.h"
33 #include "rtc_base/safe_conversions.h" 33 #include "rtc_base/safe_conversions.h"
34 #include "rtc_base/stream.h" 34 #include "rtc_base/stream.h"
35 #include "rtc_base/stringutils.h" 35 #include "rtc_base/stringutils.h"
36 #include "rtc_base/thread.h" 36 #include "rtc_base/thread.h"
37 #include "rtc_base/timeutils.h" 37 #include "rtc_base/timeutils.h"
38 38
39 namespace { 39 namespace {
40 bool g_use_time_callback_for_testing = false; 40 bool g_use_time_callback_for_testing = false;
41 const int kMaxSupportedCertChainDepth = 3;
41 } 42 }
42 43
43 namespace rtc { 44 namespace rtc {
44 45
45 #if (OPENSSL_VERSION_NUMBER < 0x10001000L) 46 #if (OPENSSL_VERSION_NUMBER < 0x10001000L)
46 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP" 47 #error "webrtc requires at least OpenSSL version 1.0.1, to support DTLS-SRTP"
47 #endif 48 #endif
48 49
49 // SRTP cipher suite table. |internal_name| is used to construct a 50 // SRTP cipher suite table. |internal_name| is used to construct a
50 // colon-separated profile strings which is needed by 51 // colon-separated profile strings which is needed by
(...skipping 1054 matching lines...)
1105 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) { 1106 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
1106 // Get our SSL structure from the store 1107 // Get our SSL structure from the store
1107 SSL* ssl = reinterpret_cast<SSL*>( 1108 SSL* ssl = reinterpret_cast<SSL*>(
1108 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx())); 1109 X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx()));
1109 X509* cert = X509_STORE_CTX_get_current_cert(store); 1110 X509* cert = X509_STORE_CTX_get_current_cert(store);
1110 int depth = X509_STORE_CTX_get_error_depth(store); 1111 int depth = X509_STORE_CTX_get_error_depth(store);
1111 1112
1112 // For now we ignore the parent certificates and verify the leaf against 1113 // For now we ignore the parent certificates and verify the leaf against
1113 // the digest. 1114 // the digest.
1114 // 1115 //
1115 // TODO(jiayl): Verify the chain is a proper chain and report the chain to
1116 // |stream->peer_certificate_|.
1117 if (depth > 0) {
1118 LOG(LS_INFO) << "Ignored chained certificate at depth " << depth;
1119 return 1;
1120 }
1121 1116
1122 OpenSSLStreamAdapter* stream = 1117 OpenSSLStreamAdapter* stream =
1123 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl)); 1118 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
1124 1119
1125 // Record the peer's certificate. 1120 STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store);
1126 stream->peer_certificate_.reset(new OpenSSLCertificate(cert)); 1121 if (sk_X509_num(chain) >= kMaxSupportedCertChainDepth) {
1122 LOG(LS_INFO) << "Ignore chained certificate at depth " << depth;
1123 return 1;
1124 }
1125 stream->peer_certificate_.reset(new OpenSSLCertificate(chain));
1127 1126
1128 // If the peer certificate digest isn't known yet, we'll wait to verify 1127 // If the peer certificate digest isn't known yet, we'll wait to verify
1129 // until it's known, and for now just return a success status. 1128 // until it's known, and for now just return a success status.
1130 if (stream->peer_certificate_digest_algorithm_.empty()) { 1129 if (stream->peer_certificate_digest_algorithm_.empty()) {
1131 LOG(LS_INFO) << "Waiting to verify certificate until digest is known."; 1130 LOG(LS_INFO) << "Waiting to verify certificate until digest is known.";
1132 return 1; 1131 return 1;
1133 } 1132 }
1134 1133
1135 return stream->VerifyPeerCertificate(); 1134 return stream->VerifyPeerCertificate();
1136 } 1135 }
(...skipping 75 matching lines...)
1212 } 1211 }
1213 1212
1214 return false; 1213 return false;
1215 } 1214 }
1216 1215
1217 void OpenSSLStreamAdapter::enable_time_callback_for_testing() { 1216 void OpenSSLStreamAdapter::enable_time_callback_for_testing() {
1218 g_use_time_callback_for_testing = true; 1217 g_use_time_callback_for_testing = true;
1219 } 1218 }
1220 1219
1221 } // namespace rtc 1220 } // namespace rtc
OLDNEW
« no previous file with comments | « rtc_base/opensslidentity_unittest.cc ('k') | rtc_base/sslstreamadapter_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine