search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
roll skia to 4276
[chromium-blink-merge.git] / net / base / cert_verify_proc_mac.cc
blob49798b5afd00d28dedddb298d21e0bef15ab5bfc
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/base/cert_verify_proc_mac.h"
6
7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h>
10
11 #include "base/logging.h"
12 #include "base/mac/mac_logging.h"
13 #include "base/mac/scoped_cftyperef.h"
14 #include "base/sha1.h"
15 #include "base/string_piece.h"
16 #include "crypto/nss_util.h"
17 #include "crypto/sha2.h"
18 #include "net/base/asn1_util.h"
19 #include "net/base/cert_status_flags.h"
20 #include "net/base/cert_verify_result.h"
21 #include "net/base/crl_set.h"
22 #include "net/base/net_errors.h"
23 #include "net/base/test_root_certs.h"
24 #include "net/base/x509_certificate.h"
25 #include "net/base/x509_certificate_known_roots_mac.h"
26 #include "net/base/x509_util_mac.h"
27
28 // From 10.7.2 libsecurity_keychain-55035/lib/SecTrustPriv.h, for use with
29 // SecTrustCopyExtendedResult.
30 #ifndef kSecEVOrganizationName
31 #define kSecEVOrganizationName CFSTR("Organization")
32 #endif
33
34 using base::mac::ScopedCFTypeRef;
35
36 namespace net {
37
38 namespace {
39
40 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef,
41 CFDictionaryRef*);
42
43 int NetErrorFromOSStatus(OSStatus status) {
44 switch (status) {
45 case noErr:
46 return OK;
47 case errSecNotAvailable:
48 case errSecNoCertificateModule:
49 case errSecNoPolicyModule:
50 return ERR_NOT_IMPLEMENTED;
51 case errSecAuthFailed:
52 return ERR_ACCESS_DENIED;
53 default: {
54 OSSTATUS_LOG(ERROR, status) << "Unknown error mapped to ERR_FAILED";
55 return ERR_FAILED;
56 }
57 }
58 }
59
60 CertStatus CertStatusFromOSStatus(OSStatus status) {
61 switch (status) {
62 case noErr:
63 return 0;
64
65 case CSSMERR_TP_INVALID_ANCHOR_CERT:
66 case CSSMERR_TP_NOT_TRUSTED:
67 case CSSMERR_TP_INVALID_CERT_AUTHORITY:
68 return CERT_STATUS_AUTHORITY_INVALID;
69
70 case CSSMERR_TP_CERT_EXPIRED:
71 case CSSMERR_TP_CERT_NOT_VALID_YET:
72 // "Expired" and "not yet valid" collapse into a single status.
73 return CERT_STATUS_DATE_INVALID;
74
75 case CSSMERR_TP_CERT_REVOKED:
76 case CSSMERR_TP_CERT_SUSPENDED:
77 return CERT_STATUS_REVOKED;
78
79 case CSSMERR_APPLETP_HOSTNAME_MISMATCH:
80 return CERT_STATUS_COMMON_NAME_INVALID;
81
82 case CSSMERR_APPLETP_CRL_NOT_FOUND:
83 case CSSMERR_APPLETP_OCSP_UNAVAILABLE:
84 case CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK:
85 return CERT_STATUS_NO_REVOCATION_MECHANISM;
86
87 case CSSMERR_APPLETP_CRL_EXPIRED:
88 case CSSMERR_APPLETP_CRL_NOT_VALID_YET:
89 case CSSMERR_APPLETP_CRL_SERVER_DOWN:
90 case CSSMERR_APPLETP_CRL_NOT_TRUSTED:
91 case CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT:
92 case CSSMERR_APPLETP_CRL_POLICY_FAIL:
93 case CSSMERR_APPLETP_OCSP_BAD_RESPONSE:
94 case CSSMERR_APPLETP_OCSP_BAD_REQUEST:
95 case CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED:
96 case CSSMERR_APPLETP_NETWORK_FAILURE:
97 case CSSMERR_APPLETP_OCSP_NOT_TRUSTED:
98 case CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT:
99 case CSSMERR_APPLETP_OCSP_SIG_ERROR:
100 case CSSMERR_APPLETP_OCSP_NO_SIGNER:
101 case CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ:
102 case CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR:
103 case CSSMERR_APPLETP_OCSP_RESP_TRY_LATER:
104 case CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED:
105 case CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED:
106 case CSSMERR_APPLETP_OCSP_NONCE_MISMATCH:
107 // We asked for a revocation check, but didn't get it.
108 return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
109
110 case CSSMERR_APPLETP_CRL_BAD_URI:
111 case CSSMERR_APPLETP_IDP_FAIL:
112 return CERT_STATUS_INVALID;
113
114 case CSSMERR_CSP_UNSUPPORTED_KEY_SIZE:
115 // Mapping UNSUPPORTED_KEY_SIZE to CERT_STATUS_WEAK_KEY is not strictly
116 // accurate, as the error may have been returned due to a key size
117 // that exceeded the maximum supported. However, within
118 // CertVerifyProcMac::VerifyInternal(), this code should only be
119 // encountered as a certificate status code, and only when the key size
120 // is smaller than the minimum required (1024 bits).
121 return CERT_STATUS_WEAK_KEY;
122
123 default: {
124 // Failure was due to something Chromium doesn't define a
125 // specific status for (such as basic constraints violation, or
126 // unknown critical extension)
127 OSSTATUS_LOG(WARNING, status)
128 << "Unknown error mapped to CERT_STATUS_INVALID";
129 return CERT_STATUS_INVALID;
130 }
131 }
132 }
133
134 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to
135 // validate a certificate for an SSL server. |hostname| contains the name of
136 // the SSL server that the certificate should be verified against. |flags| is
137 // a bitwise-OR of VerifyFlags that can further alter how trust is validated,
138 // such as how revocation is checked. If successful, returns noErr, and
139 // stores the resultant array of SecPolicyRefs in |policies|.
140 OSStatus CreateTrustPolicies(const std::string& hostname,
141 int flags,
142 ScopedCFTypeRef<CFArrayRef>* policies) {
143 ScopedCFTypeRef<CFMutableArrayRef> local_policies(
144 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
145 if (!local_policies)
146 return memFullErr;
147
148 SecPolicyRef ssl_policy;
149 OSStatus status = x509_util::CreateSSLServerPolicy(hostname, &ssl_policy);
150 if (status)
151 return status;
152 CFArrayAppendValue(local_policies, ssl_policy);
153 CFRelease(ssl_policy);
154
155 // Explicitly add revocation policies, in order to override system
156 // revocation checking policies and instead respect the application-level
157 // revocation preference.
158 status = x509_util::CreateRevocationPolicies(
159 (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED),
160 local_policies);
161 if (status)
162 return status;
163
164 policies->reset(local_policies.release());
165 return noErr;
166 }
167
168 // Saves some information about the certificate chain |cert_chain| in
169 // |*verify_result|. The caller MUST initialize |*verify_result| before
170 // calling this function.
171 void GetCertChainInfo(CFArrayRef cert_chain,
172 CSSM_TP_APPLE_EVIDENCE_INFO* chain_info,
173 CertVerifyResult* verify_result) {
174 SecCertificateRef verified_cert = NULL;
175 std::vector<SecCertificateRef> verified_chain;
176 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {
177 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(
178 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
179 if (i == 0) {
180 verified_cert = chain_cert;
181 } else {
182 verified_chain.push_back(chain_cert);
183 }
184
185 if ((chain_info[i].StatusBits & CSSM_CERT_STATUS_IS_IN_ANCHORS) ||
186 (chain_info[i].StatusBits & CSSM_CERT_STATUS_IS_ROOT)) {
187 // The current certificate is either in the user's trusted store or is
188 // a root (self-signed) certificate. Ignore the signature algorithm for
189 // these certificates, as it is meaningless for security. We allow
190 // self-signed certificates (i == 0 & IS_ROOT), since we accept that
191 // any security assertions by such a cert are inherently meaningless.
192 continue;
193 }
194
195 x509_util::CSSMCachedCertificate cached_cert;
196 OSStatus status = cached_cert.Init(chain_cert);
197 if (status)
198 continue;
199 x509_util::CSSMFieldValue signature_field;
200 status = cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm,
201 &signature_field);
202 if (status || !signature_field.field())
203 continue;
204 // Match the behaviour of OS X system tools and defensively check that
205 // sizes are appropriate. This would indicate a critical failure of the
206 // OS X certificate library, but based on history, it is best to play it
207 // safe.
208 const CSSM_X509_ALGORITHM_IDENTIFIER* sig_algorithm =
209 signature_field.GetAs<CSSM_X509_ALGORITHM_IDENTIFIER>();
210 if (!sig_algorithm)
211 continue;
212
213 const CSSM_OID* alg_oid = &sig_algorithm->algorithm;
214 if (CSSMOIDEqual(alg_oid, &CSSMOID_MD2WithRSA)) {
215 verify_result->has_md2 = true;
216 if (i != 0)
217 verify_result->has_md2_ca = true;
218 } else if (CSSMOIDEqual(alg_oid, &CSSMOID_MD4WithRSA)) {
219 verify_result->has_md4 = true;
220 } else if (CSSMOIDEqual(alg_oid, &CSSMOID_MD5WithRSA)) {
221 verify_result->has_md5 = true;
222 if (i != 0)
223 verify_result->has_md5_ca = true;
224 }
225 }
226 if (!verified_cert)
227 return;
228
229 verify_result->verified_cert =
230 X509Certificate::CreateFromHandle(verified_cert, verified_chain);
231 }
232
233 void AppendPublicKeyHashes(CFArrayRef chain,
234 std::vector<SHA1Fingerprint>* hashes) {
235 const CFIndex n = CFArrayGetCount(chain);
236 for (CFIndex i = 0; i < n; i++) {
237 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
238 const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
239
240 CSSM_DATA cert_data;
241 OSStatus err = SecCertificateGetData(cert, &cert_data);
242 DCHECK_EQ(err, noErr);
243 base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
244 cert_data.Length);
245 base::StringPiece spki_bytes;
246 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
247 continue;
248
249 SHA1Fingerprint hash;
250 CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data);
251 hashes->push_back(hash);
252 }
253 }
254
255 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) {
256 if (CFArrayGetCount(chain) == 0)
257 return true;
258
259 // We iterate from the root certificate down to the leaf, keeping track of
260 // the issuer's SPKI at each step.
261 std::string issuer_spki_hash;
262 for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) {
263 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(
264 const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
265
266 CSSM_DATA cert_data;
267 OSStatus err = SecCertificateGetData(cert, &cert_data);
268 if (err != noErr) {
269 NOTREACHED();
270 continue;
271 }
272 base::StringPiece der_bytes(reinterpret_cast<const char*>(cert_data.Data),
273 cert_data.Length);
274 base::StringPiece spki;
275 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) {
276 NOTREACHED();
277 continue;
278 }
279
280 const std::string spki_hash = crypto::SHA256HashString(spki);
281 x509_util::CSSMCachedCertificate cached_cert;
282 if (cached_cert.Init(cert) != CSSM_OK) {
283 NOTREACHED();
284 continue;
285 }
286 x509_util::CSSMFieldValue serial_number;
287 err = cached_cert.GetField(&CSSMOID_X509V1SerialNumber, &serial_number);
288 if (err || !serial_number.field()) {
289 NOTREACHED();
290 continue;
291 }
292
293 base::StringPiece serial(
294 reinterpret_cast<const char*>(serial_number.field()->Data),
295 serial_number.field()->Length);
296
297 CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
298
299 if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
300 result = crl_set->CheckSerial(serial, issuer_spki_hash);
301
302 issuer_spki_hash = spki_hash;
303
304 switch (result) {
305 case CRLSet::REVOKED:
306 return false;
307 case CRLSet::UNKNOWN:
308 case CRLSet::GOOD:
309 continue;
310 default:
311 NOTREACHED();
312 return false;
313 }
314 }
315
316 return true;
317 }
318
319 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
320 // that we recognise as a standard root.
321 // static
322 bool IsIssuedByKnownRoot(CFArrayRef chain) {
323 int n = CFArrayGetCount(chain);
324 if (n < 1)
325 return false;
326 SecCertificateRef root_ref = reinterpret_cast<SecCertificateRef>(
327 const_cast<void*>(CFArrayGetValueAtIndex(chain, n - 1)));
328 SHA1Fingerprint hash = X509Certificate::CalculateFingerprint(root_ref);
329 return IsSHA1HashInSortedArray(
330 hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
331 }
332
333 } // namespace
334
335 CertVerifyProcMac::CertVerifyProcMac() {}
336
337 CertVerifyProcMac::~CertVerifyProcMac() {}
338
339 int CertVerifyProcMac::VerifyInternal(X509Certificate* cert,
340 const std::string& hostname,
341 int flags,
342 CRLSet* crl_set,
343 CertVerifyResult* verify_result) {
344 ScopedCFTypeRef<CFArrayRef> trust_policies;
345 OSStatus status = CreateTrustPolicies(hostname, flags, &trust_policies);
346 if (status)
347 return NetErrorFromOSStatus(status);
348
349 // Create and configure a SecTrustRef, which takes our certificate(s)
350 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an
351 // array of certificates, the first of which is the certificate we're
352 // verifying, and the subsequent (optional) certificates are used for
353 // chain building.
354 ScopedCFTypeRef<CFArrayRef> cert_array(cert->CreateOSCertChainForCert());
355
356 // From here on, only one thread can be active at a time. We have had a number
357 // of sporadic crashes in the SecTrustEvaluate call below, way down inside
358 // Apple's cert code, which we suspect are caused by a thread-safety issue.
359 // So as a speculative fix allow only one thread to use SecTrust on this cert.
360 base::AutoLock lock(verification_lock_);
361
362 SecTrustRef trust_ref = NULL;
363 status = SecTrustCreateWithCertificates(cert_array, trust_policies,
364 &trust_ref);
365 if (status)
366 return NetErrorFromOSStatus(status);
367 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref);
368
369 if (TestRootCerts::HasInstance()) {
370 status = TestRootCerts::GetInstance()->FixupSecTrustRef(trust_ref);
371 if (status)
372 return NetErrorFromOSStatus(status);
373 }
374
375 CSSM_APPLE_TP_ACTION_DATA tp_action_data;
376 memset(&tp_action_data, 0, sizeof(tp_action_data));
377 tp_action_data.Version = CSSM_APPLE_TP_ACTION_VERSION;
378 // Allow CSSM to download any missing intermediate certificates if an
379 // authorityInfoAccess extension or issuerAltName extension is present.
380 tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
381 CSSM_TP_ACTION_TRUST_SETTINGS;
382
383 if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
384 // Require a positive result from an OCSP responder or a CRL (or both)
385 // for every certificate in the chain. The Apple TP automatically
386 // excludes the self-signed root from this requirement. If a certificate
387 // is missing both a crlDistributionPoints extension and an
388 // authorityInfoAccess extension with an OCSP responder URL, then we
389 // will get a kSecTrustResultRecoverableTrustFailure back from
390 // SecTrustEvaluate(), with a
391 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case,
392 // we'll set our own result to include
393 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are
394 // present, and a check fails (server unavailable, OCSP retry later,
395 // signature mismatch), then we'll set our own result to include
396 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
397 tp_action_data.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
398 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
399
400 // Note, even if revocation checking is disabled, SecTrustEvaluate() will
401 // modify the OCSP options so as to attempt OCSP checking if it believes a
402 // certificate may chain to an EV root. However, because network fetches
403 // are disabled in CreateTrustPolicies() when revocation checking is
404 // disabled, these will only go against the local cache.
405 }
406
407 CFDataRef action_data_ref =
408 CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
409 reinterpret_cast<UInt8*>(&tp_action_data),
410 sizeof(tp_action_data), kCFAllocatorNull);
411 if (!action_data_ref)
412 return ERR_OUT_OF_MEMORY;
413 ScopedCFTypeRef<CFDataRef> scoped_action_data_ref(action_data_ref);
414 status = SecTrustSetParameters(trust_ref, CSSM_TP_ACTION_DEFAULT,
415 action_data_ref);
416 if (status)
417 return NetErrorFromOSStatus(status);
418
419 // Verify the certificate. A non-zero result from SecTrustGetResult()
420 // indicates that some fatal error occurred and the chain couldn't be
421 // processed, not that the chain contains no errors. We need to examine the
422 // output of SecTrustGetResult() to determine that.
423 SecTrustResultType trust_result;
424 status = SecTrustEvaluate(trust_ref, &trust_result);
425 if (status)
426 return NetErrorFromOSStatus(status);
427 CFArrayRef completed_chain = NULL;
428 CSSM_TP_APPLE_EVIDENCE_INFO* chain_info;
429 status = SecTrustGetResult(trust_ref, &trust_result, &completed_chain,
430 &chain_info);
431 if (status)
432 return NetErrorFromOSStatus(status);
433 ScopedCFTypeRef<CFArrayRef> scoped_completed_chain(completed_chain);
434
435 if (crl_set && !CheckRevocationWithCRLSet(completed_chain, crl_set))
436 verify_result->cert_status |= CERT_STATUS_REVOKED;
437
438 GetCertChainInfo(scoped_completed_chain.get(), chain_info, verify_result);
439
440 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits
441 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds
442 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping
443 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only
444 // error was due to an unsupported key size.
445 bool policy_failed = false;
446 bool weak_key = false;
447
448 // Evaluate the results
449 OSStatus cssm_result;
450 switch (trust_result) {
451 case kSecTrustResultUnspecified:
452 case kSecTrustResultProceed:
453 // Certificate chain is valid and trusted ("unspecified" indicates that
454 // the user has not explicitly set a trust setting)
455 break;
456
457 case kSecTrustResultDeny:
458 case kSecTrustResultConfirm:
459 // Certificate chain is explicitly untrusted. For kSecTrustResultConfirm,
460 // we're following what Secure Transport does and treating it as
461 // "deny".
462 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
463 break;
464
465 case kSecTrustResultRecoverableTrustFailure:
466 // Certificate chain has a failure that can be overridden by the user.
467 status = SecTrustGetCssmResultCode(trust_ref, &cssm_result);
468 if (status)
469 return NetErrorFromOSStatus(status);
470 if (cssm_result == CSSMERR_TP_VERIFY_ACTION_FAILED) {
471 policy_failed = true;
472 } else {
473 verify_result->cert_status |= CertStatusFromOSStatus(cssm_result);
474 }
475 // Walk the chain of error codes in the CSSM_TP_APPLE_EVIDENCE_INFO
476 // structure which can catch multiple errors from each certificate.
477 for (CFIndex index = 0, chain_count = CFArrayGetCount(completed_chain);
478 index < chain_count; ++index) {
479 if (chain_info[index].StatusBits & CSSM_CERT_STATUS_EXPIRED ||
480 chain_info[index].StatusBits & CSSM_CERT_STATUS_NOT_VALID_YET)
481 verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
482 if (!IsCertStatusError(verify_result->cert_status) &&
483 chain_info[index].NumStatusCodes == 0) {
484 LOG(WARNING) << "chain_info[" << index << "].NumStatusCodes is 0"
485 ", chain_info[" << index << "].StatusBits is "
486 << chain_info[index].StatusBits;
487 }
488 for (uint32 status_code_index = 0;
489 status_code_index < chain_info[index].NumStatusCodes;
490 ++status_code_index) {
491 CertStatus mapped_status = CertStatusFromOSStatus(
492 chain_info[index].StatusCodes[status_code_index]);
493 if (mapped_status == CERT_STATUS_WEAK_KEY)
494 weak_key = true;
495 verify_result->cert_status |= mapped_status;
496 }
497 }
498 if (policy_failed && !weak_key) {
499 // If CSSMERR_TP_VERIFY_ACTION_FAILED wasn't returned due to a weak
500 // key, map it back to an appropriate error code.
501 verify_result->cert_status |= CertStatusFromOSStatus(cssm_result);
502 }
503 if (!IsCertStatusError(verify_result->cert_status)) {
504 LOG(ERROR) << "cssm_result=" << cssm_result;
505 verify_result->cert_status |= CERT_STATUS_INVALID;
506 NOTREACHED();
507 }
508 break;
509
510 default:
511 status = SecTrustGetCssmResultCode(trust_ref, &cssm_result);
512 if (status)
513 return NetErrorFromOSStatus(status);
514 verify_result->cert_status |= CertStatusFromOSStatus(cssm_result);
515 if (!IsCertStatusError(verify_result->cert_status)) {
516 LOG(WARNING) << "trust_result=" << trust_result;
517 verify_result->cert_status |= CERT_STATUS_INVALID;
518 }
519 break;
520 }
521
522 // Perform hostname verification independent of SecTrustEvaluate. In order to
523 // do so, mask off any reported name errors first.
524 verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;
525 if (!cert->VerifyNameMatch(hostname))
526 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
527
528 // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
529 // compatible with Windows, which in turn implements this behavior to be
530 // compatible with WinHTTP, which doesn't report this error (bug 3004).
531 verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
532
533 if (IsCertStatusError(verify_result->cert_status))
534 return MapCertStatusToNetError(verify_result->cert_status);
535
536 if (flags & X509Certificate::VERIFY_EV_CERT) {
537 // Determine the certificate's EV status using SecTrustCopyExtendedResult(),
538 // which we need to look up because the function wasn't added until
539 // Mac OS X 10.5.7.
540 // Note: "ExtendedResult" means extended validation results.
541 CFBundleRef bundle =
542 CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security"));
543 if (bundle) {
544 SecTrustCopyExtendedResultFuncPtr copy_extended_result =
545 reinterpret_cast<SecTrustCopyExtendedResultFuncPtr>(
546 CFBundleGetFunctionPointerForName(bundle,
547 CFSTR("SecTrustCopyExtendedResult")));
548 if (copy_extended_result) {
549 CFDictionaryRef ev_dict_temp = NULL;
550 status = copy_extended_result(trust_ref, &ev_dict_temp);
551 ScopedCFTypeRef<CFDictionaryRef> ev_dict(ev_dict_temp);
552 ev_dict_temp = NULL;
553 if (status == noErr && ev_dict) {
554 // In 10.7.3, SecTrustCopyExtendedResult returns noErr and populates
555 // ev_dict even for non-EV certificates, but only EV certificates
556 // will cause ev_dict to contain kSecEVOrganizationName. In previous
557 // releases, SecTrustCopyExtendedResult would only return noErr and
558 // populate ev_dict for EV certificates, but would always include
559 // kSecEVOrganizationName in that case, so checking for this key is
560 // appropriate for all known versions of SecTrustCopyExtendedResult.
561 // The actual organization name is unneeded here and can be accessed
562 // through other means. All that matters here is the OS' conception
563 // of whether or not the certificate is EV.
564 if (CFDictionaryContainsKey(ev_dict,
565 kSecEVOrganizationName)) {
566 verify_result->cert_status |= CERT_STATUS_IS_EV;
567 }
568 }
569 }
570 }
571 }
572
573 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
574 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
575
576 return OK;
577 }
578
579 } // namespace net