mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-18 15:55:36 +00:00
Bug 1680321 - Rewrite CertIsSelfSigned using pkix r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D99266
This commit is contained in:
parent
130063d43f
commit
fe3a7bf2ef
@ -11,6 +11,7 @@
|
||||
#include "CTDiversityPolicy.h"
|
||||
#include "CTKnownLogs.h"
|
||||
#include "CTLogVerifier.h"
|
||||
#include "CSTrustDomain.h"
|
||||
#include "ExtendedValidation.h"
|
||||
#include "MultiLogCTVerifier.h"
|
||||
#include "NSSCertDBTrustDomain.h"
|
||||
@ -26,6 +27,7 @@
|
||||
#include "pk11pub.h"
|
||||
#include "mozpkix/pkix.h"
|
||||
#include "mozpkix/pkixnss.h"
|
||||
#include "mozpkix/pkixutil.h"
|
||||
#include "secmod.h"
|
||||
|
||||
using namespace mozilla::ct;
|
||||
@ -870,20 +872,29 @@ Result CertVerifier::VerifyCert(
|
||||
}
|
||||
|
||||
static bool CertIsSelfSigned(const UniqueCERTCertificate& cert, void* pinarg) {
|
||||
if (!SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject)) {
|
||||
Input certInput;
|
||||
Result rv = certInput.Init(cert->derCert.data, cert->derCert.len);
|
||||
if (rv != Success) {
|
||||
return false;
|
||||
}
|
||||
// we don't use the certificate for path building, so this parameter doesn't
|
||||
// matter
|
||||
EndEntityOrCA notUsedForPaths = EndEntityOrCA::MustBeEndEntity;
|
||||
BackCert backCert(certInput, notUsedForPaths, nullptr);
|
||||
rv = backCert.Init();
|
||||
if (rv != Success) {
|
||||
return false;
|
||||
}
|
||||
if (!InputsAreEqual(backCert.GetIssuer(), backCert.GetSubject())) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check that the certificate is signed with the cert's spki.
|
||||
SECStatus rv = CERT_VerifySignedDataWithPublicKeyInfo(
|
||||
const_cast<CERTSignedData*>(&cert->signatureWrap),
|
||||
const_cast<CERTSubjectPublicKeyInfo*>(&cert->subjectPublicKeyInfo),
|
||||
pinarg);
|
||||
if (rv != SECSuccess) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
nsTArray<nsTArray<uint8_t>> emptyCertList;
|
||||
// CSTrustDomain is only used for the signature verification callbacks
|
||||
mozilla::psm::CSTrustDomain trustDomain(emptyCertList);
|
||||
rv = VerifySignedData(trustDomain, backCert.GetSignedData(),
|
||||
backCert.GetSubjectPublicKeyInfo());
|
||||
return rv == Success;
|
||||
}
|
||||
|
||||
Result CertVerifier::VerifySSLServerCert(
|
||||
|
Loading…
Reference in New Issue
Block a user