File: certificate_util.cc

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (80 lines) | stat: -rw-r--r-- 2,848 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/ash/attestation/certificate_util.h"

#include "base/containers/span.h"
#include "base/logging.h"
#include "base/memory/scoped_refptr.h"
#include "base/notreached.h"
#include "base/time/time.h"
#include "net/cert/x509_certificate.h"
#include "third_party/boringssl/src/pki/pem.h"

namespace ash {
namespace attestation {

CertificateExpiryStatus CheckCertificateExpiry(
    const std::string& certificate_chain,
    base::TimeDelta expiry_threshold) {
  bool is_expiring_soon = false;
  bool invalid_certificate_found = false;
  bool any_certificate_found = false;
  bssl::PEMTokenizer pem_tokenizer(certificate_chain, {"CERTIFICATE"});
  while (pem_tokenizer.GetNext()) {
    any_certificate_found = true;
    scoped_refptr<net::X509Certificate> x509 =
        net::X509Certificate::CreateFromBytes(
            base::as_byte_span(pem_tokenizer.data()));
    if (!x509.get() || x509->valid_expiry().is_null()) {
      // In theory this should not happen but in practice parsing X.509 can be
      // brittle and there are a lot of factors including which underlying
      // module is parsing the certificate, whether that module performs more
      // checks than just ASN.1/DER format, and the server module that generated
      // the certificate(s).
      invalid_certificate_found = true;
      continue;
    }
    const base::Time current_time = base::Time::Now();
    if (current_time > x509->valid_expiry()) {
      // Found valid expired token, other tokens can be ignored.
      return CertificateExpiryStatus::kExpired;
    }
    if (current_time + expiry_threshold > x509->valid_expiry()) {
      // Check this flag after the loop to not to loose possible expired tokens.
      is_expiring_soon = true;
    }
  }
  if (is_expiring_soon) {
    // Found at least one expiring soon token and can ignore invalid tokens.
    return CertificateExpiryStatus::kExpiringSoon;
  }
  if (invalid_certificate_found) {
    return CertificateExpiryStatus::kInvalidX509;
  }
  if (!any_certificate_found) {
    return CertificateExpiryStatus::kInvalidPemChain;
  }
  return CertificateExpiryStatus::kValid;
}

std::string CertificateExpiryStatusToString(CertificateExpiryStatus status) {
  switch (status) {
    case CertificateExpiryStatus::kValid:
      return "Valid";
    case CertificateExpiryStatus::kExpiringSoon:
      return "ExpiringSoon";
    case CertificateExpiryStatus::kExpired:
      return "Expired";
    case CertificateExpiryStatus::kInvalidPemChain:
      return "InvalidPemChain";
    case CertificateExpiryStatus::kInvalidX509:
      return "InvalidX509";
  }

  NOTREACHED() << "Unknown certificate status";
}

}  // namespace attestation
}  // namespace ash