net/cert/known_roots_win.cc - chromium/src - Git at Google

 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/cert/known_roots_win.h"

 #include "base/metrics/histogram_macros.h"
 #include "crypto/sha2.h"
 #include "net/base/hash_value.h"
 #include "net/cert/x509_certificate_known_roots_win.h"
 #include "net/cert/x509_util_win.h"

 namespace net {

 bool IsKnownRoot(PCCERT_CONTEXT cert) {
   SHA256HashValue hash = x509_util::CalculateFingerprint256(cert);
   bool is_builtin =
       IsSHA256HashInSortedArray(HashValue(hash), kKnownRootCertSHA256Hashes,
                                 kKnownRootCertSHA256HashesLength);

   // Test to see if the use of a built-in set of known roots on Windows can be
   // replaced with using AuthRoot's SHA-256 property. On any system other than
   // a fresh RTM with no AuthRoot updates, this property should always exist for
   // roots delivered via AuthRoot.stl, but should not exist on any manually or
   // administratively deployed roots.
   BYTE hash_prop[32] = {0};
   DWORD size = sizeof(hash_prop);
   bool found_property =
       CertGetCertificateContextProperty(
           cert, CERT_AUTH_ROOT_SHA256_HASH_PROP_ID, &hash_prop, &size) &&
       size == sizeof(hash_prop);

   enum BuiltinStatus {
     BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_NOT_SET = 0,
     BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_SET = 1,
     BUILT_IN_PROPERTY_FOUND_BUILTIN_NOT_SET = 2,
     BUILT_IN_PROPERTY_FOUND_BUILTIN_SET = 3,
     BUILT_IN_MAX_VALUE,
   } status;
   if (!found_property && !is_builtin) {
     status = BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_NOT_SET;
   } else if (!found_property && is_builtin) {
     status = BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_SET;
   } else if (found_property && !is_builtin) {
     status = BUILT_IN_PROPERTY_FOUND_BUILTIN_NOT_SET;
   } else if (found_property && is_builtin) {
     status = BUILT_IN_PROPERTY_FOUND_BUILTIN_SET;
   } else {
     status = BUILT_IN_MAX_VALUE;
   }
   UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status,
                             BUILT_IN_MAX_VALUE);

   return is_builtin;
 }

 }  // namespace net
	// Copyright (c) 2017 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/cert/known_roots_win.h"

	#include "base/metrics/histogram_macros.h"
	#include "crypto/sha2.h"
	#include "net/base/hash_value.h"
	#include "net/cert/x509_certificate_known_roots_win.h"
	#include "net/cert/x509_util_win.h"

	namespace net {

	bool IsKnownRoot(PCCERT_CONTEXT cert) {
	SHA256HashValue hash = x509_util::CalculateFingerprint256(cert);
	bool is_builtin =
	IsSHA256HashInSortedArray(HashValue(hash), kKnownRootCertSHA256Hashes,
	kKnownRootCertSHA256HashesLength);

	// Test to see if the use of a built-in set of known roots on Windows can be
	// replaced with using AuthRoot's SHA-256 property. On any system other than
	// a fresh RTM with no AuthRoot updates, this property should always exist for
	// roots delivered via AuthRoot.stl, but should not exist on any manually or
	// administratively deployed roots.
	BYTE hash_prop[32] = {0};
	DWORD size = sizeof(hash_prop);
	bool found_property =
	CertGetCertificateContextProperty(
	cert, CERT_AUTH_ROOT_SHA256_HASH_PROP_ID, &hash_prop, &size) &&
	size == sizeof(hash_prop);

	enum BuiltinStatus {
	BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_NOT_SET = 0,
	BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_SET = 1,
	BUILT_IN_PROPERTY_FOUND_BUILTIN_NOT_SET = 2,
	BUILT_IN_PROPERTY_FOUND_BUILTIN_SET = 3,
	BUILT_IN_MAX_VALUE,
	} status;
	if (!found_property && !is_builtin) {
	status = BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_NOT_SET;
	} else if (!found_property && is_builtin) {
	status = BUILT_IN_PROPERTY_NOT_FOUND_BUILTIN_SET;
	} else if (found_property && !is_builtin) {
	status = BUILT_IN_PROPERTY_FOUND_BUILTIN_NOT_SET;
	} else if (found_property && is_builtin) {
	status = BUILT_IN_PROPERTY_FOUND_BUILTIN_SET;
	} else {
	status = BUILT_IN_MAX_VALUE;
	}
	UMA_HISTOGRAM_ENUMERATION("Net.SSL_AuthRootConsistency", status,
	BUILT_IN_MAX_VALUE);

	return is_builtin;
	}

	} // namespace net