Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(389)

Side by Side Diff: net/base/x509_certificate_ios.cc

Issue 10928107: Support x509 certificate on iOS. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master
Patch Set: Revert unneeded changes Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/base/x509_certificate.h"
6
7 #include <cert.h>
8 #include <CommonCrypto/CommonDigest.h>
9 #include <cryptohi.h>
10 #include <keyhi.h>
11 #include <nss.h>
12 #include <pk11pub.h>
13 #include <prerror.h>
14 #include <prtime.h>
15 #include <prtypes.h>
16 #include <secder.h>
17 #include <secerr.h>
18 #include <Security/Security.h>
19 #include <sslerr.h>
20 #include <vector>
Ryan Sleevi 2012/09/12 19:34:44 nit: It is not immediately clear to me, based on h
21
22 #include "base/logging.h"
23 #include "base/mac/scoped_cftyperef.h"
24 #include "base/memory/scoped_ptr.h"
25 #include "base/pickle.h"
26 #include "base/time.h"
27 #include "crypto/nss_util.h"
28 #include "crypto/scoped_nss_types.h"
29 #include "net/base/asn1_util.h"
30 #include "net/base/cert_status_flags.h"
31 #include "net/base/cert_verify_result.h"
32 #include "net/base/ev_root_ca_metadata.h"
33 #include "net/base/net_errors.h"
34 #include "net/base/x509_util_ios.h"
35 #include "net/base/x509_util_nss.h"
36
37 using base::mac::ScopedCFTypeRef;
38
39 namespace net {
40 namespace {
41 // Test that a given |cert_handle| is actually a valid X.509 certificate, and
42 // return true if it is.
43 //
44 // SecCertificateCreateFromData() does not return any errors if called with
Ryan Sleevi 2012/09/12 19:34:44 Turns out Apple fixed this in OS X 10.8, and I'd b
45 // invalid data, as long as data is present. The actual decoding of the
46 // certificate does not happen until an API that requires a CSSM handle is
47 // called. Use SecCertificateCopySubjectSummary to check that the certificate
48 // parsed as a valid X.509 certificate.
49 bool IsValidOSCertHandle(SecCertificateRef cert_handle) {
50 ScopedCFTypeRef<CFStringRef> sanity_check(
51 SecCertificateCopySubjectSummary(cert_handle));
52 return sanity_check != NULL;
53 }
54 } // namespace
55
56 void X509Certificate::Initialize() {
57 x509_util_ios::NSSCertificate nss_cert(cert_handle_);
58 CERTCertificate* cert_handle = nss_cert.cert_handle();
59
60 x509_util::ParsePrincipal(&cert_handle->subject, &subject_);
61 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);
62
63 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);
64 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);
65
66 fingerprint_ = CalculateFingerprint(cert_handle_);
67 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
68
69 serial_number_ = x509_util::ParseSerialNumber(cert_handle);
70 }
71
72 // static
73 X509Certificate* X509Certificate::CreateSelfSigned(
74 crypto::RSAPrivateKey* key,
75 const std::string& subject,
76 uint32 serial_number,
77 base::TimeDelta valid_duration) {
78 DCHECK(key);
79 DCHECK(!subject.empty());
80 NOTIMPLEMENTED();
81 return NULL;
82 }
83
84 void X509Certificate::GetSubjectAltName(
85 std::vector<std::string>* dns_names,
86 std::vector<std::string>* ip_addrs) const {
87 x509_util_ios::NSSCertificate nss_cert(cert_handle_);
88 x509_util::GetSubjectAltName(nss_cert.cert_handle(), dns_names, ip_addrs);
89 }
90
91 // static
92 bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle,
93 std::string* encoded) {
94 ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));
95 if (!der_data)
96 return false;
97 encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),
98 CFDataGetLength(der_data));
99 return true;
100 }
101
102 // static
103 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
104 X509Certificate::OSCertHandle b) {
105 DCHECK(a && b);
106 if (a == b)
107 return true;
108 if (CFEqual(a, b))
109 return true;
110 ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a));
111 ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b));
112 return a_data && b_data &&
113 CFDataGetLength(a_data) == CFDataGetLength(b_data) &&
114 memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data),
115 CFDataGetLength(a_data)) == 0;
Ryan Sleevi 2012/09/12 19:34:44 As a follow-up, it would be good to test if lines
droger 2012/09/13 13:03:05 The unit tests pass if I simply return CFEqual(a,
116 }
117
118 // static
119 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
120 const char* data, int length) {
121 ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(
122 kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length,
123 kCFAllocatorNull));
124 if (!cert_data)
125 return NULL;
126 OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data);
127 if (!cert_handle)
128 return NULL;
129 if (!IsValidOSCertHandle(cert_handle)) {
130 CFRelease(cert_handle);
131 return NULL;
132 }
133 return cert_handle;
134 }
135
136 // static
137 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
138 const char* data,
139 int length,
140 Format format) {
141 return x509_util::CreateOSCertHandlesFromBytes(data, length, format);
142 }
143
144 // static
145 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
146 OSCertHandle handle) {
147 if (!handle)
148 return NULL;
149 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
150 }
151
152 // static
153 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
154 CFRelease(cert_handle);
155 }
156
157 // static
158 SHA1HashValue X509Certificate::CalculateFingerprint(
159 OSCertHandle cert) {
160 SHA1HashValue sha1;
161 memset(sha1.data, 0, sizeof(sha1.data));
162
163 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
164 if (!cert_data)
165 return sha1;
166 DCHECK(CFDataGetBytePtr(cert_data));
167 DCHECK_NE(CFDataGetLength(cert_data), 0);
Ryan Sleevi 2012/09/12 19:34:44 nit: DCHECK_NE(expected, actual)
168 CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data);
169
170 return sha1;
171 }
172
173 // static
174 SHA1HashValue X509Certificate::CalculateCAFingerprint(
175 const OSCertHandles& intermediates) {
176 SHA1HashValue sha1;
177 memset(sha1.data, 0, sizeof(sha1.data));
178
179 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so
180 // we don't check their return values.
181 CC_SHA1_CTX sha1_ctx;
182 CC_SHA1_Init(&sha1_ctx);
183 for (size_t i = 0; i < intermediates.size(); ++i) {
184 ScopedCFTypeRef<CFDataRef>
185 cert_data(SecCertificateCopyData(intermediates[i]));
186 if (!cert_data)
187 return sha1;
188 CC_SHA1_Update(&sha1_ctx,
189 CFDataGetBytePtr(cert_data),
190 CFDataGetLength(cert_data));
191 }
192 CC_SHA1_Final(sha1.data, &sha1_ctx);
193 return sha1;
194 }
195
196 // static
197 X509Certificate::OSCertHandle
198 X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) {
199 return x509_util::ReadOSCertHandleFromPickle(pickle_iter);
200 }
201
202 // static
203 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
204 Pickle* pickle) {
205 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle));
206 if (!cert_data)
207 return false;
208
209 return pickle->WriteData(
210 reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)),
211 CFDataGetLength(cert_data));
212 }
213
214 // static
215 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
216 size_t* size_bits,
217 PublicKeyType* type) {
218 x509_util_ios::NSSCertificate nss_cert(cert_handle);
219 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);
220 }
221
222 } // namespace net
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698