OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/x509_certificate.h" | |
6 | |
7 #include <cert.h> | |
8 #include <CommonCrypto/CommonDigest.h> | |
9 #include <cryptohi.h> | |
10 #include <keyhi.h> | |
11 #include <nss.h> | |
12 #include <pk11pub.h> | |
13 #include <prerror.h> | |
14 #include <prtime.h> | |
15 #include <prtypes.h> | |
16 #include <secder.h> | |
17 #include <secerr.h> | |
18 #include <Security/Security.h> | |
19 #include <sslerr.h> | |
20 #include <vector> | |
Ryan Sleevi
2012/09/12 19:34:44
nit: It is not immediately clear to me, based on h
| |
21 | |
22 #include "base/logging.h" | |
23 #include "base/mac/scoped_cftyperef.h" | |
24 #include "base/memory/scoped_ptr.h" | |
25 #include "base/pickle.h" | |
26 #include "base/time.h" | |
27 #include "crypto/nss_util.h" | |
28 #include "crypto/scoped_nss_types.h" | |
29 #include "net/base/asn1_util.h" | |
30 #include "net/base/cert_status_flags.h" | |
31 #include "net/base/cert_verify_result.h" | |
32 #include "net/base/ev_root_ca_metadata.h" | |
33 #include "net/base/net_errors.h" | |
34 #include "net/base/x509_util_ios.h" | |
35 #include "net/base/x509_util_nss.h" | |
36 | |
37 using base::mac::ScopedCFTypeRef; | |
38 | |
39 namespace net { | |
40 namespace { | |
41 // Test that a given |cert_handle| is actually a valid X.509 certificate, and | |
42 // return true if it is. | |
43 // | |
44 // SecCertificateCreateFromData() does not return any errors if called with | |
Ryan Sleevi
2012/09/12 19:34:44
Turns out Apple fixed this in OS X 10.8, and I'd b
| |
45 // invalid data, as long as data is present. The actual decoding of the | |
46 // certificate does not happen until an API that requires a CSSM handle is | |
47 // called. Use SecCertificateCopySubjectSummary to check that the certificate | |
48 // parsed as a valid X.509 certificate. | |
49 bool IsValidOSCertHandle(SecCertificateRef cert_handle) { | |
50 ScopedCFTypeRef<CFStringRef> sanity_check( | |
51 SecCertificateCopySubjectSummary(cert_handle)); | |
52 return sanity_check != NULL; | |
53 } | |
54 } // namespace | |
55 | |
56 void X509Certificate::Initialize() { | |
57 x509_util_ios::NSSCertificate nss_cert(cert_handle_); | |
58 CERTCertificate* cert_handle = nss_cert.cert_handle(); | |
59 | |
60 x509_util::ParsePrincipal(&cert_handle->subject, &subject_); | |
61 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_); | |
62 | |
63 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_); | |
64 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_); | |
65 | |
66 fingerprint_ = CalculateFingerprint(cert_handle_); | |
67 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_); | |
68 | |
69 serial_number_ = x509_util::ParseSerialNumber(cert_handle); | |
70 } | |
71 | |
72 // static | |
73 X509Certificate* X509Certificate::CreateSelfSigned( | |
74 crypto::RSAPrivateKey* key, | |
75 const std::string& subject, | |
76 uint32 serial_number, | |
77 base::TimeDelta valid_duration) { | |
78 DCHECK(key); | |
79 DCHECK(!subject.empty()); | |
80 NOTIMPLEMENTED(); | |
81 return NULL; | |
82 } | |
83 | |
84 void X509Certificate::GetSubjectAltName( | |
85 std::vector<std::string>* dns_names, | |
86 std::vector<std::string>* ip_addrs) const { | |
87 x509_util_ios::NSSCertificate nss_cert(cert_handle_); | |
88 x509_util::GetSubjectAltName(nss_cert.cert_handle(), dns_names, ip_addrs); | |
89 } | |
90 | |
91 // static | |
92 bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle, | |
93 std::string* encoded) { | |
94 ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle)); | |
95 if (!der_data) | |
96 return false; | |
97 encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)), | |
98 CFDataGetLength(der_data)); | |
99 return true; | |
100 } | |
101 | |
102 // static | |
103 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a, | |
104 X509Certificate::OSCertHandle b) { | |
105 DCHECK(a && b); | |
106 if (a == b) | |
107 return true; | |
108 if (CFEqual(a, b)) | |
109 return true; | |
110 ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a)); | |
111 ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b)); | |
112 return a_data && b_data && | |
113 CFDataGetLength(a_data) == CFDataGetLength(b_data) && | |
114 memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data), | |
115 CFDataGetLength(a_data)) == 0; | |
Ryan Sleevi
2012/09/12 19:34:44
As a follow-up, it would be good to test if lines
droger
2012/09/13 13:03:05
The unit tests pass if I simply return CFEqual(a,
| |
116 } | |
117 | |
118 // static | |
119 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( | |
120 const char* data, int length) { | |
121 ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy( | |
122 kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length, | |
123 kCFAllocatorNull)); | |
124 if (!cert_data) | |
125 return NULL; | |
126 OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data); | |
127 if (!cert_handle) | |
128 return NULL; | |
129 if (!IsValidOSCertHandle(cert_handle)) { | |
130 CFRelease(cert_handle); | |
131 return NULL; | |
132 } | |
133 return cert_handle; | |
134 } | |
135 | |
136 // static | |
137 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( | |
138 const char* data, | |
139 int length, | |
140 Format format) { | |
141 return x509_util::CreateOSCertHandlesFromBytes(data, length, format); | |
142 } | |
143 | |
144 // static | |
145 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( | |
146 OSCertHandle handle) { | |
147 if (!handle) | |
148 return NULL; | |
149 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); | |
150 } | |
151 | |
152 // static | |
153 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { | |
154 CFRelease(cert_handle); | |
155 } | |
156 | |
157 // static | |
158 SHA1HashValue X509Certificate::CalculateFingerprint( | |
159 OSCertHandle cert) { | |
160 SHA1HashValue sha1; | |
161 memset(sha1.data, 0, sizeof(sha1.data)); | |
162 | |
163 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert)); | |
164 if (!cert_data) | |
165 return sha1; | |
166 DCHECK(CFDataGetBytePtr(cert_data)); | |
167 DCHECK_NE(CFDataGetLength(cert_data), 0); | |
Ryan Sleevi
2012/09/12 19:34:44
nit: DCHECK_NE(expected, actual)
| |
168 CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data); | |
169 | |
170 return sha1; | |
171 } | |
172 | |
173 // static | |
174 SHA1HashValue X509Certificate::CalculateCAFingerprint( | |
175 const OSCertHandles& intermediates) { | |
176 SHA1HashValue sha1; | |
177 memset(sha1.data, 0, sizeof(sha1.data)); | |
178 | |
179 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so | |
180 // we don't check their return values. | |
181 CC_SHA1_CTX sha1_ctx; | |
182 CC_SHA1_Init(&sha1_ctx); | |
183 for (size_t i = 0; i < intermediates.size(); ++i) { | |
184 ScopedCFTypeRef<CFDataRef> | |
185 cert_data(SecCertificateCopyData(intermediates[i])); | |
186 if (!cert_data) | |
187 return sha1; | |
188 CC_SHA1_Update(&sha1_ctx, | |
189 CFDataGetBytePtr(cert_data), | |
190 CFDataGetLength(cert_data)); | |
191 } | |
192 CC_SHA1_Final(sha1.data, &sha1_ctx); | |
193 return sha1; | |
194 } | |
195 | |
196 // static | |
197 X509Certificate::OSCertHandle | |
198 X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) { | |
199 return x509_util::ReadOSCertHandleFromPickle(pickle_iter); | |
200 } | |
201 | |
202 // static | |
203 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, | |
204 Pickle* pickle) { | |
205 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle)); | |
206 if (!cert_data) | |
207 return false; | |
208 | |
209 return pickle->WriteData( | |
210 reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)), | |
211 CFDataGetLength(cert_data)); | |
212 } | |
213 | |
214 // static | |
215 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, | |
216 size_t* size_bits, | |
217 PublicKeyType* type) { | |
218 x509_util_ios::NSSCertificate nss_cert(cert_handle); | |
219 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type); | |
220 } | |
221 | |
222 } // namespace net | |
OLD | NEW |