net/base/x509_certificate_ios.cc - Issue 11579002: Add X509Certificate::IsIssuedByEncoded()

Side by Side Diff: net/base/x509_certificate_ios.cc

Issue 11579002: Add X509Certificate::IsIssuedByEncoded() (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Add missing base files (damn you git cl upload) Created 8 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/base/x509_certificate.h"	5 #include "net/base/x509_certificate.h"

6	6

7 #include <CommonCrypto/CommonDigest.h>	7 #include <CommonCrypto/CommonDigest.h>

8 #include <Security/Security.h>	8 #include <Security/Security.h>

9 #include <vector>	9 #include <vector>

10	10

(...skipping 51 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
62 x509_util::ParsePrincipal(&cert_handle->subject, &subject_);	62 x509_util::ParsePrincipal(&cert_handle->subject, &subject_);

63 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);	63 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);

64 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);	64 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);

65 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);	65 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);

66 serial_number_ = x509_util::ParseSerialNumber(cert_handle);	66 serial_number_ = x509_util::ParseSerialNumber(cert_handle);

67 }	67 }

68 fingerprint_ = CalculateFingerprint(cert_handle_);	68 fingerprint_ = CalculateFingerprint(cert_handle_);

69 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);	69 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);

70 }	70 }

71	71

	72 bool X509Certificate::IsIssuedByEncoded(

	73 const std::vector<std::string>& valid_issuers) {

	74 if (x509_util::IsCertNameItemInIssuerList(&cert_handle_->derIssuer,

	75 valid_issuers))
	Ryan Sleevi 2012/12/13 19:49:05 It's a shame to have to reparse the CERTName here It's a shame to have to reparse the CERTName here (we have it in cert_handle->issuer) digit1 2012/12/14 17:54:33 I know, but cert_handle->issuer is a CertPrincipal Show quoted text On 2012/12/13 19:49:05, Ryan Sleevi wrote: > It's a shame to have to reparse the CERTName here (we have it in > cert_handle->issuer) I know, but cert_handle->issuer is a CertPrincipal which, has you already mentioned, should only be used for presentation. That's why I intentionally avoided using it here. I also wanted to use CERT_CompareName(), unfortunately NSS doesn't seem to provide _any_ API to create a CERTName object from its DER-encoded representation. The only alternative seems to create multiple CERTRDN objects first, then pass then to CERT_CreateName() / CERT_AddRDN(), amd each CERTRDN is created from a list of CERTAVA objects. This is much more work, it requires parsing the DER encoded issuer names explicitely, and I'm not sure it will be much better than comparing the DER-encoded representations directly. I'd be happy if you or wtc@ had a better suggestion for this issue. Ryan Sleevi 2012/12/14 18:16:42 cert_handle->issuer is a CERTName, which is the ca Show quoted text On 2012/12/14 17:54:33, digit1 wrote: > On 2012/12/13 19:49:05, Ryan Sleevi wrote: > > It's a shame to have to reparse the CERTName here (we have it in > > cert_handle->issuer) > > I know, but cert_handle->issuer is a CertPrincipal which, has you already > mentioned, should only be used for presentation. That's why I intentionally > avoided using it here. cert_handle->issuer is a CERTName, which is the canonical type, not a CertPrincipal. Note, I was talking about cert_handle->issuer, not this->issuer_ Show quoted text > > I also wanted to use CERT_CompareName(), unfortunately NSS doesn't seem to > provide _any_ API to create a CERTName object from its DER-encoded > representation. The only alternative seems to create multiple CERTRDN objects > first, then pass then to CERT_CreateName() / CERT_AddRDN(), amd each CERTRDN is > created from a list of CERTAVA objects. typedef scoped_ptr_malloc<CERTName, NSSDestroyer<CERTName, CERT_DestroyName> > ScopedCERTName; SECItem data; data.len = ... data.data = ...; ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena.get()); return false; ScopedCERTName name(PORT_ArenaZNew(arena, CERTName)); if (!name.get()) return false; SECStatus rv = SEC_ASN1DecodeItem(arena.get(), name.get(), SEC_ASN1_GET(CERT_NameTemplate), &data); if (rv != SECSuccess) return false; /* Setting ->arena will ensure that name releases arena when it's done. If this is all stack local, then you don't need to do this and just let the arena pool handle cleanup / name->arena = arena.release(); / do something with a CERTName here / return true; Show quoted text > > This is much more work, it requires parsing the DER encoded issuer names > explicitely, and I'm not sure it will be much better than comparing the > DER-encoded representations directly. It also yields the RFC-correct output, which comparing the DER-encoded representations does not. Show quoted text > > I'd be happy if you or wtc@ had a better suggestion for this issue. > digit1* 2012/12/18 16:19:24 Thank you so much for this, I've implemented this Thank you so much for this, I've implemented this in net/base/x509_util_nss.cc, this makes the use of CERT_CompareName() possible.
	76 return true;

	77

	78 for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();

	79 it != intermediate_ca_certs_.end(); ++it) {

	80 if (x509_util::IsCertNameItemInIssuerList(&(*it)->derSubject,

	81 valid_issuers))

	82 return true;
	Ryan Sleevi 2012/12/13 19:49:05 BUG: Rather then checking the subject, you should BUG: Rather then checking the subject, you should be checking issuer names here as well. It's legal for intermediate_ca_certs[.size() - 1].issuer == some_valid_issuer, which would be missed by this algorithm. digit1 2012/12/14 17:54:33 That makes sense, I'll fix all checks. That makes sense, I'll fix all checks.
	83 }

	84 return false;

	85 }

	86

72 // static	87 // static

73 X509Certificate* X509Certificate::CreateSelfSigned(	88 X509Certificate* X509Certificate::CreateSelfSigned(

74 crypto::RSAPrivateKey* key,	89 crypto::RSAPrivateKey* key,

75 const std::string& subject,	90 const std::string& subject,

76 uint32 serial_number,	91 uint32 serial_number,

77 base::TimeDelta valid_duration) {	92 base::TimeDelta valid_duration) {

78 DCHECK(key);	93 DCHECK(key);

79 DCHECK(!subject.empty());	94 DCHECK(!subject.empty());

80 NOTIMPLEMENTED();	95 NOTIMPLEMENTED();

81 return NULL;	96 return NULL;

(...skipping 139 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
221	236

222 // static	237 // static

223 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,	238 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,

224 size_t* size_bits,	239 size_t* size_bits,

225 PublicKeyType* type) {	240 PublicKeyType* type) {

226 x509_util_ios::NSSCertificate nss_cert(cert_handle);	241 x509_util_ios::NSSCertificate nss_cert(cert_handle);

227 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);	242 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);

228 }	243 }

229	244

230 } // namespace net	245 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/x509_certificate.h ('k') | net/base/x509_certificate_mac.cc » ('j') | net/base/x509_certificate_mac.cc » ('J')