1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/cert/x509_certificate.h"
6
7#include <CommonCrypto/CommonDigest.h>
8#include <Security/Security.h>
9
10#include <cert.h>
11#include <cryptohi.h>
12#include <keyhi.h>
13#include <nss.h>
14#include <pk11pub.h>
15#include <prerror.h>
16#include <prtime.h>
17#include <prtypes.h>
18#include <secder.h>
19#include <secerr.h>
20#include <sslerr.h>
21
22#include <vector>
23
24#include "base/logging.h"
25#include "base/mac/scoped_cftyperef.h"
26#include "base/memory/scoped_ptr.h"
27#include "base/pickle.h"
28#include "base/time/time.h"
29#include "crypto/nss_util.h"
30#include "crypto/scoped_nss_types.h"
31#include "net/base/net_errors.h"
32#include "net/cert/asn1_util.h"
33#include "net/cert/cert_status_flags.h"
34#include "net/cert/cert_verify_result.h"
35#include "net/cert/ev_root_ca_metadata.h"
36#include "net/cert/x509_util_ios.h"
37#include "net/cert/x509_util_nss.h"
38
39using base::ScopedCFTypeRef;
40
41namespace net {
42namespace {
43// Returns true if a given |cert_handle| is actually a valid X.509 certificate
44// handle.
45//
46// SecCertificateCreateFromData() does not always force the immediate parsing of
47// the certificate, and as such, may return a SecCertificateRef for an
48// invalid/unparsable certificate. Force parsing to occur to ensure that the
49// SecCertificateRef is correct. On later versions where
50// SecCertificateCreateFromData() immediately parses, rather than lazily, this
51// call is cheap, as the subject is cached.
52bool IsValidOSCertHandle(SecCertificateRef cert_handle) {
53  ScopedCFTypeRef<CFStringRef> sanity_check(
54      SecCertificateCopySubjectSummary(cert_handle));
55  return sanity_check != NULL;
56}
57}  // namespace
58
59void X509Certificate::Initialize() {
60  x509_util_ios::NSSCertificate nss_cert(cert_handle_);
61  CERTCertificate* cert_handle = nss_cert.cert_handle();
62  if (cert_handle) {
63    x509_util::ParsePrincipal(&cert_handle->subject, &subject_);
64    x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);
65    x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);
66    x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);
67    serial_number_ = x509_util::ParseSerialNumber(cert_handle);
68  }
69  fingerprint_ = CalculateFingerprint(cert_handle_);
70  ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
71}
72
73bool X509Certificate::IsIssuedByEncoded(
74    const std::vector<std::string>& valid_issuers) {
75  x509_util_ios::NSSCertChain nss_chain(this);
76  // Convert to scoped CERTName* list.
77  std::vector<CERTName*> issuers;
78  crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
79  if (!x509_util::GetIssuersFromEncodedList(valid_issuers,
80                                            arena.get(),
81                                            &issuers)) {
82    return false;
83  }
84  return x509_util::IsCertificateIssuedBy(
85      nss_chain.cert_chain(), issuers);
86}
87
88void X509Certificate::GetSubjectAltName(
89    std::vector<std::string>* dns_names,
90    std::vector<std::string>* ip_addrs) const {
91  x509_util_ios::NSSCertificate nss_cert(cert_handle_);
92  CERTCertificate* cert_handle = nss_cert.cert_handle();
93  if (!cert_handle) {
94    if (dns_names)
95      dns_names->clear();
96    if (ip_addrs)
97      ip_addrs->clear();
98    return;
99  }
100  x509_util::GetSubjectAltName(cert_handle, dns_names, ip_addrs);
101}
102
103// static
104bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle,
105                                    std::string* encoded) {
106  ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));
107  if (!der_data)
108    return false;
109  encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),
110                  CFDataGetLength(der_data));
111  return true;
112}
113
114// static
115bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
116                                   X509Certificate::OSCertHandle b) {
117  DCHECK(a && b);
118  if (a == b)
119    return true;
120  if (CFEqual(a, b))
121    return true;
122  ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a));
123  ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b));
124  return a_data && b_data &&
125         CFDataGetLength(a_data) == CFDataGetLength(b_data) &&
126         memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data),
127                CFDataGetLength(a_data)) == 0;
128}
129
130// static
131X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
132    const char* data, int length) {
133  ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(
134      kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length,
135      kCFAllocatorNull));
136  if (!cert_data)
137    return NULL;
138  OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data);
139  if (!cert_handle)
140    return NULL;
141  if (!IsValidOSCertHandle(cert_handle)) {
142    CFRelease(cert_handle);
143    return NULL;
144  }
145  return cert_handle;
146}
147
148// static
149X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
150    const char* data,
151    int length,
152    Format format) {
153  return x509_util::CreateOSCertHandlesFromBytes(data, length, format);
154}
155
156// static
157X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
158    OSCertHandle handle) {
159  if (!handle)
160    return NULL;
161  return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
162}
163
164// static
165void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
166  CFRelease(cert_handle);
167}
168
169// static
170SHA1HashValue X509Certificate::CalculateFingerprint(
171    OSCertHandle cert) {
172  SHA1HashValue sha1;
173  memset(sha1.data, 0, sizeof(sha1.data));
174
175  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
176  if (!cert_data)
177    return sha1;
178  DCHECK(CFDataGetBytePtr(cert_data));
179  DCHECK_NE(0, CFDataGetLength(cert_data));
180  CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data);
181
182  return sha1;
183}
184
185// static
186SHA1HashValue X509Certificate::CalculateCAFingerprint(
187    const OSCertHandles& intermediates) {
188  SHA1HashValue sha1;
189  memset(sha1.data, 0, sizeof(sha1.data));
190
191  // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so
192  // we don't check their return values.
193  CC_SHA1_CTX sha1_ctx;
194  CC_SHA1_Init(&sha1_ctx);
195  for (size_t i = 0; i < intermediates.size(); ++i) {
196    ScopedCFTypeRef<CFDataRef>
197        cert_data(SecCertificateCopyData(intermediates[i]));
198    if (!cert_data)
199      return sha1;
200    CC_SHA1_Update(&sha1_ctx,
201                   CFDataGetBytePtr(cert_data),
202                   CFDataGetLength(cert_data));
203  }
204  CC_SHA1_Final(sha1.data, &sha1_ctx);
205  return sha1;
206}
207
208// static
209X509Certificate::OSCertHandle
210X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) {
211  return x509_util::ReadOSCertHandleFromPickle(pickle_iter);
212}
213
214// static
215bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
216                                                Pickle* pickle) {
217  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle));
218  if (!cert_data)
219    return false;
220
221  return pickle->WriteData(
222      reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)),
223      CFDataGetLength(cert_data));
224}
225
226// static
227void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
228                                       size_t* size_bits,
229                                       PublicKeyType* type) {
230  x509_util_ios::NSSCertificate nss_cert(cert_handle);
231  x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);
232}
233
234}  // namespace net
235