1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/cert/x509_certificate.h" 6 7#include <CommonCrypto/CommonDigest.h> 8#include <Security/Security.h> 9 10#include <cert.h> 11#include <cryptohi.h> 12#include <keyhi.h> 13#include <nss.h> 14#include <pk11pub.h> 15#include <prerror.h> 16#include <prtime.h> 17#include <prtypes.h> 18#include <secder.h> 19#include <secerr.h> 20#include <sslerr.h> 21 22#include <vector> 23 24#include "base/logging.h" 25#include "base/mac/scoped_cftyperef.h" 26#include "base/memory/scoped_ptr.h" 27#include "base/pickle.h" 28#include "base/time/time.h" 29#include "crypto/nss_util.h" 30#include "crypto/scoped_nss_types.h" 31#include "net/base/net_errors.h" 32#include "net/cert/asn1_util.h" 33#include "net/cert/cert_status_flags.h" 34#include "net/cert/cert_verify_result.h" 35#include "net/cert/ev_root_ca_metadata.h" 36#include "net/cert/x509_util_ios.h" 37#include "net/cert/x509_util_nss.h" 38 39using base::ScopedCFTypeRef; 40 41namespace net { 42namespace { 43// Returns true if a given |cert_handle| is actually a valid X.509 certificate 44// handle. 45// 46// SecCertificateCreateFromData() does not always force the immediate parsing of 47// the certificate, and as such, may return a SecCertificateRef for an 48// invalid/unparsable certificate. Force parsing to occur to ensure that the 49// SecCertificateRef is correct. On later versions where 50// SecCertificateCreateFromData() immediately parses, rather than lazily, this 51// call is cheap, as the subject is cached. 52bool IsValidOSCertHandle(SecCertificateRef cert_handle) { 53 ScopedCFTypeRef<CFStringRef> sanity_check( 54 SecCertificateCopySubjectSummary(cert_handle)); 55 return sanity_check != NULL; 56} 57} // namespace 58 59void X509Certificate::Initialize() { 60 x509_util_ios::NSSCertificate nss_cert(cert_handle_); 61 CERTCertificate* cert_handle = nss_cert.cert_handle(); 62 if (cert_handle) { 63 x509_util::ParsePrincipal(&cert_handle->subject, &subject_); 64 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_); 65 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_); 66 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_); 67 serial_number_ = x509_util::ParseSerialNumber(cert_handle); 68 } 69 fingerprint_ = CalculateFingerprint(cert_handle_); 70 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_); 71} 72 73bool X509Certificate::IsIssuedByEncoded( 74 const std::vector<std::string>& valid_issuers) { 75 x509_util_ios::NSSCertChain nss_chain(this); 76 // Convert to scoped CERTName* list. 77 std::vector<CERTName*> issuers; 78 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); 79 if (!x509_util::GetIssuersFromEncodedList(valid_issuers, 80 arena.get(), 81 &issuers)) { 82 return false; 83 } 84 return x509_util::IsCertificateIssuedBy( 85 nss_chain.cert_chain(), issuers); 86} 87 88void X509Certificate::GetSubjectAltName( 89 std::vector<std::string>* dns_names, 90 std::vector<std::string>* ip_addrs) const { 91 x509_util_ios::NSSCertificate nss_cert(cert_handle_); 92 CERTCertificate* cert_handle = nss_cert.cert_handle(); 93 if (!cert_handle) { 94 if (dns_names) 95 dns_names->clear(); 96 if (ip_addrs) 97 ip_addrs->clear(); 98 return; 99 } 100 x509_util::GetSubjectAltName(cert_handle, dns_names, ip_addrs); 101} 102 103// static 104bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle, 105 std::string* encoded) { 106 ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle)); 107 if (!der_data) 108 return false; 109 encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)), 110 CFDataGetLength(der_data)); 111 return true; 112} 113 114// static 115bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a, 116 X509Certificate::OSCertHandle b) { 117 DCHECK(a && b); 118 if (a == b) 119 return true; 120 if (CFEqual(a, b)) 121 return true; 122 ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a)); 123 ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b)); 124 return a_data && b_data && 125 CFDataGetLength(a_data) == CFDataGetLength(b_data) && 126 memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data), 127 CFDataGetLength(a_data)) == 0; 128} 129 130// static 131X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( 132 const char* data, int length) { 133 ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy( 134 kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length, 135 kCFAllocatorNull)); 136 if (!cert_data) 137 return NULL; 138 OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data); 139 if (!cert_handle) 140 return NULL; 141 if (!IsValidOSCertHandle(cert_handle)) { 142 CFRelease(cert_handle); 143 return NULL; 144 } 145 return cert_handle; 146} 147 148// static 149X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( 150 const char* data, 151 int length, 152 Format format) { 153 return x509_util::CreateOSCertHandlesFromBytes(data, length, format); 154} 155 156// static 157X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( 158 OSCertHandle handle) { 159 if (!handle) 160 return NULL; 161 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); 162} 163 164// static 165void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { 166 CFRelease(cert_handle); 167} 168 169// static 170SHA1HashValue X509Certificate::CalculateFingerprint( 171 OSCertHandle cert) { 172 SHA1HashValue sha1; 173 memset(sha1.data, 0, sizeof(sha1.data)); 174 175 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert)); 176 if (!cert_data) 177 return sha1; 178 DCHECK(CFDataGetBytePtr(cert_data)); 179 DCHECK_NE(0, CFDataGetLength(cert_data)); 180 CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data); 181 182 return sha1; 183} 184 185// static 186SHA1HashValue X509Certificate::CalculateCAFingerprint( 187 const OSCertHandles& intermediates) { 188 SHA1HashValue sha1; 189 memset(sha1.data, 0, sizeof(sha1.data)); 190 191 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so 192 // we don't check their return values. 193 CC_SHA1_CTX sha1_ctx; 194 CC_SHA1_Init(&sha1_ctx); 195 for (size_t i = 0; i < intermediates.size(); ++i) { 196 ScopedCFTypeRef<CFDataRef> 197 cert_data(SecCertificateCopyData(intermediates[i])); 198 if (!cert_data) 199 return sha1; 200 CC_SHA1_Update(&sha1_ctx, 201 CFDataGetBytePtr(cert_data), 202 CFDataGetLength(cert_data)); 203 } 204 CC_SHA1_Final(sha1.data, &sha1_ctx); 205 return sha1; 206} 207 208// static 209X509Certificate::OSCertHandle 210X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) { 211 return x509_util::ReadOSCertHandleFromPickle(pickle_iter); 212} 213 214// static 215bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, 216 Pickle* pickle) { 217 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle)); 218 if (!cert_data) 219 return false; 220 221 return pickle->WriteData( 222 reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)), 223 CFDataGetLength(cert_data)); 224} 225 226// static 227void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, 228 size_t* size_bits, 229 PublicKeyType* type) { 230 x509_util_ios::NSSCertificate nss_cert(cert_handle); 231 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type); 232} 233 234} // namespace net 235