x509_certificate.cc revision 5c02ac1a9c1b504631c0a3d2b6e737b5d738bae1
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/cert/x509_certificate.h" 6 7#include <stdlib.h> 8 9#include <algorithm> 10#include <map> 11#include <string> 12#include <vector> 13 14#include "base/base64.h" 15#include "base/lazy_instance.h" 16#include "base/logging.h" 17#include "base/memory/singleton.h" 18#include "base/metrics/histogram.h" 19#include "base/pickle.h" 20#include "base/sha1.h" 21#include "base/strings/string_piece.h" 22#include "base/strings/string_util.h" 23#include "base/synchronization/lock.h" 24#include "base/time/time.h" 25#include "net/base/net_util.h" 26#include "net/base/registry_controlled_domains/registry_controlled_domain.h" 27#include "net/cert/pem_tokenizer.h" 28#include "url/url_canon.h" 29 30namespace net { 31 32namespace { 33 34// Indicates the order to use when trying to decode binary data, which is 35// based on (speculation) as to what will be most common -> least common 36const X509Certificate::Format kFormatDecodePriority[] = { 37 X509Certificate::FORMAT_SINGLE_CERTIFICATE, 38 X509Certificate::FORMAT_PKCS7 39}; 40 41// The PEM block header used for DER certificates 42const char kCertificateHeader[] = "CERTIFICATE"; 43// The PEM block header used for PKCS#7 data 44const char kPKCS7Header[] = "PKCS7"; 45 46#if !defined(USE_NSS) 47// A thread-safe cache for OS certificate handles. 48// 49// Within each of the supported underlying crypto libraries, a certificate 50// handle is represented as a ref-counted object that contains the parsed 51// data for the certificate. In addition, the underlying OS handle may also 52// contain a copy of the original ASN.1 DER used to constructed the handle. 53// 54// In order to reduce the memory usage when multiple SSL connections exist, 55// with each connection storing the server's identity certificate plus any 56// intermediates supplied, the certificate handles are cached. Any two 57// X509Certificates that were created from the same ASN.1 DER data, 58// regardless of where that data came from, will share the same underlying 59// OS certificate handle. 60class X509CertificateCache { 61 public: 62 // Performs a compare-and-swap like operation. If an OS certificate handle 63 // for the same certificate data as |*cert_handle| already exists in the 64 // cache, the original |*cert_handle| will be freed and |cert_handle| 65 // will be updated to point to a duplicated reference to the existing cached 66 // certificate, with the caller taking ownership of this duplicated handle. 67 // If an equivalent OS certificate handle is not found, a duplicated 68 // reference to |*cert_handle| will be added to the cache. In either case, 69 // upon return, the caller fully owns |*cert_handle| and is responsible for 70 // calling FreeOSCertHandle(), after first calling Remove(). 71 void InsertOrUpdate(X509Certificate::OSCertHandle* cert_handle); 72 73 // Decrements the cache reference count for |cert_handle|, a handle that was 74 // previously obtained by calling InsertOrUpdate(). If this is the last 75 // cached reference held, this will remove the handle from the cache. The 76 // caller retains ownership of |cert_handle| and remains responsible for 77 // calling FreeOSCertHandle() to release the underlying OS certificate 78 void Remove(X509Certificate::OSCertHandle cert_handle); 79 80 private: 81 // A single entry in the cache. Certificates will be keyed by their SHA1 82 // fingerprints, but will not be considered equivalent unless the entire 83 // certificate data matches. 84 struct Entry { 85 Entry() : cert_handle(NULL), ref_count(0) {} 86 87 X509Certificate::OSCertHandle cert_handle; 88 89 // Increased by each call to InsertOrUpdate(), and balanced by each call 90 // to Remove(). When it equals 0, all references created by 91 // InsertOrUpdate() have been released, so the cache entry will be removed 92 // the cached OS certificate handle will be freed. 93 int ref_count; 94 }; 95 typedef std::map<SHA1HashValue, Entry, SHA1HashValueLessThan> CertMap; 96 97 // Obtain an instance of X509CertificateCache via a LazyInstance. 98 X509CertificateCache() {} 99 ~X509CertificateCache() {} 100 friend struct base::DefaultLazyInstanceTraits<X509CertificateCache>; 101 102 // You must acquire this lock before using any private data of this object 103 // You must not block while holding this lock. 104 base::Lock lock_; 105 106 // The certificate cache. You must acquire |lock_| before using |cache_|. 107 CertMap cache_; 108 109 DISALLOW_COPY_AND_ASSIGN(X509CertificateCache); 110}; 111 112base::LazyInstance<X509CertificateCache>::Leaky 113 g_x509_certificate_cache = LAZY_INSTANCE_INITIALIZER; 114 115void X509CertificateCache::InsertOrUpdate( 116 X509Certificate::OSCertHandle* cert_handle) { 117 DCHECK(cert_handle); 118 SHA1HashValue fingerprint = 119 X509Certificate::CalculateFingerprint(*cert_handle); 120 121 X509Certificate::OSCertHandle old_handle = NULL; 122 { 123 base::AutoLock lock(lock_); 124 CertMap::iterator pos = cache_.find(fingerprint); 125 if (pos == cache_.end()) { 126 // A cached entry was not found, so initialize a new entry. The entry 127 // assumes ownership of the current |*cert_handle|. 128 Entry cache_entry; 129 cache_entry.cert_handle = *cert_handle; 130 cache_entry.ref_count = 0; 131 CertMap::value_type cache_value(fingerprint, cache_entry); 132 pos = cache_.insert(cache_value).first; 133 } else { 134 bool is_same_cert = 135 X509Certificate::IsSameOSCert(*cert_handle, pos->second.cert_handle); 136 if (!is_same_cert) { 137 // Two certificates don't match, due to a SHA1 hash collision. Given 138 // the low probability, the simplest solution is to not cache the 139 // certificate, which should not affect performance too negatively. 140 return; 141 } 142 // A cached entry was found and will be used instead of the caller's 143 // handle. Ensure the caller's original handle will be freed, since 144 // ownership is assumed. 145 old_handle = *cert_handle; 146 } 147 // Whether an existing cached handle or a new handle, increment the 148 // cache's reference count and return a handle that the caller can own. 149 ++pos->second.ref_count; 150 *cert_handle = X509Certificate::DupOSCertHandle(pos->second.cert_handle); 151 } 152 // If the caller's handle was replaced with a cached handle, free the 153 // original handle now. This is done outside of the lock because 154 // |old_handle| may be the only handle for this particular certificate, so 155 // freeing it may be complex or resource-intensive and does not need to 156 // be guarded by the lock. 157 if (old_handle) { 158 X509Certificate::FreeOSCertHandle(old_handle); 159 DHISTOGRAM_COUNTS("X509CertificateReuseCount", 1); 160 } 161} 162 163void X509CertificateCache::Remove(X509Certificate::OSCertHandle cert_handle) { 164 SHA1HashValue fingerprint = 165 X509Certificate::CalculateFingerprint(cert_handle); 166 base::AutoLock lock(lock_); 167 168 CertMap::iterator pos = cache_.find(fingerprint); 169 if (pos == cache_.end()) 170 return; // A hash collision where the winning cert was already freed. 171 172 bool is_same_cert = X509Certificate::IsSameOSCert(cert_handle, 173 pos->second.cert_handle); 174 if (!is_same_cert) 175 return; // A hash collision where the winning cert is still around. 176 177 if (--pos->second.ref_count == 0) { 178 // The last reference to |cert_handle| has been removed, so release the 179 // Entry's OS handle and remove the Entry. The caller still holds a 180 // reference to |cert_handle| and is responsible for freeing it. 181 X509Certificate::FreeOSCertHandle(pos->second.cert_handle); 182 cache_.erase(pos); 183 } 184} 185#endif // !defined(USE_NSS) 186 187// See X509CertificateCache::InsertOrUpdate. NSS has a built-in cache, so there 188// is no point in wrapping another cache around it. 189void InsertOrUpdateCache(X509Certificate::OSCertHandle* cert_handle) { 190#if !defined(USE_NSS) 191 g_x509_certificate_cache.Pointer()->InsertOrUpdate(cert_handle); 192#endif 193} 194 195// See X509CertificateCache::Remove. 196void RemoveFromCache(X509Certificate::OSCertHandle cert_handle) { 197#if !defined(USE_NSS) 198 g_x509_certificate_cache.Pointer()->Remove(cert_handle); 199#endif 200} 201 202// Utility to split |src| on the first occurrence of |c|, if any. |right| will 203// either be empty if |c| was not found, or will contain the remainder of the 204// string including the split character itself. 205void SplitOnChar(const base::StringPiece& src, 206 char c, 207 base::StringPiece* left, 208 base::StringPiece* right) { 209 size_t pos = src.find(c); 210 if (pos == base::StringPiece::npos) { 211 *left = src; 212 right->clear(); 213 } else { 214 *left = src.substr(0, pos); 215 *right = src.substr(pos); 216 } 217} 218 219} // namespace 220 221bool X509Certificate::LessThan::operator()( 222 const scoped_refptr<X509Certificate>& lhs, 223 const scoped_refptr<X509Certificate>& rhs) const { 224 if (lhs.get() == rhs.get()) 225 return false; 226 227 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, 228 sizeof(lhs->fingerprint_.data)); 229 if (rv != 0) 230 return rv < 0; 231 232 rv = memcmp(lhs->ca_fingerprint_.data, rhs->ca_fingerprint_.data, 233 sizeof(lhs->ca_fingerprint_.data)); 234 return rv < 0; 235} 236 237X509Certificate::X509Certificate(const std::string& subject, 238 const std::string& issuer, 239 base::Time start_date, 240 base::Time expiration_date) 241 : subject_(subject), 242 issuer_(issuer), 243 valid_start_(start_date), 244 valid_expiry_(expiration_date), 245 cert_handle_(NULL) { 246 memset(fingerprint_.data, 0, sizeof(fingerprint_.data)); 247 memset(ca_fingerprint_.data, 0, sizeof(ca_fingerprint_.data)); 248} 249 250// static 251X509Certificate* X509Certificate::CreateFromHandle( 252 OSCertHandle cert_handle, 253 const OSCertHandles& intermediates) { 254 DCHECK(cert_handle); 255 return new X509Certificate(cert_handle, intermediates); 256} 257 258// static 259X509Certificate* X509Certificate::CreateFromDERCertChain( 260 const std::vector<base::StringPiece>& der_certs) { 261 if (der_certs.empty()) 262 return NULL; 263 264 X509Certificate::OSCertHandles intermediate_ca_certs; 265 for (size_t i = 1; i < der_certs.size(); i++) { 266 OSCertHandle handle = CreateOSCertHandleFromBytes( 267 const_cast<char*>(der_certs[i].data()), der_certs[i].size()); 268 if (!handle) 269 break; 270 intermediate_ca_certs.push_back(handle); 271 } 272 273 OSCertHandle handle = NULL; 274 // Return NULL if we failed to parse any of the certs. 275 if (der_certs.size() - 1 == intermediate_ca_certs.size()) { 276 handle = CreateOSCertHandleFromBytes( 277 const_cast<char*>(der_certs[0].data()), der_certs[0].size()); 278 } 279 280 X509Certificate* cert = NULL; 281 if (handle) { 282 cert = CreateFromHandle(handle, intermediate_ca_certs); 283 FreeOSCertHandle(handle); 284 } 285 286 for (size_t i = 0; i < intermediate_ca_certs.size(); i++) 287 FreeOSCertHandle(intermediate_ca_certs[i]); 288 289 return cert; 290} 291 292// static 293X509Certificate* X509Certificate::CreateFromBytes(const char* data, 294 int length) { 295 OSCertHandle cert_handle = CreateOSCertHandleFromBytes(data, length); 296 if (!cert_handle) 297 return NULL; 298 299 X509Certificate* cert = CreateFromHandle(cert_handle, OSCertHandles()); 300 FreeOSCertHandle(cert_handle); 301 return cert; 302} 303 304// static 305X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle, 306 PickleIterator* pickle_iter, 307 PickleType type) { 308 if (type == PICKLETYPE_CERTIFICATE_CHAIN_V3) { 309 int chain_length = 0; 310 if (!pickle_iter->ReadLength(&chain_length)) 311 return NULL; 312 313 std::vector<base::StringPiece> cert_chain; 314 const char* data = NULL; 315 int data_length = 0; 316 for (int i = 0; i < chain_length; ++i) { 317 if (!pickle_iter->ReadData(&data, &data_length)) 318 return NULL; 319 cert_chain.push_back(base::StringPiece(data, data_length)); 320 } 321 return CreateFromDERCertChain(cert_chain); 322 } 323 324 // Legacy / Migration code. This should eventually be removed once 325 // sufficient time has passed that all pickles serialized prior to 326 // PICKLETYPE_CERTIFICATE_CHAIN_V3 have been removed. 327 OSCertHandle cert_handle = ReadOSCertHandleFromPickle(pickle_iter); 328 if (!cert_handle) 329 return NULL; 330 331 OSCertHandles intermediates; 332 uint32 num_intermediates = 0; 333 if (type != PICKLETYPE_SINGLE_CERTIFICATE) { 334 if (!pickle_iter->ReadUInt32(&num_intermediates)) { 335 FreeOSCertHandle(cert_handle); 336 return NULL; 337 } 338 339#if defined(OS_POSIX) && !defined(OS_MACOSX) && defined(__x86_64__) 340 // On 64-bit Linux (and any other 64-bit platforms), the intermediate count 341 // might really be a 64-bit field since we used to use Pickle::WriteSize(), 342 // which writes either 32 or 64 bits depending on the architecture. Since 343 // x86-64 is little-endian, if that happens, the next 32 bits will be all 344 // zeroes (the high bits) and the 32 bits we already read above are the 345 // correct value (we assume there are never more than 2^32 - 1 intermediate 346 // certificates in a chain; in practice, more than a dozen or so is 347 // basically unheard of). Since it's invalid for a certificate to start with 348 // 32 bits of zeroes, we check for that here and skip it if we find it. We 349 // save a copy of the pickle iterator to restore in case we don't get 32 350 // bits of zeroes. Now we always write 32 bits, so after a while, these old 351 // cached pickles will all get replaced. 352 // TODO(mdm): remove this compatibility code in April 2013 or so. 353 PickleIterator saved_iter = *pickle_iter; 354 uint32 zero_check = 0; 355 if (!pickle_iter->ReadUInt32(&zero_check)) { 356 // This may not be an error. If there are no intermediates, and we're 357 // reading an old 32-bit pickle, and there's nothing else after this in 358 // the pickle, we should report success. Note that it is technically 359 // possible for us to skip over zeroes that should have occurred after 360 // an empty certificate list; to avoid this going forward, only do this 361 // backward-compatibility stuff for PICKLETYPE_CERTIFICATE_CHAIN_V1 362 // which comes from the pickle version number in http_response_info.cc. 363 if (num_intermediates) { 364 FreeOSCertHandle(cert_handle); 365 return NULL; 366 } 367 } 368 if (zero_check) 369 *pickle_iter = saved_iter; 370#endif // defined(OS_POSIX) && !defined(OS_MACOSX) && defined(__x86_64__) 371 372 for (uint32 i = 0; i < num_intermediates; ++i) { 373 OSCertHandle intermediate = ReadOSCertHandleFromPickle(pickle_iter); 374 if (!intermediate) 375 break; 376 intermediates.push_back(intermediate); 377 } 378 } 379 380 X509Certificate* cert = NULL; 381 if (intermediates.size() == num_intermediates) 382 cert = CreateFromHandle(cert_handle, intermediates); 383 FreeOSCertHandle(cert_handle); 384 for (size_t i = 0; i < intermediates.size(); ++i) 385 FreeOSCertHandle(intermediates[i]); 386 387 return cert; 388} 389 390// static 391CertificateList X509Certificate::CreateCertificateListFromBytes( 392 const char* data, int length, int format) { 393 OSCertHandles certificates; 394 395 // Check to see if it is in a PEM-encoded form. This check is performed 396 // first, as both OS X and NSS will both try to convert if they detect 397 // PEM encoding, except they don't do it consistently between the two. 398 base::StringPiece data_string(data, length); 399 std::vector<std::string> pem_headers; 400 401 // To maintain compatibility with NSS/Firefox, CERTIFICATE is a universally 402 // valid PEM block header for any format. 403 pem_headers.push_back(kCertificateHeader); 404 if (format & FORMAT_PKCS7) 405 pem_headers.push_back(kPKCS7Header); 406 407 PEMTokenizer pem_tok(data_string, pem_headers); 408 while (pem_tok.GetNext()) { 409 std::string decoded(pem_tok.data()); 410 411 OSCertHandle handle = NULL; 412 if (format & FORMAT_PEM_CERT_SEQUENCE) 413 handle = CreateOSCertHandleFromBytes(decoded.c_str(), decoded.size()); 414 if (handle != NULL) { 415 // Parsed a DER encoded certificate. All PEM blocks that follow must 416 // also be DER encoded certificates wrapped inside of PEM blocks. 417 format = FORMAT_PEM_CERT_SEQUENCE; 418 certificates.push_back(handle); 419 continue; 420 } 421 422 // If the first block failed to parse as a DER certificate, and 423 // formats other than PEM are acceptable, check to see if the decoded 424 // data is one of the accepted formats. 425 if (format & ~FORMAT_PEM_CERT_SEQUENCE) { 426 for (size_t i = 0; certificates.empty() && 427 i < arraysize(kFormatDecodePriority); ++i) { 428 if (format & kFormatDecodePriority[i]) { 429 certificates = CreateOSCertHandlesFromBytes(decoded.c_str(), 430 decoded.size(), kFormatDecodePriority[i]); 431 } 432 } 433 } 434 435 // Stop parsing after the first block for any format but a sequence of 436 // PEM-encoded DER certificates. The case of FORMAT_PEM_CERT_SEQUENCE 437 // is handled above, and continues processing until a certificate fails 438 // to parse. 439 break; 440 } 441 442 // Try each of the formats, in order of parse preference, to see if |data| 443 // contains the binary representation of a Format, if it failed to parse 444 // as a PEM certificate/chain. 445 for (size_t i = 0; certificates.empty() && 446 i < arraysize(kFormatDecodePriority); ++i) { 447 if (format & kFormatDecodePriority[i]) 448 certificates = CreateOSCertHandlesFromBytes(data, length, 449 kFormatDecodePriority[i]); 450 } 451 452 CertificateList results; 453 // No certificates parsed. 454 if (certificates.empty()) 455 return results; 456 457 for (OSCertHandles::iterator it = certificates.begin(); 458 it != certificates.end(); ++it) { 459 X509Certificate* result = CreateFromHandle(*it, OSCertHandles()); 460 results.push_back(scoped_refptr<X509Certificate>(result)); 461 FreeOSCertHandle(*it); 462 } 463 464 return results; 465} 466 467void X509Certificate::Persist(Pickle* pickle) { 468 DCHECK(cert_handle_); 469 // This would be an absolutely insane number of intermediates. 470 if (intermediate_ca_certs_.size() > static_cast<size_t>(INT_MAX) - 1) { 471 NOTREACHED(); 472 return; 473 } 474 if (!pickle->WriteInt( 475 static_cast<int>(intermediate_ca_certs_.size() + 1)) || 476 !WriteOSCertHandleToPickle(cert_handle_, pickle)) { 477 NOTREACHED(); 478 return; 479 } 480 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { 481 if (!WriteOSCertHandleToPickle(intermediate_ca_certs_[i], pickle)) { 482 NOTREACHED(); 483 return; 484 } 485 } 486} 487 488void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const { 489 GetSubjectAltName(dns_names, NULL); 490 if (dns_names->empty()) 491 dns_names->push_back(subject_.common_name); 492} 493 494bool X509Certificate::HasExpired() const { 495 return base::Time::Now() > valid_expiry(); 496} 497 498bool X509Certificate::Equals(const X509Certificate* other) const { 499 return IsSameOSCert(cert_handle_, other->cert_handle_); 500} 501 502// static 503bool X509Certificate::VerifyHostname( 504 const std::string& hostname, 505 const std::string& cert_common_name, 506 const std::vector<std::string>& cert_san_dns_names, 507 const std::vector<std::string>& cert_san_ip_addrs, 508 bool* common_name_fallback_used) { 509 DCHECK(!hostname.empty()); 510 // Perform name verification following http://tools.ietf.org/html/rfc6125. 511 // The terminology used in this method is as per that RFC:- 512 // Reference identifier == the host the local user/agent is intending to 513 // access, i.e. the thing displayed in the URL bar. 514 // Presented identifier(s) == name(s) the server knows itself as, in its cert. 515 516 // CanonicalizeHost requires surrounding brackets to parse an IPv6 address. 517 const std::string host_or_ip = hostname.find(':') != std::string::npos ? 518 "[" + hostname + "]" : hostname; 519 url::CanonHostInfo host_info; 520 std::string reference_name = CanonicalizeHost(host_or_ip, &host_info); 521 // CanonicalizeHost does not normalize absolute vs relative DNS names. If 522 // the input name was absolute (included trailing .), normalize it as if it 523 // was relative. 524 if (!reference_name.empty() && *reference_name.rbegin() == '.') 525 reference_name.resize(reference_name.size() - 1); 526 if (reference_name.empty()) 527 return false; 528 529 // Allow fallback to Common name matching? 530 const bool common_name_fallback = cert_san_dns_names.empty() && 531 cert_san_ip_addrs.empty(); 532 *common_name_fallback_used = common_name_fallback; 533 534 // Fully handle all cases where |hostname| contains an IP address. 535 if (host_info.IsIPAddress()) { 536 if (common_name_fallback && host_info.family == url::CanonHostInfo::IPV4) { 537 // Fallback to Common name matching. As this is deprecated and only 538 // supported for compatibility refuse it for IPv6 addresses. 539 return reference_name == cert_common_name; 540 } 541 base::StringPiece ip_addr_string( 542 reinterpret_cast<const char*>(host_info.address), 543 host_info.AddressLength()); 544 return std::find(cert_san_ip_addrs.begin(), cert_san_ip_addrs.end(), 545 ip_addr_string) != cert_san_ip_addrs.end(); 546 } 547 548 // |reference_domain| is the remainder of |host| after the leading host 549 // component is stripped off, but includes the leading dot e.g. 550 // "www.f.com" -> ".f.com". 551 // If there is no meaningful domain part to |host| (e.g. it contains no dots) 552 // then |reference_domain| will be empty. 553 base::StringPiece reference_host, reference_domain; 554 SplitOnChar(reference_name, '.', &reference_host, &reference_domain); 555 bool allow_wildcards = false; 556 if (!reference_domain.empty()) { 557 DCHECK(reference_domain.starts_with(".")); 558 559 // Do not allow wildcards for public/ICANN registry controlled domains - 560 // that is, prevent *.com or *.co.uk as valid presented names, but do not 561 // prevent *.appspot.com (a private registry controlled domain). 562 // In addition, unknown top-level domains (such as 'intranet' domains or 563 // new TLDs/gTLDs not yet added to the registry controlled domain dataset) 564 // are also implicitly prevented. 565 // Because |reference_domain| must contain at least one name component that 566 // is not registry controlled, this ensures that all reference domains 567 // contain at least three domain components when using wildcards. 568 size_t registry_length = 569 registry_controlled_domains::GetRegistryLength( 570 reference_name, 571 registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, 572 registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); 573 574 // Because |reference_name| was already canonicalized, the following 575 // should never happen. 576 CHECK_NE(std::string::npos, registry_length); 577 578 // Account for the leading dot in |reference_domain|. 579 bool is_registry_controlled = 580 registry_length != 0 && 581 registry_length == (reference_domain.size() - 1); 582 583 // Additionally, do not attempt wildcard matching for purely numeric 584 // hostnames. 585 allow_wildcards = 586 !is_registry_controlled && 587 reference_name.find_first_not_of("0123456789.") != std::string::npos; 588 } 589 590 // Now step through the DNS names doing wild card comparison (if necessary) 591 // on each against the reference name. If subjectAltName is empty, then 592 // fallback to use the common name instead. 593 std::vector<std::string> common_name_as_vector; 594 const std::vector<std::string>* presented_names = &cert_san_dns_names; 595 if (common_name_fallback) { 596 // Note: there's a small possibility cert_common_name is an international 597 // domain name in non-standard encoding (e.g. UTF8String or BMPString 598 // instead of A-label). As common name fallback is deprecated we're not 599 // doing anything specific to deal with this. 600 common_name_as_vector.push_back(cert_common_name); 601 presented_names = &common_name_as_vector; 602 } 603 for (std::vector<std::string>::const_iterator it = 604 presented_names->begin(); 605 it != presented_names->end(); ++it) { 606 // Catch badly corrupt cert names up front. 607 if (it->empty() || it->find('\0') != std::string::npos) { 608 DVLOG(1) << "Bad name in cert: " << *it; 609 continue; 610 } 611 std::string presented_name(StringToLowerASCII(*it)); 612 613 // Remove trailing dot, if any. 614 if (*presented_name.rbegin() == '.') 615 presented_name.resize(presented_name.length() - 1); 616 617 // The hostname must be at least as long as the cert name it is matching, 618 // as we require the wildcard (if present) to match at least one character. 619 if (presented_name.length() > reference_name.length()) 620 continue; 621 622 base::StringPiece presented_host, presented_domain; 623 SplitOnChar(presented_name, '.', &presented_host, &presented_domain); 624 625 if (presented_domain != reference_domain) 626 continue; 627 628 base::StringPiece pattern_begin, pattern_end; 629 SplitOnChar(presented_host, '*', &pattern_begin, &pattern_end); 630 631 if (pattern_end.empty()) { // No '*' in the presented_host 632 if (presented_host == reference_host) 633 return true; 634 continue; 635 } 636 pattern_end.remove_prefix(1); // move past the * 637 638 if (!allow_wildcards) 639 continue; 640 641 // * must not match a substring of an IDN A label; just a whole fragment. 642 if (reference_host.starts_with("xn--") && 643 !(pattern_begin.empty() && pattern_end.empty())) 644 continue; 645 646 if (reference_host.starts_with(pattern_begin) && 647 reference_host.ends_with(pattern_end)) 648 return true; 649 } 650 return false; 651} 652 653bool X509Certificate::VerifyNameMatch(const std::string& hostname, 654 bool* common_name_fallback_used) const { 655 std::vector<std::string> dns_names, ip_addrs; 656 GetSubjectAltName(&dns_names, &ip_addrs); 657 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs, 658 common_name_fallback_used); 659} 660 661// static 662bool X509Certificate::GetPEMEncodedFromDER(const std::string& der_encoded, 663 std::string* pem_encoded) { 664 if (der_encoded.empty()) 665 return false; 666 std::string b64_encoded; 667 base::Base64Encode(der_encoded, &b64_encoded); 668 *pem_encoded = "-----BEGIN CERTIFICATE-----\n"; 669 670 // Divide the Base-64 encoded data into 64-character chunks, as per 671 // 4.3.2.4 of RFC 1421. 672 static const size_t kChunkSize = 64; 673 size_t chunks = (b64_encoded.size() + (kChunkSize - 1)) / kChunkSize; 674 for (size_t i = 0, chunk_offset = 0; i < chunks; 675 ++i, chunk_offset += kChunkSize) { 676 pem_encoded->append(b64_encoded, chunk_offset, kChunkSize); 677 pem_encoded->append("\n"); 678 } 679 pem_encoded->append("-----END CERTIFICATE-----\n"); 680 return true; 681} 682 683// static 684bool X509Certificate::GetPEMEncoded(OSCertHandle cert_handle, 685 std::string* pem_encoded) { 686 std::string der_encoded; 687 if (!GetDEREncoded(cert_handle, &der_encoded)) 688 return false; 689 return GetPEMEncodedFromDER(der_encoded, pem_encoded); 690} 691 692bool X509Certificate::GetPEMEncodedChain( 693 std::vector<std::string>* pem_encoded) const { 694 std::vector<std::string> encoded_chain; 695 std::string pem_data; 696 if (!GetPEMEncoded(os_cert_handle(), &pem_data)) 697 return false; 698 encoded_chain.push_back(pem_data); 699 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { 700 if (!GetPEMEncoded(intermediate_ca_certs_[i], &pem_data)) 701 return false; 702 encoded_chain.push_back(pem_data); 703 } 704 pem_encoded->swap(encoded_chain); 705 return true; 706} 707 708X509Certificate::X509Certificate(OSCertHandle cert_handle, 709 const OSCertHandles& intermediates) 710 : cert_handle_(DupOSCertHandle(cert_handle)) { 711 InsertOrUpdateCache(&cert_handle_); 712 for (size_t i = 0; i < intermediates.size(); ++i) { 713 // Duplicate the incoming certificate, as the caller retains ownership 714 // of |intermediates|. 715 OSCertHandle intermediate = DupOSCertHandle(intermediates[i]); 716 // Update the cache, which will assume ownership of the duplicated 717 // handle and return a suitable equivalent, potentially from the cache. 718 InsertOrUpdateCache(&intermediate); 719 intermediate_ca_certs_.push_back(intermediate); 720 } 721 // Platform-specific initialization. 722 Initialize(); 723} 724 725X509Certificate::~X509Certificate() { 726 if (cert_handle_) { 727 RemoveFromCache(cert_handle_); 728 FreeOSCertHandle(cert_handle_); 729 } 730 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { 731 RemoveFromCache(intermediate_ca_certs_[i]); 732 FreeOSCertHandle(intermediate_ca_certs_[i]); 733 } 734} 735 736} // namespace net 737