1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/cert/x509_certificate.h" 6 7 #include <CommonCrypto/CommonDigest.h> 8 #include <Security/Security.h> 9 10 #include <cert.h> 11 #include <cryptohi.h> 12 #include <keyhi.h> 13 #include <nss.h> 14 #include <pk11pub.h> 15 #include <prerror.h> 16 #include <prtime.h> 17 #include <prtypes.h> 18 #include <secder.h> 19 #include <secerr.h> 20 #include <sslerr.h> 21 22 #include <vector> 23 24 #include "base/logging.h" 25 #include "base/mac/scoped_cftyperef.h" 26 #include "base/memory/scoped_ptr.h" 27 #include "base/pickle.h" 28 #include "base/time/time.h" 29 #include "crypto/nss_util.h" 30 #include "crypto/scoped_nss_types.h" 31 #include "net/base/net_errors.h" 32 #include "net/cert/asn1_util.h" 33 #include "net/cert/cert_status_flags.h" 34 #include "net/cert/cert_verify_result.h" 35 #include "net/cert/ev_root_ca_metadata.h" 36 #include "net/cert/x509_util_ios.h" 37 #include "net/cert/x509_util_nss.h" 38 39 using base::ScopedCFTypeRef; 40 41 namespace net { 42 namespace { 43 // Returns true if a given |cert_handle| is actually a valid X.509 certificate 44 // handle. 45 // 46 // SecCertificateCreateFromData() does not always force the immediate parsing of 47 // the certificate, and as such, may return a SecCertificateRef for an 48 // invalid/unparsable certificate. Force parsing to occur to ensure that the 49 // SecCertificateRef is correct. On later versions where 50 // SecCertificateCreateFromData() immediately parses, rather than lazily, this 51 // call is cheap, as the subject is cached. 52 bool IsValidOSCertHandle(SecCertificateRef cert_handle) { 53 ScopedCFTypeRef<CFStringRef> sanity_check( 54 SecCertificateCopySubjectSummary(cert_handle)); 55 return sanity_check != NULL; 56 } 57 } // namespace 58 59 void X509Certificate::Initialize() { 60 x509_util_ios::NSSCertificate nss_cert(cert_handle_); 61 CERTCertificate* cert_handle = nss_cert.cert_handle(); 62 if (cert_handle) { 63 x509_util::ParsePrincipal(&cert_handle->subject, &subject_); 64 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_); 65 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_); 66 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_); 67 serial_number_ = x509_util::ParseSerialNumber(cert_handle); 68 } 69 fingerprint_ = CalculateFingerprint(cert_handle_); 70 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_); 71 } 72 73 bool X509Certificate::IsIssuedByEncoded( 74 const std::vector<std::string>& valid_issuers) { 75 x509_util_ios::NSSCertChain nss_chain(this); 76 // Convert to scoped CERTName* list. 77 std::vector<CERTName*> issuers; 78 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); 79 if (!x509_util::GetIssuersFromEncodedList(valid_issuers, 80 arena.get(), 81 &issuers)) { 82 return false; 83 } 84 return x509_util::IsCertificateIssuedBy( 85 nss_chain.cert_chain(), issuers); 86 } 87 88 void X509Certificate::GetSubjectAltName( 89 std::vector<std::string>* dns_names, 90 std::vector<std::string>* ip_addrs) const { 91 x509_util_ios::NSSCertificate nss_cert(cert_handle_); 92 CERTCertificate* cert_handle = nss_cert.cert_handle(); 93 if (!cert_handle) { 94 if (dns_names) 95 dns_names->clear(); 96 if (ip_addrs) 97 ip_addrs->clear(); 98 return; 99 } 100 x509_util::GetSubjectAltName(cert_handle, dns_names, ip_addrs); 101 } 102 103 // static 104 bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle, 105 std::string* encoded) { 106 ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle)); 107 if (!der_data) 108 return false; 109 encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)), 110 CFDataGetLength(der_data)); 111 return true; 112 } 113 114 // static 115 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a, 116 X509Certificate::OSCertHandle b) { 117 DCHECK(a && b); 118 if (a == b) 119 return true; 120 if (CFEqual(a, b)) 121 return true; 122 ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a)); 123 ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b)); 124 return a_data && b_data && 125 CFDataGetLength(a_data) == CFDataGetLength(b_data) && 126 memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data), 127 CFDataGetLength(a_data)) == 0; 128 } 129 130 // static 131 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( 132 const char* data, int length) { 133 ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy( 134 kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length, 135 kCFAllocatorNull)); 136 if (!cert_data) 137 return NULL; 138 OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data); 139 if (!cert_handle) 140 return NULL; 141 if (!IsValidOSCertHandle(cert_handle)) { 142 CFRelease(cert_handle); 143 return NULL; 144 } 145 return cert_handle; 146 } 147 148 // static 149 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( 150 const char* data, 151 int length, 152 Format format) { 153 return x509_util::CreateOSCertHandlesFromBytes(data, length, format); 154 } 155 156 // static 157 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( 158 OSCertHandle handle) { 159 if (!handle) 160 return NULL; 161 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); 162 } 163 164 // static 165 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { 166 CFRelease(cert_handle); 167 } 168 169 // static 170 SHA1HashValue X509Certificate::CalculateFingerprint( 171 OSCertHandle cert) { 172 SHA1HashValue sha1; 173 memset(sha1.data, 0, sizeof(sha1.data)); 174 175 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert)); 176 if (!cert_data) 177 return sha1; 178 DCHECK(CFDataGetBytePtr(cert_data)); 179 DCHECK_NE(0, CFDataGetLength(cert_data)); 180 CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data); 181 182 return sha1; 183 } 184 185 // static 186 SHA1HashValue X509Certificate::CalculateCAFingerprint( 187 const OSCertHandles& intermediates) { 188 SHA1HashValue sha1; 189 memset(sha1.data, 0, sizeof(sha1.data)); 190 191 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so 192 // we don't check their return values. 193 CC_SHA1_CTX sha1_ctx; 194 CC_SHA1_Init(&sha1_ctx); 195 for (size_t i = 0; i < intermediates.size(); ++i) { 196 ScopedCFTypeRef<CFDataRef> 197 cert_data(SecCertificateCopyData(intermediates[i])); 198 if (!cert_data) 199 return sha1; 200 CC_SHA1_Update(&sha1_ctx, 201 CFDataGetBytePtr(cert_data), 202 CFDataGetLength(cert_data)); 203 } 204 CC_SHA1_Final(sha1.data, &sha1_ctx); 205 return sha1; 206 } 207 208 // static 209 X509Certificate::OSCertHandle 210 X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) { 211 return x509_util::ReadOSCertHandleFromPickle(pickle_iter); 212 } 213 214 // static 215 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, 216 Pickle* pickle) { 217 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle)); 218 if (!cert_data) 219 return false; 220 221 return pickle->WriteData( 222 reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)), 223 CFDataGetLength(cert_data)); 224 } 225 226 // static 227 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, 228 size_t* size_bits, 229 PublicKeyType* type) { 230 x509_util_ios::NSSCertificate nss_cert(cert_handle); 231 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type); 232 } 233 234 } // namespace net 235
