Bring the handling of <keygen> and support for the application/x-x509-user-ce...

net/base/cert_database_win.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_database.h"
 
 #include <windows.h>
 #include <wincrypt.h>
 #pragma comment(lib, "crypt32.lib")
 
 #include "base/logging.h"
+#include "base/scoped_ptr.h"
 #include "base/string_util.h"
+#include "base/time.h"
+#include "base/crypto/scoped_capi_types.h"
 #include "net/base/keygen_handler.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 
 namespace net {
 
 namespace {
 
-// Returns an encoded version of SubjectPublicKeyInfo from |cert| that is
-// compatible with KeygenHandler::Cache. If the cert cannot be converted, an
-// empty string is returned.
-std::string GetSubjectPublicKeyInfo(const X509Certificate* cert) {
-  DCHECK(cert);
+typedef base::ScopedCAPIHandle<PCCERT_CHAIN_CONTEXT,
+    base::CAPIDestroyerVOID<PCCERT_CHAIN_CONTEXT,
+                            CertFreeCertificateChain> >
+    ScopedPCCERT_CHAIN_CONTEXT;
+typedef base::ScopedCAPIHandle<HCERTSTORE,
+    base::CAPIDestroyerWithFlags<HCERTSTORE, CertCloseStore, 0> >
+    ScopedHCERTSTORE;
 
-  std::string result;
-  if (!cert->os_cert_handle() || !cert->os_cert_handle()->pCertInfo)
-    return result;
+// From an arbitrary, unordered list of certificate, attempt to import every
+// certificate that:
+//  1) Is a CA
+//  2) Results in a valid certificate chain
+void ImportValidIntermediates(
+    const X509Certificate::OSCertHandles& intermediates) {
 
-  BOOL ok;
-  DWORD size = 0;
-  PCERT_PUBLIC_KEY_INFO key_info =
-      &(cert->os_cert_handle()->pCertInfo->SubjectPublicKeyInfo);
-  ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info,
-                         NULL, &size);
-  if (!ok)
-    return result;
+  // First, create a local in memory store. The handles in intermediates may
+  // be from one or more stores, or not even be in a formal store (eg: when
+  // decoded from a byte sequence by X509Certificate), and thus may not be
+  // picked up by the default HCERTCHAINENGINE when it's attempting to build
+  ScopedHCERTSTORE temp_store(
+      CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL,
+                    CERT_STORE_CREATE_NEW_FLAG, NULL));
+  if (temp_store == NULL)
+    return;
 
-  ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info,
-                         reinterpret_cast<BYTE*>(WriteInto(&result, size + 1)),
-                         &size);
-  if (!ok) {
-    result.clear();
-    return result;
+  // Add links to all of the existing contexts into the temp store, so
+  // that they will be available to chain building.
+  for (X509Certificate::OSCertHandles::const_iterator it =
+      intermediates.begin(); it != intermediates.end(); ++it) {
+    BOOL added = CertAddCertificateLinkToStore(
+        temp_store, *it, CERT_STORE_ADD_USE_EXISTING, NULL);
   }
 
-  // Per MSDN, the resultant structure may be smaller than the original size
-  // supplied, so shrink to the actual size output.
-  result.resize(size);
+  std::vector<PCCERT_CONTEXT> to_add;
+  FILETIME now = base::Time::Now().ToFileTime();
+  CERT_CHAIN_PARA chain_params;
+  memset(&chain_params, 0, sizeof(chain_params));
+  chain_params.cbSize = sizeof(chain_params);
 
-  return result;
-}
+  // For every certificate, attempt to build a chain to an existing trust
+  // root, where each certificate is minimally valid to be used as a CA
+  // certificate (measured by adherance to basicConstraints restrictions,
+  // if any, not by key usage)
+  size_t offset = 0;
+  for (X509Certificate::OSCertHandles::const_iterator it =
+      intermediates.begin(); it != intermediates.end(); ++it, ++offset) {
+    ScopedPCCERT_CHAIN_CONTEXT chain_context;
+    if (!CertGetCertificateChain(NULL, *it, &now, temp_store, &chain_params,
+                                 CERT_CHAIN_CACHE_END_CERT |
+                                 CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE,
+                                 NULL, chain_context.receive())) {
+      DPLOG(WARNING) << "Unable to get the certificate chain for "
+                     << "intermediate " << offset << ". Skipping import of "
+                     << "this certificate.";
+      continue;
+    }
 
-// Returns true if |cert| was successfully modified to reference |location| to
-// obtain the associated private key.
-bool LinkCertToPrivateKey(X509Certificate* cert,
-                          KeygenHandler::KeyLocation location) {
-  DCHECK(cert);
+    CERT_CHAIN_POLICY_PARA chain_policy_params;
+    memset(&chain_policy_params, 0, sizeof(chain_policy_params));
+    chain_policy_params.cbSize = sizeof(chain_policy_params);
+    chain_policy_params.dwFlags =
+        BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG;
 
-  CRYPT_KEY_PROV_INFO prov_info = { 0 };
-  prov_info.pwszContainerName =
-      const_cast<LPWSTR>(location.container_name.c_str());
-  prov_info.pwszProvName =
-      const_cast<LPWSTR>(location.provider_name.c_str());
+    CERT_CHAIN_POLICY_STATUS chain_policy_status;
+    memset(&chain_policy_status, 0, sizeof(chain_policy_status));
+    chain_policy_status.cbSize = sizeof(chain_policy_status);
 
-  // Implicit by it being from KeygenHandler, which only supports RSA keys.
-  prov_info.dwProvType = PROV_RSA_FULL;
-  prov_info.dwKeySpec = AT_KEYEXCHANGE;
+    // TODO(rsleevi): In the event of bridge/federated chains, where
+    // chain_context contains more than one SIMPLE_CHAINS, check what
+    // the result will be if the chain context is:
+    //   cChain = 2
+    //   rgpChain[0] = Valid chain
+    //   rgpChain[1] = Invalid chain
+    if (!CertVerifyCertificateChainPolicy(
+        CERT_CHAIN_POLICY_BASIC_CONSTRAINTS, chain_context,
+        &chain_policy_params, &chain_policy_status)) {
+      DPLOG(WARNING) << "Unable to get validate the certificate chain for "
+                     << "intermediate " << offset << ". Skipping import of "
+                     << "this certificate.";
+      continue;
+    }
 
-  BOOL ok = CertSetCertificateContextProperty(cert->os_cert_handle(),
-                                              CERT_KEY_PROV_INFO_PROP_ID, 0,
-                                              &prov_info);
-  return ok != FALSE;
+    if (chain_policy_status.dwError != 0) {
+      DLOG(WARNING) << "Chain for intermediate " << offset << " returned: "
+                    << std::endl << " Error: " << chain_policy_status.dwError
+                    << std::endl << " Chain Index: "
+                    << chain_policy_status.lChainIndex
+                    << std::endl << " Element Index: "
+                    << chain_policy_status.lElementIndex;
+      continue;
+    }
+
+    // With CryptoAPI, there may be multiple chains for a given certificate,
+    // such as the case with bridged CAs. For each chain, iterate through the
+    // certificates that make up the chain. If the certificate was one of the
+    // supplied intermediates, then it is appropriate to add to the
+    // intermediate list.
+    for (DWORD i = 0; i < chain_context.get()->cChain; ++i) {
+      for (DWORD j = 0; j < chain_context.get()->rgpChain[i]->cElement; ++j) {
+        PCCERT_CONTEXT cert_in_temp_store = CertFindCertificateInStore(
+            temp_store.get(), X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
+            CERT_FIND_EXISTING,
+            chain_context.get()->rgpChain[i]->rgpElement[j], NULL);
+        if (cert_in_temp_store != NULL)
+          to_add.push_back(cert_in_temp_store);
+      }
+    }
+  }
+
+  // After sifting through all of |intermediates|, add any certificates that
+  // passed the checks.
+  if (!to_add.empty()) {
+    ScopedHCERTSTORE intermediate_db(CertOpenSystemStore(NULL, L"CA"));
+    if (intermediate_db) {
+      for (std::vector<PCCERT_CONTEXT>::iterator it = to_add.begin();
+          it != to_add.end(); ++it) {
+        CertAddCertificateContextToStore(intermediate_db, *it,
+                                         CERT_STORE_ADD_USE_EXISTING, NULL);
+      }
+    }
+  }
+
+  for (std::vector<PCCERT_CONTEXT>::iterator it = to_add.begin();
+    it != to_add.end(); ++it) {
+      BOOL freed = CertFreeCertificateContext(*it);
+      DCHECK(freed);
+  }
 }
 
 }  // namespace
 
 CertDatabase::CertDatabase() {
 }
 
 int CertDatabase::CheckUserCert(X509Certificate* cert) {
   if (!cert)
     return ERR_CERT_INVALID;
   if (cert->HasExpired())
     return ERR_CERT_DATE_INVALID;
 
-  std::string encoded_info = GetSubjectPublicKeyInfo(cert);
-  KeygenHandler::Cache* cache = KeygenHandler::Cache::GetInstance();
-  KeygenHandler::KeyLocation location;
-
-  if (encoded_info.empty() || !cache->Find(encoded_info, &location) ||
-      !LinkCertToPrivateKey(cert, location))
+  BOOL found = CryptFindCertificateKeyProvInfo(cert->os_cert_handle(),
+                                               0, NULL);
+  if (!found)
     return ERR_NO_PRIVATE_KEY_FOR_CERT;
 
   return OK;
 }
 
 int CertDatabase::AddUserCert(X509Certificate* cert) {
   // TODO(rsleevi): Would it be more appropriate to have the CertDatabase take
   // construction parameters (Keychain filepath on Mac OS X, PKCS #11 slot on
   // NSS, and Store Type / Path) here? For now, certs will be stashed into the
   // user's personal store, which will not automatically mark them as trusted,
   // but will allow them to be used for client auth.
-  HCERTSTORE cert_db = CertOpenSystemStore(NULL, L"MY");
+  ScopedHCERTSTORE cert_db(CertOpenSystemStore(NULL, L"MY"));
   if (!cert_db)
     return ERR_ADD_USER_CERT_FAILED;
 
   BOOL added = CertAddCertificateContextToStore(cert_db,
                                                 cert->os_cert_handle(),
                                                 CERT_STORE_ADD_USE_EXISTING,
                                                 NULL);
 
-  CertCloseStore(cert_db, 0);
+  ImportValidIntermediates(cert->GetIntermediateCertificates());
 
   if (!added)
     return ERR_ADD_USER_CERT_FAILED;
 
   return OK;
 }
 
 }  // namespace net