Bring the handling of <keygen> and support for the application/x-x509-user-ce...

net/base/x509_certificate.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #if defined(OS_MACOSX)
 #include <Security/Security.h>
 #elif defined(USE_NSS)
 #include <cert.h>
 #endif
 
 #include "base/histogram.h"
 #include "base/logging.h"
-#include "base/time.h"
+#include "base/string_piece.h"
+#include "net/base/pem_tokenizer.h"
 
 namespace net {
 
 namespace {
 
 // Returns true if this cert fingerprint is the null (all zero) fingerprint.
 // We use this as a bogus fingerprint value.
 bool IsNullFingerprint(const X509Certificate::Fingerprint& fingerprint) {
   for (size_t i = 0; i < arraysize(fingerprint.data); ++i) {
     if (fingerprint.data[i] != 0)
@@ skipping 125 matching lines @@
 
   // Otherwise, allocate and cache a new object.
   X509Certificate* cert = new X509Certificate(cert_handle, source,
                                               intermediates);
   cache->Insert(cert);
   return cert;
 }
 
 // static
 X509Certificate* X509Certificate::CreateFromBytes(const char* data,
-                                                  int length) {
-  OSCertHandle cert_handle = CreateOSCertHandleFromBytes(data, length);
-  if (!cert_handle)
+                                                  size_t length,
+                                                  int format) {
+  OSCertHandles certificates;
+
+  // Indicates the order to use when trying to decode binary data, which is
+  // based on (speculation) as to what will be most common -> least common
+  // TODO(rsleevi): Calculate metrics as to which formats end up being
+  // encountered and re-arrange this based on actual data.
+  static CertificateFormat formats[] = { FORMAT_DER, FORMAT_PKCS7,
+      FORMAT_LEGACY_NETSCAPE };
+
+  // If it wasn't PEM encoded, try each of the binary formats in order of
+  // their probability until one successfully decodes.
+  for (size_t i = 0; certificates.empty() && i < arraysize(formats);
+      ++i) {
+    if (format & formats[i])
+      certificates = CreateOSCertHandlesFromBytes(data, length, formats[i]);
+  }
+
+  // No certs were read. Check to see if this is perhaps a PEM-wrapped version.
+  if (certificates.empty()) {
+    base::StringPiece data_string(data, length);
+    std::vector<std::string> pem_headers;
+
+    // To maintain compatibility with NSS/Firefox, CERTIFICATE is a universally
+    // valid PEM block header.
+    pem_headers.push_back("CERTIFICATE");
+    if (format & FORMAT_PKCS7)
+      pem_headers.push_back("PKCS7");
+
+    PEMTokenizer pem_tok(&data_string, pem_headers);
+    while (pem_tok.GetNext()) {
+      std::string decoded(pem_tok.data());
+
+      // Try a single cert decode first. If this succeeds, then the data is
+      // likely a PEM cert sequence and thus all PEM blocks should be parsed
+      // as certificates. If it doesn't parse as a single certificate, then
+      // this is potentially one of the other formats, in which case only the
+      // first PEM block is consulted.
+      OSCertHandle handle = NULL;
+      if (format & FORMAT_PEM)
+        handle = CreateOSCertHandleFromBytes(decoded.c_str(), decoded.size());
+      if (handle != NULL) {
+        format = FORMAT_PEM;
+        certificates.push_back(handle);
+      } else {
+        // If this is the first block, and other formats are specified, try to
+        // decode using the binary contents from the PEM block
+        if (format & ~FORMAT_PEM)
+          return CreateFromBytes(decoded.c_str(), decoded.size(), format);
+
+        // When parsing PEM, the first bad block encountered terminates
+        // parsing
+        break;
+      }
+    }
+  }
+
+  // No certificates parsed.
+  if (certificates.empty())
     return NULL;
 
-  return CreateFromHandle(cert_handle,
-                          SOURCE_LONE_CERT_IMPORT,
-                          OSCertHandles());
+  X509Certificate* result = CreateFromHandle(certificates.front(),
+      SOURCE_LONE_CERT_IMPORT,
+      certificates.size() == 1 ? OSCertHandles() :
+          OSCertHandles(++certificates.begin(), certificates.end()));
+
+  // CreateFromHandle duplicates the handles to the intermediates, but does
+  // not do so for the primary certificate. Ensure that every intermediate is
+  // freed
+  for (OSCertHandles::iterator it = ++certificates.begin();
+      it != certificates.end(); ++it) {
+    FreeOSCertHandle(*it);
+  }
+
+  return result;
 }
 
 X509Certificate::X509Certificate(OSCertHandle cert_handle,
                                  Source source,
                                  const OSCertHandles& intermediates)
     : cert_handle_(cert_handle),
       source_(source) {
-#if defined(OS_MACOSX) || defined(OS_WIN)
   // Copy/retain the intermediate cert handles.
   for (size_t i = 0; i < intermediates.size(); ++i)
     intermediate_ca_certs_.push_back(DupOSCertHandle(intermediates[i]));
-#endif
   // Platform-specific initialization.
   Initialize();
 }
 
 X509Certificate::X509Certificate(const std::string& subject,
                                  const std::string& issuer,
                                  base::Time start_date,
                                  base::Time expiration_date)
     : subject_(subject),
       issuer_(issuer),
       valid_start_(start_date),
       valid_expiry_(expiration_date),
       cert_handle_(NULL),
       source_(SOURCE_UNUSED) {
   memset(fingerprint_.data, 0, sizeof(fingerprint_.data));
 }
 
 X509Certificate::~X509Certificate() {
   // We might not be in the cache, but it is safe to remove ourselves anyway.
   X509Certificate::Cache::GetInstance()->Remove(this);
   if (cert_handle_)
     FreeOSCertHandle(cert_handle_);
-#if defined(OS_MACOSX) || defined(OS_WIN)
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i)
     FreeOSCertHandle(intermediate_ca_certs_[i]);
-#endif
 }
 
 bool X509Certificate::HasExpired() const {
   return base::Time::Now() > valid_expiry();
 }
 
 bool X509Certificate::HasIntermediateCertificate(OSCertHandle cert) {
-#if defined(OS_MACOSX) || defined(OS_WIN)
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     if (IsSameOSCert(cert, intermediate_ca_certs_[i]))
       return true;
   }
   return false;
-#else
-  return true;
-#endif
 }
 
 bool X509Certificate::HasIntermediateCertificates(const OSCertHandles& certs) {
   for (size_t i = 0; i < certs.size(); ++i) {
     if (!HasIntermediateCertificate(certs[i]))
       return false;
   }
   return true;
 }
 
 }  // namespace net