Bring the handling of <keygen> and support for the application/x-x509-user-ce...

net/base/x509_certificate_mac.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <Security/Security.h>
 #include <time.h>
 
+#include "base/file_path.h"
+#include "base/file_util.h"
 #include "base/scoped_cftyperef.h"
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/sys_string_conversions.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/net_errors.h"
 
 using base::Time;
 
@@ skipping 330 matching lines @@
 
   // Evaluate trust, which creates the cert chain.
   SecTrustResultType status;
   CSSM_TP_APPLE_EVIDENCE_INFO* status_chain;
   result = SecTrustEvaluate(trust, &status);
   if (result)
     return result;
   return SecTrustGetResult(trust, &status, out_cert_chain, &status_chain);
 }
 
+void AddCertificatesFromData(const char* data, size_t length,
+                             SecExternalFormat format,
+                             X509Certificate::OSCertHandles* output) {
+  // In order to use SecKeychainItemImport successfully, a destination
+  // keychain must be specified to receive the created objects. Further,
+  // the created objects remain valid only for as long as the keychain does.
+  // In order to match the handling on Windows/NSS, which has the handles
+  // valid for an arbitrary length of time, a temporary keychain is created,
+  // the certificates are imported into it, and then free-standing
+  // certificates are created from the DER representation of the original
+  // keychain item.
+  FilePath temp_file;
+  if (!file_util::CreateTemporaryFile(&temp_file))
+    return;
+
+  SecExternalFormat input_format = format;
+  scoped_cftyperef<CFDataRef> local_data(CFDataCreateWithBytesNoCopy(
+      kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),
+      length, kCFAllocatorDefault);
+
+  scoped_cftyperef<SecKeychainRef> temp_keychain;
+  SecKeychainRef keychain = NULL;
+  OSStatus rv = SecKeychainCreate(temp_file.value().c_str(), 0, NULL, FALSE,
+                                  NULL, &keychain);
+  if (rv != noErr) {
+    DLOG(WARNING) << rv << " Unable to create temporary keychain at "
+                  << temp_file.value();
+    return;
+  }
+
+  temp_keychain.reset(keychain);
+  keychain = NULL;
+
+  CFArrayRef items = NULL;
+  rv = SecKeychainItemImport(local_data, NULL, &input_format, NULL,
+                             0, NULL, NULL, temp_keychain, &items);
+  if (rv != noErr) {
+    scoped_cftyperef<CFArrayRef> scoped_items(items);
+    CFTypeID certTypeID = SecCertificateGetTypeID();
+
+    for (CFIndex i = 0; i < CFArrayGetCount(items); ++i) {
+      SecKeychainItemRef item = CFArrayGetValueAtIndex(items, i);
+
+      // While inputFormat implies only certificates will be imported, if/when
+      // other formats (eg: PKCS#12) are supported, this may also include
+      // private keys or other items types, so filter appropriately.
+      if (CFGetTypeID(item) == certTypeID) {
+        // Create a freestanding SecCertificateRef from the keychain item.
+        // Unfortunately, this invokes a double-parse of the DER data, which
+        // is less than optimally efficient.
+        scoped_cftyperef<CFDataRef> scoped_cert_data =
+            SecCertificateCopyData(reinterpret_cast<SecCertificateRef>(item));
+        if (scoped_cert_data == NULL)
+          continue;
+
+        SecCertificateRef cert = SecCertificateCreateWithData(NULL,
+            scoped_cert_data);
+        if (cert == NULL)
+          continue;
+
+        output->push_back(cert);
+      }
+    } else {
+      DLOG(WARNING) << rv << " Unable to import items from data of length "
+                    << length;
+  }
+
+  rv = SecKeychainDelete(temp_keychain);
+  if (rv != noErr) {
+    DLOG(WARNING) << rv << " Unable to remove temporary keychain at "
+                  << temp_file.value();
+  }
+}
+
 }  // namespace
 
 void X509Certificate::Initialize() {
   const CSSM_X509_NAME* name;
   OSStatus status = SecCertificateGetSubject(cert_handle_, &name);
   if (!status) {
     subject_.Parse(name);
   }
   status = SecCertificateGetIssuer(cert_handle_, &name);
   if (!status) {
     issuer_.Parse(name);
   }
 
   GetCertDateForOID(cert_handle_, CSSMOID_X509V1ValidityNotBefore,
                     &valid_start_);
   GetCertDateForOID(cert_handle_, CSSMOID_X509V1ValidityNotAfter,
                     &valid_expiry_);
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
 }
 
 // static
 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle,
                                                    void** pickle_iter) {
   const char* data;
   int length;
   if (!pickle.ReadData(pickle_iter, &data, &length))
     return NULL;
 
-  return CreateFromBytes(data, length);
+  return CreateFromBytes(data, length, X509Certificate::FORMAT_DER);
 }
 
 void X509Certificate::Persist(Pickle* pickle) {
   CSSM_DATA cert_data;
   OSStatus status = SecCertificateGetData(cert_handle_, &cert_data);
   if (status) {
     NOTREACHED();
     return;
   }
 
@@ skipping 239 matching lines @@
 bool X509Certificate::VerifyEV() const {
   // We don't call this private method, but we do need to implement it because
   // it's defined in x509_certificate.h. We perform EV checking in the
   // Verify() above.
   NOTREACHED();
   return false;
 }
 
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
-    const char* data, int length) {
+    const char* data, size_t length) {
   CSSM_DATA cert_data;
   cert_data.Data = const_cast<uint8*>(reinterpret_cast<const uint8*>(data));
   cert_data.Length = length;
 
   OSCertHandle cert_handle = NULL;
   OSStatus status = SecCertificateCreateFromData(&cert_data,
                                                  CSSM_CERT_X_509v3,
                                                  CSSM_CERT_ENCODING_BER,
                                                  &cert_handle);
   if (status)
     return NULL;
 
   return cert_handle;
 }
 
 // static
+X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
+    const char* data, size_t length, CertificateFormat format) {
+  OSCertHandles results;
+
+  switch (format) {
+    case FORMAT_DER:
+      {
+        OSCertHandle handle = CreateOSCertHandleFromBytes(data, length);
+        if (handle)
+          results.push_back(handle);
+      }
+      break;
+    case FORMAT_PKCS7:
+      AddCertificatesFromData(data, length, kSecFormatPKCS7, &results);
+      break;
+    case FORMAT_LEGACY_NETSCAPE:
+      AddCertificatesFromData(data, length, kSecFormatNetscapeCertSequence,
+                              &results);
+      break;
+    default:
+      NOTREACHED() << "Certificate format " << format << " unimplemented";
+      break;
+  }
+
+  return results;
+}
+
+// static
 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
     OSCertHandle handle) {
   if (!handle)
     return NULL;
   return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   CFRelease(cert_handle);
@@ skipping 79 matching lines @@
     NULL,
     CSSM_APPLE_TP_SSL_CLIENT
   };
   return CreatePolicy(&CSSMOID_APPLE_TP_SSL,
                       &tp_ssl_options,
                       sizeof(tp_ssl_options),
                       out_policy);
 }
 
 // static
-bool X509Certificate::GetSSLClientCertificates (
+bool X509Certificate::GetSSLClientCertificates(
     const std::string& server_domain,
     const std::vector<Principal>& valid_issuers,
     std::vector<scoped_refptr<X509Certificate> >* certs) {
   scoped_cftyperef<SecIdentityRef> preferred_identity;
   if (!server_domain.empty()) {
     // See if there's an identity preference for this domain:
     scoped_cftyperef<CFStringRef> domain_str(
         base::SysUTF8ToCFStringRef("https://" + server_domain));
     SecIdentityRef identity = NULL;
     if (SecIdentityCopyPreference(domain_str,
                                   0,
-                                  NULL, // validIssuers argument is ignored :(
+                                  NULL,  // validIssuers argument is ignored :(
                                   &identity) == noErr)
       preferred_identity.reset(identity);
   }
 
   // Now enumerate the identities in the available keychains.
   SecIdentitySearchRef search = nil;
   OSStatus err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
   scoped_cftyperef<SecIdentitySearchRef> scoped_search(search);
   while (!err) {
     SecIdentityRef identity = NULL;
@@ skipping 71 matching lines @@
   // Append the intermediate certs from SecTrust to the result array:
   if (cert_chain) {
     int chain_count = CFArrayGetCount(cert_chain);
     if (chain_count > 1) {
       CFArrayAppendArray(chain,
                          cert_chain,
                          CFRangeMake(1, chain_count - 1));
     }
     CFRelease(cert_chain);
   }
-exit:
+ exit:
   if (result)
     LOG(ERROR) << "CreateIdentityCertificateChain error " << result;
   return chain.release();
 }
 
 }  // namespace net