Bring the handling of <keygen> and support for the application/x-x509-user-ce...

net/base/x509_certificate_nss.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prtime.h>
 #include <secder.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
+#include <limits>
+
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "base/nss_util.h"
+#include "base/crypto/scoped_nss_types.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 
 namespace net {
 
 namespace {
 
-class ScopedCERTCertificate {
- public:
-  explicit ScopedCERTCertificate(CERTCertificate* cert)
-      : cert_(cert) {}
-
-  ~ScopedCERTCertificate() {
-    if (cert_)
-      CERT_DestroyCertificate(cert_);
-  }
-
- private:
-  CERTCertificate* cert_;
-
-  DISALLOW_COPY_AND_ASSIGN(ScopedCERTCertificate);
-};
-
-class ScopedCERTCertList {
- public:
-  explicit ScopedCERTCertList(CERTCertList* cert_list)
-      : cert_list_(cert_list) {}
-
-  ~ScopedCERTCertList() {
-    if (cert_list_)
-      CERT_DestroyCertList(cert_list_);
-  }
-
- private:
-  CERTCertList* cert_list_;
-
-  DISALLOW_COPY_AND_ASSIGN(ScopedCERTCertList);
-};
-
-class ScopedCERTCertificatePolicies {
- public:
-  explicit ScopedCERTCertificatePolicies(CERTCertificatePolicies* policies)
-      : policies_(policies) {}
-
-  ~ScopedCERTCertificatePolicies() {
-    if (policies_)
-      CERT_DestroyCertificatePoliciesExtension(policies_);
-  }
-
- private:
-  CERTCertificatePolicies* policies_;
-
-  DISALLOW_COPY_AND_ASSIGN(ScopedCERTCertificatePolicies);
-};
+typedef scoped_ptr_malloc<CERTCertificatePolicies,
+    base::NSSDestroyer<CERTCertificatePolicies,
+        CERT_DestroyCertificatePoliciesExtension> >
+    ScopedCERTCertificatePolicies;
 
 // ScopedCERTValOutParam manages destruction of values in the CERTValOutParam
 // array that cvout points to.  cvout must be initialized as passed to
 // CERT_PKIXVerifyCert, so that the array must be terminated with
 // cert_po_end type.
 // When it goes out of scope, it destroys values of cert_po_trustAnchor
 // and cert_po_certList types, but doesn't release the array itself.
 class ScopedCERTValOutParam {
  public:
   explicit ScopedCERTValOutParam(CERTValOutParam* cvout)
@@ skipping 477 matching lines @@
     SECOidTag oid_tag = policy_info->oid;
     if (oid_tag == SEC_OID_UNKNOWN)
       continue;
     if (oid_tag == ev_policy_tag)
       return true;
   }
   LOG(ERROR) << "No EV Policy Tag";
   return false;
 }
 
+struct CollectCertsCallbackArgs {
+  X509Certificate::OSCertHandle (*createFn)(const char* data, size_t length);
+  X509Certificate::OSCertHandles* results;
+};
+
+SECStatus PR_CALLBACK
+CollectCertsCallback(void* arg, SECItem** certs, int numcerts) {
+  if (numcerts < 0)
+    return SECFailure;  // In the event of wrapping
+
+  CollectCertsCallbackArgs* args =
+      reinterpret_cast<CollectCertsCallbackArgs*>(arg);
+
+  for (int i = 0; i < numcerts; ++i) {
+    X509Certificate::OSCertHandle handle = args->createFn(
+        reinterpret_cast<char*>(certs[i]->data), certs[i]->len);
+    if (handle)
+      args->results->push_back(handle);
+  }
+
+  return SECSuccess;
+}
+
 }  // namespace
 
 void X509Certificate::Initialize() {
   ParsePrincipal(&cert_handle_->subject, &subject_);
   ParsePrincipal(&cert_handle_->issuer, &issuer_);
 
   ParseDate(&cert_handle_->validity.notBefore, &valid_start_);
   ParseDate(&cert_handle_->validity.notAfter, &valid_expiry_);
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
 }
 
 // static
 X509Certificate* X509Certificate::CreateFromPickle(const Pickle& pickle,
                                                    void** pickle_iter) {
   const char* data;
   int length;
   if (!pickle.ReadData(pickle_iter, &data, &length))
     return NULL;
 
-  return CreateFromBytes(data, length);
+  return CreateFromBytes(data, length, FORMAT_DER);
 }
 
 void X509Certificate::Persist(Pickle* pickle) {
   pickle->WriteData(reinterpret_cast<const char*>(cert_handle_->derCert.data),
                     cert_handle_->derCert.len);
 }
 
 void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
   dns_names->clear();
 
@@ skipping 108 matching lines @@
     return false;
 
   if (!CheckCertPolicies(cert_handle_, ev_policy_tag))
     return false;
 
   return true;
 }
 
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
-    const char* data, int length) {
+    const char* data, size_t length) {
+  if (length > static_cast<size_t>(std::numeric_limits<unsigned int>::max()))
+    return NULL;
+
   base::EnsureNSSInit();
 
   if (!NSS_IsInitialized())
     return NULL;
 
-  // Make a copy of |data| since CERT_DecodeCertPackage might modify it.
-  char* data_copy = new char[length];
-  memcpy(data_copy, data, length);
+  SECItem der_cert;
+  der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
+  der_cert.len  = static_cast<unsigned int>(length);
+  der_cert.type = siDERCertBuffer;
 
   // Parse into a certificate structure.
-  CERTCertificate* cert = CERT_DecodeCertFromPackage(data_copy, length);
-  delete [] data_copy;
+  CERTCertificate* cert =
+      CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL,
+                              PR_FALSE, PR_TRUE);
   if (!cert)
-    LOG(ERROR) << "Couldn't parse a certificate from " << length << " bytes";
+    return NULL;
+
   return cert;
 }
 
 // static
+X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
+    const char* data, size_t length, CertificateFormat format) {
+  OSCertHandles results;
+
+  if (length > static_cast<size_t>(std::numeric_limits<int>::max()))
+    return results;
+
+  switch (format) {
+    case FORMAT_DER:
+      {
+        OSCertHandle handle = CreateOSCertHandleFromBytes(data, length);
+        if (handle)
+          results.push_back(handle);
+      }
+      break;
+    case FORMAT_LEGACY_NETSCAPE:
+    case FORMAT_PKCS7:
+      {
+        // Make a copy since CERT_DecodeCertPackage may modify it
+        scoped_array<char> data_copy(new char[length]);
+        memcpy(data_copy.get(), data, length);
+
+        CollectCertsCallbackArgs args;
+        args.results = &results;
+        args.createFn = &X509Certificate::CreateOSCertHandleFromBytes;
+
+        SECStatus result = CERT_DecodeCertPackage(data_copy.get(),
+            static_cast<int>(length), CollectCertsCallback, &args);
+        if (result != SECSuccess)
+          results.clear();
+      }
+      break;
+    default:
+      NOTREACHED() << "Certificate format " << format << " unimplemented";
+      break;
+  }
+
+  return results;
+}
+
+// static
 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
     OSCertHandle cert_handle) {
   return CERT_DupCertificate(cert_handle);
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   CERT_DestroyCertificate(cert_handle);
 }
 
 // static
 X509Certificate::Fingerprint X509Certificate::CalculateFingerprint(
     OSCertHandle cert) {
   Fingerprint sha1;
   memset(sha1.data, 0, sizeof(sha1.data));
 
   DCHECK(NULL != cert->derCert.data);
   DCHECK(0 != cert->derCert.len);
 
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, sha1.data,
                               cert->derCert.data, cert->derCert.len);
   DCHECK(rv == SECSuccess);
 
   return sha1;
 }
 
 }  // namespace net