Add ability to create self signed certs to mac.

net/base/x509_certificate_mac.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <Security/Security.h>
 #include <time.h>
 
+#include <map>
+
+#include "base/crypto/cssm_init.h"
+#include "base/crypto/rsa_private_key.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
+#include "base/nss_util.h"
 #include "base/pickle.h"
 #include "base/singleton.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/sys_string_conversions.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_root_certs.h"
+#include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h"
 
 using base::mac::ScopedCFTypeRef;
 using base::Time;
 
 namespace net {
 
 namespace {
 
 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef,
                                                       CFDictionaryRef*);
@@ skipping 331 matching lines @@
       // is properly decoded as a PKCS#7, whether PEM or not, which avoids
       // the need to fallback to internal decoding.
       if (IsValidOSCertHandle(cert)) {
         CFRetain(cert);
         output->push_back(cert);
       }
     }
   }
 }
 
+struct CSSMOIDCompare {
+  bool operator()(const CSSM_OID* a, const CSSM_OID* b) const {
+    return a < b;
+  }
+};
+
+typedef std::map<const CSSM_OID*, std::string, CSSMOIDCompare> CSSMOIDMap;
+
+bool CERTNameToCSSMOIDMap(CERTName* name, CSSMOIDMap* out_values) {

[Ryan Sleevi, 2011/02/05 00:23:37]

BUG: I could be reading wrong, but I don't think this is converting between the
CERTName and the CSSM OIDs correctly.

The concern is that by using a CSSMOIDMap, the ordering that originally appears
in the CERTName is lost, instead replaced with the ordering of the CSSM_OIDs in
memory. Since the ordering is significant, this will probably cause trouble.

I would think using a vector of pair<const CSSM_OID*, std::string> when
converting here, and then converting that into a vector<CSSM_APPLE_TP_NAME_OID>
below at line 513, should preserve the relative sequence order.

It won't, however, be guaranteed return the same name that NSS sees, in that
multi-AVA RDNs (which NSS and CryptoAPI support) are NOT preserved by using
CSSM_APPLE_TP_NAME_OID. Instead, each multi-AVA RDN is flattened into a sequence
of single-AVA RDNs. If this is problematic, then its be necessary to use
CSSM_CL_CertCreateTemplate, which takes a CSSM_X509_NAME. This is (under the
hood) what is Apple's TP is doing (see
security_apple_x509_tp-33583\lib\tpCredRequest.cpp makeCertTemplate)

[dmac, 2011/02/08 01:23:45]

Done.

+  struct OIDCSSMMap {
+    SECOidTag sec_OID_;
+    const CSSM_OID* cssm_OID_;
+  };
+
+  const OIDCSSMMap kOIDs[] = {
+      { SEC_OID_AVA_COMMON_NAME, &CSSMOID_CommonName },
+      { SEC_OID_AVA_COUNTRY_NAME, &CSSMOID_CountryName },
+      { SEC_OID_AVA_LOCALITY, &CSSMOID_LocalityName },
+      { SEC_OID_AVA_STATE_OR_PROVINCE, &CSSMOID_StateProvinceName },
+      { SEC_OID_AVA_STREET_ADDRESS, &CSSMOID_StreetAddress },
+      { SEC_OID_AVA_ORGANIZATION_NAME, &CSSMOID_OrganizationName },
+      { SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, &CSSMOID_OrganizationalUnitName },
+      { SEC_OID_AVA_DN_QUALIFIER, &CSSMOID_DNQualifier },
+      { SEC_OID_RFC1274_UID, &CSSMOID_UniqueIdentifier },
+      { SEC_OID_PKCS9_EMAIL_ADDRESS, &CSSMOID_EmailAddress },
+  };
+
+  CERTRDN** rdns = name->rdns;
+  for (size_t rdn = 0; rdns[rdn]; ++rdn) {
+    CERTAVA** avas = rdns[rdn]->avas;
+    for (size_t pair = 0; avas[pair] != 0; ++pair) {
+      SECOidTag tag = CERT_GetAVATag(avas[pair]);
+      if (tag == SEC_OID_UNKNOWN) {
+        return false;
+      }
+      bool found_oid = false;
+      for (size_t oid = 0; oid < ARRAYSIZE_UNSAFE(kOIDs); ++oid) {
+        if (kOIDs[oid].sec_OID_ == tag) {
+          SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value);
+          if (!decode_item) {
+            return false;
+          }
+          // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote.
+          std::string value(reinterpret_cast<char*>(decode_item->data),
+                            decode_item->len);
+          (*out_values)[kOIDs[oid].cssm_OID_] = value;
+          SECITEM_FreeItem(decode_item, PR_TRUE);
+          found_oid = true;
+          break;
+        }
+      }
+      if (!found_oid) {
+        DLOG(ERROR) << "Unrecognized OID: " << tag;
+      }
+    }
+  }
+  return true;
+}
+
+class ScopedCertName {
+ public:
+  explicit ScopedCertName(CERTName* name) : name_(name) { }
+  ~ScopedCertName() {
+    if (name_) CERT_DestroyName(name_);
+  }
+  operator CERTName*() { return name_; }
+
+ private:
+  CERTName* name_;
+};
+
 }  // namespace
 
 void X509Certificate::Initialize() {
   const CSSM_X509_NAME* name;
   OSStatus status = SecCertificateGetSubject(cert_handle_, &name);
   if (!status)
     subject_.Parse(name);
 
   status = SecCertificateGetIssuer(cert_handle_, &name);
   if (!status)
@@ skipping 17 matching lines @@
 
   return CreateFromBytes(data, length);
 }
 
 // static
 X509Certificate* X509Certificate::CreateSelfSigned(
     base::RSAPrivateKey* key,
     const std::string& subject,
     uint32 serial_number,
     base::TimeDelta valid_duration) {
-  // TODO(port): Implement.
-  return NULL;
+  DCHECK(key);
+  DCHECK(subject.length() > 0);

[Ryan Sleevi, 2011/02/05 00:23:37]

nit: DCHECK(!subject.empty()) or DCHECK_GT(subject.length(), 0u)

+
+  // There is a comment in
+  // http://www.opensource.apple.com/source/security_certtool/security_certtool-31828/src/CertTool.cpp
+  // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have
+  // their high bit set. We will continue though and mask it out below.
+  if (serial_number & 0x80000000) {
+    LOG(ERROR) << "serial_number has high bit set " << serial_number;
+  }
+
+  // NSS is used to parse the subject string into a set of
+  // CSSM_OID/string pairs. There doesn't appear to be a system routine for
+  // parsing Distinguished Name strings.
+  base::EnsureNSSInit();
+
+  CSSMOIDMap subject_name_oids;
+  ScopedCertName subject_name(
+      CERT_AsciiToName(const_cast<char*>(subject.c_str())));
+  if (!CERTNameToCSSMOIDMap(subject_name, &subject_name_oids)) {
+    DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject;
+    return NULL;
+  }
+
+  // Convert the map of oid/string pairs into an array of
+  // CSSM_APPLE_TP_NAME_OIDs.
+  std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names;
+  for(CSSMOIDMap::iterator iter = subject_name_oids.begin();
+      iter != subject_name_oids.end(); ++iter) {
+    CSSM_APPLE_TP_NAME_OID cssm_subject_name;
+    cssm_subject_name.oid = iter->first;
+    cssm_subject_name.string = iter->second.c_str();
+    cssm_subject_names.push_back(cssm_subject_name);
+  }
+
+  if (cssm_subject_names.size() == 0) {
+    DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject;
+    return NULL;
+  }
+
+  // Set up a certificate request.
+  CSSM_APPLE_TP_CERT_REQUEST certReq;
+  memset(&certReq, 0, sizeof(certReq));
+  certReq.challengeString = NULL;
+  certReq.cspHand = base::GetSharedCSPHandle();
+  certReq.clHand = base::GetSharedCLHandle();
+  certReq.numSubjectNames = cssm_subject_names.size();
+  certReq.subjectNames = &cssm_subject_names[0];
+  // See comment about serial numbers above.
+  certReq.serialNumber = serial_number & 0x7f000000;
+  certReq.numIssuerNames = 0; // Root.
+  certReq.issuerNames = NULL;
+  certReq.issuerNameX509 = NULL;
+  certReq.certPublicKey = key->public_key();
+  certReq.issuerPrivateKey = key->key();
+  // This is the Apple defaults.

[Ryan Sleevi, 2011/02/05 00:23:37]

world's smallest nit: defaults -> default or this is -> these are

[dmac, 2011/02/08 01:23:45]

Done.

+  certReq.signatureAlg = CSSM_ALGID_SHA1WithRSA;
+  certReq.signatureOid = CSSMOID_SHA1WithRSA;
+  certReq.notBefore = 0;
+  certReq.notAfter = valid_duration.InSeconds();

[Ryan Sleevi, 2011/02/05 00:23:37]

nit: InSeconds() returns an Int64, but notAfter expects a uint32. Admitted
extreme edge case, but should there be anything special here to handle it?

[dmac, 2011/02/08 01:23:45]

Done.

+  certReq.numExtensions = 0;
+  certReq.extensions = NULL;
+
+  CSSM_TP_REQUEST_SET reqSet;
+  reqSet.NumberOfRequests = 1;
+  reqSet.Requests = &certReq;
+
+  CSSM_FIELD policyId;
+  memset(&policyId, 0, sizeof(policyId));
+  policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
+
+  CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext;
+  memset(&callerAuthContext, 0, sizeof(callerAuthContext));
+  callerAuthContext.Policy.NumberOfPolicyIds = 1;
+  callerAuthContext.Policy.PolicyIds = &policyId;
+
+  CSSM_TP_HANDLE tp_handle = base::GetSharedTPHandle();
+  base::ScopedCSSMData refId;
+  sint32 estTime;
+  CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(
+      tp_handle, NULL, CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet,
+      &callerAuthContext, &estTime, refId);
+  if(crtn) {
+    DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn;
+    return NULL;
+  }
+
+  CSSM_BOOL confirmRequired;
+  base::ScopedCSSMTPtr<CSSM_TP_RESULT_SET> resultSet;
+  crtn = CSSM_TP_RetrieveCredResult(tp_handle, refId, NULL, &estTime,
+                                    &confirmRequired, &resultSet.receive());
+  if (crtn) {
+    DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn;
+    return NULL;
+  }
+
+  if (confirmRequired) {

[Ryan Sleevi, 2011/02/05 00:23:37]

BUG/nit? If confirmRequired is true, it's still possible that the is
memory/responses in resultSet needs to be freed.

For what it's worth, Apple's TP doesn't set confirmRequired, so it's up to you
if you want to use that knowledge here.

[dmac, 2011/02/08 01:23:45]

Done.

+    DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation";
+    return NULL;
+  }
+

[Ryan Sleevi, 2011/02/05 00:23:37]

BUG: Check that resultSet->NumberOfResults == 1 before using resultSet->Results
/ encCert

[dmac, 2011/02/08 01:23:45]

Done.

+  CSSM_ENCODED_CERT* encCert =
+      reinterpret_cast<CSSM_ENCODED_CERT*>(resultSet->Results);
+  base::mac::ScopedCFTypeRef<SecCertificateRef> scoped_cert;
+  {
+    base::AutoLock sec_lock(base::GetMacSecurityServicesLock());

[Ryan Sleevi, 2011/02/05 00:23:37]

You shouldn't need to lock here. It's only needed for routines that modify the
keychain.

[dmac, 2011/02/08 01:23:45]

Done.

+    SecCertificateRef certificate_ref = NULL;
+    OSStatus os_status = SecCertificateCreateFromData(&encCert->CertBlob,
+        encCert->CertType, encCert->CertEncoding, &certificate_ref);
+    if (os_status != 0) {
+      DLOG(ERROR) << "SecCertificateCreateFromData failed: " << os_status;
+      return NULL;
+    }
+    scoped_cert.reset(certificate_ref);
+  }

[Ryan Sleevi, 2011/02/05 00:23:37]

BUG: You also need to free
resultSet->Results
and
encCert->CertBlob.Data (see apple_x509_tp-33583\lib\tpCredRequest.cpp
AppleTPSession::RetrieveCredResult)

[dmac, 2011/02/08 01:23:45]

Done.

+  return CreateFromHandle(
+     scoped_cert, X509Certificate::SOURCE_LONE_CERT_IMPORT,
+     X509Certificate::OSCertHandles());
 }
 
 void X509Certificate::Persist(Pickle* pickle) {
   CSSM_DATA cert_data;
   OSStatus status = SecCertificateGetData(cert_handle_, &cert_data);
   if (status) {
     NOTREACHED();
     return;
   }
 
@@ skipping 506 matching lines @@
   if (result) {
     LOG(ERROR) << "SecIdentityCreateWithCertificate error " << result;
     return NULL;
   }
   ScopedCFTypeRef<CFMutableArrayRef> chain(
       CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks));
   CFArrayAppendValue(chain, identity);
 
   CFArrayRef cert_chain = NULL;
   result = CopyCertChain(cert_handle_, &cert_chain);
+  ScopedCFTypeRef<CFArrayRef> scoped_cert_chain(cert_chain);
   if (result) {
     LOG(ERROR) << "CreateIdentityCertificateChain error " << result;
     return chain.release();
   }
 
   // Append the intermediate certs from SecTrust to the result array:
   if (cert_chain) {
     int chain_count = CFArrayGetCount(cert_chain);
     if (chain_count > 1) {
       CFArrayAppendArray(chain,
                          cert_chain,
                          CFRangeMake(1, chain_count - 1));
     }
-    CFRelease(cert_chain);
   }
 
   return chain.release();
 }
 
 }  // namespace net