| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
| 9 #include <time.h> | 9 #include <time.h> |
| 10 | 10 |
| 11 #include <vector> | 11 #include <vector> |
| 12 | 12 |
| 13 #include "base/crypto/cssm_init.h" | |
| 14 #include "base/crypto/rsa_private_key.h" | |
| 15 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 16 #include "base/logging.h" | 14 #include "base/logging.h" |
| 17 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 18 #include "base/nss_util.h" | |
| 19 #include "base/pickle.h" | 16 #include "base/pickle.h" |
| 20 #include "base/mac/scoped_cftyperef.h" | 17 #include "base/mac/scoped_cftyperef.h" |
| 21 #include "base/sys_string_conversions.h" | 18 #include "base/sys_string_conversions.h" |
| 19 #include "crypto/cssm_init.h" |
| 20 #include "crypto/nss_util.h" |
| 21 #include "crypto/rsa_private_key.h" |
| 22 #include "net/base/cert_status_flags.h" | 22 #include "net/base/cert_status_flags.h" |
| 23 #include "net/base/cert_verify_result.h" | 23 #include "net/base/cert_verify_result.h" |
| 24 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" |
| 25 #include "net/base/test_root_certs.h" | 25 #include "net/base/test_root_certs.h" |
| 26 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" | 26 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" |
| 27 | 27 |
| 28 using base::mac::ScopedCFTypeRef; | 28 using base::mac::ScopedCFTypeRef; |
| 29 using base::Time; | 29 using base::Time; |
| 30 | 30 |
| 31 namespace net { | 31 namespace net { |
| (...skipping 443 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 475 | 475 |
| 476 class ScopedEncodedCertResults { | 476 class ScopedEncodedCertResults { |
| 477 public: | 477 public: |
| 478 explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results) | 478 explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results) |
| 479 : results_(results) { } | 479 : results_(results) { } |
| 480 ~ScopedEncodedCertResults() { | 480 ~ScopedEncodedCertResults() { |
| 481 if (results_) { | 481 if (results_) { |
| 482 CSSM_ENCODED_CERT* encCert = | 482 CSSM_ENCODED_CERT* encCert = |
| 483 reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results); | 483 reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results); |
| 484 for (uint32 i = 0; i < results_->NumberOfResults; i++) { | 484 for (uint32 i = 0; i < results_->NumberOfResults; i++) { |
| 485 base::CSSMFree(encCert[i].CertBlob.Data); | 485 crypto::CSSMFree(encCert[i].CertBlob.Data); |
| 486 } | 486 } |
| 487 } | 487 } |
| 488 base::CSSMFree(results_->Results); | 488 crypto::CSSMFree(results_->Results); |
| 489 base::CSSMFree(results_); | 489 crypto::CSSMFree(results_); |
| 490 } | 490 } |
| 491 | 491 |
| 492 private: | 492 private: |
| 493 CSSM_TP_RESULT_SET* results_; | 493 CSSM_TP_RESULT_SET* results_; |
| 494 }; | 494 }; |
| 495 | 495 |
| 496 } // namespace | 496 } // namespace |
| 497 | 497 |
| 498 void X509Certificate::Initialize() { | 498 void X509Certificate::Initialize() { |
| 499 const CSSM_X509_NAME* name; | 499 const CSSM_X509_NAME* name; |
| (...skipping 20 matching lines...) Expand all Loading... |
| 520 const char* data; | 520 const char* data; |
| 521 int length; | 521 int length; |
| 522 if (!pickle.ReadData(pickle_iter, &data, &length)) | 522 if (!pickle.ReadData(pickle_iter, &data, &length)) |
| 523 return NULL; | 523 return NULL; |
| 524 | 524 |
| 525 return CreateFromBytes(data, length); | 525 return CreateFromBytes(data, length); |
| 526 } | 526 } |
| 527 | 527 |
| 528 // static | 528 // static |
| 529 X509Certificate* X509Certificate::CreateSelfSigned( | 529 X509Certificate* X509Certificate::CreateSelfSigned( |
| 530 base::RSAPrivateKey* key, | 530 crypto::RSAPrivateKey* key, |
| 531 const std::string& subject, | 531 const std::string& subject, |
| 532 uint32 serial_number, | 532 uint32 serial_number, |
| 533 base::TimeDelta valid_duration) { | 533 base::TimeDelta valid_duration) { |
| 534 DCHECK(key); | 534 DCHECK(key); |
| 535 DCHECK(!subject.empty()); | 535 DCHECK(!subject.empty()); |
| 536 | 536 |
| 537 if (valid_duration.InSeconds() > UINT32_MAX) { | 537 if (valid_duration.InSeconds() > UINT32_MAX) { |
| 538 LOG(ERROR) << "valid_duration too big" << valid_duration.InSeconds(); | 538 LOG(ERROR) << "valid_duration too big" << valid_duration.InSeconds(); |
| 539 valid_duration = base::TimeDelta::FromSeconds(UINT32_MAX); | 539 valid_duration = base::TimeDelta::FromSeconds(UINT32_MAX); |
| 540 } | 540 } |
| 541 | 541 |
| 542 // There is a comment in | 542 // There is a comment in |
| 543 // http://www.opensource.apple.com/source/security_certtool/security_certtool-
31828/src/CertTool.cpp | 543 // http://www.opensource.apple.com/source/security_certtool/security_certtool-
31828/src/CertTool.cpp |
| 544 // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have | 544 // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have |
| 545 // their high bit set. We will continue though and mask it out below. | 545 // their high bit set. We will continue though and mask it out below. |
| 546 if (serial_number & 0x80000000) | 546 if (serial_number & 0x80000000) |
| 547 LOG(ERROR) << "serial_number has high bit set " << serial_number; | 547 LOG(ERROR) << "serial_number has high bit set " << serial_number; |
| 548 | 548 |
| 549 // NSS is used to parse the subject string into a set of | 549 // NSS is used to parse the subject string into a set of |
| 550 // CSSM_OID/string pairs. There doesn't appear to be a system routine for | 550 // CSSM_OID/string pairs. There doesn't appear to be a system routine for |
| 551 // parsing Distinguished Name strings. | 551 // parsing Distinguished Name strings. |
| 552 base::EnsureNSSInit(); | 552 crypto::EnsureNSSInit(); |
| 553 | 553 |
| 554 CSSMOIDStringVector subject_name_oids; | 554 CSSMOIDStringVector subject_name_oids; |
| 555 ScopedCertName subject_name( | 555 ScopedCertName subject_name( |
| 556 CERT_AsciiToName(const_cast<char*>(subject.c_str()))); | 556 CERT_AsciiToName(const_cast<char*>(subject.c_str()))); |
| 557 if (!CERTNameToCSSMOIDVector(subject_name, &subject_name_oids)) { | 557 if (!CERTNameToCSSMOIDVector(subject_name, &subject_name_oids)) { |
| 558 DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject; | 558 DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject; |
| 559 return NULL; | 559 return NULL; |
| 560 } | 560 } |
| 561 | 561 |
| 562 // Convert the map of oid/string pairs into an array of | 562 // Convert the map of oid/string pairs into an array of |
| 563 // CSSM_APPLE_TP_NAME_OIDs. | 563 // CSSM_APPLE_TP_NAME_OIDs. |
| 564 std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names; | 564 std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names; |
| 565 for(CSSMOIDStringVector::iterator iter = subject_name_oids.begin(); | 565 for(CSSMOIDStringVector::iterator iter = subject_name_oids.begin(); |
| 566 iter != subject_name_oids.end(); ++iter) { | 566 iter != subject_name_oids.end(); ++iter) { |
| 567 CSSM_APPLE_TP_NAME_OID cssm_subject_name; | 567 CSSM_APPLE_TP_NAME_OID cssm_subject_name; |
| 568 cssm_subject_name.oid = iter->oid_; | 568 cssm_subject_name.oid = iter->oid_; |
| 569 cssm_subject_name.string = iter->string_.c_str(); | 569 cssm_subject_name.string = iter->string_.c_str(); |
| 570 cssm_subject_names.push_back(cssm_subject_name); | 570 cssm_subject_names.push_back(cssm_subject_name); |
| 571 } | 571 } |
| 572 | 572 |
| 573 if (cssm_subject_names.empty()) { | 573 if (cssm_subject_names.empty()) { |
| 574 DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject; | 574 DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject; |
| 575 return NULL; | 575 return NULL; |
| 576 } | 576 } |
| 577 | 577 |
| 578 // Set up a certificate request. | 578 // Set up a certificate request. |
| 579 CSSM_APPLE_TP_CERT_REQUEST certReq; | 579 CSSM_APPLE_TP_CERT_REQUEST certReq; |
| 580 memset(&certReq, 0, sizeof(certReq)); | 580 memset(&certReq, 0, sizeof(certReq)); |
| 581 certReq.cspHand = base::GetSharedCSPHandle(); | 581 certReq.cspHand = crypto::GetSharedCSPHandle(); |
| 582 certReq.clHand = base::GetSharedCLHandle(); | 582 certReq.clHand = crypto::GetSharedCLHandle(); |
| 583 // See comment about serial numbers above. | 583 // See comment about serial numbers above. |
| 584 certReq.serialNumber = serial_number & 0x7fffffff; | 584 certReq.serialNumber = serial_number & 0x7fffffff; |
| 585 certReq.numSubjectNames = cssm_subject_names.size(); | 585 certReq.numSubjectNames = cssm_subject_names.size(); |
| 586 certReq.subjectNames = &cssm_subject_names[0]; | 586 certReq.subjectNames = &cssm_subject_names[0]; |
| 587 certReq.numIssuerNames = 0; // Root. | 587 certReq.numIssuerNames = 0; // Root. |
| 588 certReq.issuerNames = NULL; | 588 certReq.issuerNames = NULL; |
| 589 certReq.issuerNameX509 = NULL; | 589 certReq.issuerNameX509 = NULL; |
| 590 certReq.certPublicKey = key->public_key(); | 590 certReq.certPublicKey = key->public_key(); |
| 591 certReq.issuerPrivateKey = key->key(); | 591 certReq.issuerPrivateKey = key->key(); |
| 592 // These are the Apple defaults. | 592 // These are the Apple defaults. |
| (...skipping 11 matching lines...) Expand all Loading... |
| 604 | 604 |
| 605 CSSM_FIELD policyId; | 605 CSSM_FIELD policyId; |
| 606 memset(&policyId, 0, sizeof(policyId)); | 606 memset(&policyId, 0, sizeof(policyId)); |
| 607 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN; | 607 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN; |
| 608 | 608 |
| 609 CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext; | 609 CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext; |
| 610 memset(&callerAuthContext, 0, sizeof(callerAuthContext)); | 610 memset(&callerAuthContext, 0, sizeof(callerAuthContext)); |
| 611 callerAuthContext.Policy.NumberOfPolicyIds = 1; | 611 callerAuthContext.Policy.NumberOfPolicyIds = 1; |
| 612 callerAuthContext.Policy.PolicyIds = &policyId; | 612 callerAuthContext.Policy.PolicyIds = &policyId; |
| 613 | 613 |
| 614 CSSM_TP_HANDLE tp_handle = base::GetSharedTPHandle(); | 614 CSSM_TP_HANDLE tp_handle = crypto::GetSharedTPHandle(); |
| 615 CSSM_DATA refId; | 615 CSSM_DATA refId; |
| 616 memset(&refId, 0, sizeof(refId)); | 616 memset(&refId, 0, sizeof(refId)); |
| 617 sint32 estTime; | 617 sint32 estTime; |
| 618 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, | 618 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, |
| 619 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, | 619 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, |
| 620 &estTime, &refId); | 620 &estTime, &refId); |
| 621 if(crtn) { | 621 if(crtn) { |
| 622 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; | 622 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; |
| 623 return NULL; | 623 return NULL; |
| 624 } | 624 } |
| 625 | 625 |
| 626 CSSM_BOOL confirmRequired; | 626 CSSM_BOOL confirmRequired; |
| 627 CSSM_TP_RESULT_SET *resultSet = NULL; | 627 CSSM_TP_RESULT_SET *resultSet = NULL; |
| 628 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, | 628 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, |
| 629 &confirmRequired, &resultSet); | 629 &confirmRequired, &resultSet); |
| 630 ScopedEncodedCertResults scopedResults(resultSet); | 630 ScopedEncodedCertResults scopedResults(resultSet); |
| 631 base::CSSMFree(refId.Data); | 631 crypto::CSSMFree(refId.Data); |
| 632 if (crtn) { | 632 if (crtn) { |
| 633 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; | 633 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; |
| 634 return NULL; | 634 return NULL; |
| 635 } | 635 } |
| 636 | 636 |
| 637 if (confirmRequired) { | 637 if (confirmRequired) { |
| 638 // Potential leak here of resultSet. |confirmRequired| should never be | 638 // Potential leak here of resultSet. |confirmRequired| should never be |
| 639 // true. | 639 // true. |
| 640 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation"; | 640 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation"; |
| 641 return NULL; | 641 return NULL; |
| (...skipping 565 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1207 CFArrayAppendArray(chain, | 1207 CFArrayAppendArray(chain, |
| 1208 cert_chain, | 1208 cert_chain, |
| 1209 CFRangeMake(1, chain_count - 1)); | 1209 CFRangeMake(1, chain_count - 1)); |
| 1210 } | 1210 } |
| 1211 } | 1211 } |
| 1212 | 1212 |
| 1213 return chain.release(); | 1213 return chain.release(); |
| 1214 } | 1214 } |
| 1215 | 1215 |
| 1216 } // namespace net | 1216 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6805019:
Move crypto files out of base, to a top level directory. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/