| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
| 9 #include <time.h> | 9 #include <time.h> |
| 10 | 10 |
| 11 #include <vector> | 11 #include <vector> |
| 12 | 12 |
| 13 #include "base/crypto/cssm_init.h" | |
| 14 #include "base/crypto/rsa_private_key.h" | |
| 15 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 16 #include "base/logging.h" | 14 #include "base/logging.h" |
| 17 #include "base/mac/scoped_cftyperef.h" | 15 #include "base/mac/scoped_cftyperef.h" |
| 18 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 19 #include "base/nss_util.h" | |
| 20 #include "base/pickle.h" | 17 #include "base/pickle.h" |
| 21 #include "base/sha1.h" | 18 #include "base/sha1.h" |
| 22 #include "base/sys_string_conversions.h" | 19 #include "base/sys_string_conversions.h" |
| 20 #include "crypto/cssm_init.h" |
| 21 #include "crypto/nss_util.h" |
| 22 #include "crypto/rsa_private_key.h" |
| 23 #include "net/base/cert_status_flags.h" | 23 #include "net/base/cert_status_flags.h" |
| 24 #include "net/base/cert_verify_result.h" | 24 #include "net/base/cert_verify_result.h" |
| 25 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
| 26 #include "net/base/test_root_certs.h" | 26 #include "net/base/test_root_certs.h" |
| 27 #include "net/base/x509_certificate_known_roots_mac.h" | 27 #include "net/base/x509_certificate_known_roots_mac.h" |
| 28 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" | 28 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" |
| 29 | 29 |
| 30 using base::mac::ScopedCFTypeRef; | 30 using base::mac::ScopedCFTypeRef; |
| 31 using base::Time; | 31 using base::Time; |
| 32 | 32 |
| (...skipping 444 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 477 | 477 |
| 478 class ScopedEncodedCertResults { | 478 class ScopedEncodedCertResults { |
| 479 public: | 479 public: |
| 480 explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results) | 480 explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results) |
| 481 : results_(results) { } | 481 : results_(results) { } |
| 482 ~ScopedEncodedCertResults() { | 482 ~ScopedEncodedCertResults() { |
| 483 if (results_) { | 483 if (results_) { |
| 484 CSSM_ENCODED_CERT* encCert = | 484 CSSM_ENCODED_CERT* encCert = |
| 485 reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results); | 485 reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results); |
| 486 for (uint32 i = 0; i < results_->NumberOfResults; i++) { | 486 for (uint32 i = 0; i < results_->NumberOfResults; i++) { |
| 487 base::CSSMFree(encCert[i].CertBlob.Data); | 487 crypto::CSSMFree(encCert[i].CertBlob.Data); |
| 488 } | 488 } |
| 489 } | 489 } |
| 490 base::CSSMFree(results_->Results); | 490 crypto::CSSMFree(results_->Results); |
| 491 base::CSSMFree(results_); | 491 crypto::CSSMFree(results_); |
| 492 } | 492 } |
| 493 | 493 |
| 494 private: | 494 private: |
| 495 CSSM_TP_RESULT_SET* results_; | 495 CSSM_TP_RESULT_SET* results_; |
| 496 }; | 496 }; |
| 497 | 497 |
| 498 } // namespace | 498 } // namespace |
| 499 | 499 |
| 500 void X509Certificate::Initialize() { | 500 void X509Certificate::Initialize() { |
| 501 const CSSM_X509_NAME* name; | 501 const CSSM_X509_NAME* name; |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 536 const char* data; | 536 const char* data; |
| 537 int length; | 537 int length; |
| 538 if (!pickle.ReadData(pickle_iter, &data, &length)) | 538 if (!pickle.ReadData(pickle_iter, &data, &length)) |
| 539 return NULL; | 539 return NULL; |
| 540 | 540 |
| 541 return CreateFromBytes(data, length); | 541 return CreateFromBytes(data, length); |
| 542 } | 542 } |
| 543 | 543 |
| 544 // static | 544 // static |
| 545 X509Certificate* X509Certificate::CreateSelfSigned( | 545 X509Certificate* X509Certificate::CreateSelfSigned( |
| 546 base::RSAPrivateKey* key, | 546 crypto::RSAPrivateKey* key, |
| 547 const std::string& subject, | 547 const std::string& subject, |
| 548 uint32 serial_number, | 548 uint32 serial_number, |
| 549 base::TimeDelta valid_duration) { | 549 base::TimeDelta valid_duration) { |
| 550 DCHECK(key); | 550 DCHECK(key); |
| 551 DCHECK(!subject.empty()); | 551 DCHECK(!subject.empty()); |
| 552 | 552 |
| 553 if (valid_duration.InSeconds() > UINT32_MAX) { | 553 if (valid_duration.InSeconds() > UINT32_MAX) { |
| 554 LOG(ERROR) << "valid_duration too big" << valid_duration.InSeconds(); | 554 LOG(ERROR) << "valid_duration too big" << valid_duration.InSeconds(); |
| 555 valid_duration = base::TimeDelta::FromSeconds(UINT32_MAX); | 555 valid_duration = base::TimeDelta::FromSeconds(UINT32_MAX); |
| 556 } | 556 } |
| 557 | 557 |
| 558 // There is a comment in | 558 // There is a comment in |
| 559 // http://www.opensource.apple.com/source/security_certtool/security_certtool-
31828/src/CertTool.cpp | 559 // http://www.opensource.apple.com/source/security_certtool/security_certtool-
31828/src/CertTool.cpp |
| 560 // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have | 560 // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have |
| 561 // their high bit set. We will continue though and mask it out below. | 561 // their high bit set. We will continue though and mask it out below. |
| 562 if (serial_number & 0x80000000) | 562 if (serial_number & 0x80000000) |
| 563 LOG(ERROR) << "serial_number has high bit set " << serial_number; | 563 LOG(ERROR) << "serial_number has high bit set " << serial_number; |
| 564 | 564 |
| 565 // NSS is used to parse the subject string into a set of | 565 // NSS is used to parse the subject string into a set of |
| 566 // CSSM_OID/string pairs. There doesn't appear to be a system routine for | 566 // CSSM_OID/string pairs. There doesn't appear to be a system routine for |
| 567 // parsing Distinguished Name strings. | 567 // parsing Distinguished Name strings. |
| 568 base::EnsureNSSInit(); | 568 crypto::EnsureNSSInit(); |
| 569 | 569 |
| 570 CSSMOIDStringVector subject_name_oids; | 570 CSSMOIDStringVector subject_name_oids; |
| 571 ScopedCertName subject_name( | 571 ScopedCertName subject_name( |
| 572 CERT_AsciiToName(const_cast<char*>(subject.c_str()))); | 572 CERT_AsciiToName(const_cast<char*>(subject.c_str()))); |
| 573 if (!CERTNameToCSSMOIDVector(subject_name, &subject_name_oids)) { | 573 if (!CERTNameToCSSMOIDVector(subject_name, &subject_name_oids)) { |
| 574 DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject; | 574 DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject; |
| 575 return NULL; | 575 return NULL; |
| 576 } | 576 } |
| 577 | 577 |
| 578 // Convert the map of oid/string pairs into an array of | 578 // Convert the map of oid/string pairs into an array of |
| 579 // CSSM_APPLE_TP_NAME_OIDs. | 579 // CSSM_APPLE_TP_NAME_OIDs. |
| 580 std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names; | 580 std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names; |
| 581 for(CSSMOIDStringVector::iterator iter = subject_name_oids.begin(); | 581 for(CSSMOIDStringVector::iterator iter = subject_name_oids.begin(); |
| 582 iter != subject_name_oids.end(); ++iter) { | 582 iter != subject_name_oids.end(); ++iter) { |
| 583 CSSM_APPLE_TP_NAME_OID cssm_subject_name; | 583 CSSM_APPLE_TP_NAME_OID cssm_subject_name; |
| 584 cssm_subject_name.oid = iter->oid_; | 584 cssm_subject_name.oid = iter->oid_; |
| 585 cssm_subject_name.string = iter->string_.c_str(); | 585 cssm_subject_name.string = iter->string_.c_str(); |
| 586 cssm_subject_names.push_back(cssm_subject_name); | 586 cssm_subject_names.push_back(cssm_subject_name); |
| 587 } | 587 } |
| 588 | 588 |
| 589 if (cssm_subject_names.empty()) { | 589 if (cssm_subject_names.empty()) { |
| 590 DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject; | 590 DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject; |
| 591 return NULL; | 591 return NULL; |
| 592 } | 592 } |
| 593 | 593 |
| 594 // Set up a certificate request. | 594 // Set up a certificate request. |
| 595 CSSM_APPLE_TP_CERT_REQUEST certReq; | 595 CSSM_APPLE_TP_CERT_REQUEST certReq; |
| 596 memset(&certReq, 0, sizeof(certReq)); | 596 memset(&certReq, 0, sizeof(certReq)); |
| 597 certReq.cspHand = base::GetSharedCSPHandle(); | 597 certReq.cspHand = crypto::GetSharedCSPHandle(); |
| 598 certReq.clHand = base::GetSharedCLHandle(); | 598 certReq.clHand = crypto::GetSharedCLHandle(); |
| 599 // See comment about serial numbers above. | 599 // See comment about serial numbers above. |
| 600 certReq.serialNumber = serial_number & 0x7fffffff; | 600 certReq.serialNumber = serial_number & 0x7fffffff; |
| 601 certReq.numSubjectNames = cssm_subject_names.size(); | 601 certReq.numSubjectNames = cssm_subject_names.size(); |
| 602 certReq.subjectNames = &cssm_subject_names[0]; | 602 certReq.subjectNames = &cssm_subject_names[0]; |
| 603 certReq.numIssuerNames = 0; // Root. | 603 certReq.numIssuerNames = 0; // Root. |
| 604 certReq.issuerNames = NULL; | 604 certReq.issuerNames = NULL; |
| 605 certReq.issuerNameX509 = NULL; | 605 certReq.issuerNameX509 = NULL; |
| 606 certReq.certPublicKey = key->public_key(); | 606 certReq.certPublicKey = key->public_key(); |
| 607 certReq.issuerPrivateKey = key->key(); | 607 certReq.issuerPrivateKey = key->key(); |
| 608 // These are the Apple defaults. | 608 // These are the Apple defaults. |
| (...skipping 11 matching lines...) Expand all Loading... |
| 620 | 620 |
| 621 CSSM_FIELD policyId; | 621 CSSM_FIELD policyId; |
| 622 memset(&policyId, 0, sizeof(policyId)); | 622 memset(&policyId, 0, sizeof(policyId)); |
| 623 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN; | 623 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN; |
| 624 | 624 |
| 625 CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext; | 625 CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext; |
| 626 memset(&callerAuthContext, 0, sizeof(callerAuthContext)); | 626 memset(&callerAuthContext, 0, sizeof(callerAuthContext)); |
| 627 callerAuthContext.Policy.NumberOfPolicyIds = 1; | 627 callerAuthContext.Policy.NumberOfPolicyIds = 1; |
| 628 callerAuthContext.Policy.PolicyIds = &policyId; | 628 callerAuthContext.Policy.PolicyIds = &policyId; |
| 629 | 629 |
| 630 CSSM_TP_HANDLE tp_handle = base::GetSharedTPHandle(); | 630 CSSM_TP_HANDLE tp_handle = crypto::GetSharedTPHandle(); |
| 631 CSSM_DATA refId; | 631 CSSM_DATA refId; |
| 632 memset(&refId, 0, sizeof(refId)); | 632 memset(&refId, 0, sizeof(refId)); |
| 633 sint32 estTime; | 633 sint32 estTime; |
| 634 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, | 634 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, |
| 635 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, | 635 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, |
| 636 &estTime, &refId); | 636 &estTime, &refId); |
| 637 if(crtn) { | 637 if(crtn) { |
| 638 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; | 638 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; |
| 639 return NULL; | 639 return NULL; |
| 640 } | 640 } |
| 641 | 641 |
| 642 CSSM_BOOL confirmRequired; | 642 CSSM_BOOL confirmRequired; |
| 643 CSSM_TP_RESULT_SET *resultSet = NULL; | 643 CSSM_TP_RESULT_SET *resultSet = NULL; |
| 644 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, | 644 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, |
| 645 &confirmRequired, &resultSet); | 645 &confirmRequired, &resultSet); |
| 646 ScopedEncodedCertResults scopedResults(resultSet); | 646 ScopedEncodedCertResults scopedResults(resultSet); |
| 647 base::CSSMFree(refId.Data); | 647 crypto::CSSMFree(refId.Data); |
| 648 if (crtn) { | 648 if (crtn) { |
| 649 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; | 649 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; |
| 650 return NULL; | 650 return NULL; |
| 651 } | 651 } |
| 652 | 652 |
| 653 if (confirmRequired) { | 653 if (confirmRequired) { |
| 654 // Potential leak here of resultSet. |confirmRequired| should never be | 654 // Potential leak here of resultSet. |confirmRequired| should never be |
| 655 // true. | 655 // true. |
| 656 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation"; | 656 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation"; |
| 657 return NULL; | 657 return NULL; |
| (...skipping 567 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1225 CFArrayAppendArray(chain, | 1225 CFArrayAppendArray(chain, |
| 1226 cert_chain, | 1226 cert_chain, |
| 1227 CFRangeMake(1, chain_count - 1)); | 1227 CFRangeMake(1, chain_count - 1)); |
| 1228 } | 1228 } |
| 1229 } | 1229 } |
| 1230 | 1230 |
| 1231 return chain.release(); | 1231 return chain.release(); |
| 1232 } | 1232 } |
| 1233 | 1233 |
| 1234 } // namespace net | 1234 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6805019:
Move crypto files out of base, to a top level directory. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/