| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
| 9 #include <time.h> | 9 #include <time.h> |
| 10 | 10 |
| 11 #include <vector> | 11 #include <vector> |
| 12 | 12 |
| 13 #include "base/crypto/cssm_init.h" | |
| 14 #include "base/crypto/rsa_private_key.h" | |
| 15 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 16 #include "base/logging.h" | 14 #include "base/logging.h" |
| 17 #include "base/mac/scoped_cftyperef.h" | 15 #include "base/mac/scoped_cftyperef.h" |
| 18 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 19 #include "base/nss_util.h" | |
| 20 #include "base/pickle.h" | 17 #include "base/pickle.h" |
| 21 #include "base/sha1.h" | 18 #include "base/sha1.h" |
| 22 #include "base/sys_string_conversions.h" | 19 #include "base/sys_string_conversions.h" |
| 20 #include "crypto/cssm_init.h" |
| 21 #include "crypto/nss_util.h" |
| 22 #include "crypto/rsa_private_key.h" |
| 23 #include "net/base/asn1_util.h" | 23 #include "net/base/asn1_util.h" |
| 24 #include "net/base/cert_status_flags.h" | 24 #include "net/base/cert_status_flags.h" |
| 25 #include "net/base/cert_verify_result.h" | 25 #include "net/base/cert_verify_result.h" |
| 26 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
| 27 #include "net/base/test_root_certs.h" | 27 #include "net/base/test_root_certs.h" |
| 28 #include "net/base/x509_certificate_known_roots_mac.h" | 28 #include "net/base/x509_certificate_known_roots_mac.h" |
| 29 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" | 29 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h" |
| 30 | 30 |
| 31 using base::mac::ScopedCFTypeRef; | 31 using base::mac::ScopedCFTypeRef; |
| 32 using base::Time; | 32 using base::Time; |
| (...skipping 445 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 478 | 478 |
| 479 class ScopedEncodedCertResults { | 479 class ScopedEncodedCertResults { |
| 480 public: | 480 public: |
| 481 explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results) | 481 explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results) |
| 482 : results_(results) { } | 482 : results_(results) { } |
| 483 ~ScopedEncodedCertResults() { | 483 ~ScopedEncodedCertResults() { |
| 484 if (results_) { | 484 if (results_) { |
| 485 CSSM_ENCODED_CERT* encCert = | 485 CSSM_ENCODED_CERT* encCert = |
| 486 reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results); | 486 reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results); |
| 487 for (uint32 i = 0; i < results_->NumberOfResults; i++) { | 487 for (uint32 i = 0; i < results_->NumberOfResults; i++) { |
| 488 base::CSSMFree(encCert[i].CertBlob.Data); | 488 crypto::CSSMFree(encCert[i].CertBlob.Data); |
| 489 } | 489 } |
| 490 } | 490 } |
| 491 base::CSSMFree(results_->Results); | 491 crypto::CSSMFree(results_->Results); |
| 492 base::CSSMFree(results_); | 492 crypto::CSSMFree(results_); |
| 493 } | 493 } |
| 494 | 494 |
| 495 private: | 495 private: |
| 496 CSSM_TP_RESULT_SET* results_; | 496 CSSM_TP_RESULT_SET* results_; |
| 497 }; | 497 }; |
| 498 | 498 |
| 499 void AppendPublicKeyHashes(CFArrayRef chain, | 499 void AppendPublicKeyHashes(CFArrayRef chain, |
| 500 std::vector<SHA1Fingerprint>* hashes) { | 500 std::vector<SHA1Fingerprint>* hashes) { |
| 501 const CFIndex n = CFArrayGetCount(chain); | 501 const CFIndex n = CFArrayGetCount(chain); |
| 502 for (CFIndex i = 0; i < n; i++) { | 502 for (CFIndex i = 0; i < n; i++) { |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 559 const char* data; | 559 const char* data; |
| 560 int length; | 560 int length; |
| 561 if (!pickle.ReadData(pickle_iter, &data, &length)) | 561 if (!pickle.ReadData(pickle_iter, &data, &length)) |
| 562 return NULL; | 562 return NULL; |
| 563 | 563 |
| 564 return CreateFromBytes(data, length); | 564 return CreateFromBytes(data, length); |
| 565 } | 565 } |
| 566 | 566 |
| 567 // static | 567 // static |
| 568 X509Certificate* X509Certificate::CreateSelfSigned( | 568 X509Certificate* X509Certificate::CreateSelfSigned( |
| 569 base::RSAPrivateKey* key, | 569 crypto::RSAPrivateKey* key, |
| 570 const std::string& subject, | 570 const std::string& subject, |
| 571 uint32 serial_number, | 571 uint32 serial_number, |
| 572 base::TimeDelta valid_duration) { | 572 base::TimeDelta valid_duration) { |
| 573 DCHECK(key); | 573 DCHECK(key); |
| 574 DCHECK(!subject.empty()); | 574 DCHECK(!subject.empty()); |
| 575 | 575 |
| 576 if (valid_duration.InSeconds() > UINT32_MAX) { | 576 if (valid_duration.InSeconds() > UINT32_MAX) { |
| 577 LOG(ERROR) << "valid_duration too big" << valid_duration.InSeconds(); | 577 LOG(ERROR) << "valid_duration too big" << valid_duration.InSeconds(); |
| 578 valid_duration = base::TimeDelta::FromSeconds(UINT32_MAX); | 578 valid_duration = base::TimeDelta::FromSeconds(UINT32_MAX); |
| 579 } | 579 } |
| 580 | 580 |
| 581 // There is a comment in | 581 // There is a comment in |
| 582 // http://www.opensource.apple.com/source/security_certtool/security_certtool-
31828/src/CertTool.cpp | 582 // http://www.opensource.apple.com/source/security_certtool/security_certtool-
31828/src/CertTool.cpp |
| 583 // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have | 583 // that serial_numbers being passed into CSSM_TP_SubmitCredRequest can't have |
| 584 // their high bit set. We will continue though and mask it out below. | 584 // their high bit set. We will continue though and mask it out below. |
| 585 if (serial_number & 0x80000000) | 585 if (serial_number & 0x80000000) |
| 586 LOG(ERROR) << "serial_number has high bit set " << serial_number; | 586 LOG(ERROR) << "serial_number has high bit set " << serial_number; |
| 587 | 587 |
| 588 // NSS is used to parse the subject string into a set of | 588 // NSS is used to parse the subject string into a set of |
| 589 // CSSM_OID/string pairs. There doesn't appear to be a system routine for | 589 // CSSM_OID/string pairs. There doesn't appear to be a system routine for |
| 590 // parsing Distinguished Name strings. | 590 // parsing Distinguished Name strings. |
| 591 base::EnsureNSSInit(); | 591 crypto::EnsureNSSInit(); |
| 592 | 592 |
| 593 CSSMOIDStringVector subject_name_oids; | 593 CSSMOIDStringVector subject_name_oids; |
| 594 ScopedCertName subject_name( | 594 ScopedCertName subject_name( |
| 595 CERT_AsciiToName(const_cast<char*>(subject.c_str()))); | 595 CERT_AsciiToName(const_cast<char*>(subject.c_str()))); |
| 596 if (!CERTNameToCSSMOIDVector(subject_name, &subject_name_oids)) { | 596 if (!CERTNameToCSSMOIDVector(subject_name, &subject_name_oids)) { |
| 597 DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject; | 597 DLOG(ERROR) << "Unable to generate CSSMOIDMap from " << subject; |
| 598 return NULL; | 598 return NULL; |
| 599 } | 599 } |
| 600 | 600 |
| 601 // Convert the map of oid/string pairs into an array of | 601 // Convert the map of oid/string pairs into an array of |
| 602 // CSSM_APPLE_TP_NAME_OIDs. | 602 // CSSM_APPLE_TP_NAME_OIDs. |
| 603 std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names; | 603 std::vector<CSSM_APPLE_TP_NAME_OID> cssm_subject_names; |
| 604 for(CSSMOIDStringVector::iterator iter = subject_name_oids.begin(); | 604 for(CSSMOIDStringVector::iterator iter = subject_name_oids.begin(); |
| 605 iter != subject_name_oids.end(); ++iter) { | 605 iter != subject_name_oids.end(); ++iter) { |
| 606 CSSM_APPLE_TP_NAME_OID cssm_subject_name; | 606 CSSM_APPLE_TP_NAME_OID cssm_subject_name; |
| 607 cssm_subject_name.oid = iter->oid_; | 607 cssm_subject_name.oid = iter->oid_; |
| 608 cssm_subject_name.string = iter->string_.c_str(); | 608 cssm_subject_name.string = iter->string_.c_str(); |
| 609 cssm_subject_names.push_back(cssm_subject_name); | 609 cssm_subject_names.push_back(cssm_subject_name); |
| 610 } | 610 } |
| 611 | 611 |
| 612 if (cssm_subject_names.empty()) { | 612 if (cssm_subject_names.empty()) { |
| 613 DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject; | 613 DLOG(ERROR) << "cssm_subject_names.size() == 0. Input: " << subject; |
| 614 return NULL; | 614 return NULL; |
| 615 } | 615 } |
| 616 | 616 |
| 617 // Set up a certificate request. | 617 // Set up a certificate request. |
| 618 CSSM_APPLE_TP_CERT_REQUEST certReq; | 618 CSSM_APPLE_TP_CERT_REQUEST certReq; |
| 619 memset(&certReq, 0, sizeof(certReq)); | 619 memset(&certReq, 0, sizeof(certReq)); |
| 620 certReq.cspHand = base::GetSharedCSPHandle(); | 620 certReq.cspHand = crypto::GetSharedCSPHandle(); |
| 621 certReq.clHand = base::GetSharedCLHandle(); | 621 certReq.clHand = crypto::GetSharedCLHandle(); |
| 622 // See comment about serial numbers above. | 622 // See comment about serial numbers above. |
| 623 certReq.serialNumber = serial_number & 0x7fffffff; | 623 certReq.serialNumber = serial_number & 0x7fffffff; |
| 624 certReq.numSubjectNames = cssm_subject_names.size(); | 624 certReq.numSubjectNames = cssm_subject_names.size(); |
| 625 certReq.subjectNames = &cssm_subject_names[0]; | 625 certReq.subjectNames = &cssm_subject_names[0]; |
| 626 certReq.numIssuerNames = 0; // Root. | 626 certReq.numIssuerNames = 0; // Root. |
| 627 certReq.issuerNames = NULL; | 627 certReq.issuerNames = NULL; |
| 628 certReq.issuerNameX509 = NULL; | 628 certReq.issuerNameX509 = NULL; |
| 629 certReq.certPublicKey = key->public_key(); | 629 certReq.certPublicKey = key->public_key(); |
| 630 certReq.issuerPrivateKey = key->key(); | 630 certReq.issuerPrivateKey = key->key(); |
| 631 // These are the Apple defaults. | 631 // These are the Apple defaults. |
| (...skipping 11 matching lines...) Expand all Loading... |
| 643 | 643 |
| 644 CSSM_FIELD policyId; | 644 CSSM_FIELD policyId; |
| 645 memset(&policyId, 0, sizeof(policyId)); | 645 memset(&policyId, 0, sizeof(policyId)); |
| 646 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN; | 646 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN; |
| 647 | 647 |
| 648 CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext; | 648 CSSM_TP_CALLERAUTH_CONTEXT callerAuthContext; |
| 649 memset(&callerAuthContext, 0, sizeof(callerAuthContext)); | 649 memset(&callerAuthContext, 0, sizeof(callerAuthContext)); |
| 650 callerAuthContext.Policy.NumberOfPolicyIds = 1; | 650 callerAuthContext.Policy.NumberOfPolicyIds = 1; |
| 651 callerAuthContext.Policy.PolicyIds = &policyId; | 651 callerAuthContext.Policy.PolicyIds = &policyId; |
| 652 | 652 |
| 653 CSSM_TP_HANDLE tp_handle = base::GetSharedTPHandle(); | 653 CSSM_TP_HANDLE tp_handle = crypto::GetSharedTPHandle(); |
| 654 CSSM_DATA refId; | 654 CSSM_DATA refId; |
| 655 memset(&refId, 0, sizeof(refId)); | 655 memset(&refId, 0, sizeof(refId)); |
| 656 sint32 estTime; | 656 sint32 estTime; |
| 657 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, | 657 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, |
| 658 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, | 658 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, |
| 659 &estTime, &refId); | 659 &estTime, &refId); |
| 660 if(crtn) { | 660 if(crtn) { |
| 661 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; | 661 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; |
| 662 return NULL; | 662 return NULL; |
| 663 } | 663 } |
| 664 | 664 |
| 665 CSSM_BOOL confirmRequired; | 665 CSSM_BOOL confirmRequired; |
| 666 CSSM_TP_RESULT_SET *resultSet = NULL; | 666 CSSM_TP_RESULT_SET *resultSet = NULL; |
| 667 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, | 667 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, |
| 668 &confirmRequired, &resultSet); | 668 &confirmRequired, &resultSet); |
| 669 ScopedEncodedCertResults scopedResults(resultSet); | 669 ScopedEncodedCertResults scopedResults(resultSet); |
| 670 base::CSSMFree(refId.Data); | 670 crypto::CSSMFree(refId.Data); |
| 671 if (crtn) { | 671 if (crtn) { |
| 672 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; | 672 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; |
| 673 return NULL; | 673 return NULL; |
| 674 } | 674 } |
| 675 | 675 |
| 676 if (confirmRequired) { | 676 if (confirmRequired) { |
| 677 // Potential leak here of resultSet. |confirmRequired| should never be | 677 // Potential leak here of resultSet. |confirmRequired| should never be |
| 678 // true. | 678 // true. |
| 679 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation"; | 679 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult required confirmation"; |
| 680 return NULL; | 680 return NULL; |
| (...skipping 568 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1249 CFArrayAppendArray(chain, | 1249 CFArrayAppendArray(chain, |
| 1250 cert_chain, | 1250 cert_chain, |
| 1251 CFRangeMake(1, chain_count - 1)); | 1251 CFRangeMake(1, chain_count - 1)); |
| 1252 } | 1252 } |
| 1253 } | 1253 } |
| 1254 | 1254 |
| 1255 return chain.release(); | 1255 return chain.release(); |
| 1256 } | 1256 } |
| 1257 | 1257 |
| 1258 } // namespace net | 1258 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6805019:
Move crypto files out of base, to a top level directory. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/