Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(668)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/x509_util_nss.cc

Issue 1076063002: Remove certificates from Channel ID (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: cleanup Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/x509_util.cc ('k') | net/cert/x509_util_nss_unittest.cc » ('j') | net/quic/test_tools/crypto_test_utils_nss.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/x509_util.h" 5 #include "net/cert/x509_util.h"
6 #include "net/cert/x509_util_nss.h" 6 #include "net/cert/x509_util_nss.h"
7 7
8 #include <cert.h> // Must be included before certdb.h 8 #include <cert.h> // Must be included before certdb.h
9 #include <certdb.h> 9 #include <certdb.h>
10 #include <cryptohi.h> 10 #include <cryptohi.h>
(...skipping 15 matching lines...) Expand all
26 #include "crypto/nss_util_internal.h" 26 #include "crypto/nss_util_internal.h"
27 #include "crypto/rsa_private_key.h" 27 #include "crypto/rsa_private_key.h"
28 #include "crypto/scoped_nss_types.h" 28 #include "crypto/scoped_nss_types.h"
29 #include "crypto/third_party/nss/chromium-nss.h" 29 #include "crypto/third_party/nss/chromium-nss.h"
30 #include "net/cert/x509_certificate.h" 30 #include "net/cert/x509_certificate.h"
31 31
32 namespace net { 32 namespace net {
33 33
34 namespace { 34 namespace {
35 35
36 class ChannelIDOIDWrapper {
37 public:
38 static ChannelIDOIDWrapper* GetInstance() {
39 // Instantiated as a leaky singleton to allow the singleton to be
40 // constructed on a worker thead that is not joined when a process
41 // shuts down.
42 return Singleton<ChannelIDOIDWrapper,
43 LeakySingletonTraits<ChannelIDOIDWrapper> >::get();
44 }
45
46 SECOidTag domain_bound_cert_oid_tag() const {
47 return domain_bound_cert_oid_tag_;
48 }
49
50 private:
51 friend struct DefaultSingletonTraits<ChannelIDOIDWrapper>;
52
53 ChannelIDOIDWrapper();
54
55 SECOidTag domain_bound_cert_oid_tag_;
56
57 DISALLOW_COPY_AND_ASSIGN(ChannelIDOIDWrapper);
58 };
59
60 ChannelIDOIDWrapper::ChannelIDOIDWrapper()
61 : domain_bound_cert_oid_tag_(SEC_OID_UNKNOWN) {
62 // 1.3.6.1.4.1.11129.2.1.6
63 // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
64 // certificateExtensions.originBoundCertificate)
65 static const uint8 kObCertOID[] = {
66 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06
67 };
68 SECOidData oid_data;
69 memset(&oid_data, 0, sizeof(oid_data));
70 oid_data.oid.data = const_cast<uint8*>(kObCertOID);
71 oid_data.oid.len = sizeof(kObCertOID);
72 oid_data.offset = SEC_OID_UNKNOWN;
73 oid_data.desc = "Origin Bound Certificate";
74 oid_data.mechanism = CKM_INVALID_MECHANISM;
75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data);
77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN)
78 LOG(ERROR) << "OB_CERT OID tag creation failed";
79 }
80
81 // Creates a Certificate object that may be passed to the SignCertificate 36 // Creates a Certificate object that may be passed to the SignCertificate
82 // method to generate an X509 certificate. 37 // method to generate an X509 certificate.
83 // Returns NULL if an error is encountered in the certificate creation 38 // Returns NULL if an error is encountered in the certificate creation
84 // process. 39 // process.
85 // Caller responsible for freeing returned certificate object. 40 // Caller responsible for freeing returned certificate object.
86 CERTCertificate* CreateCertificate( 41 CERTCertificate* CreateCertificate(
87 SECKEYPublicKey* public_key, 42 SECKEYPublicKey* public_key,
88 const std::string& subject, 43 const std::string& subject,
89 uint32 serial_number, 44 uint32 serial_number,
90 base::Time not_valid_before, 45 base::Time not_valid_before,
(...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after
232 crypto::BaseTimeToPRTime(not_valid_before), 187 crypto::BaseTimeToPRTime(not_valid_before),
233 crypto::BaseTimeToPRTime(not_valid_after)); 188 crypto::BaseTimeToPRTime(not_valid_after));
234 189
235 if (!validity) 190 if (!validity)
236 return false; 191 return false;
237 192
238 CERT_DestroyValidity(validity); 193 CERT_DestroyValidity(validity);
239 return true; 194 return true;
240 } 195 }
241 196
242 bool CreateChannelIDEC(crypto::ECPrivateKey* key, 197 #if defined(USE_NSS) || defined(OS_IOS)
243 DigestAlgorithm alg, 198 void ParsePrincipal(CERTName* name, CertPrincipal* principal) {
244 const std::string& domain, 199 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument.
245 uint32 serial_number, 200 #if NSS_VMINOR >= 15
246 base::Time not_valid_before, 201 typedef char* (*CERTGetNameFunc)(const CERTName* name);
247 base::Time not_valid_after, 202 #else
248 std::string* der_cert) { 203 typedef char* (*CERTGetNameFunc)(CERTName* name);
249 DCHECK(key); 204 #endif
250 205
251 CERTCertificate* cert = CreateCertificate(key->public_key(), 206 // TODO(jcampan): add business_category and serial_number.
252 "CN=anonymous.invalid", 207 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and
253 serial_number, 208 // CERT_GetDomainComponentName functions, but they return only the most
254 not_valid_before, 209 // general (the first) RDN. NSS doesn't have a function for the street
255 not_valid_after); 210 // address.
256 211 static const SECOidTag kOIDs[] = {SEC_OID_AVA_STREET_ADDRESS,
257 if (!cert) 212 SEC_OID_AVA_ORGANIZATION_NAME,
258 return false; 213 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
259 214 SEC_OID_AVA_DC};
260 // Create opaque handle used to add extensions later. 215
261 void* cert_handle; 216 std::vector<std::string>* values[] = {&principal->street_addresses,
262 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { 217 &principal->organization_names,
263 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; 218 &principal->organization_unit_names,
264 CERT_DestroyCertificate(cert); 219 &principal->domain_components};
265 return false; 220 DCHECK_EQ(arraysize(kOIDs), arraysize(values));
266 } 221
267 222 CERTRDN** rdns = name->rdns;
268 // Create SECItem for IA5String encoding. 223 for (size_t rdn = 0; rdns[rdn]; ++rdn) {
269 SECItem domain_string_item = { 224 CERTAVA** avas = rdns[rdn]->avas;
270 siAsciiString, 225 for (size_t pair = 0; avas[pair] != 0; ++pair) {
271 (unsigned char*)domain.data(), 226 SECOidTag tag = CERT_GetAVATag(avas[pair]);
272 static_cast<unsigned>(domain.size()) 227 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) {
273 }; 228 if (kOIDs[oid] == tag) {
274 229 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value);
275 // IA5Encode and arena allocate SECItem 230 if (!decode_item)
276 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( 231 break;
277 cert->arena, NULL, &domain_string_item, 232 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote.
278 SEC_ASN1_GET(SEC_IA5StringTemplate)); 233 std::string value(reinterpret_cast<char*>(decode_item->data),
279 if (asn1_domain_string == NULL) { 234 decode_item->len);
280 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" 235 values[oid]->push_back(value);
281 " extension"; 236 SECITEM_FreeItem(decode_item, PR_TRUE);
282 CERT_DestroyCertificate(cert); 237 break;
283 return false; 238 }
284 } 239 }
285 240 }
286 // Add the extension to the opaque handle 241 }
287 if (CERT_AddExtension( 242
288 cert_handle, 243 // Get CN, L, S, and C.
289 ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), 244 CERTGetNameFunc get_name_funcs[4] = {CERT_GetCommonName,
290 asn1_domain_string, 245 CERT_GetLocalityName,
291 PR_TRUE, 246 CERT_GetStateName,
292 PR_TRUE) != SECSuccess){ 247 CERT_GetCountryName};
293 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; 248 std::string* single_values[4] = {&principal->common_name,
294 CERT_DestroyCertificate(cert); 249 &principal->locality_name,
295 return false; 250 &principal->state_or_province_name,
296 } 251 &principal->country_name};
297 252 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) {
298 // Copy extension into x509 cert 253 char* value = get_name_funcs[i](name);
299 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ 254 if (value) {
300 LOG(ERROR) << "Unable to copy extension to X509 cert"; 255 single_values[i]->assign(value);
301 CERT_DestroyCertificate(cert); 256 PORT_Free(value);
302 return false; 257 }
303 } 258 }
304 259 }
305 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { 260
306 CERT_DestroyCertificate(cert); 261 void ParseDate(const SECItem* der_date, base::Time* result) {
307 return false; 262 PRTime prtime;
308 } 263 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date);
309 264 DCHECK_EQ(SECSuccess, rv);
310 DCHECK(cert->derCert.len); 265 *result = crypto::PRTimeToBaseTime(prtime);
311 // XXX copied from X509Certificate::GetDEREncoded 266 }
312 der_cert->clear(); 267
313 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), 268 std::string ParseSerialNumber(const CERTCertificate* certificate) {
314 cert->derCert.len); 269 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data),
315 CERT_DestroyCertificate(cert); 270 certificate->serialNumber.len);
316 return true; 271 }
317 } 272
273 void GetSubjectAltName(CERTCertificate* cert_handle,
274 std::vector<std::string>* dns_names,
275 std::vector<std::string>* ip_addrs) {
276 if (dns_names)
277 dns_names->clear();
278 if (ip_addrs)
279 ip_addrs->clear();
280
281 SECItem alt_name;
282 SECStatus rv = CERT_FindCertExtension(
283 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
284 if (rv != SECSuccess)
285 return;
286
287 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
288 DCHECK(arena != NULL);
289
290 CERTGeneralName* alt_name_list;
291 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name);
292 SECITEM_FreeItem(&alt_name, PR_FALSE);
293
294 CERTGeneralName* name = alt_name_list;
295 while (name) {
296 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs
297 // respectively, both of which can be byte copied from
298 // SECItemType::data into the appropriate output vector.
299 if (dns_names && name->type == certDNSName) {
300 dns_names->push_back(
301 std::string(reinterpret_cast<char*>(name->name.other.data),
302 name->name.other.len));
303 } else if (ip_addrs && name->type == certIPAddress) {
304 ip_addrs->push_back(
305 std::string(reinterpret_cast<char*>(name->name.other.data),
306 name->name.other.len));
307 }
308 name = CERT_GetNextGeneralName(name);
309 if (name == alt_name_list)
310 break;
311 }
312 PORT_FreeArena(arena, PR_FALSE);
313 }
314
315 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes(
316 const char* data,
317 int length,
318 X509Certificate::Format format) {
319 X509Certificate::OSCertHandles results;
320 if (length < 0)
321 return results;
322
323 crypto::EnsureNSSInit();
324
325 if (!NSS_IsInitialized())
326 return results;
327
328 switch (format) {
329 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: {
330 X509Certificate::OSCertHandle handle =
331 X509Certificate::CreateOSCertHandleFromBytes(data, length);
332 if (handle)
333 results.push_back(handle);
334 break;
335 }
336 case X509Certificate::FORMAT_PKCS7: {
337 // Make a copy since CERT_DecodeCertPackage may modify it
338 std::vector<char> data_copy(data, data + length);
339
340 SECStatus result = CERT_DecodeCertPackage(&data_copy[0], length,
341 CollectCertsCallback, &results);
342 if (result != SECSuccess)
343 results.clear();
344 break;
345 }
346 default:
347 NOTREACHED() << "Certificate format " << format << " unimplemented";
348 break;
349 }
350
351 return results;
352 }
353
354 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle(
355 PickleIterator* pickle_iter) {
356 const char* data;
357 int length;
358 if (!pickle_iter->ReadData(&data, &length))
359 return NULL;
360
361 return X509Certificate::CreateOSCertHandleFromBytes(data, length);
362 }
363
364 void GetPublicKeyInfo(CERTCertificate* handle,
365 size_t* size_bits,
366 X509Certificate::PublicKeyType* type) {
367 // Since we might fail, set the output parameters to default values first.
368 *type = X509Certificate::kPublicKeyTypeUnknown;
369 *size_bits = 0;
370
371 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle));
372 if (!key.get())
373 return;
374
375 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get());
376
377 switch (key->keyType) {
378 case rsaKey:
379 *type = X509Certificate::kPublicKeyTypeRSA;
380 break;
381 case dsaKey:
382 *type = X509Certificate::kPublicKeyTypeDSA;
383 break;
384 case dhKey:
385 *type = X509Certificate::kPublicKeyTypeDH;
386 break;
387 case ecKey:
388 *type = X509Certificate::kPublicKeyTypeECDSA;
389 break;
390 default:
391 *type = X509Certificate::kPublicKeyTypeUnknown;
392 *size_bits = 0;
393 break;
394 }
395 }
396
397 bool GetIssuersFromEncodedList(const std::vector<std::string>& encoded_issuers,
398 PLArenaPool* arena,
399 std::vector<CERTName*>* out) {
400 std::vector<CERTName*> result;
401 for (size_t n = 0; n < encoded_issuers.size(); ++n) {
402 CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]);
403 if (name != NULL)
404 result.push_back(name);
405 }
406
407 if (result.size() == encoded_issuers.size()) {
408 out->swap(result);
409 return true;
410 }
411
412 for (size_t n = 0; n < result.size(); ++n)
413 CERT_DestroyName(result[n]);
414 return false;
415 }
416
417 bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain,
418 const std::vector<CERTName*>& valid_issuers) {
419 for (size_t n = 0; n < cert_chain.size(); ++n) {
420 CERTName* cert_issuer = &cert_chain[n]->issuer;
421 for (size_t i = 0; i < valid_issuers.size(); ++i) {
422 if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual)
423 return true;
424 }
425 }
426 return false;
427 }
428
429 std::string GetUniqueNicknameForSlot(const std::string& nickname,
430 const SECItem* subject,
431 PK11SlotInfo* slot) {
432 int index = 2;
433 std::string new_name = nickname;
434 std::string temp_nickname = new_name;
435 std::string token_name;
436
437 if (!slot)
438 return new_name;
439
440 if (!PK11_IsInternalKeySlot(slot)) {
441 token_name.assign(PK11_GetTokenName(slot));
442 token_name.append(":");
443
444 temp_nickname = token_name + new_name;
445 }
446
447 while (SEC_CertNicknameConflict(temp_nickname.c_str(),
448 const_cast<SECItem*>(subject),
449 CERT_GetDefaultCertDB())) {
450 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++);
451 temp_nickname = token_name + new_name;
452 }
453
454 return new_name;
455 }
456
457 #endif // defined(USE_NSS) || defined(OS_IOS)
318 458
319 } // namespace x509_util 459 } // namespace x509_util
320 460
321 } // namespace net 461 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/x509_util.cc ('k') | net/cert/x509_util_nss_unittest.cc » ('j') | net/quic/test_tools/crypto_test_utils_nss.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698