Chromium Code Reviews Chromium Code Reviews
Issue 1076063002:
Remove certificates from Channel ID (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
| 9 #include <certdb.h> | 9 #include <certdb.h> |
| 10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 26 #include "crypto/nss_util_internal.h" | 26 #include "crypto/nss_util_internal.h" |
| 27 #include "crypto/rsa_private_key.h" | 27 #include "crypto/rsa_private_key.h" |
| 28 #include "crypto/scoped_nss_types.h" | 28 #include "crypto/scoped_nss_types.h" |
| 29 #include "crypto/third_party/nss/chromium-nss.h" | 29 #include "crypto/third_party/nss/chromium-nss.h" |
| 30 #include "net/cert/x509_certificate.h" | 30 #include "net/cert/x509_certificate.h" |
| 31 | 31 |
| 32 namespace net { | 32 namespace net { |
| 33 | 33 |
| 34 namespace { | 34 namespace { |
| 35 | 35 |
| 36 class ChannelIDOIDWrapper { | |
| 37 public: | |
| 38 static ChannelIDOIDWrapper* GetInstance() { | |
| 39 // Instantiated as a leaky singleton to allow the singleton to be | |
| 40 // constructed on a worker thead that is not joined when a process | |
| 41 // shuts down. | |
| 42 return Singleton<ChannelIDOIDWrapper, | |
| 43 LeakySingletonTraits<ChannelIDOIDWrapper> >::get(); | |
| 44 } | |
| 45 | |
| 46 SECOidTag domain_bound_cert_oid_tag() const { | |
| 47 return domain_bound_cert_oid_tag_; | |
| 48 } | |
| 49 | |
| 50 private: | |
| 51 friend struct DefaultSingletonTraits<ChannelIDOIDWrapper>; | |
| 52 | |
| 53 ChannelIDOIDWrapper(); | |
| 54 | |
| 55 SECOidTag domain_bound_cert_oid_tag_; | |
| 56 | |
| 57 DISALLOW_COPY_AND_ASSIGN(ChannelIDOIDWrapper); | |
| 58 }; | |
| 59 | |
| 60 ChannelIDOIDWrapper::ChannelIDOIDWrapper() | |
| 61 : domain_bound_cert_oid_tag_(SEC_OID_UNKNOWN) { | |
| 62 // 1.3.6.1.4.1.11129.2.1.6 | |
| 63 // (iso.org.dod.internet.private.enterprises.google.googleSecurity. | |
| 64 // certificateExtensions.originBoundCertificate) | |
| 65 static const uint8 kObCertOID[] = { | |
| 66 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06 | |
| 67 }; | |
| 68 SECOidData oid_data; | |
| 69 memset(&oid_data, 0, sizeof(oid_data)); | |
| 70 oid_data.oid.data = const_cast<uint8*>(kObCertOID); | |
| 71 oid_data.oid.len = sizeof(kObCertOID); | |
| 72 oid_data.offset = SEC_OID_UNKNOWN; | |
| 73 oid_data.desc = "Origin Bound Certificate"; | |
| 74 oid_data.mechanism = CKM_INVALID_MECHANISM; | |
| 75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; | |
| 76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); | |
| 77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) | |
| 78 LOG(ERROR) << "OB_CERT OID tag creation failed"; | |
| 79 } | |
| 80 | |
| 81 // Creates a Certificate object that may be passed to the SignCertificate | 36 // Creates a Certificate object that may be passed to the SignCertificate |
| 82 // method to generate an X509 certificate. | 37 // method to generate an X509 certificate. |
| 83 // Returns NULL if an error is encountered in the certificate creation | 38 // Returns NULL if an error is encountered in the certificate creation |
| 84 // process. | 39 // process. |
| 85 // Caller responsible for freeing returned certificate object. | 40 // Caller responsible for freeing returned certificate object. |
| 86 CERTCertificate* CreateCertificate( | 41 CERTCertificate* CreateCertificate( |
| 87 SECKEYPublicKey* public_key, | 42 SECKEYPublicKey* public_key, |
| 88 const std::string& subject, | 43 const std::string& subject, |
| 89 uint32 serial_number, | 44 uint32 serial_number, |
| 90 base::Time not_valid_before, | 45 base::Time not_valid_before, |
| (...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 232 crypto::BaseTimeToPRTime(not_valid_before), | 187 crypto::BaseTimeToPRTime(not_valid_before), |
| 233 crypto::BaseTimeToPRTime(not_valid_after)); | 188 crypto::BaseTimeToPRTime(not_valid_after)); |
| 234 | 189 |
| 235 if (!validity) | 190 if (!validity) |
| 236 return false; | 191 return false; |
| 237 | 192 |
| 238 CERT_DestroyValidity(validity); | 193 CERT_DestroyValidity(validity); |
| 239 return true; | 194 return true; |
| 240 } | 195 } |
| 241 | 196 |
| 242 bool CreateChannelIDEC(crypto::ECPrivateKey* key, | 197 #if defined(USE_NSS) || defined(OS_IOS) |
| 243 DigestAlgorithm alg, | 198 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { |
|
mattm
2015/04/30 00:30:11
Looks like a bad merge here actually.
nharper
2015/04/30 20:31:55
Done.
| |
| 244 const std::string& domain, | 199 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. |
| 245 uint32 serial_number, | 200 #if NSS_VMINOR >= 15 |
| 246 base::Time not_valid_before, | 201 typedef char* (*CERTGetNameFunc)(const CERTName* name); |
| 247 base::Time not_valid_after, | 202 #else |
| 248 std::string* der_cert) { | 203 typedef char* (*CERTGetNameFunc)(CERTName* name); |
| 249 DCHECK(key); | 204 #endif |
| 250 | 205 |
| 251 CERTCertificate* cert = CreateCertificate(key->public_key(), | 206 // TODO(jcampan): add business_category and serial_number. |
| 252 "CN=anonymous.invalid", | 207 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
| 253 serial_number, | 208 // CERT_GetDomainComponentName functions, but they return only the most |
| 254 not_valid_before, | 209 // general (the first) RDN. NSS doesn't have a function for the street |
| 255 not_valid_after); | 210 // address. |
| 256 | 211 static const SECOidTag kOIDs[] = {SEC_OID_AVA_STREET_ADDRESS, |
| 257 if (!cert) | 212 SEC_OID_AVA_ORGANIZATION_NAME, |
| 258 return false; | 213 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, |
| 259 | 214 SEC_OID_AVA_DC}; |
| 260 // Create opaque handle used to add extensions later. | 215 |
| 261 void* cert_handle; | 216 std::vector<std::string>* values[] = {&principal->street_addresses, |
| 262 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | 217 &principal->organization_names, |
| 263 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | 218 &principal->organization_unit_names, |
| 264 CERT_DestroyCertificate(cert); | 219 &principal->domain_components}; |
| 265 return false; | 220 DCHECK_EQ(arraysize(kOIDs), arraysize(values)); |
| 266 } | 221 |
| 267 | 222 CERTRDN** rdns = name->rdns; |
| 268 // Create SECItem for IA5String encoding. | 223 for (size_t rdn = 0; rdns[rdn]; ++rdn) { |
| 269 SECItem domain_string_item = { | 224 CERTAVA** avas = rdns[rdn]->avas; |
| 270 siAsciiString, | 225 for (size_t pair = 0; avas[pair] != 0; ++pair) { |
| 271 (unsigned char*)domain.data(), | 226 SECOidTag tag = CERT_GetAVATag(avas[pair]); |
| 272 static_cast<unsigned>(domain.size()) | 227 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) { |
| 273 }; | 228 if (kOIDs[oid] == tag) { |
| 274 | 229 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); |
| 275 // IA5Encode and arena allocate SECItem | 230 if (!decode_item) |
| 276 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( | 231 break; |
| 277 cert->arena, NULL, &domain_string_item, | 232 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. |
| 278 SEC_ASN1_GET(SEC_IA5StringTemplate)); | 233 std::string value(reinterpret_cast<char*>(decode_item->data), |
| 279 if (asn1_domain_string == NULL) { | 234 decode_item->len); |
| 280 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" | 235 values[oid]->push_back(value); |
| 281 " extension"; | 236 SECITEM_FreeItem(decode_item, PR_TRUE); |
| 282 CERT_DestroyCertificate(cert); | 237 break; |
| 283 return false; | 238 } |
| 284 } | 239 } |
| 285 | 240 } |
| 286 // Add the extension to the opaque handle | 241 } |
| 287 if (CERT_AddExtension( | 242 |
| 288 cert_handle, | 243 // Get CN, L, S, and C. |
| 289 ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), | 244 CERTGetNameFunc get_name_funcs[4] = {CERT_GetCommonName, |
| 290 asn1_domain_string, | 245 CERT_GetLocalityName, |
| 291 PR_TRUE, | 246 CERT_GetStateName, |
| 292 PR_TRUE) != SECSuccess){ | 247 CERT_GetCountryName}; |
| 293 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; | 248 std::string* single_values[4] = {&principal->common_name, |
| 294 CERT_DestroyCertificate(cert); | 249 &principal->locality_name, |
| 295 return false; | 250 &principal->state_or_province_name, |
| 296 } | 251 &principal->country_name}; |
| 297 | 252 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { |
| 298 // Copy extension into x509 cert | 253 char* value = get_name_funcs[i](name); |
| 299 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ | 254 if (value) { |
| 300 LOG(ERROR) << "Unable to copy extension to X509 cert"; | 255 single_values[i]->assign(value); |
| 301 CERT_DestroyCertificate(cert); | 256 PORT_Free(value); |
| 302 return false; | 257 } |
| 303 } | 258 } |
| 304 | 259 } |
| 305 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | 260 |
| 306 CERT_DestroyCertificate(cert); | 261 void ParseDate(const SECItem* der_date, base::Time* result) { |
| 307 return false; | 262 PRTime prtime; |
| 308 } | 263 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date); |
| 309 | 264 DCHECK_EQ(SECSuccess, rv); |
| 310 DCHECK(cert->derCert.len); | 265 *result = crypto::PRTimeToBaseTime(prtime); |
| 311 // XXX copied from X509Certificate::GetDEREncoded | 266 } |
| 312 der_cert->clear(); | 267 |
| 313 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | 268 std::string ParseSerialNumber(const CERTCertificate* certificate) { |
| 314 cert->derCert.len); | 269 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data), |
| 315 CERT_DestroyCertificate(cert); | 270 certificate->serialNumber.len); |
| 316 return true; | 271 } |
| 317 } | 272 |
| 273 void GetSubjectAltName(CERTCertificate* cert_handle, | |
| 274 std::vector<std::string>* dns_names, | |
| 275 std::vector<std::string>* ip_addrs) { | |
| 276 if (dns_names) | |
| 277 dns_names->clear(); | |
| 278 if (ip_addrs) | |
| 279 ip_addrs->clear(); | |
| 280 | |
| 281 SECItem alt_name; | |
| 282 SECStatus rv = CERT_FindCertExtension( | |
| 283 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name); | |
| 284 if (rv != SECSuccess) | |
| 285 return; | |
| 286 | |
| 287 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
| 288 DCHECK(arena != NULL); | |
| 289 | |
| 290 CERTGeneralName* alt_name_list; | |
| 291 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name); | |
| 292 SECITEM_FreeItem(&alt_name, PR_FALSE); | |
| 293 | |
| 294 CERTGeneralName* name = alt_name_list; | |
| 295 while (name) { | |
| 296 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs | |
| 297 // respectively, both of which can be byte copied from | |
| 298 // SECItemType::data into the appropriate output vector. | |
| 299 if (dns_names && name->type == certDNSName) { | |
| 300 dns_names->push_back( | |
| 301 std::string(reinterpret_cast<char*>(name->name.other.data), | |
| 302 name->name.other.len)); | |
| 303 } else if (ip_addrs && name->type == certIPAddress) { | |
| 304 ip_addrs->push_back( | |
| 305 std::string(reinterpret_cast<char*>(name->name.other.data), | |
| 306 name->name.other.len)); | |
| 307 } | |
| 308 name = CERT_GetNextGeneralName(name); | |
| 309 if (name == alt_name_list) | |
| 310 break; | |
| 311 } | |
| 312 PORT_FreeArena(arena, PR_FALSE); | |
| 313 } | |
| 314 | |
| 315 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( | |
| 316 const char* data, | |
| 317 int length, | |
| 318 X509Certificate::Format format) { | |
| 319 X509Certificate::OSCertHandles results; | |
| 320 if (length < 0) | |
| 321 return results; | |
| 322 | |
| 323 crypto::EnsureNSSInit(); | |
| 324 | |
| 325 if (!NSS_IsInitialized()) | |
| 326 return results; | |
| 327 | |
| 328 switch (format) { | |
| 329 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: { | |
| 330 X509Certificate::OSCertHandle handle = | |
| 331 X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
| 332 if (handle) | |
| 333 results.push_back(handle); | |
| 334 break; | |
| 335 } | |
| 336 case X509Certificate::FORMAT_PKCS7: { | |
| 337 // Make a copy since CERT_DecodeCertPackage may modify it | |
| 338 std::vector<char> data_copy(data, data + length); | |
| 339 | |
| 340 SECStatus result = CERT_DecodeCertPackage(&data_copy[0], length, | |
| 341 CollectCertsCallback, &results); | |
| 342 if (result != SECSuccess) | |
| 343 results.clear(); | |
| 344 break; | |
| 345 } | |
| 346 default: | |
| 347 NOTREACHED() << "Certificate format " << format << " unimplemented"; | |
| 348 break; | |
| 349 } | |
| 350 | |
| 351 return results; | |
| 352 } | |
| 353 | |
| 354 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle( | |
| 355 PickleIterator* pickle_iter) { | |
| 356 const char* data; | |
| 357 int length; | |
| 358 if (!pickle_iter->ReadData(&data, &length)) | |
| 359 return NULL; | |
| 360 | |
| 361 return X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
| 362 } | |
| 363 | |
| 364 void GetPublicKeyInfo(CERTCertificate* handle, | |
| 365 size_t* size_bits, | |
| 366 X509Certificate::PublicKeyType* type) { | |
| 367 // Since we might fail, set the output parameters to default values first. | |
| 368 *type = X509Certificate::kPublicKeyTypeUnknown; | |
| 369 *size_bits = 0; | |
| 370 | |
| 371 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle)); | |
| 372 if (!key.get()) | |
| 373 return; | |
| 374 | |
| 375 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get()); | |
| 376 | |
| 377 switch (key->keyType) { | |
| 378 case rsaKey: | |
| 379 *type = X509Certificate::kPublicKeyTypeRSA; | |
| 380 break; | |
| 381 case dsaKey: | |
| 382 *type = X509Certificate::kPublicKeyTypeDSA; | |
| 383 break; | |
| 384 case dhKey: | |
| 385 *type = X509Certificate::kPublicKeyTypeDH; | |
| 386 break; | |
| 387 case ecKey: | |
| 388 *type = X509Certificate::kPublicKeyTypeECDSA; | |
| 389 break; | |
| 390 default: | |
| 391 *type = X509Certificate::kPublicKeyTypeUnknown; | |
| 392 *size_bits = 0; | |
| 393 break; | |
| 394 } | |
| 395 } | |
| 396 | |
| 397 bool GetIssuersFromEncodedList(const std::vector<std::string>& encoded_issuers, | |
| 398 PLArenaPool* arena, | |
| 399 std::vector<CERTName*>* out) { | |
| 400 std::vector<CERTName*> result; | |
| 401 for (size_t n = 0; n < encoded_issuers.size(); ++n) { | |
| 402 CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]); | |
| 403 if (name != NULL) | |
| 404 result.push_back(name); | |
| 405 } | |
| 406 | |
| 407 if (result.size() == encoded_issuers.size()) { | |
| 408 out->swap(result); | |
| 409 return true; | |
| 410 } | |
| 411 | |
| 412 for (size_t n = 0; n < result.size(); ++n) | |
| 413 CERT_DestroyName(result[n]); | |
| 414 return false; | |
| 415 } | |
| 416 | |
| 417 bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain, | |
| 418 const std::vector<CERTName*>& valid_issuers) { | |
| 419 for (size_t n = 0; n < cert_chain.size(); ++n) { | |
| 420 CERTName* cert_issuer = &cert_chain[n]->issuer; | |
| 421 for (size_t i = 0; i < valid_issuers.size(); ++i) { | |
| 422 if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual) | |
| 423 return true; | |
| 424 } | |
| 425 } | |
| 426 return false; | |
| 427 } | |
| 428 | |
| 429 std::string GetUniqueNicknameForSlot(const std::string& nickname, | |
| 430 const SECItem* subject, | |
| 431 PK11SlotInfo* slot) { | |
| 432 int index = 2; | |
| 433 std::string new_name = nickname; | |
| 434 std::string temp_nickname = new_name; | |
| 435 std::string token_name; | |
| 436 | |
| 437 if (!slot) | |
| 438 return new_name; | |
| 439 | |
| 440 if (!PK11_IsInternalKeySlot(slot)) { | |
| 441 token_name.assign(PK11_GetTokenName(slot)); | |
| 442 token_name.append(":"); | |
| 443 | |
| 444 temp_nickname = token_name + new_name; | |
| 445 } | |
| 446 | |
| 447 while (SEC_CertNicknameConflict(temp_nickname.c_str(), | |
| 448 const_cast<SECItem*>(subject), | |
| 449 CERT_GetDefaultCertDB())) { | |
| 450 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++); | |
| 451 temp_nickname = token_name + new_name; | |
| 452 } | |
| 453 | |
| 454 return new_name; | |
| 455 } | |
| 456 | |
| 457 #endif // defined(USE_NSS) || defined(OS_IOS) | |
| 318 | 458 |
| 319 } // namespace x509_util | 459 } // namespace x509_util |
| 320 | 460 |
| 321 } // namespace net | 461 } // namespace net |
| OLD | NEW |
