OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
7 | 7 |
8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
9 #include <certdb.h> | 9 #include <certdb.h> |
10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
(...skipping 15 matching lines...) Expand all Loading... | |
26 #include "crypto/nss_util_internal.h" | 26 #include "crypto/nss_util_internal.h" |
27 #include "crypto/rsa_private_key.h" | 27 #include "crypto/rsa_private_key.h" |
28 #include "crypto/scoped_nss_types.h" | 28 #include "crypto/scoped_nss_types.h" |
29 #include "crypto/third_party/nss/chromium-nss.h" | 29 #include "crypto/third_party/nss/chromium-nss.h" |
30 #include "net/cert/x509_certificate.h" | 30 #include "net/cert/x509_certificate.h" |
31 | 31 |
32 namespace net { | 32 namespace net { |
33 | 33 |
34 namespace { | 34 namespace { |
35 | 35 |
36 class ChannelIDOIDWrapper { | |
37 public: | |
38 static ChannelIDOIDWrapper* GetInstance() { | |
39 // Instantiated as a leaky singleton to allow the singleton to be | |
40 // constructed on a worker thead that is not joined when a process | |
41 // shuts down. | |
42 return Singleton<ChannelIDOIDWrapper, | |
43 LeakySingletonTraits<ChannelIDOIDWrapper> >::get(); | |
44 } | |
45 | |
46 SECOidTag domain_bound_cert_oid_tag() const { | |
47 return domain_bound_cert_oid_tag_; | |
48 } | |
49 | |
50 private: | |
51 friend struct DefaultSingletonTraits<ChannelIDOIDWrapper>; | |
52 | |
53 ChannelIDOIDWrapper(); | |
54 | |
55 SECOidTag domain_bound_cert_oid_tag_; | |
56 | |
57 DISALLOW_COPY_AND_ASSIGN(ChannelIDOIDWrapper); | |
58 }; | |
59 | |
60 ChannelIDOIDWrapper::ChannelIDOIDWrapper() | |
61 : domain_bound_cert_oid_tag_(SEC_OID_UNKNOWN) { | |
62 // 1.3.6.1.4.1.11129.2.1.6 | |
63 // (iso.org.dod.internet.private.enterprises.google.googleSecurity. | |
64 // certificateExtensions.originBoundCertificate) | |
65 static const uint8 kObCertOID[] = { | |
66 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06 | |
67 }; | |
68 SECOidData oid_data; | |
69 memset(&oid_data, 0, sizeof(oid_data)); | |
70 oid_data.oid.data = const_cast<uint8*>(kObCertOID); | |
71 oid_data.oid.len = sizeof(kObCertOID); | |
72 oid_data.offset = SEC_OID_UNKNOWN; | |
73 oid_data.desc = "Origin Bound Certificate"; | |
74 oid_data.mechanism = CKM_INVALID_MECHANISM; | |
75 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; | |
76 domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); | |
77 if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) | |
78 LOG(ERROR) << "OB_CERT OID tag creation failed"; | |
79 } | |
80 | |
81 // Creates a Certificate object that may be passed to the SignCertificate | 36 // Creates a Certificate object that may be passed to the SignCertificate |
82 // method to generate an X509 certificate. | 37 // method to generate an X509 certificate. |
83 // Returns NULL if an error is encountered in the certificate creation | 38 // Returns NULL if an error is encountered in the certificate creation |
84 // process. | 39 // process. |
85 // Caller responsible for freeing returned certificate object. | 40 // Caller responsible for freeing returned certificate object. |
86 CERTCertificate* CreateCertificate( | 41 CERTCertificate* CreateCertificate( |
87 SECKEYPublicKey* public_key, | 42 SECKEYPublicKey* public_key, |
88 const std::string& subject, | 43 const std::string& subject, |
89 uint32 serial_number, | 44 uint32 serial_number, |
90 base::Time not_valid_before, | 45 base::Time not_valid_before, |
(...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
232 crypto::BaseTimeToPRTime(not_valid_before), | 187 crypto::BaseTimeToPRTime(not_valid_before), |
233 crypto::BaseTimeToPRTime(not_valid_after)); | 188 crypto::BaseTimeToPRTime(not_valid_after)); |
234 | 189 |
235 if (!validity) | 190 if (!validity) |
236 return false; | 191 return false; |
237 | 192 |
238 CERT_DestroyValidity(validity); | 193 CERT_DestroyValidity(validity); |
239 return true; | 194 return true; |
240 } | 195 } |
241 | 196 |
242 bool CreateChannelIDEC(crypto::ECPrivateKey* key, | 197 #if defined(USE_NSS) || defined(OS_IOS) |
243 DigestAlgorithm alg, | 198 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { |
mattm
2015/04/30 00:30:11
Looks like a bad merge here actually.
nharper
2015/04/30 20:31:55
Done.
| |
244 const std::string& domain, | 199 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. |
245 uint32 serial_number, | 200 #if NSS_VMINOR >= 15 |
246 base::Time not_valid_before, | 201 typedef char* (*CERTGetNameFunc)(const CERTName* name); |
247 base::Time not_valid_after, | 202 #else |
248 std::string* der_cert) { | 203 typedef char* (*CERTGetNameFunc)(CERTName* name); |
249 DCHECK(key); | 204 #endif |
250 | 205 |
251 CERTCertificate* cert = CreateCertificate(key->public_key(), | 206 // TODO(jcampan): add business_category and serial_number. |
252 "CN=anonymous.invalid", | 207 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
253 serial_number, | 208 // CERT_GetDomainComponentName functions, but they return only the most |
254 not_valid_before, | 209 // general (the first) RDN. NSS doesn't have a function for the street |
255 not_valid_after); | 210 // address. |
256 | 211 static const SECOidTag kOIDs[] = {SEC_OID_AVA_STREET_ADDRESS, |
257 if (!cert) | 212 SEC_OID_AVA_ORGANIZATION_NAME, |
258 return false; | 213 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, |
259 | 214 SEC_OID_AVA_DC}; |
260 // Create opaque handle used to add extensions later. | 215 |
261 void* cert_handle; | 216 std::vector<std::string>* values[] = {&principal->street_addresses, |
262 if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { | 217 &principal->organization_names, |
263 LOG(ERROR) << "Unable to get opaque handle for adding extensions"; | 218 &principal->organization_unit_names, |
264 CERT_DestroyCertificate(cert); | 219 &principal->domain_components}; |
265 return false; | 220 DCHECK_EQ(arraysize(kOIDs), arraysize(values)); |
266 } | 221 |
267 | 222 CERTRDN** rdns = name->rdns; |
268 // Create SECItem for IA5String encoding. | 223 for (size_t rdn = 0; rdns[rdn]; ++rdn) { |
269 SECItem domain_string_item = { | 224 CERTAVA** avas = rdns[rdn]->avas; |
270 siAsciiString, | 225 for (size_t pair = 0; avas[pair] != 0; ++pair) { |
271 (unsigned char*)domain.data(), | 226 SECOidTag tag = CERT_GetAVATag(avas[pair]); |
272 static_cast<unsigned>(domain.size()) | 227 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) { |
273 }; | 228 if (kOIDs[oid] == tag) { |
274 | 229 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); |
275 // IA5Encode and arena allocate SECItem | 230 if (!decode_item) |
276 SECItem* asn1_domain_string = SEC_ASN1EncodeItem( | 231 break; |
277 cert->arena, NULL, &domain_string_item, | 232 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. |
278 SEC_ASN1_GET(SEC_IA5StringTemplate)); | 233 std::string value(reinterpret_cast<char*>(decode_item->data), |
279 if (asn1_domain_string == NULL) { | 234 decode_item->len); |
280 LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" | 235 values[oid]->push_back(value); |
281 " extension"; | 236 SECITEM_FreeItem(decode_item, PR_TRUE); |
282 CERT_DestroyCertificate(cert); | 237 break; |
283 return false; | 238 } |
284 } | 239 } |
285 | 240 } |
286 // Add the extension to the opaque handle | 241 } |
287 if (CERT_AddExtension( | 242 |
288 cert_handle, | 243 // Get CN, L, S, and C. |
289 ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), | 244 CERTGetNameFunc get_name_funcs[4] = {CERT_GetCommonName, |
290 asn1_domain_string, | 245 CERT_GetLocalityName, |
291 PR_TRUE, | 246 CERT_GetStateName, |
292 PR_TRUE) != SECSuccess){ | 247 CERT_GetCountryName}; |
293 LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; | 248 std::string* single_values[4] = {&principal->common_name, |
294 CERT_DestroyCertificate(cert); | 249 &principal->locality_name, |
295 return false; | 250 &principal->state_or_province_name, |
296 } | 251 &principal->country_name}; |
297 | 252 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { |
298 // Copy extension into x509 cert | 253 char* value = get_name_funcs[i](name); |
299 if (CERT_FinishExtensions(cert_handle) != SECSuccess){ | 254 if (value) { |
300 LOG(ERROR) << "Unable to copy extension to X509 cert"; | 255 single_values[i]->assign(value); |
301 CERT_DestroyCertificate(cert); | 256 PORT_Free(value); |
302 return false; | 257 } |
303 } | 258 } |
304 | 259 } |
305 if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { | 260 |
306 CERT_DestroyCertificate(cert); | 261 void ParseDate(const SECItem* der_date, base::Time* result) { |
307 return false; | 262 PRTime prtime; |
308 } | 263 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date); |
309 | 264 DCHECK_EQ(SECSuccess, rv); |
310 DCHECK(cert->derCert.len); | 265 *result = crypto::PRTimeToBaseTime(prtime); |
311 // XXX copied from X509Certificate::GetDEREncoded | 266 } |
312 der_cert->clear(); | 267 |
313 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | 268 std::string ParseSerialNumber(const CERTCertificate* certificate) { |
314 cert->derCert.len); | 269 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data), |
315 CERT_DestroyCertificate(cert); | 270 certificate->serialNumber.len); |
316 return true; | 271 } |
317 } | 272 |
273 void GetSubjectAltName(CERTCertificate* cert_handle, | |
274 std::vector<std::string>* dns_names, | |
275 std::vector<std::string>* ip_addrs) { | |
276 if (dns_names) | |
277 dns_names->clear(); | |
278 if (ip_addrs) | |
279 ip_addrs->clear(); | |
280 | |
281 SECItem alt_name; | |
282 SECStatus rv = CERT_FindCertExtension( | |
283 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name); | |
284 if (rv != SECSuccess) | |
285 return; | |
286 | |
287 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
288 DCHECK(arena != NULL); | |
289 | |
290 CERTGeneralName* alt_name_list; | |
291 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name); | |
292 SECITEM_FreeItem(&alt_name, PR_FALSE); | |
293 | |
294 CERTGeneralName* name = alt_name_list; | |
295 while (name) { | |
296 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs | |
297 // respectively, both of which can be byte copied from | |
298 // SECItemType::data into the appropriate output vector. | |
299 if (dns_names && name->type == certDNSName) { | |
300 dns_names->push_back( | |
301 std::string(reinterpret_cast<char*>(name->name.other.data), | |
302 name->name.other.len)); | |
303 } else if (ip_addrs && name->type == certIPAddress) { | |
304 ip_addrs->push_back( | |
305 std::string(reinterpret_cast<char*>(name->name.other.data), | |
306 name->name.other.len)); | |
307 } | |
308 name = CERT_GetNextGeneralName(name); | |
309 if (name == alt_name_list) | |
310 break; | |
311 } | |
312 PORT_FreeArena(arena, PR_FALSE); | |
313 } | |
314 | |
315 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( | |
316 const char* data, | |
317 int length, | |
318 X509Certificate::Format format) { | |
319 X509Certificate::OSCertHandles results; | |
320 if (length < 0) | |
321 return results; | |
322 | |
323 crypto::EnsureNSSInit(); | |
324 | |
325 if (!NSS_IsInitialized()) | |
326 return results; | |
327 | |
328 switch (format) { | |
329 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: { | |
330 X509Certificate::OSCertHandle handle = | |
331 X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
332 if (handle) | |
333 results.push_back(handle); | |
334 break; | |
335 } | |
336 case X509Certificate::FORMAT_PKCS7: { | |
337 // Make a copy since CERT_DecodeCertPackage may modify it | |
338 std::vector<char> data_copy(data, data + length); | |
339 | |
340 SECStatus result = CERT_DecodeCertPackage(&data_copy[0], length, | |
341 CollectCertsCallback, &results); | |
342 if (result != SECSuccess) | |
343 results.clear(); | |
344 break; | |
345 } | |
346 default: | |
347 NOTREACHED() << "Certificate format " << format << " unimplemented"; | |
348 break; | |
349 } | |
350 | |
351 return results; | |
352 } | |
353 | |
354 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle( | |
355 PickleIterator* pickle_iter) { | |
356 const char* data; | |
357 int length; | |
358 if (!pickle_iter->ReadData(&data, &length)) | |
359 return NULL; | |
360 | |
361 return X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
362 } | |
363 | |
364 void GetPublicKeyInfo(CERTCertificate* handle, | |
365 size_t* size_bits, | |
366 X509Certificate::PublicKeyType* type) { | |
367 // Since we might fail, set the output parameters to default values first. | |
368 *type = X509Certificate::kPublicKeyTypeUnknown; | |
369 *size_bits = 0; | |
370 | |
371 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle)); | |
372 if (!key.get()) | |
373 return; | |
374 | |
375 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get()); | |
376 | |
377 switch (key->keyType) { | |
378 case rsaKey: | |
379 *type = X509Certificate::kPublicKeyTypeRSA; | |
380 break; | |
381 case dsaKey: | |
382 *type = X509Certificate::kPublicKeyTypeDSA; | |
383 break; | |
384 case dhKey: | |
385 *type = X509Certificate::kPublicKeyTypeDH; | |
386 break; | |
387 case ecKey: | |
388 *type = X509Certificate::kPublicKeyTypeECDSA; | |
389 break; | |
390 default: | |
391 *type = X509Certificate::kPublicKeyTypeUnknown; | |
392 *size_bits = 0; | |
393 break; | |
394 } | |
395 } | |
396 | |
397 bool GetIssuersFromEncodedList(const std::vector<std::string>& encoded_issuers, | |
398 PLArenaPool* arena, | |
399 std::vector<CERTName*>* out) { | |
400 std::vector<CERTName*> result; | |
401 for (size_t n = 0; n < encoded_issuers.size(); ++n) { | |
402 CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]); | |
403 if (name != NULL) | |
404 result.push_back(name); | |
405 } | |
406 | |
407 if (result.size() == encoded_issuers.size()) { | |
408 out->swap(result); | |
409 return true; | |
410 } | |
411 | |
412 for (size_t n = 0; n < result.size(); ++n) | |
413 CERT_DestroyName(result[n]); | |
414 return false; | |
415 } | |
416 | |
417 bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain, | |
418 const std::vector<CERTName*>& valid_issuers) { | |
419 for (size_t n = 0; n < cert_chain.size(); ++n) { | |
420 CERTName* cert_issuer = &cert_chain[n]->issuer; | |
421 for (size_t i = 0; i < valid_issuers.size(); ++i) { | |
422 if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual) | |
423 return true; | |
424 } | |
425 } | |
426 return false; | |
427 } | |
428 | |
429 std::string GetUniqueNicknameForSlot(const std::string& nickname, | |
430 const SECItem* subject, | |
431 PK11SlotInfo* slot) { | |
432 int index = 2; | |
433 std::string new_name = nickname; | |
434 std::string temp_nickname = new_name; | |
435 std::string token_name; | |
436 | |
437 if (!slot) | |
438 return new_name; | |
439 | |
440 if (!PK11_IsInternalKeySlot(slot)) { | |
441 token_name.assign(PK11_GetTokenName(slot)); | |
442 token_name.append(":"); | |
443 | |
444 temp_nickname = token_name + new_name; | |
445 } | |
446 | |
447 while (SEC_CertNicknameConflict(temp_nickname.c_str(), | |
448 const_cast<SECItem*>(subject), | |
449 CERT_GetDefaultCertDB())) { | |
450 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++); | |
451 temp_nickname = token_name + new_name; | |
452 } | |
453 | |
454 return new_name; | |
455 } | |
456 | |
457 #endif // defined(USE_NSS) || defined(OS_IOS) | |
318 | 458 |
319 } // namespace x509_util | 459 } // namespace x509_util |
320 | 460 |
321 } // namespace net | 461 } // namespace net |
OLD | NEW |