Index: net/cert/x509_util_nss.cc |
diff --git a/net/cert/x509_util_nss.cc b/net/cert/x509_util_nss.cc |
index ecdf08ba8d741d7b96aaace1669fd69d69874059..abc4fe8274ee041fba49c5a8ddbf25f745550997 100644 |
--- a/net/cert/x509_util_nss.cc |
+++ b/net/cert/x509_util_nss.cc |
@@ -33,51 +33,6 @@ namespace net { |
namespace { |
-class ChannelIDOIDWrapper { |
- public: |
- static ChannelIDOIDWrapper* GetInstance() { |
- // Instantiated as a leaky singleton to allow the singleton to be |
- // constructed on a worker thead that is not joined when a process |
- // shuts down. |
- return Singleton<ChannelIDOIDWrapper, |
- LeakySingletonTraits<ChannelIDOIDWrapper> >::get(); |
- } |
- |
- SECOidTag domain_bound_cert_oid_tag() const { |
- return domain_bound_cert_oid_tag_; |
- } |
- |
- private: |
- friend struct DefaultSingletonTraits<ChannelIDOIDWrapper>; |
- |
- ChannelIDOIDWrapper(); |
- |
- SECOidTag domain_bound_cert_oid_tag_; |
- |
- DISALLOW_COPY_AND_ASSIGN(ChannelIDOIDWrapper); |
-}; |
- |
-ChannelIDOIDWrapper::ChannelIDOIDWrapper() |
- : domain_bound_cert_oid_tag_(SEC_OID_UNKNOWN) { |
- // 1.3.6.1.4.1.11129.2.1.6 |
- // (iso.org.dod.internet.private.enterprises.google.googleSecurity. |
- // certificateExtensions.originBoundCertificate) |
- static const uint8 kObCertOID[] = { |
- 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x06 |
- }; |
- SECOidData oid_data; |
- memset(&oid_data, 0, sizeof(oid_data)); |
- oid_data.oid.data = const_cast<uint8*>(kObCertOID); |
- oid_data.oid.len = sizeof(kObCertOID); |
- oid_data.offset = SEC_OID_UNKNOWN; |
- oid_data.desc = "Origin Bound Certificate"; |
- oid_data.mechanism = CKM_INVALID_MECHANISM; |
- oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; |
- domain_bound_cert_oid_tag_ = SECOID_AddEntry(&oid_data); |
- if (domain_bound_cert_oid_tag_ == SEC_OID_UNKNOWN) |
- LOG(ERROR) << "OB_CERT OID tag creation failed"; |
-} |
- |
// Creates a Certificate object that may be passed to the SignCertificate |
// method to generate an X509 certificate. |
// Returns NULL if an error is encountered in the certificate creation |
@@ -239,83 +194,268 @@ bool IsSupportedValidityRange(base::Time not_valid_before, |
return true; |
} |
-bool CreateChannelIDEC(crypto::ECPrivateKey* key, |
- DigestAlgorithm alg, |
- const std::string& domain, |
- uint32 serial_number, |
- base::Time not_valid_before, |
- base::Time not_valid_after, |
- std::string* der_cert) { |
- DCHECK(key); |
+#if defined(USE_NSS) || defined(OS_IOS) |
+void ParsePrincipal(CERTName* name, CertPrincipal* principal) { |
mattm
2015/04/30 00:30:11
Looks like a bad merge here actually.
nharper
2015/04/30 20:31:55
Done.
|
+// Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. |
+#if NSS_VMINOR >= 15 |
+ typedef char* (*CERTGetNameFunc)(const CERTName* name); |
+#else |
+ typedef char* (*CERTGetNameFunc)(CERTName* name); |
+#endif |
+ |
+ // TODO(jcampan): add business_category and serial_number. |
+ // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and |
+ // CERT_GetDomainComponentName functions, but they return only the most |
+ // general (the first) RDN. NSS doesn't have a function for the street |
+ // address. |
+ static const SECOidTag kOIDs[] = {SEC_OID_AVA_STREET_ADDRESS, |
+ SEC_OID_AVA_ORGANIZATION_NAME, |
+ SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, |
+ SEC_OID_AVA_DC}; |
+ |
+ std::vector<std::string>* values[] = {&principal->street_addresses, |
+ &principal->organization_names, |
+ &principal->organization_unit_names, |
+ &principal->domain_components}; |
+ DCHECK_EQ(arraysize(kOIDs), arraysize(values)); |
+ |
+ CERTRDN** rdns = name->rdns; |
+ for (size_t rdn = 0; rdns[rdn]; ++rdn) { |
+ CERTAVA** avas = rdns[rdn]->avas; |
+ for (size_t pair = 0; avas[pair] != 0; ++pair) { |
+ SECOidTag tag = CERT_GetAVATag(avas[pair]); |
+ for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) { |
+ if (kOIDs[oid] == tag) { |
+ SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); |
+ if (!decode_item) |
+ break; |
+ // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. |
+ std::string value(reinterpret_cast<char*>(decode_item->data), |
+ decode_item->len); |
+ values[oid]->push_back(value); |
+ SECITEM_FreeItem(decode_item, PR_TRUE); |
+ break; |
+ } |
+ } |
+ } |
+ } |
- CERTCertificate* cert = CreateCertificate(key->public_key(), |
- "CN=anonymous.invalid", |
- serial_number, |
- not_valid_before, |
- not_valid_after); |
+ // Get CN, L, S, and C. |
+ CERTGetNameFunc get_name_funcs[4] = {CERT_GetCommonName, |
+ CERT_GetLocalityName, |
+ CERT_GetStateName, |
+ CERT_GetCountryName}; |
+ std::string* single_values[4] = {&principal->common_name, |
+ &principal->locality_name, |
+ &principal->state_or_province_name, |
+ &principal->country_name}; |
+ for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { |
+ char* value = get_name_funcs[i](name); |
+ if (value) { |
+ single_values[i]->assign(value); |
+ PORT_Free(value); |
+ } |
+ } |
+} |
- if (!cert) |
- return false; |
+void ParseDate(const SECItem* der_date, base::Time* result) { |
+ PRTime prtime; |
+ SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date); |
+ DCHECK_EQ(SECSuccess, rv); |
+ *result = crypto::PRTimeToBaseTime(prtime); |
+} |
- // Create opaque handle used to add extensions later. |
- void* cert_handle; |
- if ((cert_handle = CERT_StartCertExtensions(cert)) == NULL) { |
- LOG(ERROR) << "Unable to get opaque handle for adding extensions"; |
- CERT_DestroyCertificate(cert); |
- return false; |
+std::string ParseSerialNumber(const CERTCertificate* certificate) { |
+ return std::string(reinterpret_cast<char*>(certificate->serialNumber.data), |
+ certificate->serialNumber.len); |
+} |
+ |
+void GetSubjectAltName(CERTCertificate* cert_handle, |
+ std::vector<std::string>* dns_names, |
+ std::vector<std::string>* ip_addrs) { |
+ if (dns_names) |
+ dns_names->clear(); |
+ if (ip_addrs) |
+ ip_addrs->clear(); |
+ |
+ SECItem alt_name; |
+ SECStatus rv = CERT_FindCertExtension( |
+ cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name); |
+ if (rv != SECSuccess) |
+ return; |
+ |
+ PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
+ DCHECK(arena != NULL); |
+ |
+ CERTGeneralName* alt_name_list; |
+ alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name); |
+ SECITEM_FreeItem(&alt_name, PR_FALSE); |
+ |
+ CERTGeneralName* name = alt_name_list; |
+ while (name) { |
+ // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs |
+ // respectively, both of which can be byte copied from |
+ // SECItemType::data into the appropriate output vector. |
+ if (dns_names && name->type == certDNSName) { |
+ dns_names->push_back( |
+ std::string(reinterpret_cast<char*>(name->name.other.data), |
+ name->name.other.len)); |
+ } else if (ip_addrs && name->type == certIPAddress) { |
+ ip_addrs->push_back( |
+ std::string(reinterpret_cast<char*>(name->name.other.data), |
+ name->name.other.len)); |
+ } |
+ name = CERT_GetNextGeneralName(name); |
+ if (name == alt_name_list) |
+ break; |
} |
+ PORT_FreeArena(arena, PR_FALSE); |
+} |
- // Create SECItem for IA5String encoding. |
- SECItem domain_string_item = { |
- siAsciiString, |
- (unsigned char*)domain.data(), |
- static_cast<unsigned>(domain.size()) |
- }; |
- |
- // IA5Encode and arena allocate SECItem |
- SECItem* asn1_domain_string = SEC_ASN1EncodeItem( |
- cert->arena, NULL, &domain_string_item, |
- SEC_ASN1_GET(SEC_IA5StringTemplate)); |
- if (asn1_domain_string == NULL) { |
- LOG(ERROR) << "Unable to get ASN1 encoding for domain in domain_bound_cert" |
- " extension"; |
- CERT_DestroyCertificate(cert); |
- return false; |
+X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( |
+ const char* data, |
+ int length, |
+ X509Certificate::Format format) { |
+ X509Certificate::OSCertHandles results; |
+ if (length < 0) |
+ return results; |
+ |
+ crypto::EnsureNSSInit(); |
+ |
+ if (!NSS_IsInitialized()) |
+ return results; |
+ |
+ switch (format) { |
+ case X509Certificate::FORMAT_SINGLE_CERTIFICATE: { |
+ X509Certificate::OSCertHandle handle = |
+ X509Certificate::CreateOSCertHandleFromBytes(data, length); |
+ if (handle) |
+ results.push_back(handle); |
+ break; |
+ } |
+ case X509Certificate::FORMAT_PKCS7: { |
+ // Make a copy since CERT_DecodeCertPackage may modify it |
+ std::vector<char> data_copy(data, data + length); |
+ |
+ SECStatus result = CERT_DecodeCertPackage(&data_copy[0], length, |
+ CollectCertsCallback, &results); |
+ if (result != SECSuccess) |
+ results.clear(); |
+ break; |
+ } |
+ default: |
+ NOTREACHED() << "Certificate format " << format << " unimplemented"; |
+ break; |
} |
- // Add the extension to the opaque handle |
- if (CERT_AddExtension( |
- cert_handle, |
- ChannelIDOIDWrapper::GetInstance()->domain_bound_cert_oid_tag(), |
- asn1_domain_string, |
- PR_TRUE, |
- PR_TRUE) != SECSuccess){ |
- LOG(ERROR) << "Unable to add domain bound cert extension to opaque handle"; |
- CERT_DestroyCertificate(cert); |
- return false; |
+ return results; |
+} |
+ |
+X509Certificate::OSCertHandle ReadOSCertHandleFromPickle( |
+ PickleIterator* pickle_iter) { |
+ const char* data; |
+ int length; |
+ if (!pickle_iter->ReadData(&data, &length)) |
+ return NULL; |
+ |
+ return X509Certificate::CreateOSCertHandleFromBytes(data, length); |
+} |
+ |
+void GetPublicKeyInfo(CERTCertificate* handle, |
+ size_t* size_bits, |
+ X509Certificate::PublicKeyType* type) { |
+ // Since we might fail, set the output parameters to default values first. |
+ *type = X509Certificate::kPublicKeyTypeUnknown; |
+ *size_bits = 0; |
+ |
+ crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle)); |
+ if (!key.get()) |
+ return; |
+ |
+ *size_bits = SECKEY_PublicKeyStrengthInBits(key.get()); |
+ |
+ switch (key->keyType) { |
+ case rsaKey: |
+ *type = X509Certificate::kPublicKeyTypeRSA; |
+ break; |
+ case dsaKey: |
+ *type = X509Certificate::kPublicKeyTypeDSA; |
+ break; |
+ case dhKey: |
+ *type = X509Certificate::kPublicKeyTypeDH; |
+ break; |
+ case ecKey: |
+ *type = X509Certificate::kPublicKeyTypeECDSA; |
+ break; |
+ default: |
+ *type = X509Certificate::kPublicKeyTypeUnknown; |
+ *size_bits = 0; |
+ break; |
} |
+} |
- // Copy extension into x509 cert |
- if (CERT_FinishExtensions(cert_handle) != SECSuccess){ |
- LOG(ERROR) << "Unable to copy extension to X509 cert"; |
- CERT_DestroyCertificate(cert); |
- return false; |
+bool GetIssuersFromEncodedList(const std::vector<std::string>& encoded_issuers, |
+ PLArenaPool* arena, |
+ std::vector<CERTName*>* out) { |
+ std::vector<CERTName*> result; |
+ for (size_t n = 0; n < encoded_issuers.size(); ++n) { |
+ CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]); |
+ if (name != NULL) |
+ result.push_back(name); |
} |
- if (!SignCertificate(cert, key->key(), ToSECOid(alg))) { |
- CERT_DestroyCertificate(cert); |
- return false; |
+ if (result.size() == encoded_issuers.size()) { |
+ out->swap(result); |
+ return true; |
} |
- DCHECK(cert->derCert.len); |
- // XXX copied from X509Certificate::GetDEREncoded |
- der_cert->clear(); |
- der_cert->append(reinterpret_cast<char*>(cert->derCert.data), |
- cert->derCert.len); |
- CERT_DestroyCertificate(cert); |
- return true; |
+ for (size_t n = 0; n < result.size(); ++n) |
+ CERT_DestroyName(result[n]); |
+ return false; |
} |
+bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain, |
+ const std::vector<CERTName*>& valid_issuers) { |
+ for (size_t n = 0; n < cert_chain.size(); ++n) { |
+ CERTName* cert_issuer = &cert_chain[n]->issuer; |
+ for (size_t i = 0; i < valid_issuers.size(); ++i) { |
+ if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual) |
+ return true; |
+ } |
+ } |
+ return false; |
+} |
+ |
+std::string GetUniqueNicknameForSlot(const std::string& nickname, |
+ const SECItem* subject, |
+ PK11SlotInfo* slot) { |
+ int index = 2; |
+ std::string new_name = nickname; |
+ std::string temp_nickname = new_name; |
+ std::string token_name; |
+ |
+ if (!slot) |
+ return new_name; |
+ |
+ if (!PK11_IsInternalKeySlot(slot)) { |
+ token_name.assign(PK11_GetTokenName(slot)); |
+ token_name.append(":"); |
+ |
+ temp_nickname = token_name + new_name; |
+ } |
+ |
+ while (SEC_CertNicknameConflict(temp_nickname.c_str(), |
+ const_cast<SECItem*>(subject), |
+ CERT_GetDefaultCertDB())) { |
+ base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++); |
+ temp_nickname = token_name + new_name; |
+ } |
+ |
+ return new_name; |
+} |
+ |
+#endif // defined(USE_NSS) || defined(OS_IOS) |
+ |
} // namespace x509_util |
} // namespace net |