Port certificate verification to iOS.

net/base/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_nss.h"
 
 #include <string>
 #include <vector>
 
 #include <cert.h>
@@ skipping 10 matching lines @@
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/crl_set.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
 #include "net/base/x509_util_nss.h"
 
+#if defined(OS_IOS)
+#include <CommonCrypto/CommonDigest.h>
+#include "net/base/x509_util_ios.h"
+#endif  // defined(OS_IOS)
+
 namespace net {
 
 namespace {
 
 typedef scoped_ptr_malloc<
     CERTCertificatePolicies,
     crypto::NSSDestroyer<CERTCertificatePolicies,
                          CERT_DestroyCertificatePoliciesExtension> >
     ScopedCERTCertificatePolicies;
 
@@ skipping 179 matching lines @@
       case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
         verify_result->has_md4 = true;
         break;
       default:
         break;
     }
   }
 
   if (root_cert)
     verified_chain.push_back(root_cert);
+#if defined(OS_IOS)
+  verify_result->verified_cert =
+      x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain);
+#else
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+#endif  // defined(OS_IOS)
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root || !root->slot)
     return false;
 
   // This magic name is taken from
   // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
@@ skipping 65 matching lines @@
         NOTREACHED();
         return kCRLSetError;
     }
   }
 
   return kCRLSetOk;
 }
 
 // Forward declarations.
 SECStatus RetryPKIXVerifyCertWithWorkarounds(
-    X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
+    CERTCertificate* cert_handle, int num_policy_oids,
     bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
     CERTValOutParam* cvout);
-SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle);
+SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle);
 
 // Call CERT_PKIXVerifyCert for the cert_handle.
 // Verification results are stored in an array of CERTValOutParam.
 // If policy_oids is not NULL and num_policy_oids is positive, policies
 // are also checked.
 // Caller must initialize cvout before calling this function.
-SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
+SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
                          bool check_revocation,
                          bool cert_io_enabled,
                          const SECOidTag* policy_oids,
                          int num_policy_oids,
                          CERTValOutParam* cvout) {
   bool use_crl = check_revocation;
   bool use_ocsp = check_revocation;
 
   // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.
   // 1. NSS may use one key to verify a CRL signed with another key,
@@ skipping 102 matching lines @@
     rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
                                             cert_io_enabled, &cvin, cvout);
   }
   return rv;
 }
 
 // PKIXVerifyCert calls this function to work around some bugs in
 // CERT_PKIXVerifyCert.  All the arguments of this function are either the
 // arguments or local variables of PKIXVerifyCert.
 SECStatus RetryPKIXVerifyCertWithWorkarounds(
-    X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
+    CERTCertificate* cert_handle, int num_policy_oids,
     bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
     CERTValOutParam* cvout) {
   // We call this function when the first CERT_PKIXVerifyCert call in
   // PKIXVerifyCert failed,  so we initialize |rv| to SECFailure.
   SECStatus rv = SECFailure;
   int nss_error = PORT_GetError();
   CERTValInParam in_param;
 
   // If we get SEC_ERROR_UNKNOWN_ISSUER, we may be missing an intermediate
   // CA certificate, so we retry with cert_pi_useAIACertFetch.
@@ skipping 60 matching lines @@
   }
 
   return rv;
 }
 
 // Decodes the certificatePolicies extension of the certificate.  Returns
 // NULL if the certificate doesn't have the extension or the extension can't
 // be decoded.  The returned value must be freed with a
 // CERT_DestroyCertificatePoliciesExtension call.
 CERTCertificatePolicies* DecodeCertPolicies(
-    X509Certificate::OSCertHandle cert_handle) {
+    CERTCertificate* cert_handle) {
   SECItem policy_ext;
   SECStatus rv = CERT_FindCertExtension(cert_handle,
                                         SEC_OID_X509_CERTIFICATE_POLICIES,
                                         &policy_ext);
   if (rv != SECSuccess)
     return NULL;
   CERTCertificatePolicies* policies =
       CERT_DecodeCertificatePoliciesExtension(&policy_ext);
   SECITEM_FreeItem(&policy_ext, PR_FALSE);
   return policies;
 }
 
 // Returns the OID tag for the first certificate policy in the certificate's
 // certificatePolicies extension.  Returns SEC_OID_UNKNOWN if the certificate
 // has no certificate policy.
-SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle) {
+SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle) {
   ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
   if (!policies.get())
     return SEC_OID_UNKNOWN;
 
   CERTPolicyInfo* policy_info = policies->policyInfos[0];
   if (!policy_info)
     return SEC_OID_UNKNOWN;
   if (policy_info->oid != SEC_OID_UNKNOWN)
     return policy_info->oid;
 
   // The certificate policy is unknown to NSS.  We need to create a dynamic
   // OID tag for the policy.
   SECOidData od;
   od.oid.len = policy_info->policyID.len;
   od.oid.data = policy_info->policyID.data;
   od.offset = SEC_OID_UNKNOWN;
   // NSS doesn't allow us to pass an empty description, so I use a hardcoded,
   // default description here.  The description doesn't need to be unique for
   // each OID.
   od.desc = "a certificate policy";
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
 HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
   HashValue hash(HASH_VALUE_SHA1);
+#if defined(OS_IOS)
+  CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
+#else
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
                               cert->derPublicKey.data, cert->derPublicKey.len);
   DCHECK_EQ(SECSuccess, rv);
+#endif
   return hash;
 }
 
 HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
   HashValue hash(HASH_VALUE_SHA256);
+#if defined(OS_IOS)
+  CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
+#else
   SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
                               cert->derPublicKey.data, cert->derPublicKey.len);
   DCHECK_EQ(rv, SECSuccess);
+#endif
   return hash;
 }
 
 void AppendPublicKeyHashes(CERTCertList* cert_list,
                            CERTCertificate* root_cert,
                            HashValueVector* hashes) {
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
     hashes->push_back(CertPublicKeyHashSHA1(node->cert));
@@ skipping 83 matching lines @@
   // the old path, might have been revoked.
   if (crl_set) {
     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
         cvout[cvout_cert_list_index].value.pointer.chain,
         cvout[cvout_trust_anchor_index].value.pointer.cert,
         crl_set);
     if (crl_set_result == kCRLSetRevoked)
       return false;
   }
 
+#if defined(OS_IOS)
+  SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
+#else
   SHA1HashValue fingerprint =
       X509Certificate::CalculateFingerprint(root_ca);
+#endif
   return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
 }
 
 }  // namespace
 
 CertVerifyProcNSS::CertVerifyProcNSS() {}
 
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
 int CertVerifyProcNSS::VerifyInternal(X509Certificate* cert,
                                       const std::string& hostname,
                                       int flags,
                                       CRLSet* crl_set,
                                       CertVerifyResult* verify_result) {
+#if defined(OS_IOS)
+  // For iOS, the entire chain must be loaded into NSS's in-memory certificate
+  // store.
+  x509_util_ios::NSSCertChain scoped_chain(cert);
+  CERTCertificate* cert_handle = scoped_chain.cert_handle();
+#else
   CERTCertificate* cert_handle = cert->os_cert_handle();
+#endif  // defined(OS_IOS)
+
   // Make sure that the hostname matches with the common name of the cert.
   SECStatus status = CERT_VerifyCertName(cert_handle, hostname.c_str());
   if (status != SECSuccess)
     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
 
   // Make sure that the cert is valid now.
   SECCertTimeValidity validity = CERT_CheckCertValidTimes(
       cert_handle, PR_Now(), PR_TRUE);
   if (validity != secCertTimeValid)
     verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
@@ skipping 72 matching lines @@
 
   if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate &&
       VerifyEV(cert_handle, flags, crl_set, metadata, ev_policy_oid)) {
     verify_result->cert_status |= CERT_STATUS_IS_EV;
   }
 
   return OK;
 }
 
 }  // namespace net