
Side by Side Diff: net/cert/x509_util_nss_certs.cc

Issue 1720653002: Add new functions to handle UPN and email addresses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rename function; reorder NET_EXPORT Created 4 years, 9 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <cert.h> // Must be included before certdb.h 5 #include <cert.h> // Must be included before certdb.h
6 #include <certdb.h> 6 #include <certdb.h>
7 #include <cryptohi.h> 7 #include <cryptohi.h>
8 #include <nss.h> 8 #include <nss.h>
9 #include <pk11pub.h> 9 #include <pk11pub.h>
10 #include <prerror.h> 10 #include <prerror.h>
(...skipping 15 matching lines...) Expand all
26 #include "crypto/scoped_nss_types.h" 26 #include "crypto/scoped_nss_types.h"
27 #include "crypto/third_party/nss/chromium-nss.h" 27 #include "crypto/third_party/nss/chromium-nss.h"
28 #include "net/cert/x509_certificate.h" 28 #include "net/cert/x509_certificate.h"
29 #include "net/cert/x509_util.h" 29 #include "net/cert/x509_util.h"
30 #include "net/cert/x509_util_nss.h" 30 #include "net/cert/x509_util_nss.h"
31 31
32 namespace net { 32 namespace net {
33 33
34 namespace { 34 namespace {
35 35
36 // Microsoft User Principal Name: 1.3.6.1.4.1.311.20.2.3
37 const uint8_t kUpnOid[] = {0x2b, 0x6, 0x1, 0x4, 0x1,
38 0x82, 0x37, 0x14, 0x2, 0x3};
39
36 // Callback for CERT_DecodeCertPackage(), used in 40 // Callback for CERT_DecodeCertPackage(), used in
37 // CreateOSCertHandlesFromBytes(). 41 // CreateOSCertHandlesFromBytes().
38 SECStatus PR_CALLBACK 42 SECStatus PR_CALLBACK
39 CollectCertsCallback(void* arg, SECItem** certs, int num_certs) { 43 CollectCertsCallback(void* arg, SECItem** certs, int num_certs) {
40 X509Certificate::OSCertHandles* results = 44 X509Certificate::OSCertHandles* results =
41 reinterpret_cast<X509Certificate::OSCertHandles*>(arg); 45 reinterpret_cast<X509Certificate::OSCertHandles*>(arg);
42 46
43 for (int i = 0; i < num_certs; ++i) { 47 for (int i = 0; i < num_certs; ++i) {
44 X509Certificate::OSCertHandle handle = 48 X509Certificate::OSCertHandle handle =
45 X509Certificate::CreateOSCertHandleFromBytes( 49 X509Certificate::CreateOSCertHandleFromBytes(
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after
193 std::string(reinterpret_cast<char*>(name->name.other.data), 197 std::string(reinterpret_cast<char*>(name->name.other.data),
194 name->name.other.len)); 198 name->name.other.len));
195 } 199 }
196 name = CERT_GetNextGeneralName(name); 200 name = CERT_GetNextGeneralName(name);
197 if (name == alt_name_list) 201 if (name == alt_name_list)
198 break; 202 break;
199 } 203 }
200 PORT_FreeArena(arena, PR_FALSE); 204 PORT_FreeArena(arena, PR_FALSE);
201 } 205 }
202 206
207 CERTGeneralNameTypeEnum SANTypeToGeneralNameType(SubjectAltNameType type) {
208 switch (type) {
209 case SAN_RFC822_NAME:
210 return certRFC822Name;
211 case SAN_DNS_NAME:
212 return certDNSName;
213 case SAN_URI:
214 return certURI;
215 case SAN_IP_ADDRESS:
216 return certIPAddress;
217 case SAN_UPN:
218 return certOtherName;
219 }
220 NOTREACHED();
221 return certOtherName;
222 }
223
224 void GetSubjectAltNameByType(CERTCertificate* cert_handle,
225 SubjectAltNameType type,
226 std::vector<std::string>* names) {
227 crypto::ScopedSECItem alt_name(SECITEM_AllocItem(NULL, NULL, 0));
228 DCHECK(alt_name.get());
229
230 SECStatus rv = CERT_FindCertExtension(
231 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, alt_name.get());
232 if (rv != SECSuccess)
233 return;
234
235 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
236 DCHECK(arena.get());
237
238 CERTGeneralName* alt_name_list;
239 alt_name_list = CERT_DecodeAltNameExtension(arena.get(), alt_name.get());
240
241 CERTGeneralName* name = alt_name_list;
242 while (name) {
243 if (name->type == SANTypeToGeneralNameType(type)) {
244 switch (type) {
245 case SAN_RFC822_NAME:
246 case SAN_DNS_NAME:
247 case SAN_URI:
248 case SAN_IP_ADDRESS:
249 names->push_back(
250 std::string(reinterpret_cast<char*>(name->name.other.data),
251 name->name.other.len));
252 break;
253 case SAN_UPN:
254 OtherName* on = &name->name.OthName;
255 if (on->oid.len == sizeof(kUpnOid) &&
256 !memcmp(on->oid.data, kUpnOid, sizeof(kUpnOid))) {
Ryan Sleevi 2016/03/01 00:28:29 The use of ! for values that return <0,0,>0 has be
Kevin Cernekee 2016/03/01 19:28:01 Done.
257 SECItem decoded;
258 if (SEC_ASN1DecodeItem(arena.get(), &decoded,
Ryan Sleevi 2016/03/01 00:28:28 SECURITY: DO *not* use this function in any way wh
Kevin Cernekee 2016/03/01 19:28:01 Done.
259 SEC_ASN1_GET(SEC_UTF8StringTemplate),
260 &name->name.OthName.name) == SECSuccess) {
261 names->push_back(std::string(
262 reinterpret_cast<char*>(decoded.data), decoded.len));
263 }
264 }
265 break;
266 }
267 }
268 name = CERT_GetNextGeneralName(name);
269 if (name == alt_name_list)
270 break;
271 }
272 }
273
203 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( 274 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes(
204 const char* data, 275 const char* data,
205 size_t length, 276 size_t length,
206 X509Certificate::Format format) { 277 X509Certificate::Format format) {
207 X509Certificate::OSCertHandles results; 278 X509Certificate::OSCertHandles results;
208 279
209 crypto::EnsureNSSInit(); 280 crypto::EnsureNSSInit();
210 281
211 if (!NSS_IsInitialized()) 282 if (!NSS_IsInitialized())
212 return results; 283 return results;
(...skipping 124 matching lines...) Expand 10 before | Expand all | Expand 10 after
337 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++); 408 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++);
338 temp_nickname = token_name + new_name; 409 temp_nickname = token_name + new_name;
339 } 410 }
340 411
341 return new_name; 412 return new_name;
342 } 413 }
343 414
344 } // namespace x509_util 415 } // namespace x509_util
345 416
346 } // namespace net 417 } // namespace net
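Review bot: GetSubjectAltNameByType (new-side lines 224-272) returns raw SAN bytes from a certificate that may be untrusted, and neither a check nor a comment tells callers so. `std::string(data, len)` preserves embedded NUL bytes, SAN_IP_ADDRESS yields the binary address rather than text, and nothing visible in the UPN branch checks that the decoded value is well-formed UTF-8, so a caller that truncates at `c_str()` or compares the value to an account name may act on a different string than the certificate encodes. I would add a comment above the function such as `// Returned strings are unvalidated bytes taken from the certificate; they may contain embedded NULs and, for SAN_IP_ADDRESS, are binary.` and consider skipping entries that contain '\0' for the textual types. Separately, `SECItem decoded;` on new line 257 is passed to the decoder uninitialised; `SECItem decoded = {siBuffer, nullptr, 0};` avoids depending on how the decoder treats a stale `data` pointer (whether it reads it is not confirmed from this page). The allocations at new lines 227 and 235 are also guarded only by `DCHECK`, so a release build would carry a null item or arena into the NSS calls that follow.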