Adding iOS OpenSSL Implementation

net/cert/x509_certificate_openssl_ios.cc

Index: net/cert/x509_certificate_openssl_ios.cc
diff --git a/net/cert/x509_certificate_openssl.cc b/net/cert/x509_certificate_openssl_ios.cc
similarity index 61%
copy from net/cert/x509_certificate_openssl.cc
copy to net/cert/x509_certificate_openssl_ios.cc
index ec31e6e371b98b0ebfba80a80cbe7f28312b4d70..4966b9b02925f74800511e5d3b3d1e5e9cdabbb0 100644
--- a/net/cert/x509_certificate_openssl.cc
+++ b/net/cert/x509_certificate_openssl_ios.cc
@@ -1,36 +1,26 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
-#include <openssl/asn1.h>
-#include <openssl/bytestring.h>
-#include <openssl/crypto.h>
-#include <openssl/obj_mac.h>
-#include <openssl/pem.h>
-#include <openssl/sha.h>
-#include <openssl/ssl.h>
+#include <CommonCrypto/CommonDigest.h>
+#include <Security/Security.h>
+
+#include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#include "base/macros.h"
-#include "base/memory/singleton.h"
-#include "base/numerics/safe_conversions.h"
+#include "base/mac/scoped_cftyperef.h"
 #include "base/pickle.h"
-#include "base/sha1.h"
-#include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/ip_address_number.h"
-#include "net/base/net_errors.h"
 #include "net/cert/x509_util_openssl.h"
+#include "net/ssl/openssl_ssl_util.h"
 
-#if defined(OS_ANDROID)
-#include "base/logging.h"
-#include "net/android/network_library.h"
-#endif
+using base::ScopedCFTypeRef;
 
 namespace net {
 
@@ -39,6 +29,21 @@ namespace {
 using ScopedGENERAL_NAMES =
     crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>;
 
+// Returns true if a given |cert_handle| is actually a valid X.509 certificate
+// handle.
+//
+// SecCertificateCreateFromData() does not always force the immediate parsing of
+// the certificate, and as such, may return a SecCertificateRef for an
+// invalid/unparsable certificate. Force parsing to occur to ensure that the
+// SecCertificateRef is correct. On later versions where
+// SecCertificateCreateFromData() immediately parses, rather than lazily, this
+// call is cheap, as the subject is cached.
+bool IsValidOSCertHandle(SecCertificateRef cert_handle) {
+  ScopedCFTypeRef<CFStringRef> sanity_check(
+      SecCertificateCopySubjectSummary(cert_handle));
+  return sanity_check != NULL;

[Ryan Sleevi, 2016/03/24 20:17:42]

nullptr?

[svaldez, 2016/03/25 16:54:12]

Done.

+}
+
 void CreateOSCertHandlesFromPKCS7Bytes(
     const char* data,
     size_t length,
@@ -52,9 +57,12 @@ void CreateOSCertHandlesFromPKCS7Bytes(
 
   if (PKCS7_get_certificates(certs, &der_data)) {
     for (size_t i = 0; i < sk_X509_num(certs); ++i) {
-      X509* x509_cert =
-          X509Certificate::DupOSCertHandle(sk_X509_value(certs, i));
-      handles->push_back(x509_cert);
+      X509* x509_cert = sk_X509_value(certs, i);
+      base::StringPiece der;
+      if (!x509_util::GetDER(x509_cert, &der))
+        return;
+      handles->push_back(X509Certificate::CreateOSCertHandleFromBytes(
+          der.data(), der.length()));
     }
   }
   sk_X509_pop_free(certs, X509_free);
@@ -72,7 +80,7 @@ void ParsePrincipalValues(X509_NAME* name,
   }
 }
 
-void ParsePrincipal(X509Certificate::OSCertHandle cert,
+void ParsePrincipal(X509Certificate::OSCertHandle os_cert,
                     X509_NAME* x509_name,
                     CertPrincipal* principal) {
   if (!x509_name)
@@ -97,12 +105,15 @@ void ParsePrincipal(X509Certificate::OSCertHandle cert,
                                       &principal->country_name);
 }
 
-void ParseSubjectAltName(X509Certificate::OSCertHandle cert,
+void ParseSubjectAltName(X509Certificate::OSCertHandle os_cert,
                          std::vector<std::string>* dns_names,
                          std::vector<std::string>* ip_addresses) {
   DCHECK(dns_names || ip_addresses);
-  int index = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
-  X509_EXTENSION* alt_name_ext = X509_get_ext(cert, index);
+  ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);
+  if (!cert.get())
+    return;
+  int index = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1);
+  X509_EXTENSION* alt_name_ext = X509_get_ext(cert.get(), index);
   if (!alt_name_ext)
     return;
 
@@ -139,38 +150,8 @@ void ParseSubjectAltName(X509Certificate::OSCertHandle cert,
   }
 }
 
-class X509InitSingleton {
- public:
-  static X509InitSingleton* GetInstance() {
-    // We allow the X509 store to leak, because it is used from a non-joinable
-    // worker that is not stopped on shutdown, hence may still be using
-    // OpenSSL library after the AtExit runner has completed.
-    return base::Singleton<X509InitSingleton, base::LeakySingletonTraits<
-                                                  X509InitSingleton>>::get();
-  }
-  X509_STORE* store() const { return store_.get(); }
-
-  void ResetCertStore() {
-    store_.reset(X509_STORE_new());
-    DCHECK(store_.get());
-    X509_STORE_set_default_paths(store_.get());
-    // TODO(joth): Enable CRL (see X509_STORE_set_flags(X509_V_FLAG_CRL_CHECK)).
-  }
-
- private:
-  friend struct base::DefaultSingletonTraits<X509InitSingleton>;
-  X509InitSingleton() {
-    crypto::EnsureOpenSSLInit();
-    ResetCertStore();
-  }
-
-  crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free> store_;
-
-  DISALLOW_COPY_AND_ASSIGN(X509InitSingleton);
-};
-
 // Used to free a list of X509_NAMEs and the objects it points to.
-void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) {
+void sk_X509_NAME_free_all(STACK_OF(X509_NAME) * sk) {
   sk_X509_NAME_pop_free(sk, X509_NAME_free);
 }
 
@@ -178,25 +159,26 @@ void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) {
 
 // static
 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
-    OSCertHandle cert_handle) {
-  DCHECK(cert_handle);
-  return X509_up_ref(cert_handle);
+    OSCertHandle handle) {
+  if (!handle)
+    return NULL;

[Ryan Sleevi, 2016/03/24 20:17:42]

nullptr

[svaldez, 2016/03/25 16:54:11]

Done.

+  return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
-  // Decrement the ref-count for the cert and, if all references are gone,
-  // free the memory and any application-specific data associated with the
-  // certificate.
-  X509_free(cert_handle);
+  if (cert_handle)
+    CFRelease(cert_handle);
 }
 
 void X509Certificate::Initialize() {
   crypto::EnsureOpenSSLInit();
   fingerprint_ = CalculateFingerprint(cert_handle_);
   ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
-
-  ASN1_INTEGER* serial_num = X509_get_serialNumber(cert_handle_);
+  ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);
+  if (!x509_cert.get())

[Ryan Sleevi, 2016/03/24 20:17:42]

You can drop the .get() [or should be able to, in a scoped_ptr world]

[svaldez, 2016/03/25 16:54:12]

Done.

+    return;
+  ASN1_INTEGER* serial_num = X509_get_serialNumber(x509_cert.get());
   if (serial_num) {
     // ASN1_INTEGERS represent the decoded number, in a format internal to
     // OpenSSL. Most notably, this may have leading zeroes stripped off for
@@ -211,34 +193,41 @@ void X509Certificate::Initialize() {
     DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size());
   }
 
-  ParsePrincipal(cert_handle_, X509_get_subject_name(cert_handle_), &subject_);
-  ParsePrincipal(cert_handle_, X509_get_issuer_name(cert_handle_), &issuer_);
-  x509_util::ParseDate(X509_get_notBefore(cert_handle_), &valid_start_);
-  x509_util::ParseDate(X509_get_notAfter(cert_handle_), &valid_expiry_);
-}
-
-// static
-void X509Certificate::ResetCertStore() {
-  X509InitSingleton::GetInstance()->ResetCertStore();
+  ParsePrincipal(cert_handle_, X509_get_subject_name(x509_cert.get()),
+                 &subject_);
+  ParsePrincipal(cert_handle_, X509_get_issuer_name(x509_cert.get()), &issuer_);
+  x509_util::ParseDate(X509_get_notBefore(x509_cert.get()), &valid_start_);
+  x509_util::ParseDate(X509_get_notAfter(x509_cert.get()), &valid_expiry_);
 }
 
 // static
 SHA1HashValue X509Certificate::CalculateFingerprint(OSCertHandle cert) {
   SHA1HashValue sha1;
-  unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data));
-  int ret = X509_digest(cert, EVP_sha1(), sha1.data, &sha1_size);
-  CHECK(ret);
-  CHECK_EQ(sha1_size, sizeof(sha1.data));
+  memset(sha1.data, 0, sizeof(sha1.data));
+
+  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
+  if (!cert_data)
+    return sha1;
+  DCHECK(CFDataGetBytePtr(cert_data));
+  DCHECK_NE(0, CFDataGetLength(cert_data));
+  CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data);
+
   return sha1;
 }
 
 // static
 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
   SHA256HashValue sha256;
-  unsigned int sha256_size = static_cast<unsigned int>(sizeof(sha256.data));
-  int ret = X509_digest(cert, EVP_sha256(), sha256.data, &sha256_size);
-  CHECK(ret);
-  CHECK_EQ(sha256_size, sizeof(sha256.data));
+  memset(sha256.data, 0, sizeof(sha256.data));
+
+  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
+  if (!cert_data)
+    return sha256;
+  DCHECK(CFDataGetBytePtr(cert_data));
+  DCHECK_NE(0, CFDataGetLength(cert_data));
+  CC_SHA256(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data),
+            sha256.data);
+
   return sha256;
 }
 
@@ -248,16 +237,17 @@ SHA1HashValue X509Certificate::CalculateCAFingerprint(
   SHA1HashValue sha1;
   memset(sha1.data, 0, sizeof(sha1.data));
 
-  SHA_CTX sha1_ctx;
-  SHA1_Init(&sha1_ctx);
-  base::StringPiece der;
+  CC_SHA1_CTX sha1_ctx;
+  CC_SHA1_Init(&sha1_ctx);
   for (size_t i = 0; i < intermediates.size(); ++i) {
-    if (!x509_util::GetDER(intermediates[i], &der))
+    ScopedCFTypeRef<CFDataRef> cert_data(
+        SecCertificateCopyData(intermediates[i]));
+    if (!cert_data)
       return sha1;
-    SHA1_Update(&sha1_ctx, der.data(), der.length());
+    CC_SHA1_Update(&sha1_ctx, CFDataGetBytePtr(cert_data),
+                   CFDataGetLength(cert_data));
   }
-  SHA1_Final(sha1.data, &sha1_ctx);
-
+  CC_SHA1_Final(sha1.data, &sha1_ctx);
   return sha1;
 }
 
@@ -265,13 +255,19 @@ SHA1HashValue X509Certificate::CalculateCAFingerprint(
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data,
     size_t length) {
-  crypto::EnsureOpenSSLInit();
-  const unsigned char* d2i_data =
-      reinterpret_cast<const unsigned char*>(data);
-  // Don't cache this data for x509_util::GetDER as this wire format
-  // may be not be identical from the i2d_X509 roundtrip.
-  X509* cert = d2i_X509(NULL, &d2i_data, base::checked_cast<long>(length));
-  return cert;
+  ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(
+      kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),
+      base::checked_cast<CFIndex>(length), kCFAllocatorNull));
+  if (!cert_data)
+    return nullptr;
+  OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data);

[Ryan Sleevi, 2016/03/24 20:17:42]

nullptr

[svaldez, 2016/03/25 16:54:12]

Done.

+  if (!cert_handle)
+    return nullptr;
+  if (!IsValidOSCertHandle(cert_handle)) {
+    CFRelease(cert_handle);
+    return nullptr;
+  }
+  return cert_handle;
 }
 
 // static
@@ -283,7 +279,8 @@ X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
 
   switch (format) {
     case FORMAT_SINGLE_CERTIFICATE: {
-      OSCertHandle handle = CreateOSCertHandleFromBytes(data, length);
+      OSCertHandle handle =
+          X509Certificate::CreateOSCertHandleFromBytes(data, length);
       if (handle)
         results.push_back(handle);
       break;
@@ -313,17 +310,16 @@ void X509Certificate::GetSubjectAltName(
 }
 
 // static
-X509_STORE* X509Certificate::cert_store() {
-  return X509InitSingleton::GetInstance()->store();
-}
-
-// static
 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
                                     std::string* encoded) {
   base::StringPiece der;
-  if (!cert_handle || !x509_util::GetDER(cert_handle, &der))
+  if (!cert_handle)
     return false;
-  encoded->assign(der.data(), der.length());
+  ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));
+  if (!der_data)
+    return false;
+  encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),
+                  CFDataGetLength(der_data));
   return true;
 }
 
@@ -333,15 +329,14 @@ bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
   DCHECK(a && b);
   if (a == b)
     return true;
-
-  // X509_cmp only checks the fingerprint, but we want to compare the whole
-  // DER data. Encoding it from OSCertHandle is an expensive operation, so we
-  // cache the DER (if not already cached via X509_set_ex_data).
-  base::StringPiece der_a, der_b;
-
-  return x509_util::GetDER(a, &der_a) &&
-      x509_util::GetDER(b, &der_b) &&
-      der_a == der_b;
+  if (CFEqual(a, b))
+    return true;
+  ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a));
+  ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b));
+  return a_data && b_data &&
+         CFDataGetLength(a_data) == CFDataGetLength(b_data) &&
+         memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data),
+                CFDataGetLength(a_data)) == 0;

[Ryan Sleevi, 2016/03/24 20:17:42]

You don't need lines 334-339 for iOS.

OS X < 10.6 had a bug with respect to CFEqual only comparing at the pointer type
(that is, SecCertificateRef didn't have an entry in the CFTypeRef for
overloading equality comparison). Since 10.6, CFEqual has implemented this logic
- length comparison and then memcmp

http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity...
is what's relevant for iOS ( SecCertificateEqual )

So the whole function is

DCHECK(a && b)
return CFEqual(a, b);

[svaldez, 2016/03/25 16:54:11]

Done.

 }
 
 // static
@@ -352,27 +347,31 @@ X509Certificate::OSCertHandle X509Certificate::ReadOSCertHandleFromPickle(
   if (!pickle_iter->ReadData(&data, &length))
     return NULL;
 
-  return CreateOSCertHandleFromBytes(data, length);
+  return X509Certificate::CreateOSCertHandleFromBytes(data, length);
 }
 
 // static
 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
                                                 base::Pickle* pickle) {
-  base::StringPiece der;
-  if (!x509_util::GetDER(cert_handle, &der))
+  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle));
+  if (!cert_data)
     return false;
 
-  return pickle->WriteData(der.data(), der.length());
+  return pickle->WriteData(
+      reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)),
+      CFDataGetLength(cert_data));
 }
 
 // static
-void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
+void X509Certificate::GetPublicKeyInfo(OSCertHandle os_cert,
                                        size_t* size_bits,
                                        PublicKeyType* type) {
   *type = kPublicKeyTypeUnknown;
   *size_bits = 0;
-
-  crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle));
+  ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);
+  if (!cert.get())

[Ryan Sleevi, 2016/03/24 20:17:42]

No .get()

[svaldez, 2016/03/25 16:54:12]

Done.

+    return;
+  crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));
   if (!scoped_key.get())
     return;
 
@@ -382,21 +381,35 @@ void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
   switch (key->type) {
     case EVP_PKEY_RSA:
       *type = kPublicKeyTypeRSA;
-      *size_bits = EVP_PKEY_size(key) * 8;
       break;
     case EVP_PKEY_DSA:
       *type = kPublicKeyTypeDSA;
-      *size_bits = EVP_PKEY_size(key) * 8;
       break;
     case EVP_PKEY_EC:
       *type = kPublicKeyTypeECDSA;
-      *size_bits = EVP_PKEY_bits(key);
       break;
     case EVP_PKEY_DH:
       *type = kPublicKeyTypeDH;
-      *size_bits = EVP_PKEY_size(key) * 8;
       break;
   }
+  *size_bits = EVP_PKEY_bits(key);
+}
+
+bool X509Certificate::SupportsSSLClientAuth() const {
+  return false;
+}
+
+CFMutableArrayRef X509Certificate::CreateOSCertChainForCert() const {
+  CFMutableArrayRef cert_list =
+      CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+  if (!cert_list)
+    return NULL;
+
+  CFArrayAppendValue(cert_list, os_cert_handle());
+  for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i)
+    CFArrayAppendValue(cert_list, intermediate_ca_certs_[i]);
+
+  return cert_list;
 }
 
 bool X509Certificate::IsIssuedByEncoded(
@@ -412,9 +425,8 @@ bool X509Certificate::IsIssuedByEncoded(
     return false;
 
   for (std::vector<std::string>::const_iterator it = valid_issuers.begin();
-      it != valid_issuers.end(); ++it) {
-    const unsigned char* p =
-        reinterpret_cast<const unsigned char*>(it->data());
+       it != valid_issuers.end(); ++it) {
+    const unsigned char* p = reinterpret_cast<const unsigned char*>(it->data());
     long len = static_cast<long>(it->length());
     X509_NAME* ca_name = d2i_X509_NAME(NULL, &p, len);
     if (ca_name == NULL)
@@ -425,14 +437,20 @@ bool X509Certificate::IsIssuedByEncoded(
   // Create a temporary list of X509_NAME objects corresponding
   // to the certificate chain. It doesn't own the object it points to.
   std::vector<X509_NAME*> cert_names;
-  X509_NAME* issuer = X509_get_issuer_name(cert_handle_);
+  ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);
+  if (!x509_cert.get())

[Ryan Sleevi, 2016/03/24 20:17:42]

No .get()

[svaldez, 2016/03/25 16:54:12]

Done.

+    return false;
+  X509_NAME* issuer = X509_get_issuer_name(x509_cert.get());
   if (issuer == NULL)
     return false;
 
   cert_names.push_back(issuer);
   for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
-      it != intermediate_ca_certs_.end(); ++it) {
-    issuer = X509_get_issuer_name(*it);
+       it != intermediate_ca_certs_.end(); ++it) {
+    ScopedX509 intermediate_cert = OSCertHandleToOpenSSL(*it);
+    if (!intermediate_cert.get())

[Ryan Sleevi, 2016/03/24 20:17:42]

No .get()

[svaldez, 2016/03/25 16:54:11]

Done.

+      return false;
+    issuer = X509_get_issuer_name(intermediate_cert.get());
     if (issuer == NULL)
       return false;
     cert_names.push_back(issuer);
@@ -452,13 +470,16 @@ bool X509Certificate::IsIssuedByEncoded(
 }
 
 // static
-bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
-  crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle));
+bool X509Certificate::IsSelfSigned(OSCertHandle os_cert) {
+  ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);
+  if (!cert.get())

[Ryan Sleevi, 2016/03/24 20:17:42]

No .get()

[svaldez, 2016/03/25 16:54:11]

Done.

+    return false;
+  crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));
   if (!scoped_key)
     return false;
 
   // NOTE: X509_verify() returns 1 in case of success, 0 or -1 on error.
-  return X509_verify(cert_handle, scoped_key.get()) == 1;
+  return X509_verify(cert.get(), scoped_key.get()) == 1;
 }
 
 }  // namespace net