OLD | NEW |
| (Empty) |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <cert.h> // Must be included before certdb.h | |
6 #include <certdb.h> | |
7 #include <cryptohi.h> | |
8 #include <nss.h> | |
9 #include <pk11pub.h> | |
10 #include <prerror.h> | |
11 #include <secder.h> | |
12 #include <secmod.h> | |
13 #include <secport.h> | |
14 | |
15 #include <memory> | |
16 | |
17 #include "base/debug/leak_annotations.h" | |
18 #include "base/logging.h" | |
19 #include "base/memory/singleton.h" | |
20 #include "base/numerics/safe_conversions.h" | |
21 #include "base/pickle.h" | |
22 #include "base/strings/stringprintf.h" | |
23 #include "crypto/ec_private_key.h" | |
24 #include "crypto/nss_util.h" | |
25 #include "crypto/nss_util_internal.h" | |
26 #include "crypto/rsa_private_key.h" | |
27 #include "crypto/scoped_nss_types.h" | |
28 #include "crypto/third_party/nss/chromium-nss.h" | |
29 #include "net/cert/x509_certificate.h" | |
30 #include "net/cert/x509_util.h" | |
31 #include "net/cert/x509_util_nss.h" | |
32 | |
33 namespace net { | |
34 | |
35 namespace { | |
36 | |
37 // Microsoft User Principal Name: 1.3.6.1.4.1.311.20.2.3 | |
38 const uint8_t kUpnOid[] = {0x2b, 0x6, 0x1, 0x4, 0x1, | |
39 0x82, 0x37, 0x14, 0x2, 0x3}; | |
40 | |
41 // Callback for CERT_DecodeCertPackage(), used in | |
42 // CreateOSCertHandlesFromBytes(). | |
43 SECStatus PR_CALLBACK | |
44 CollectCertsCallback(void* arg, SECItem** certs, int num_certs) { | |
45 X509Certificate::OSCertHandles* results = | |
46 reinterpret_cast<X509Certificate::OSCertHandles*>(arg); | |
47 | |
48 for (int i = 0; i < num_certs; ++i) { | |
49 X509Certificate::OSCertHandle handle = | |
50 X509Certificate::CreateOSCertHandleFromBytes( | |
51 reinterpret_cast<char*>(certs[i]->data), certs[i]->len); | |
52 if (handle) | |
53 results->push_back(handle); | |
54 } | |
55 | |
56 return SECSuccess; | |
57 } | |
58 | |
59 typedef std::unique_ptr<CERTName, | |
60 crypto::NSSDestroyer<CERTName, CERT_DestroyName>> | |
61 ScopedCERTName; | |
62 | |
63 // Create a new CERTName object from its encoded representation. | |
64 // |arena| is the allocation pool to use. | |
65 // |data| points to a DER-encoded X.509 DistinguishedName. | |
66 // Return a new CERTName pointer on success, or NULL. | |
67 CERTName* CreateCertNameFromEncoded(PLArenaPool* arena, | |
68 const base::StringPiece& data) { | |
69 if (!arena) | |
70 return NULL; | |
71 | |
72 ScopedCERTName name(PORT_ArenaZNew(arena, CERTName)); | |
73 if (!name.get()) | |
74 return NULL; | |
75 | |
76 SECItem item; | |
77 item.len = static_cast<unsigned int>(data.length()); | |
78 item.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data.data())); | |
79 | |
80 SECStatus rv = SEC_ASN1DecodeItem(arena, name.get(), | |
81 SEC_ASN1_GET(CERT_NameTemplate), &item); | |
82 if (rv != SECSuccess) | |
83 return NULL; | |
84 | |
85 return name.release(); | |
86 } | |
87 | |
88 } // namespace | |
89 | |
90 namespace x509_util { | |
91 | |
92 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { | |
93 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. | |
94 #if NSS_VMINOR >= 15 | |
95 typedef char* (*CERTGetNameFunc)(const CERTName* name); | |
96 #else | |
97 typedef char* (*CERTGetNameFunc)(CERTName* name); | |
98 #endif | |
99 | |
100 // TODO(jcampan): add business_category and serial_number. | |
101 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and | |
102 // CERT_GetDomainComponentName functions, but they return only the most | |
103 // general (the first) RDN. NSS doesn't have a function for the street | |
104 // address. | |
105 static const SECOidTag kOIDs[] = {SEC_OID_AVA_STREET_ADDRESS, | |
106 SEC_OID_AVA_ORGANIZATION_NAME, | |
107 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, | |
108 SEC_OID_AVA_DC}; | |
109 | |
110 std::vector<std::string>* values[] = {&principal->street_addresses, | |
111 &principal->organization_names, | |
112 &principal->organization_unit_names, | |
113 &principal->domain_components}; | |
114 DCHECK_EQ(arraysize(kOIDs), arraysize(values)); | |
115 | |
116 CERTRDN** rdns = name->rdns; | |
117 for (size_t rdn = 0; rdns[rdn]; ++rdn) { | |
118 CERTAVA** avas = rdns[rdn]->avas; | |
119 for (size_t pair = 0; avas[pair] != 0; ++pair) { | |
120 SECOidTag tag = CERT_GetAVATag(avas[pair]); | |
121 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) { | |
122 if (kOIDs[oid] == tag) { | |
123 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); | |
124 if (!decode_item) | |
125 break; | |
126 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. | |
127 std::string value(reinterpret_cast<char*>(decode_item->data), | |
128 decode_item->len); | |
129 values[oid]->push_back(value); | |
130 SECITEM_FreeItem(decode_item, PR_TRUE); | |
131 break; | |
132 } | |
133 } | |
134 } | |
135 } | |
136 | |
137 // Get CN, L, S, and C. | |
138 CERTGetNameFunc get_name_funcs[4] = {CERT_GetCommonName, | |
139 CERT_GetLocalityName, | |
140 CERT_GetStateName, | |
141 CERT_GetCountryName}; | |
142 std::string* single_values[4] = {&principal->common_name, | |
143 &principal->locality_name, | |
144 &principal->state_or_province_name, | |
145 &principal->country_name}; | |
146 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { | |
147 char* value = get_name_funcs[i](name); | |
148 if (value) { | |
149 single_values[i]->assign(value); | |
150 PORT_Free(value); | |
151 } | |
152 } | |
153 } | |
154 | |
155 void ParseDate(const SECItem* der_date, base::Time* result) { | |
156 PRTime prtime; | |
157 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date); | |
158 DCHECK_EQ(SECSuccess, rv); | |
159 *result = crypto::PRTimeToBaseTime(prtime); | |
160 } | |
161 | |
162 std::string ParseSerialNumber(const CERTCertificate* certificate) { | |
163 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data), | |
164 certificate->serialNumber.len); | |
165 } | |
166 | |
167 void GetSubjectAltName(CERTCertificate* cert_handle, | |
168 std::vector<std::string>* dns_names, | |
169 std::vector<std::string>* ip_addrs) { | |
170 if (dns_names) | |
171 dns_names->clear(); | |
172 if (ip_addrs) | |
173 ip_addrs->clear(); | |
174 | |
175 SECItem alt_name; | |
176 SECStatus rv = CERT_FindCertExtension( | |
177 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name); | |
178 if (rv != SECSuccess) | |
179 return; | |
180 | |
181 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
182 DCHECK(arena != NULL); | |
183 | |
184 CERTGeneralName* alt_name_list; | |
185 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name); | |
186 SECITEM_FreeItem(&alt_name, PR_FALSE); | |
187 | |
188 CERTGeneralName* name = alt_name_list; | |
189 while (name) { | |
190 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs | |
191 // respectively, both of which can be byte copied from | |
192 // SECItemType::data into the appropriate output vector. | |
193 if (dns_names && name->type == certDNSName) { | |
194 dns_names->push_back( | |
195 std::string(reinterpret_cast<char*>(name->name.other.data), | |
196 name->name.other.len)); | |
197 } else if (ip_addrs && name->type == certIPAddress) { | |
198 ip_addrs->push_back( | |
199 std::string(reinterpret_cast<char*>(name->name.other.data), | |
200 name->name.other.len)); | |
201 } | |
202 name = CERT_GetNextGeneralName(name); | |
203 if (name == alt_name_list) | |
204 break; | |
205 } | |
206 PORT_FreeArena(arena, PR_FALSE); | |
207 } | |
208 | |
209 void GetRFC822SubjectAltNames(CERTCertificate* cert_handle, | |
210 std::vector<std::string>* names) { | |
211 crypto::ScopedSECItem alt_name(SECITEM_AllocItem(NULL, NULL, 0)); | |
212 DCHECK(alt_name.get()); | |
213 | |
214 names->clear(); | |
215 SECStatus rv = CERT_FindCertExtension( | |
216 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, alt_name.get()); | |
217 if (rv != SECSuccess) | |
218 return; | |
219 | |
220 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
221 DCHECK(arena.get()); | |
222 | |
223 CERTGeneralName* alt_name_list; | |
224 alt_name_list = CERT_DecodeAltNameExtension(arena.get(), alt_name.get()); | |
225 | |
226 CERTGeneralName* name = alt_name_list; | |
227 while (name) { | |
228 if (name->type == certRFC822Name) { | |
229 names->push_back( | |
230 std::string(reinterpret_cast<char*>(name->name.other.data), | |
231 name->name.other.len)); | |
232 } | |
233 name = CERT_GetNextGeneralName(name); | |
234 if (name == alt_name_list) | |
235 break; | |
236 } | |
237 } | |
238 | |
239 void GetUPNSubjectAltNames(CERTCertificate* cert_handle, | |
240 std::vector<std::string>* names) { | |
241 crypto::ScopedSECItem alt_name(SECITEM_AllocItem(NULL, NULL, 0)); | |
242 DCHECK(alt_name.get()); | |
243 | |
244 names->clear(); | |
245 SECStatus rv = CERT_FindCertExtension( | |
246 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, alt_name.get()); | |
247 if (rv != SECSuccess) | |
248 return; | |
249 | |
250 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
251 DCHECK(arena.get()); | |
252 | |
253 CERTGeneralName* alt_name_list; | |
254 alt_name_list = CERT_DecodeAltNameExtension(arena.get(), alt_name.get()); | |
255 | |
256 CERTGeneralName* name = alt_name_list; | |
257 while (name) { | |
258 if (name->type == certOtherName) { | |
259 OtherName* on = &name->name.OthName; | |
260 if (on->oid.len == sizeof(kUpnOid) && | |
261 memcmp(on->oid.data, kUpnOid, sizeof(kUpnOid)) == 0) { | |
262 SECItem decoded; | |
263 if (SEC_QuickDERDecodeItem(arena.get(), &decoded, | |
264 SEC_ASN1_GET(SEC_UTF8StringTemplate), | |
265 &name->name.OthName.name) == SECSuccess) { | |
266 names->push_back( | |
267 std::string(reinterpret_cast<char*>(decoded.data), decoded.len)); | |
268 } | |
269 } | |
270 } | |
271 name = CERT_GetNextGeneralName(name); | |
272 if (name == alt_name_list) | |
273 break; | |
274 } | |
275 } | |
276 | |
277 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( | |
278 const char* data, | |
279 size_t length, | |
280 X509Certificate::Format format) { | |
281 X509Certificate::OSCertHandles results; | |
282 | |
283 crypto::EnsureNSSInit(); | |
284 | |
285 if (!NSS_IsInitialized()) | |
286 return results; | |
287 | |
288 switch (format) { | |
289 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: { | |
290 X509Certificate::OSCertHandle handle = | |
291 X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
292 if (handle) | |
293 results.push_back(handle); | |
294 break; | |
295 } | |
296 case X509Certificate::FORMAT_PKCS7: { | |
297 // Make a copy since CERT_DecodeCertPackage may modify it | |
298 std::vector<char> data_copy(data, data + length); | |
299 | |
300 SECStatus result = CERT_DecodeCertPackage( | |
301 data_copy.data(), base::checked_cast<int>(data_copy.size()), | |
302 CollectCertsCallback, &results); | |
303 if (result != SECSuccess) | |
304 results.clear(); | |
305 break; | |
306 } | |
307 default: | |
308 NOTREACHED() << "Certificate format " << format << " unimplemented"; | |
309 break; | |
310 } | |
311 | |
312 return results; | |
313 } | |
314 | |
315 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle( | |
316 base::PickleIterator* pickle_iter) { | |
317 const char* data; | |
318 int length; | |
319 if (!pickle_iter->ReadData(&data, &length)) | |
320 return NULL; | |
321 | |
322 return X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
323 } | |
324 | |
325 void GetPublicKeyInfo(CERTCertificate* handle, | |
326 size_t* size_bits, | |
327 X509Certificate::PublicKeyType* type) { | |
328 // Since we might fail, set the output parameters to default values first. | |
329 *type = X509Certificate::kPublicKeyTypeUnknown; | |
330 *size_bits = 0; | |
331 | |
332 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle)); | |
333 if (!key.get()) | |
334 return; | |
335 | |
336 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get()); | |
337 | |
338 switch (key->keyType) { | |
339 case rsaKey: | |
340 *type = X509Certificate::kPublicKeyTypeRSA; | |
341 break; | |
342 case dsaKey: | |
343 *type = X509Certificate::kPublicKeyTypeDSA; | |
344 break; | |
345 case dhKey: | |
346 *type = X509Certificate::kPublicKeyTypeDH; | |
347 break; | |
348 case ecKey: | |
349 *type = X509Certificate::kPublicKeyTypeECDSA; | |
350 break; | |
351 default: | |
352 *type = X509Certificate::kPublicKeyTypeUnknown; | |
353 *size_bits = 0; | |
354 break; | |
355 } | |
356 } | |
357 | |
358 bool GetIssuersFromEncodedList(const std::vector<std::string>& encoded_issuers, | |
359 PLArenaPool* arena, | |
360 std::vector<CERTName*>* out) { | |
361 std::vector<CERTName*> result; | |
362 for (size_t n = 0; n < encoded_issuers.size(); ++n) { | |
363 CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]); | |
364 if (name != NULL) | |
365 result.push_back(name); | |
366 } | |
367 | |
368 if (result.size() == encoded_issuers.size()) { | |
369 out->swap(result); | |
370 return true; | |
371 } | |
372 | |
373 for (size_t n = 0; n < result.size(); ++n) | |
374 CERT_DestroyName(result[n]); | |
375 return false; | |
376 } | |
377 | |
378 bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain, | |
379 const std::vector<CERTName*>& valid_issuers) { | |
380 for (size_t n = 0; n < cert_chain.size(); ++n) { | |
381 CERTName* cert_issuer = &cert_chain[n]->issuer; | |
382 for (size_t i = 0; i < valid_issuers.size(); ++i) { | |
383 if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual) | |
384 return true; | |
385 } | |
386 } | |
387 return false; | |
388 } | |
389 | |
390 std::string GetUniqueNicknameForSlot(const std::string& nickname, | |
391 const SECItem* subject, | |
392 PK11SlotInfo* slot) { | |
393 int index = 2; | |
394 std::string new_name = nickname; | |
395 std::string temp_nickname = new_name; | |
396 std::string token_name; | |
397 | |
398 if (!slot) | |
399 return new_name; | |
400 | |
401 if (!PK11_IsInternalKeySlot(slot)) { | |
402 token_name.assign(PK11_GetTokenName(slot)); | |
403 token_name.append(":"); | |
404 | |
405 temp_nickname = token_name + new_name; | |
406 } | |
407 | |
408 while (SEC_CertNicknameConflict(temp_nickname.c_str(), | |
409 const_cast<SECItem*>(subject), | |
410 CERT_GetDefaultCertDB())) { | |
411 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++); | |
412 temp_nickname = token_name + new_name; | |
413 } | |
414 | |
415 return new_name; | |
416 } | |
417 | |
418 } // namespace x509_util | |
419 | |
420 } // namespace net | |
OLD | NEW |