Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(655)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/x509_util_nss_certs.cc

Issue 1882433002: Removing NSS files and USE_OPENSSL flag (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixing more nits. Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/x509_util_nss.cc ('k') | net/cert/x509_util_unittest.cc » ('j') | net/quic/test_tools/crypto_test_utils_chromium.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cert.h> // Must be included before certdb.h
6 #include <certdb.h>
7 #include <cryptohi.h>
8 #include <nss.h>
9 #include <pk11pub.h>
10 #include <prerror.h>
11 #include <secder.h>
12 #include <secmod.h>
13 #include <secport.h>
14
15 #include "base/debug/leak_annotations.h"
16 #include "base/logging.h"
17 #include "base/memory/scoped_ptr.h"
18 #include "base/memory/singleton.h"
19 #include "base/numerics/safe_conversions.h"
20 #include "base/pickle.h"
21 #include "base/strings/stringprintf.h"
22 #include "crypto/ec_private_key.h"
23 #include "crypto/nss_util.h"
24 #include "crypto/nss_util_internal.h"
25 #include "crypto/rsa_private_key.h"
26 #include "crypto/scoped_nss_types.h"
27 #include "crypto/third_party/nss/chromium-nss.h"
28 #include "net/cert/x509_certificate.h"
29 #include "net/cert/x509_util.h"
30 #include "net/cert/x509_util_nss.h"
31
32 namespace net {
33
34 namespace {
35
36 // Microsoft User Principal Name: 1.3.6.1.4.1.311.20.2.3
37 const uint8_t kUpnOid[] = {0x2b, 0x6, 0x1, 0x4, 0x1,
38 0x82, 0x37, 0x14, 0x2, 0x3};
39
40 // Callback for CERT_DecodeCertPackage(), used in
41 // CreateOSCertHandlesFromBytes().
42 SECStatus PR_CALLBACK
43 CollectCertsCallback(void* arg, SECItem** certs, int num_certs) {
44 X509Certificate::OSCertHandles* results =
45 reinterpret_cast<X509Certificate::OSCertHandles*>(arg);
46
47 for (int i = 0; i < num_certs; ++i) {
48 X509Certificate::OSCertHandle handle =
49 X509Certificate::CreateOSCertHandleFromBytes(
50 reinterpret_cast<char*>(certs[i]->data), certs[i]->len);
51 if (handle)
52 results->push_back(handle);
53 }
54
55 return SECSuccess;
56 }
57
58 typedef scoped_ptr<CERTName, crypto::NSSDestroyer<CERTName, CERT_DestroyName>>
59 ScopedCERTName;
60
61 // Create a new CERTName object from its encoded representation.
62 // |arena| is the allocation pool to use.
63 // |data| points to a DER-encoded X.509 DistinguishedName.
64 // Return a new CERTName pointer on success, or NULL.
65 CERTName* CreateCertNameFromEncoded(PLArenaPool* arena,
66 const base::StringPiece& data) {
67 if (!arena)
68 return NULL;
69
70 ScopedCERTName name(PORT_ArenaZNew(arena, CERTName));
71 if (!name.get())
72 return NULL;
73
74 SECItem item;
75 item.len = static_cast<unsigned int>(data.length());
76 item.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data.data()));
77
78 SECStatus rv = SEC_ASN1DecodeItem(arena, name.get(),
79 SEC_ASN1_GET(CERT_NameTemplate), &item);
80 if (rv != SECSuccess)
81 return NULL;
82
83 return name.release();
84 }
85
86 } // namespace
87
88 namespace x509_util {
89
90 void ParsePrincipal(CERTName* name, CertPrincipal* principal) {
91 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument.
92 #if NSS_VMINOR >= 15
93 typedef char* (*CERTGetNameFunc)(const CERTName* name);
94 #else
95 typedef char* (*CERTGetNameFunc)(CERTName* name);
96 #endif
97
98 // TODO(jcampan): add business_category and serial_number.
99 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and
100 // CERT_GetDomainComponentName functions, but they return only the most
101 // general (the first) RDN. NSS doesn't have a function for the street
102 // address.
103 static const SECOidTag kOIDs[] = {SEC_OID_AVA_STREET_ADDRESS,
104 SEC_OID_AVA_ORGANIZATION_NAME,
105 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
106 SEC_OID_AVA_DC};
107
108 std::vector<std::string>* values[] = {&principal->street_addresses,
109 &principal->organization_names,
110 &principal->organization_unit_names,
111 &principal->domain_components};
112 DCHECK_EQ(arraysize(kOIDs), arraysize(values));
113
114 CERTRDN** rdns = name->rdns;
115 for (size_t rdn = 0; rdns[rdn]; ++rdn) {
116 CERTAVA** avas = rdns[rdn]->avas;
117 for (size_t pair = 0; avas[pair] != 0; ++pair) {
118 SECOidTag tag = CERT_GetAVATag(avas[pair]);
119 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) {
120 if (kOIDs[oid] == tag) {
121 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value);
122 if (!decode_item)
123 break;
124 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote.
125 std::string value(reinterpret_cast<char*>(decode_item->data),
126 decode_item->len);
127 values[oid]->push_back(value);
128 SECITEM_FreeItem(decode_item, PR_TRUE);
129 break;
130 }
131 }
132 }
133 }
134
135 // Get CN, L, S, and C.
136 CERTGetNameFunc get_name_funcs[4] = {CERT_GetCommonName,
137 CERT_GetLocalityName,
138 CERT_GetStateName,
139 CERT_GetCountryName};
140 std::string* single_values[4] = {&principal->common_name,
141 &principal->locality_name,
142 &principal->state_or_province_name,
143 &principal->country_name};
144 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) {
145 char* value = get_name_funcs[i](name);
146 if (value) {
147 single_values[i]->assign(value);
148 PORT_Free(value);
149 }
150 }
151 }
152
153 void ParseDate(const SECItem* der_date, base::Time* result) {
154 PRTime prtime;
155 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date);
156 DCHECK_EQ(SECSuccess, rv);
157 *result = crypto::PRTimeToBaseTime(prtime);
158 }
159
160 std::string ParseSerialNumber(const CERTCertificate* certificate) {
161 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data),
162 certificate->serialNumber.len);
163 }
164
165 void GetSubjectAltName(CERTCertificate* cert_handle,
166 std::vector<std::string>* dns_names,
167 std::vector<std::string>* ip_addrs) {
168 if (dns_names)
169 dns_names->clear();
170 if (ip_addrs)
171 ip_addrs->clear();
172
173 SECItem alt_name;
174 SECStatus rv = CERT_FindCertExtension(
175 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
176 if (rv != SECSuccess)
177 return;
178
179 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
180 DCHECK(arena != NULL);
181
182 CERTGeneralName* alt_name_list;
183 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name);
184 SECITEM_FreeItem(&alt_name, PR_FALSE);
185
186 CERTGeneralName* name = alt_name_list;
187 while (name) {
188 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs
189 // respectively, both of which can be byte copied from
190 // SECItemType::data into the appropriate output vector.
191 if (dns_names && name->type == certDNSName) {
192 dns_names->push_back(
193 std::string(reinterpret_cast<char*>(name->name.other.data),
194 name->name.other.len));
195 } else if (ip_addrs && name->type == certIPAddress) {
196 ip_addrs->push_back(
197 std::string(reinterpret_cast<char*>(name->name.other.data),
198 name->name.other.len));
199 }
200 name = CERT_GetNextGeneralName(name);
201 if (name == alt_name_list)
202 break;
203 }
204 PORT_FreeArena(arena, PR_FALSE);
205 }
206
207 void GetRFC822SubjectAltNames(CERTCertificate* cert_handle,
208 std::vector<std::string>* names) {
209 crypto::ScopedSECItem alt_name(SECITEM_AllocItem(NULL, NULL, 0));
210 DCHECK(alt_name.get());
211
212 names->clear();
213 SECStatus rv = CERT_FindCertExtension(
214 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, alt_name.get());
215 if (rv != SECSuccess)
216 return;
217
218 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
219 DCHECK(arena.get());
220
221 CERTGeneralName* alt_name_list;
222 alt_name_list = CERT_DecodeAltNameExtension(arena.get(), alt_name.get());
223
224 CERTGeneralName* name = alt_name_list;
225 while (name) {
226 if (name->type == certRFC822Name) {
227 names->push_back(
228 std::string(reinterpret_cast<char*>(name->name.other.data),
229 name->name.other.len));
230 }
231 name = CERT_GetNextGeneralName(name);
232 if (name == alt_name_list)
233 break;
234 }
235 }
236
237 void GetUPNSubjectAltNames(CERTCertificate* cert_handle,
238 std::vector<std::string>* names) {
239 crypto::ScopedSECItem alt_name(SECITEM_AllocItem(NULL, NULL, 0));
240 DCHECK(alt_name.get());
241
242 names->clear();
243 SECStatus rv = CERT_FindCertExtension(
244 cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, alt_name.get());
245 if (rv != SECSuccess)
246 return;
247
248 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
249 DCHECK(arena.get());
250
251 CERTGeneralName* alt_name_list;
252 alt_name_list = CERT_DecodeAltNameExtension(arena.get(), alt_name.get());
253
254 CERTGeneralName* name = alt_name_list;
255 while (name) {
256 if (name->type == certOtherName) {
257 OtherName* on = &name->name.OthName;
258 if (on->oid.len == sizeof(kUpnOid) &&
259 memcmp(on->oid.data, kUpnOid, sizeof(kUpnOid)) == 0) {
260 SECItem decoded;
261 if (SEC_QuickDERDecodeItem(arena.get(), &decoded,
262 SEC_ASN1_GET(SEC_UTF8StringTemplate),
263 &name->name.OthName.name) == SECSuccess) {
264 names->push_back(
265 std::string(reinterpret_cast<char*>(decoded.data), decoded.len));
266 }
267 }
268 }
269 name = CERT_GetNextGeneralName(name);
270 if (name == alt_name_list)
271 break;
272 }
273 }
274
275 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes(
276 const char* data,
277 size_t length,
278 X509Certificate::Format format) {
279 X509Certificate::OSCertHandles results;
280
281 crypto::EnsureNSSInit();
282
283 if (!NSS_IsInitialized())
284 return results;
285
286 switch (format) {
287 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: {
288 X509Certificate::OSCertHandle handle =
289 X509Certificate::CreateOSCertHandleFromBytes(data, length);
290 if (handle)
291 results.push_back(handle);
292 break;
293 }
294 case X509Certificate::FORMAT_PKCS7: {
295 // Make a copy since CERT_DecodeCertPackage may modify it
296 std::vector<char> data_copy(data, data + length);
297
298 SECStatus result = CERT_DecodeCertPackage(
299 data_copy.data(), base::checked_cast<int>(data_copy.size()),
300 CollectCertsCallback, &results);
301 if (result != SECSuccess)
302 results.clear();
303 break;
304 }
305 default:
306 NOTREACHED() << "Certificate format " << format << " unimplemented";
307 break;
308 }
309
310 return results;
311 }
312
313 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle(
314 base::PickleIterator* pickle_iter) {
315 const char* data;
316 int length;
317 if (!pickle_iter->ReadData(&data, &length))
318 return NULL;
319
320 return X509Certificate::CreateOSCertHandleFromBytes(data, length);
321 }
322
323 void GetPublicKeyInfo(CERTCertificate* handle,
324 size_t* size_bits,
325 X509Certificate::PublicKeyType* type) {
326 // Since we might fail, set the output parameters to default values first.
327 *type = X509Certificate::kPublicKeyTypeUnknown;
328 *size_bits = 0;
329
330 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle));
331 if (!key.get())
332 return;
333
334 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get());
335
336 switch (key->keyType) {
337 case rsaKey:
338 *type = X509Certificate::kPublicKeyTypeRSA;
339 break;
340 case dsaKey:
341 *type = X509Certificate::kPublicKeyTypeDSA;
342 break;
343 case dhKey:
344 *type = X509Certificate::kPublicKeyTypeDH;
345 break;
346 case ecKey:
347 *type = X509Certificate::kPublicKeyTypeECDSA;
348 break;
349 default:
350 *type = X509Certificate::kPublicKeyTypeUnknown;
351 *size_bits = 0;
352 break;
353 }
354 }
355
356 bool GetIssuersFromEncodedList(const std::vector<std::string>& encoded_issuers,
357 PLArenaPool* arena,
358 std::vector<CERTName*>* out) {
359 std::vector<CERTName*> result;
360 for (size_t n = 0; n < encoded_issuers.size(); ++n) {
361 CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]);
362 if (name != NULL)
363 result.push_back(name);
364 }
365
366 if (result.size() == encoded_issuers.size()) {
367 out->swap(result);
368 return true;
369 }
370
371 for (size_t n = 0; n < result.size(); ++n)
372 CERT_DestroyName(result[n]);
373 return false;
374 }
375
376 bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain,
377 const std::vector<CERTName*>& valid_issuers) {
378 for (size_t n = 0; n < cert_chain.size(); ++n) {
379 CERTName* cert_issuer = &cert_chain[n]->issuer;
380 for (size_t i = 0; i < valid_issuers.size(); ++i) {
381 if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual)
382 return true;
383 }
384 }
385 return false;
386 }
387
388 std::string GetUniqueNicknameForSlot(const std::string& nickname,
389 const SECItem* subject,
390 PK11SlotInfo* slot) {
391 int index = 2;
392 std::string new_name = nickname;
393 std::string temp_nickname = new_name;
394 std::string token_name;
395
396 if (!slot)
397 return new_name;
398
399 if (!PK11_IsInternalKeySlot(slot)) {
400 token_name.assign(PK11_GetTokenName(slot));
401 token_name.append(":");
402
403 temp_nickname = token_name + new_name;
404 }
405
406 while (SEC_CertNicknameConflict(temp_nickname.c_str(),
407 const_cast<SECItem*>(subject),
408 CERT_GetDefaultCertDB())) {
409 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++);
410 temp_nickname = token_name + new_name;
411 }
412
413 return new_name;
414 }
415
416 } // namespace x509_util
417
418 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/x509_util_nss.cc ('k') | net/cert/x509_util_unittest.cc » ('j') | net/quic/test_tools/crypto_test_utils_chromium.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698