net/cert/x509_certificate_ios.cc - Issue 1882433002: Removing NSS files and USE_OPENSSL flag

Unified Diff: net/cert/x509_certificate_ios.cc

Issue 1882433002: Removing NSS files and USE_OPENSSL flag (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fixing header ordering. Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/x509_certificate_ios.cc

diff --git a/net/cert/x509_certificate_ios.cc b/net/cert/x509_certificate_ios.cc

index d458589872d461595e8e87596f29b31a040fdc90..96ed1dea5102028e2f4a7761003c712b382748b3 100644

--- a/net/cert/x509_certificate_ios.cc

+++ b/net/cert/x509_certificate_ios.cc

@@ -1,4 +1,4 @@

// Use of this source code is governed by a BSD-style license that can be

// found in the LICENSE file.

@@ -7,40 +7,28 @@

#include <CommonCrypto/CommonDigest.h>

#include <Security/Security.h>

-#include <cert.h>

-#include <cryptohi.h>

-#include <keyhi.h>

-#include <nss.h>

-#include <pk11pub.h>

-#include <prerror.h>

-#include <prtime.h>

-#include <prtypes.h>

-#include <secder.h>

-#include <secerr.h>

-#include <sslerr.h>

-#include <vector>

-#include "base/logging.h"

+#include <openssl/x509.h>

+#include <openssl/x509v3.h>

#include "base/mac/scoped_cftyperef.h"

-#include "base/memory/scoped_ptr.h"

-#include "base/numerics/safe_conversions.h"

#include "base/pickle.h"

-#include "base/time/time.h"

-#include "crypto/nss_util.h"

-#include "crypto/scoped_nss_types.h"

-#include "net/base/net_errors.h"

-#include "net/cert/asn1_util.h"

-#include "net/cert/cert_status_flags.h"

-#include "net/cert/cert_verify_result.h"

-#include "net/cert/ev_root_ca_metadata.h"

-#include "net/cert/x509_util_ios.h"

-#include "net/cert/x509_util_nss.h"

+#include "base/strings/string_piece.h"

+#include "base/strings/string_util.h"

+#include "crypto/openssl_util.h"

+#include "crypto/scoped_openssl_types.h"

+#include "net/base/ip_address_number.h"

+#include "net/cert/x509_util_openssl.h"

+#include "net/ssl/openssl_ssl_util.h"

using base::ScopedCFTypeRef;

namespace net {

namespace {

+using ScopedGENERAL_NAMES =

+ crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>;

// Returns true if a given |cert_handle| is actually a valid X.509 certificate

// handle.

@@ -53,115 +41,127 @@ namespace {

bool IsValidOSCertHandle(SecCertificateRef cert_handle) {

ScopedCFTypeRef<CFStringRef> sanity_check(

SecCertificateCopySubjectSummary(cert_handle));

- return sanity_check != NULL;

+ return sanity_check != nullptr;

}

-} // namespace

-void X509Certificate::Initialize() {

- x509_util_ios::NSSCertificate nss_cert(cert_handle_);

- CERTCertificate* cert_handle = nss_cert.cert_handle();

- if (cert_handle) {

- x509_util::ParsePrincipal(&cert_handle->subject, &subject_);

- x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);

- x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);

- x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);

- serial_number_ = x509_util::ParseSerialNumber(cert_handle);

+void CreateOSCertHandlesFromPKCS7Bytes(

+ const char* data,

+ size_t length,

+ X509Certificate::OSCertHandles* handles) {

+ crypto::EnsureOpenSSLInit();

+ crypto::OpenSSLErrStackTracer err_cleaner(FROM_HERE);

+ CBS der_data;

+ CBS_init(&der_data, reinterpret_cast<const uint8_t*>(data), length);

+ STACK_OF(X509)* certs = sk_X509_new_null();

+ if (PKCS7_get_certificates(certs, &der_data)) {

+ for (size_t i = 0; i < sk_X509_num(certs); ++i) {

+ X509* x509_cert = sk_X509_value(certs, i);

+ base::StringPiece der;

+ if (!x509_util::GetDER(x509_cert, &der))

+ return;

+ handles->push_back(X509Certificate::CreateOSCertHandleFromBytes(

+ der.data(), der.length()));

+ }

}

- fingerprint_ = CalculateFingerprint(cert_handle_);

- ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);

+ sk_X509_pop_free(certs, X509_free);

}

-bool X509Certificate::IsIssuedByEncoded(

- const std::vector<std::string>& valid_issuers) {

- x509_util_ios::NSSCertChain nss_chain(this);

- // Convert to scoped CERTName* list.

- std::vector<CERTName*> issuers;

- crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));

- if (!x509_util::GetIssuersFromEncodedList(valid_issuers,

- arena.get(),

- &issuers)) {

- return false;

+void ParsePrincipalValues(X509_NAME* name,

+ int nid,

+ std::vector<std::string>* fields) {

+ for (int index = -1;

+ (index = X509_NAME_get_index_by_NID(name, nid, index)) != -1;) {

+ std::string field;

+ if (!x509_util::ParsePrincipalValueByIndex(name, index, &field))

+ break;

+ fields->push_back(field);

}

- return x509_util::IsCertificateIssuedBy(

- nss_chain.cert_chain(), issuers);

}

-void X509Certificate::GetSubjectAltName(

- std::vector<std::string>* dns_names,

- std::vector<std::string>* ip_addrs) const {

- x509_util_ios::NSSCertificate nss_cert(cert_handle_);

- CERTCertificate* cert_handle = nss_cert.cert_handle();

- if (!cert_handle) {

- if (dns_names)

- dns_names->clear();

- if (ip_addrs)

- ip_addrs->clear();

+void ParsePrincipal(X509Certificate::OSCertHandle os_cert,

+ X509_NAME* x509_name,

+ CertPrincipal* principal) {

+ if (!x509_name)

return;

- }

- x509_util::GetSubjectAltName(cert_handle, dns_names, ip_addrs);

-// static

-bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle,

- std::string* encoded) {

- if (!cert_handle)

- return false;

- ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));

- if (!der_data)

- return false;

- encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),

- CFDataGetLength(der_data));

- return true;

+ ParsePrincipalValues(x509_name, NID_streetAddress,

+ &principal->street_addresses);

+ ParsePrincipalValues(x509_name, NID_organizationName,

+ &principal->organization_names);

+ ParsePrincipalValues(x509_name, NID_organizationalUnitName,

+ &principal->organization_unit_names);

+ ParsePrincipalValues(x509_name, NID_domainComponent,

+ &principal->domain_components);

-// static

-bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,

- X509Certificate::OSCertHandle b) {

- DCHECK(a && b);

- if (a == b)

- return true;

- if (CFEqual(a, b))

- return true;

- ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a));

- ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b));

- return a_data && b_data &&

- CFDataGetLength(a_data) == CFDataGetLength(b_data) &&

- memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data),

- CFDataGetLength(a_data)) == 0;

+ x509_util::ParsePrincipalValueByNID(x509_name, NID_commonName,

+ &principal->common_name);

+ x509_util::ParsePrincipalValueByNID(x509_name, NID_localityName,

+ &principal->locality_name);

+ x509_util::ParsePrincipalValueByNID(x509_name, NID_stateOrProvinceName,

+ &principal->state_or_province_name);

+ x509_util::ParsePrincipalValueByNID(x509_name, NID_countryName,

+ &principal->country_name);

}

-// static

-X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(

- const char* data,

- size_t length) {

- ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(

- kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),

- base::checked_cast<CFIndex>(length), kCFAllocatorNull));

- if (!cert_data)

- return nullptr;

- OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data);

- if (!cert_handle)

- return nullptr;

- if (!IsValidOSCertHandle(cert_handle)) {

- CFRelease(cert_handle);

- return nullptr;

+void ParseSubjectAltName(X509Certificate::OSCertHandle os_cert,

+ std::vector<std::string>* dns_names,

+ std::vector<std::string>* ip_addresses) {

+ DCHECK(dns_names || ip_addresses);

+ ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);

+ if (!cert.get())

+ return;

+ int index = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1);

+ X509_EXTENSION* alt_name_ext = X509_get_ext(cert.get(), index);

+ if (!alt_name_ext)

+ return;

+ ScopedGENERAL_NAMES alt_names(

+ reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext)));

+ if (!alt_names.get())

+ return;

+ for (size_t i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) {

+ const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i);

+ if (name->type == GEN_DNS && dns_names) {

+ const unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName);

+ if (!dns_name)

+ continue;

+ int dns_name_len = ASN1_STRING_length(name->d.dNSName);

+ dns_names->push_back(

+ std::string(reinterpret_cast<const char*>(dns_name), dns_name_len));

+ } else if (name->type == GEN_IPADD && ip_addresses) {

+ const unsigned char* ip_addr = name->d.iPAddress->data;

+ if (!ip_addr)

+ continue;

+ int ip_addr_len = name->d.iPAddress->length;

+ if (ip_addr_len != static_cast<int>(kIPv4AddressSize) &&

+ ip_addr_len != static_cast<int>(kIPv6AddressSize)) {

+ // http://www.ietf.org/rfc/rfc3280.txt requires subjectAltName iPAddress

+ // to have 4 or 16 bytes, whereas in a name constraint it includes a

+ // net mask hence 8 or 32 bytes. Logging to help diagnose any mixup.

+ LOG(WARNING) << "Bad sized IP Address in cert: " << ip_addr_len;

+ continue;

+ }

+ ip_addresses->push_back(

+ std::string(reinterpret_cast<const char*>(ip_addr), ip_addr_len));

+ }

}

- return cert_handle;

}

-// static

-X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(

- const char* data,

- size_t length,

- Format format) {

- return x509_util::CreateOSCertHandlesFromBytes(data, length, format);

+// Used to free a list of X509_NAMEs and the objects it points to.

+void sk_X509_NAME_free_all(STACK_OF(X509_NAME) * sk) {

+ sk_X509_NAME_pop_free(sk, X509_NAME_free);

}

+} // namespace

// static

X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(

OSCertHandle handle) {

if (!handle)

- return NULL;

+ return nullptr;

return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));

}

@@ -171,9 +171,37 @@ void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {

CFRelease(cert_handle);

}

+void X509Certificate::Initialize() {

+ crypto::EnsureOpenSSLInit();

+ fingerprint_ = CalculateFingerprint(cert_handle_);

+ ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);

+ ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);

+ if (!x509_cert)

+ return;

+ ASN1_INTEGER* serial_num = X509_get_serialNumber(x509_cert.get());

+ if (serial_num) {

+ // ASN1_INTEGERS represent the decoded number, in a format internal to

+ // OpenSSL. Most notably, this may have leading zeroes stripped off for

+ // numbers whose first byte is >= 0x80. Thus, it is necessary to

+ // re-encoded the integer back into DER, which is what the interface

+ // of X509Certificate exposes, to ensure callers get the proper (DER)

+ // value.

+ int bytes_required = i2c_ASN1_INTEGER(serial_num, nullptr);

+ unsigned char* buffer = reinterpret_cast<unsigned char*>(

+ base::WriteInto(&serial_number_, bytes_required + 1));

+ int bytes_written = i2c_ASN1_INTEGER(serial_num, &buffer);

+ DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size());

+ }

+ ParsePrincipal(cert_handle_, X509_get_subject_name(x509_cert.get()),

+ &subject_);

+ ParsePrincipal(cert_handle_, X509_get_issuer_name(x509_cert.get()), &issuer_);

+ x509_util::ParseDate(X509_get_notBefore(x509_cert.get()), &valid_start_);

+ x509_util::ParseDate(X509_get_notAfter(x509_cert.get()), &valid_expiry_);

// static

-SHA1HashValue X509Certificate::CalculateFingerprint(

- OSCertHandle cert) {

+SHA1HashValue X509Certificate::CalculateFingerprint(OSCertHandle cert) {

SHA1HashValue sha1;

memset(sha1.data, 0, sizeof(sha1.data));

@@ -197,8 +225,8 @@ SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {

return sha256;

DCHECK(CFDataGetBytePtr(cert_data));

DCHECK_NE(0, CFDataGetLength(cert_data));

- CC_SHA256(

- CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha256.data);

+ CC_SHA256(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data),

+ sha256.data);

return sha256;

}

@@ -209,17 +237,14 @@ SHA1HashValue X509Certificate::CalculateCAFingerprint(

SHA1HashValue sha1;

memset(sha1.data, 0, sizeof(sha1.data));

- // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so

- // we don't check their return values.

CC_SHA1_CTX sha1_ctx;

CC_SHA1_Init(&sha1_ctx);

for (size_t i = 0; i < intermediates.size(); ++i) {

- ScopedCFTypeRef<CFDataRef>

- cert_data(SecCertificateCopyData(intermediates[i]));

+ ScopedCFTypeRef<CFDataRef> cert_data(

+ SecCertificateCopyData(intermediates[i]));

if (!cert_data)

return sha1;

- CC_SHA1_Update(&sha1_ctx,

- CFDataGetBytePtr(cert_data),

+ CC_SHA1_Update(&sha1_ctx, CFDataGetBytePtr(cert_data),

CFDataGetLength(cert_data));

}

CC_SHA1_Final(sha1.data, &sha1_ctx);

@@ -227,9 +252,93 @@ SHA1HashValue X509Certificate::CalculateCAFingerprint(

}

// static

+X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(

+ const char* data,

+ size_t length) {

+ ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(

+ kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),

+ base::checked_cast<CFIndex>(length), kCFAllocatorNull));

+ if (!cert_data)

+ return nullptr;

+ OSCertHandle cert_handle = SecCertificateCreateWithData(nullptr, cert_data);

+ if (!cert_handle)

+ return nullptr;

+ if (!IsValidOSCertHandle(cert_handle)) {

+ CFRelease(cert_handle);

+ return nullptr;

+ }

+ return cert_handle;

+// static

+X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(

+ const char* data,

+ size_t length,

+ Format format) {

+ OSCertHandles results;

+ switch (format) {

+ case FORMAT_SINGLE_CERTIFICATE: {

+ OSCertHandle handle =

+ X509Certificate::CreateOSCertHandleFromBytes(data, length);

+ if (handle)

+ results.push_back(handle);

+ break;

+ }

+ case FORMAT_PKCS7: {

+ CreateOSCertHandlesFromPKCS7Bytes(data, length, &results);

+ break;

+ }

+ default: {

+ NOTREACHED() << "Certificate format " << format << " unimplemented";

+ break;

+ }

+ return results;

+void X509Certificate::GetSubjectAltName(

+ std::vector<std::string>* dns_names,

+ std::vector<std::string>* ip_addrs) const {

+ if (dns_names)

+ dns_names->clear();

+ if (ip_addrs)

+ ip_addrs->clear();

+ ParseSubjectAltName(cert_handle_, dns_names, ip_addrs);

+// static

+bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,

+ std::string* encoded) {

+ base::StringPiece der;

+ if (!cert_handle)

+ return false;

+ ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));

+ if (!der_data)

+ return false;

+ encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),

+ CFDataGetLength(der_data));

+ return true;

+// static

+bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,

+ X509Certificate::OSCertHandle b) {

+ DCHECK(a && b);

+ return CFEqual(a, b);

+// static

X509Certificate::OSCertHandle X509Certificate::ReadOSCertHandleFromPickle(

base::PickleIterator* pickle_iter) {

- return x509_util::ReadOSCertHandleFromPickle(pickle_iter);

+ const char* data;

+ int length;

+ if (!pickle_iter->ReadData(&data, &length))

+ return nullptr;

+ return X509Certificate::CreateOSCertHandleFromBytes(data, length);

}

// static

@@ -245,22 +354,121 @@ bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,

}

// static

-void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,

+void X509Certificate::GetPublicKeyInfo(OSCertHandle os_cert,

size_t* size_bits,

PublicKeyType* type) {

- x509_util_ios::NSSCertificate nss_cert(cert_handle);

- x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);

+ *type = kPublicKeyTypeUnknown;

+ *size_bits = 0;

+ ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);

+ if (!cert)

+ return;

+ crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));

+ if (!scoped_key)

+ return;

+ EVP_PKEY* key = scoped_key.get();

+ switch (key->type) {

+ case EVP_PKEY_RSA:

+ *type = kPublicKeyTypeRSA;

+ break;

+ case EVP_PKEY_DSA:

+ *type = kPublicKeyTypeDSA;

+ break;

+ case EVP_PKEY_EC:

+ *type = kPublicKeyTypeECDSA;

+ break;

+ case EVP_PKEY_DH:

+ *type = kPublicKeyTypeDH;

+ break;

+ }

+ *size_bits = EVP_PKEY_bits(key);

+bool X509Certificate::SupportsSSLClientAuth() const {

+ return false;

+CFMutableArrayRef X509Certificate::CreateOSCertChainForCert() const {

+ CFMutableArrayRef cert_list =

+ CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);

+ if (!cert_list)

+ return nullptr;

+ CFArrayAppendValue(cert_list, os_cert_handle());

+ for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i)

+ CFArrayAppendValue(cert_list, intermediate_ca_certs_[i]);

+ return cert_list;

+bool X509Certificate::IsIssuedByEncoded(

+ const std::vector<std::string>& valid_issuers) {

+ if (valid_issuers.empty())

+ return false;

+ // Convert to a temporary list of X509_NAME objects.

+ // It will own the objects it points to.

+ crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>

+ issuer_names(sk_X509_NAME_new_null());

+ if (!issuer_names)

+ return false;

+ for (std::vector<std::string>::const_iterator it = valid_issuers.begin();

+ it != valid_issuers.end(); ++it) {

+ const unsigned char* p = reinterpret_cast<const unsigned char*>(it->data());

+ long len = static_cast<long>(it->length());

+ X509_NAME* ca_name = d2i_X509_NAME(nullptr, &p, len);

+ if (ca_name == nullptr)

+ return false;

+ sk_X509_NAME_push(issuer_names.get(), ca_name);

+ }

+ ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);

+ if (!x509_cert)

+ return false;

+ X509_NAME* cert_issuer = X509_get_issuer_name(x509_cert.get());

+ if (cert_issuer == nullptr)

+ return false;

+ for (size_t m = 0; m < sk_X509_NAME_num(issuer_names.get()); ++m) {

+ X509_NAME* issuer = sk_X509_NAME_value(issuer_names.get(), m);

+ if (X509_NAME_cmp(issuer, cert_issuer) == 0) {

+ return true;

+ }

+ for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();

+ it != intermediate_ca_certs_.end(); ++it) {

+ ScopedX509 intermediate_cert = OSCertHandleToOpenSSL(*it);

+ if (!intermediate_cert)

+ return false;

+ cert_issuer = X509_get_issuer_name(intermediate_cert.get());

+ if (cert_issuer == nullptr)

+ return false;

+ for (size_t m = 0; m < sk_X509_NAME_num(issuer_names.get()); ++m) {

+ X509_NAME* issuer = sk_X509_NAME_value(issuer_names.get(), m);

+ if (X509_NAME_cmp(issuer, cert_issuer) == 0) {

+ return true;

+ }

+ return false;

}

// static

-bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {

- x509_util_ios::NSSCertificate nss_cert(cert_handle);

- crypto::ScopedSECKEYPublicKey public_key(

- CERT_ExtractPublicKey(nss_cert.cert_handle()));

- if (!public_key.get())

+bool X509Certificate::IsSelfSigned(OSCertHandle os_cert) {

+ ScopedX509 cert = OSCertHandleToOpenSSL(os_cert);

+ if (!cert)

return false;

- return SECSuccess == CERT_VerifySignedDataWithPublicKey(

- &nss_cert.cert_handle()->signatureWrap, public_key.get(), NULL);

+ crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));

+ if (!scoped_key)

+ return false;

+ // NOTE: X509_verify() returns 1 in case of success, 0 or -1 on error.

+ return X509_verify(cert.get(), scoped_key.get()) == 1;

}

} // namespace net

« net/cert/test_root_certs_unittest.cc ('K') | « net/cert/test_root_certs_unittest.cc ('k') | net/cert/x509_certificate_openssl_ios.cc » ('j') | net/cert/x509_util_nss.cc » ('J')