1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
11 #include <vector> | 11 #include <vector> |
12 | 12 |
13 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
14 #include "base/logging.h" | 14 #include "base/logging.h" |
15 #include "base/mac/mac_logging.h" | 15 #include "base/mac/mac_logging.h" |
16 #include "base/mac/scoped_cftyperef.h" | 16 #include "base/mac/scoped_cftyperef.h" |
17 #include "base/memory/singleton.h" | 17 #include "base/memory/singleton.h" |
18 #include "base/pickle.h" | 18 #include "base/pickle.h" |
19 #include "base/sha1.h" | |
20 #include "base/strings/string_piece.h" | 19 #include "base/strings/string_piece.h" |
21 #include "base/strings/sys_string_conversions.h" | 20 #include "base/strings/sys_string_conversions.h" |
22 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
23 #include "crypto/cssm_init.h" | 22 #include "crypto/cssm_init.h" |
24 #include "crypto/mac_security_services_lock.h" | 23 #include "crypto/mac_security_services_lock.h" |
25 #include "net/cert/x509_util_mac.h" | 24 #include "net/cert/x509_util_mac.h" |
26 | 25 |
27 using base::ScopedCFTypeRef; | 26 using base::ScopedCFTypeRef; |
28 using base::Time; | 27 using base::Time; |
29 | 28 |
209 GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd, | 208 GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd, |
210 &subject_); | 209 &subject_); |
211 GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd, | 210 GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd, |
212 &issuer_); | 211 &issuer_); |
213 GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore, | 212 GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore, |
214 &valid_start_); | 213 &valid_start_); |
215 GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter, | 214 GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter, |
216 &valid_expiry_); | 215 &valid_expiry_); |
217 serial_number_ = GetCertSerialNumber(cached_cert); | 216 serial_number_ = GetCertSerialNumber(cached_cert); |
218 } | 217 } |
219 | |
220 fingerprint_ = CalculateFingerprint(cert_handle_); | |
221 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_); | |
222 } | 218 } |
223 | 219 |
224 bool X509Certificate::IsIssuedByEncoded( | 220 bool X509Certificate::IsIssuedByEncoded( |
225 const std::vector<std::string>& valid_issuers) { | 221 const std::vector<std::string>& valid_issuers) { |
226 if (IsCertIssuerInEncodedList(cert_handle_, valid_issuers)) | 222 if (IsCertIssuerInEncodedList(cert_handle_, valid_issuers)) |
227 return true; | 223 return true; |
228 | 224 |
229 for (OSCertHandles::iterator it = intermediate_ca_certs_.begin(); | 225 for (OSCertHandles::iterator it = intermediate_ca_certs_.begin(); |
230 it != intermediate_ca_certs_.end(); ++it) { | 226 it != intermediate_ca_certs_.end(); ++it) { |
231 if (IsCertIssuerInEncodedList(*it, valid_issuers)) | 227 if (IsCertIssuerInEncodedList(*it, valid_issuers)) |
356 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); | 352 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle))); |
357 } | 353 } |
358 | 354 |
359 // static | 355 // static |
360 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { | 356 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { |
361 if (cert_handle) | 357 if (cert_handle) |
362 CFRelease(cert_handle); | 358 CFRelease(cert_handle); |
363 } | 359 } |
364 | 360 |
365 // static | 361 // static |
366 SHA1HashValue X509Certificate::CalculateFingerprint( | |
367 OSCertHandle cert) { | |
368 SHA1HashValue sha1; | |
369 memset(sha1.data, 0, sizeof(sha1.data)); | |
370 | |
371 CSSM_DATA cert_data; | |
372 OSStatus status = SecCertificateGetData(cert, &cert_data); | |
373 if (status) | |
374 return sha1; | |
375 | |
376 DCHECK(cert_data.Data); | |
377 DCHECK_NE(cert_data.Length, 0U); | |
378 | |
379 CC_SHA1(cert_data.Data, cert_data.Length, sha1.data); | |
380 | |
381 return sha1; | |
382 } | |
383 | |
384 // static | |
385 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { | 362 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { |
386 SHA256HashValue sha256; | 363 SHA256HashValue sha256; |
387 memset(sha256.data, 0, sizeof(sha256.data)); | 364 memset(sha256.data, 0, sizeof(sha256.data)); |
388 | 365 |
389 CSSM_DATA cert_data; | 366 CSSM_DATA cert_data; |
390 OSStatus status = SecCertificateGetData(cert, &cert_data); | 367 OSStatus status = SecCertificateGetData(cert, &cert_data); |
391 if (status) | 368 if (status) |
392 return sha256; | 369 return sha256; |
393 | 370 |
394 DCHECK(cert_data.Data); | 371 DCHECK(cert_data.Data); |
395 DCHECK_NE(cert_data.Length, 0U); | 372 DCHECK_NE(cert_data.Length, 0U); |
396 | 373 |
397 CC_SHA256(cert_data.Data, cert_data.Length, sha256.data); | 374 CC_SHA256(cert_data.Data, cert_data.Length, sha256.data); |
398 | 375 |
399 return sha256; | 376 return sha256; |
400 } | 377 } |
401 | 378 |
402 // static | 379 // static |
403 SHA1HashValue X509Certificate::CalculateCAFingerprint( | 380 SHA256HashValue X509Certificate::CalculateCAFingerprint256( |
404 const OSCertHandles& intermediates) { | 381 const OSCertHandles& intermediates) { |
405 SHA1HashValue sha1; | 382 SHA256HashValue sha256; |
406 memset(sha1.data, 0, sizeof(sha1.data)); | 383 memset(sha256.data, 0, sizeof(sha256.data)); |
407 | 384 |
408 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so | 385 // The CC_SHA(3cc) man page says all CC_SHA256_xxx routines return 1, so |
409 // we don't check their return values. | 386 // we don't check their return values. |
410 CC_SHA1_CTX sha1_ctx; | 387 CC_SHA256_CTX sha256_ctx; |
411 CC_SHA1_Init(&sha1_ctx); | 388 CC_SHA256_Init(&sha256_ctx); |
412 CSSM_DATA cert_data; | 389 CSSM_DATA cert_data; |
413 for (size_t i = 0; i < intermediates.size(); ++i) { | 390 for (size_t i = 0; i < intermediates.size(); ++i) { |
414 OSStatus status = SecCertificateGetData(intermediates[i], &cert_data); | 391 OSStatus status = SecCertificateGetData(intermediates[i], &cert_data); |
415 if (status) | 392 if (status) |
416 return sha1; | 393 return sha256; |
417 CC_SHA1_Update(&sha1_ctx, cert_data.Data, cert_data.Length); | 394 CC_SHA256_Update(&sha256_ctx, cert_data.Data, cert_data.Length); |
418 } | 395 } |
419 CC_SHA1_Final(sha1.data, &sha1_ctx); | 396 CC_SHA256_Final(sha256.data, &sha256_ctx); |
420 | 397 |
421 return sha1; | 398 return sha256; |
422 } | 399 } |
423 | 400 |
424 bool X509Certificate::SupportsSSLClientAuth() const { | 401 bool X509Certificate::SupportsSSLClientAuth() const { |
425 x509_util::CSSMCachedCertificate cached_cert; | 402 x509_util::CSSMCachedCertificate cached_cert; |
426 OSStatus status = cached_cert.Init(cert_handle_); | 403 OSStatus status = cached_cert.Init(cert_handle_); |
427 if (status) | 404 if (status) |
428 return false; | 405 return false; |
429 | 406 |
430 // RFC5280 says to take the intersection of the two extensions. | 407 // RFC5280 says to take the intersection of the two extensions. |
431 // | 408 // |
574 return false; | 551 return false; |
575 | 552 |
576 if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0)) | 553 if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0)) |
577 return false; | 554 return false; |
578 return true; | 555 return true; |
579 } | 556 } |
580 | 557 |
581 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 558 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
582 | 559 |
583 } // namespace net | 560 } // namespace net |
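Review bot: CalculateCAFingerprint256 (new lines 380-399) returns the zero-initialised digest as soon as SecCertificateGetData fails on any intermediate, so a chain whose DER data cannot be read yields the same all-zero value regardless of its contents, and a caller comparing or caching CA fingerprints cannot tell that apart from a real digest unless it explicitly checks for zeros; whether any caller does so is not visible here. Since the function is static and its return type has no failure slot, the least-invasive fix is to document the sentinel next to the `memset`, e.g. `// An all-zero digest is returned if any intermediate's DER data cannot be read.`, and to keep this variant consistent with CalculateFingerprint256 by adding the same `DCHECK(cert_data.Data);` and `DCHECK_NE(cert_data.Length, 0U);` before the `CC_SHA256_Update` call. Separately, `cert_data.Length` is passed straight to CC_SHA256_Update, whose length parameter is CC_LONG (32-bit); if CSSM_SIZE is 64-bit on this build the narrowing is implicit and silent — not reachable with real certificates, but a `static_cast<CC_LONG>(cert_data.Length)` would make the assumption explicit, and the same applies to the unchanged CalculateFingerprint256 above it.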