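--- a/(path not shown on page)
+++ b/(path not shown on page)
@@ -1,29 +1,28 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/memory/singleton.h"
 #include "base/pickle.h"
-#include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/synchronization/lock.h"
 #include "crypto/cssm_init.h"
 #include "crypto/mac_security_services_lock.h"
 #include "net/cert/x509_util_mac.h"
 
 using base::ScopedCFTypeRef;
 using base::Time;
 
@@ -209,23 +208,20 @@
 GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd,
 &subject_);
 GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd,
 &issuer_);
 GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore,
 &valid_start_);
 GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter,
 &valid_expiry_);
 serial_number_ = GetCertSerialNumber(cached_cert);
 }
-
-fingerprint_ = CalculateFingerprint(cert_handle_);
-ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
 }
 
 bool X509Certificate::IsIssuedByEncoded(
 const std::vector<std::string>& valid_issuers) {
 if (IsCertIssuerInEncodedList(cert_handle_, valid_issuers))
 return true;
 
 for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
 it != intermediate_ca_certs_.end(); ++it) {
 if (IsCertIssuerInEncodedList(*it, valid_issuers))
@@ -356,76 +352,57 @@
 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
 if (cert_handle)
 CFRelease(cert_handle);
 }
 
 // static
-SHA1HashValue X509Certificate::CalculateFingerprint(
-OSCertHandle cert) {
-SHA1HashValue sha1;
-memset(sha1.data, 0, sizeof(sha1.data));
-
-CSSM_DATA cert_data;
-OSStatus status = SecCertificateGetData(cert, &cert_data);
-if (status)
-return sha1;
-
-DCHECK(cert_data.Data);
-DCHECK_NE(cert_data.Length, 0U);
-
-CC_SHA1(cert_data.Data, cert_data.Length, sha1.data);
-
-return sha1;
-}
-
-// static
 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
 SHA256HashValue sha256;
 memset(sha256.data, 0, sizeof(sha256.data));
 
 CSSM_DATA cert_data;
 OSStatus status = SecCertificateGetData(cert, &cert_data);
 if (status)
 return sha256;
 
 DCHECK(cert_data.Data);
 DCHECK_NE(cert_data.Length, 0U);
 
 CC_SHA256(cert_data.Data, cert_data.Length, sha256.data);
 
 return sha256;
 }
 
 // static
-SHA1HashValue X509Certificate::CalculateCAFingerprint(
+SHA256HashValue X509Certificate::CalculateCAFingerprint256(
 const OSCertHandles& intermediates) {
-SHA1HashValue sha1;
-memset(sha1.data, 0, sizeof(sha1.data));
+SHA256HashValue sha256;
+memset(sha256.data, 0, sizeof(sha256.data));
 
-// The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so
+// The CC_SHA(3cc) man page says all CC_SHA256_xxx routines return 1, so
 // we don't check their return values.
-CC_SHA1_CTX sha1_ctx;
-CC_SHA1_Init(&sha1_ctx);
+CC_SHA256_CTX sha256_ctx;
+CC_SHA256_Init(&sha256_ctx);
 CSSM_DATA cert_data;
 for (size_t i = 0; i < intermediates.size(); ++i) {
 OSStatus status = SecCertificateGetData(intermediates[i], &cert_data);
 if (status)
-return sha1;
-CC_SHA1_Update(&sha1_ctx, cert_data.Data, cert_data.Length);
+return sha256;
+CC_SHA256_Update(&sha256_ctx, cert_data.Data, cert_data.Length);
 }
-CC_SHA1_Final(sha1.data, &sha1_ctx);
+CC_SHA256_Final(sha256.data, &sha256_ctx);
 
-return sha1;
+return sha256;
 }
 
 bool X509Certificate::SupportsSSLClientAuth() const {
 x509_util::CSSMCachedCertificate cached_cert;
 OSStatus status = cached_cert.Init(cert_handle_);
 if (status)
 return false;
 
 // RFC5280 says to take the intersection of the two extensions.
 //
@@ -574,10 +551,10 @@
 return false;
 
 if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0))
 return false;
 return true;
 }
 
 #pragma clang diagnostic pop // "-Wdeprecated-declarations"
 
 } // namespace net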
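Review bot: In the new CalculateCAFingerprint256 the early `return sha256;` inside the loop hands back the still-zeroed buffer whenever SecCertificateGetData fails for any intermediate, so a caller cannot distinguish a read failure from a computed digest and a partially hashed chain silently collapses to all zeros; CalculateFingerprint256 directly above has the same shape. The behaviour is inherited from the SHA-1 versions this commit deletes, but now that the SHA-256 path is the only one it is worth documenting the sentinel on both functions, e.g. `// Returns an all-zero hash if the DER data of any certificate cannot be read.` above each signature. The removal of the `fingerprint_` and `ca_fingerprint_` assignments from Initialize() presumably moves that computation elsewhere, which is not visible in this section; Initialize() itself starts outside the shown lines.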