1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
8 #include <openssl/bytestring.h> | 8 #include <openssl/bytestring.h> |
9 #include <openssl/crypto.h> | 9 #include <openssl/crypto.h> |
10 #include <openssl/obj_mac.h> | 10 #include <openssl/obj_mac.h> |
186 // static | 186 // static |
187 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { | 187 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { |
188 // Decrement the ref-count for the cert and, if all references are gone, | 188 // Decrement the ref-count for the cert and, if all references are gone, |
189 // free the memory and any application-specific data associated with the | 189 // free the memory and any application-specific data associated with the |
190 // certificate. | 190 // certificate. |
191 X509_free(cert_handle); | 191 X509_free(cert_handle); |
192 } | 192 } |
193 | 193 |
194 void X509Certificate::Initialize() { | 194 void X509Certificate::Initialize() { |
195 crypto::EnsureOpenSSLInit(); | 195 crypto::EnsureOpenSSLInit(); |
196 fingerprint_ = CalculateFingerprint(cert_handle_); | |
197 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_); | |
198 | 196 |
199 ASN1_INTEGER* serial_num = X509_get_serialNumber(cert_handle_); | 197 ASN1_INTEGER* serial_num = X509_get_serialNumber(cert_handle_); |
200 if (serial_num) { | 198 if (serial_num) { |
201 // ASN1_INTEGERS represent the decoded number, in a format internal to | 199 // ASN1_INTEGERS represent the decoded number, in a format internal to |
202 // OpenSSL. Most notably, this may have leading zeroes stripped off for | 200 // OpenSSL. Most notably, this may have leading zeroes stripped off for |
203 // numbers whose first byte is >= 0x80. Thus, it is necessary to | 201 // numbers whose first byte is >= 0x80. Thus, it is necessary to |
204 // re-encoded the integer back into DER, which is what the interface | 202 // re-encoded the integer back into DER, which is what the interface |
205 // of X509Certificate exposes, to ensure callers get the proper (DER) | 203 // of X509Certificate exposes, to ensure callers get the proper (DER) |
206 // value. | 204 // value. |
207 int bytes_required = i2c_ASN1_INTEGER(serial_num, NULL); | 205 int bytes_required = i2c_ASN1_INTEGER(serial_num, NULL); |
208 unsigned char* buffer = reinterpret_cast<unsigned char*>( | 206 unsigned char* buffer = reinterpret_cast<unsigned char*>( |
209 base::WriteInto(&serial_number_, bytes_required + 1)); | 207 base::WriteInto(&serial_number_, bytes_required + 1)); |
210 int bytes_written = i2c_ASN1_INTEGER(serial_num, &buffer); | 208 int bytes_written = i2c_ASN1_INTEGER(serial_num, &buffer); |
211 DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size()); | 209 DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size()); |
212 } | 210 } |
213 | 211 |
214 ParsePrincipal(cert_handle_, X509_get_subject_name(cert_handle_), &subject_); | 212 ParsePrincipal(cert_handle_, X509_get_subject_name(cert_handle_), &subject_); |
215 ParsePrincipal(cert_handle_, X509_get_issuer_name(cert_handle_), &issuer_); | 213 ParsePrincipal(cert_handle_, X509_get_issuer_name(cert_handle_), &issuer_); |
216 x509_util::ParseDate(X509_get_notBefore(cert_handle_), &valid_start_); | 214 x509_util::ParseDate(X509_get_notBefore(cert_handle_), &valid_start_); |
217 x509_util::ParseDate(X509_get_notAfter(cert_handle_), &valid_expiry_); | 215 x509_util::ParseDate(X509_get_notAfter(cert_handle_), &valid_expiry_); |
218 } | 216 } |
219 | 217 |
220 // static | 218 // static |
221 void X509Certificate::ResetCertStore() { | 219 void X509Certificate::ResetCertStore() { |
222 X509InitSingleton::GetInstance()->ResetCertStore(); | 220 X509InitSingleton::GetInstance()->ResetCertStore(); |
223 } | 221 } |
224 | 222 |
225 // static | 223 // static |
226 SHA1HashValue X509Certificate::CalculateFingerprint(OSCertHandle cert) { | |
227 SHA1HashValue sha1; | |
228 unsigned int sha1_size = static_cast<unsigned int>(sizeof(sha1.data)); | |
229 int ret = X509_digest(cert, EVP_sha1(), sha1.data, &sha1_size); | |
230 CHECK(ret); | |
231 CHECK_EQ(sha1_size, sizeof(sha1.data)); | |
232 return sha1; | |
233 } | |
234 | |
235 // static | |
236 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { | 224 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { |
237 SHA256HashValue sha256; | 225 SHA256HashValue sha256; |
238 unsigned int sha256_size = static_cast<unsigned int>(sizeof(sha256.data)); | 226 unsigned int sha256_size = static_cast<unsigned int>(sizeof(sha256.data)); |
239 int ret = X509_digest(cert, EVP_sha256(), sha256.data, &sha256_size); | 227 int ret = X509_digest(cert, EVP_sha256(), sha256.data, &sha256_size); |
240 CHECK(ret); | 228 CHECK(ret); |
241 CHECK_EQ(sha256_size, sizeof(sha256.data)); | 229 CHECK_EQ(sha256_size, sizeof(sha256.data)); |
242 return sha256; | 230 return sha256; |
243 } | 231 } |
244 | 232 |
245 // static | 233 // static |
246 SHA1HashValue X509Certificate::CalculateCAFingerprint( | 234 SHA256HashValue X509Certificate::CalculateCAFingerprint256( |
247 const OSCertHandles& intermediates) { | 235 const OSCertHandles& intermediates) { |
248 SHA1HashValue sha1; | 236 SHA256HashValue sha256; |
249 memset(sha1.data, 0, sizeof(sha1.data)); | 237 memset(sha256.data, 0, sizeof(sha256.data)); |
250 | 238 |
251 SHA_CTX sha1_ctx; | 239 SHA256_CTX sha256_ctx; |
252 SHA1_Init(&sha1_ctx); | 240 SHA256_Init(&sha256_ctx); |
253 base::StringPiece der; | 241 base::StringPiece der; |
254 for (size_t i = 0; i < intermediates.size(); ++i) { | 242 for (size_t i = 0; i < intermediates.size(); ++i) { |
255 if (!x509_util::GetDER(intermediates[i], &der)) | 243 if (!x509_util::GetDER(intermediates[i], &der)) |
256 return sha1; | 244 return sha256; |
257 SHA1_Update(&sha1_ctx, der.data(), der.length()); | 245 SHA256_Update(&sha256_ctx, der.data(), der.length()); |
258 } | 246 } |
259 SHA1_Final(sha1.data, &sha1_ctx); | 247 SHA256_Final(sha256.data, &sha256_ctx); |
260 | 248 |
261 return sha1; | 249 return sha256; |
262 } | 250 } |
263 | 251 |
264 // static | 252 // static |
265 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( | 253 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( |
266 const char* data, | 254 const char* data, |
267 size_t length) { | 255 size_t length) { |
268 crypto::EnsureOpenSSLInit(); | 256 crypto::EnsureOpenSSLInit(); |
269 const unsigned char* d2i_data = | 257 const unsigned char* d2i_data = |
270 reinterpret_cast<const unsigned char*>(data); | 258 reinterpret_cast<const unsigned char*>(data); |
271 // Don't cache this data for x509_util::GetDER as this wire format | 259 // Don't cache this data for x509_util::GetDER as this wire format |
455 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { | 443 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { |
456 crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); | 444 crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); |
457 if (!scoped_key) | 445 if (!scoped_key) |
458 return false; | 446 return false; |
459 if (!X509_verify(cert_handle, scoped_key.get())) | 447 if (!X509_verify(cert_handle, scoped_key.get())) |
460 return false; | 448 return false; |
461 return X509_check_issued(cert_handle, cert_handle) == X509_V_OK; | 449 return X509_check_issued(cert_handle, cert_handle) == X509_V_OK; |
462 } | 450 } |
463 | 451 |
464 } // namespace net | 452 } // namespace net |
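Review bot: CalculateCAFingerprint256 still hands back the memset-to-zero `sha256` when `x509_util::GetDER` fails for any intermediate (new lines 243–244), so a caller gets a value it cannot tell apart from a real digest except by comparing it against all zeros, and every chain that fails to encode collapses onto the same fingerprint. The SHA-1 version had the same shape, but since this is the point where the function is renamed, the sentinel should be stated where callers will read it; a suitable comment above the definition is `// Returns an all-zero hash if any intermediate cannot be DER-encoded; callers must not treat that value as a real digest.`. The `SHA256_Init`/`SHA256_Update`/`SHA256_Final` return values are also ignored, whereas `CalculateFingerprint256` a few lines above wraps `X509_digest` in `CHECK(ret)`; wrapping the three calls in `CHECK(...)` would make the two functions' failure handling consistent, assuming the project's OpenSSL build reports failure through those return values.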