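--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,10 +1,10 @@
 // Copyright (c) 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <Security/Security.h>
 
 #include <openssl/x509.h>
@@ -166,96 +166,79 @@
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   if (cert_handle)
     CFRelease(cert_handle);
 }
 
 void X509Certificate::Initialize() {
   crypto::EnsureOpenSSLInit();
-  fingerprint_ = CalculateFingerprint(cert_handle_);
-  ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
   ScopedX509 x509_cert = OSCertHandleToOpenSSL(cert_handle_);
   if (!x509_cert)
     return;
   ASN1_INTEGER* serial_num = X509_get_serialNumber(x509_cert.get());
   if (serial_num) {
     // ASN1_INTEGERS represent the decoded number, in a format internal to
     // OpenSSL. Most notably, this may have leading zeroes stripped off for
     // numbers whose first byte is >= 0x80. Thus, it is necessary to
     // re-encoded the integer back into DER, which is what the interface
     // of X509Certificate exposes, to ensure callers get the proper (DER)
     // value.
     int bytes_required = i2c_ASN1_INTEGER(serial_num, nullptr);
     unsigned char* buffer = reinterpret_cast<unsigned char*>(
         base::WriteInto(&serial_number_, bytes_required + 1));
     int bytes_written = i2c_ASN1_INTEGER(serial_num, &buffer);
     DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size());
   }
 
   ParsePrincipal(cert_handle_, X509_get_subject_name(x509_cert.get()),
                  &subject_);
   ParsePrincipal(cert_handle_, X509_get_issuer_name(x509_cert.get()), &issuer_);
   x509_util::ParseDate(X509_get_notBefore(x509_cert.get()), &valid_start_);
   x509_util::ParseDate(X509_get_notAfter(x509_cert.get()), &valid_expiry_);
 }
 
 // static
-SHA1HashValue X509Certificate::CalculateFingerprint(OSCertHandle cert) {
-  SHA1HashValue sha1;
-  memset(sha1.data, 0, sizeof(sha1.data));
-
-  ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
-  if (!cert_data)
-    return sha1;
-  DCHECK(CFDataGetBytePtr(cert_data));
-  DCHECK_NE(0, CFDataGetLength(cert_data));
-  CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data);
-
-  return sha1;
-}
-
-// static
 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
   SHA256HashValue sha256;
   memset(sha256.data, 0, sizeof(sha256.data));
 
   ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
   if (!cert_data)
     return sha256;
   DCHECK(CFDataGetBytePtr(cert_data));
   DCHECK_NE(0, CFDataGetLength(cert_data));
   CC_SHA256(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data),
             sha256.data);
 
   return sha256;
 }
 
 // static
-SHA1HashValue X509Certificate::CalculateCAFingerprint(
+SHA256HashValue X509Certificate::CalculateCAFingerprint256(
     const OSCertHandles& intermediates) {
-  SHA1HashValue sha1;
-  memset(sha1.data, 0, sizeof(sha1.data));
+  SHA256HashValue sha256;
+  memset(sha256.data, 0, sizeof(sha256.data));
 
-  CC_SHA1_CTX sha1_ctx;
-  CC_SHA1_Init(&sha1_ctx);
+  CC_SHA256_CTX sha256_ctx;
+  CC_SHA256_Init(&sha256_ctx);
   for (size_t i = 0; i < intermediates.size(); ++i) {
     ScopedCFTypeRef<CFDataRef> cert_data(
         SecCertificateCopyData(intermediates[i]));
     if (!cert_data)
-      return sha1;
-    CC_SHA1_Update(&sha1_ctx, CFDataGetBytePtr(cert_data),
+      return sha256;
+    CC_SHA256_Update(&sha256_ctx, CFDataGetBytePtr(cert_data),
                    CFDataGetLength(cert_data));
   }
-  CC_SHA1_Final(sha1.data, &sha1_ctx);
-  return sha1;
+  CC_SHA256_Final(sha256.data, &sha256_ctx);
+  return sha256;
 }
 
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data,
     size_t length) {
   ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(
       kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),
       base::checked_cast<CFIndex>(length), kCFAllocatorNull));
   if (!cert_data)
@@ -465,10 +448,10 @@
     return false;
   crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));
   if (!scoped_key)
     return false;
   if (!X509_verify(cert.get(), scoped_key.get()))
     return false;
   return X509_check_issued(cert.get(), cert.get()) == X509_V_OK;
 }
 
 }  // namespace net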
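Review bot: In CalculateFingerprint256 and the new CalculateCAFingerprint256, the CFIndex returned by CFDataGetLength() is passed directly as the length argument of CC_SHA256 / CC_SHA256_Update, which take the 32-bit CC_LONG, so the conversion narrows silently; the file already guards the same kind of conversion in CreateOSCertHandleFromBytes with base::checked_cast<CFIndex>(length), and the same form fits here, e.g. `CC_SHA256(CFDataGetBytePtr(cert_data), base::checked_cast<CC_LONG>(CFDataGetLength(cert_data)), sha256.data);`. Both functions also return an all-zero SHA256HashValue when SecCertificateCopyData fails (the `return sha256;` early exits), so a caller that compares two fingerprints cannot distinguish "computation failed" from "identical certificate"; this predates the commit but deserves a comment on those return paths, e.g. `// All-zero digest means the certificate bytes could not be copied; callers must not treat two zero digests as a match.` Initialize() no longer computes any fingerprint after the two removed assignments, so the SHA-256 digest presumably is now produced elsewhere — worth confirming that the header declarations and every caller of the removed CalculateFingerprint/CalculateCAFingerprint were updated in the same change, since that part is outside this diff. The two functions at the start and end of the last hunk (the one ending at FreeOSCertHandle and the self-signed check) begin outside the shown lines.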