| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
| 6 | 6 |
| 7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
| 8 #include <openssl/bytestring.h> | 8 #include <openssl/bytestring.h> |
| 9 #include <openssl/crypto.h> | 9 #include <openssl/crypto.h> |
| 10 #include <openssl/obj_mac.h> | 10 #include <openssl/obj_mac.h> |
| 11 #include <openssl/pem.h> | 11 #include <openssl/pem.h> |
| 12 #include <openssl/sha.h> | 12 #include <openssl/sha.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 #include <openssl/x509v3.h> | 14 #include <openssl/x509v3.h> |
| 15 | 15 |
| 16 #include "base/macros.h" | 16 #include "base/macros.h" |
| 17 #include "base/memory/singleton.h" | 17 #include "base/memory/singleton.h" |
| 18 #include "base/numerics/safe_conversions.h" | 18 #include "base/numerics/safe_conversions.h" |
| 19 #include "base/pickle.h" | 19 #include "base/pickle.h" |
| 20 #include "base/sha1.h" | 20 #include "base/sha1.h" |
| 21 #include "base/strings/string_number_conversions.h" | 21 #include "base/strings/string_number_conversions.h" |
| 22 #include "base/strings/string_piece.h" | 22 #include "base/strings/string_piece.h" |
| 23 #include "base/strings/string_util.h" | 23 #include "base/strings/string_util.h" |
| 24 #include "crypto/openssl_util.h" | 24 #include "crypto/openssl_util.h" |
| 25 #include "crypto/scoped_openssl_types.h" | |
| 26 #include "net/base/ip_address.h" | 25 #include "net/base/ip_address.h" |
| 27 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
| 28 #include "net/cert/x509_util_openssl.h" | 27 #include "net/cert/x509_util_openssl.h" |
| 29 | 28 |
| 30 #if defined(OS_ANDROID) | 29 #if defined(OS_ANDROID) |
| 31 #include "base/logging.h" | 30 #include "base/logging.h" |
| 32 #include "net/android/network_library.h" | 31 #include "net/android/network_library.h" |
| 33 #endif | 32 #endif |
| 34 | 33 |
| 35 namespace net { | 34 namespace net { |
| 36 | 35 |
| 37 namespace { | 36 namespace { |
| 38 | 37 |
| 39 using ScopedGENERAL_NAMES = | |
| 40 crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free>; | |
| 41 | |
| 42 void CreateOSCertHandlesFromPKCS7Bytes( | 38 void CreateOSCertHandlesFromPKCS7Bytes( |
| 43 const char* data, | 39 const char* data, |
| 44 size_t length, | 40 size_t length, |
| 45 X509Certificate::OSCertHandles* handles) { | 41 X509Certificate::OSCertHandles* handles) { |
| 46 crypto::EnsureOpenSSLInit(); | 42 crypto::EnsureOpenSSLInit(); |
| 47 crypto::OpenSSLErrStackTracer err_cleaner(FROM_HERE); | 43 crypto::OpenSSLErrStackTracer err_cleaner(FROM_HERE); |
| 48 | 44 |
| 49 CBS der_data; | 45 CBS der_data; |
| 50 CBS_init(&der_data, reinterpret_cast<const uint8_t*>(data), length); | 46 CBS_init(&der_data, reinterpret_cast<const uint8_t*>(data), length); |
| 51 STACK_OF(X509)* certs = sk_X509_new_null(); | 47 STACK_OF(X509)* certs = sk_X509_new_null(); |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 99 | 95 |
| 100 void ParseSubjectAltName(X509Certificate::OSCertHandle cert, | 96 void ParseSubjectAltName(X509Certificate::OSCertHandle cert, |
| 101 std::vector<std::string>* dns_names, | 97 std::vector<std::string>* dns_names, |
| 102 std::vector<std::string>* ip_addresses) { | 98 std::vector<std::string>* ip_addresses) { |
| 103 DCHECK(dns_names || ip_addresses); | 99 DCHECK(dns_names || ip_addresses); |
| 104 int index = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); | 100 int index = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); |
| 105 X509_EXTENSION* alt_name_ext = X509_get_ext(cert, index); | 101 X509_EXTENSION* alt_name_ext = X509_get_ext(cert, index); |
| 106 if (!alt_name_ext) | 102 if (!alt_name_ext) |
| 107 return; | 103 return; |
| 108 | 104 |
| 109 ScopedGENERAL_NAMES alt_names( | 105 bssl::UniquePtr<GENERAL_NAMES> alt_names( |
| 110 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); | 106 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(alt_name_ext))); |
| 111 if (!alt_names.get()) | 107 if (!alt_names.get()) |
| 112 return; | 108 return; |
| 113 | 109 |
| 114 for (size_t i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) { | 110 for (size_t i = 0; i < sk_GENERAL_NAME_num(alt_names.get()); ++i) { |
| 115 const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i); | 111 const GENERAL_NAME* name = sk_GENERAL_NAME_value(alt_names.get(), i); |
| 116 if (name->type == GEN_DNS && dns_names) { | 112 if (name->type == GEN_DNS && dns_names) { |
| 117 const unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName); | 113 const unsigned char* dns_name = ASN1_STRING_data(name->d.dNSName); |
| 118 if (!dns_name) | 114 if (!dns_name) |
| 119 continue; | 115 continue; |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 157 // TODO(joth): Enable CRL (see X509_STORE_set_flags(X509_V_FLAG_CRL_CHECK)). | 153 // TODO(joth): Enable CRL (see X509_STORE_set_flags(X509_V_FLAG_CRL_CHECK)). |
| 158 } | 154 } |
| 159 | 155 |
| 160 private: | 156 private: |
| 161 friend struct base::DefaultSingletonTraits<X509InitSingleton>; | 157 friend struct base::DefaultSingletonTraits<X509InitSingleton>; |
| 162 X509InitSingleton() { | 158 X509InitSingleton() { |
| 163 crypto::EnsureOpenSSLInit(); | 159 crypto::EnsureOpenSSLInit(); |
| 164 ResetCertStore(); | 160 ResetCertStore(); |
| 165 } | 161 } |
| 166 | 162 |
| 167 crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free> store_; | 163 bssl::UniquePtr<X509_STORE> store_; |
| 168 | 164 |
| 169 DISALLOW_COPY_AND_ASSIGN(X509InitSingleton); | 165 DISALLOW_COPY_AND_ASSIGN(X509InitSingleton); |
| 170 }; | 166 }; |
| 171 | 167 |
| 172 // Used to free a list of X509_NAMEs and the objects it points to. | |
| 173 void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) { | |
| 174 sk_X509_NAME_pop_free(sk, X509_NAME_free); | |
| 175 } | |
| 176 | |
| 177 } // namespace | 168 } // namespace |
| 178 | 169 |
| 179 // static | 170 // static |
| 180 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( | 171 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( |
| 181 OSCertHandle cert_handle) { | 172 OSCertHandle cert_handle) { |
| 182 DCHECK(cert_handle); | 173 DCHECK(cert_handle); |
| 183 X509_up_ref(cert_handle); | 174 X509_up_ref(cert_handle); |
| 184 return cert_handle; | 175 return cert_handle; |
| 185 } | 176 } |
| 186 | 177 |
| (...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 354 return pickle->WriteData(der.data(), der.length()); | 345 return pickle->WriteData(der.data(), der.length()); |
| 355 } | 346 } |
| 356 | 347 |
| 357 // static | 348 // static |
| 358 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, | 349 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, |
| 359 size_t* size_bits, | 350 size_t* size_bits, |
| 360 PublicKeyType* type) { | 351 PublicKeyType* type) { |
| 361 *type = kPublicKeyTypeUnknown; | 352 *type = kPublicKeyTypeUnknown; |
| 362 *size_bits = 0; | 353 *size_bits = 0; |
| 363 | 354 |
| 364 crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); | 355 bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert_handle)); |
| 365 if (!scoped_key.get()) | 356 if (!scoped_key.get()) |
| 366 return; | 357 return; |
| 367 | 358 |
| 368 CHECK(scoped_key.get()); | |
| 369 EVP_PKEY* key = scoped_key.get(); | 359 EVP_PKEY* key = scoped_key.get(); |
| 370 | 360 |
| 371 switch (key->type) { | 361 switch (key->type) { |
| 372 case EVP_PKEY_RSA: | 362 case EVP_PKEY_RSA: |
| 373 *type = kPublicKeyTypeRSA; | 363 *type = kPublicKeyTypeRSA; |
| 374 *size_bits = EVP_PKEY_size(key) * 8; | 364 *size_bits = EVP_PKEY_size(key) * 8; |
| 375 break; | 365 break; |
| 376 case EVP_PKEY_DSA: | 366 case EVP_PKEY_DSA: |
| 377 *type = kPublicKeyTypeDSA; | 367 *type = kPublicKeyTypeDSA; |
| 378 *size_bits = EVP_PKEY_size(key) * 8; | 368 *size_bits = EVP_PKEY_size(key) * 8; |
| 379 break; | 369 break; |
| 380 case EVP_PKEY_EC: | 370 case EVP_PKEY_EC: |
| 381 *type = kPublicKeyTypeECDSA; | 371 *type = kPublicKeyTypeECDSA; |
| 382 *size_bits = EVP_PKEY_bits(key); | 372 *size_bits = EVP_PKEY_bits(key); |
| 383 break; | 373 break; |
| 384 case EVP_PKEY_DH: | 374 case EVP_PKEY_DH: |
| 385 *type = kPublicKeyTypeDH; | 375 *type = kPublicKeyTypeDH; |
| 386 *size_bits = EVP_PKEY_size(key) * 8; | 376 *size_bits = EVP_PKEY_size(key) * 8; |
| 387 break; | 377 break; |
| 388 } | 378 } |
| 389 } | 379 } |
| 390 | 380 |
| 391 bool X509Certificate::IsIssuedByEncoded( | 381 bool X509Certificate::IsIssuedByEncoded( |
| 392 const std::vector<std::string>& valid_issuers) { | 382 const std::vector<std::string>& valid_issuers) { |
| 393 if (valid_issuers.empty()) | 383 if (valid_issuers.empty()) |
| 394 return false; | 384 return false; |
| 395 | 385 |
| 396 // Convert to a temporary list of X509_NAME objects. | 386 // Convert to a temporary list of X509_NAME objects. |
| 397 // It will own the objects it points to. | 387 // It will own the objects it points to. |
| 398 crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all> | 388 bssl::UniquePtr<STACK_OF(X509_NAME)> issuer_names(sk_X509_NAME_new_null()); |
| 399 issuer_names(sk_X509_NAME_new_null()); | |
| 400 if (!issuer_names.get()) | 389 if (!issuer_names.get()) |
| 401 return false; | 390 return false; |
| 402 | 391 |
| 403 for (std::vector<std::string>::const_iterator it = valid_issuers.begin(); | 392 for (std::vector<std::string>::const_iterator it = valid_issuers.begin(); |
| 404 it != valid_issuers.end(); ++it) { | 393 it != valid_issuers.end(); ++it) { |
| 405 const unsigned char* p = | 394 const unsigned char* p = |
| 406 reinterpret_cast<const unsigned char*>(it->data()); | 395 reinterpret_cast<const unsigned char*>(it->data()); |
| 407 long len = static_cast<long>(it->length()); | 396 long len = static_cast<long>(it->length()); |
| 408 X509_NAME* ca_name = d2i_X509_NAME(NULL, &p, len); | 397 X509_NAME* ca_name = d2i_X509_NAME(NULL, &p, len); |
| 409 if (ca_name == NULL) | 398 if (ca_name == NULL) |
| (...skipping 25 matching lines...) Expand all Loading... |
| 435 return true; | 424 return true; |
| 436 } | 425 } |
| 437 } | 426 } |
| 438 } | 427 } |
| 439 | 428 |
| 440 return false; | 429 return false; |
| 441 } | 430 } |
| 442 | 431 |
| 443 // static | 432 // static |
| 444 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { | 433 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { |
| 445 crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); | 434 bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert_handle)); |
| 446 if (!scoped_key) | 435 if (!scoped_key) |
| 447 return false; | 436 return false; |
| 448 if (!X509_verify(cert_handle, scoped_key.get())) | 437 if (!X509_verify(cert_handle, scoped_key.get())) |
| 449 return false; | 438 return false; |
| 450 return X509_check_issued(cert_handle, cert_handle) == X509_V_OK; | 439 return X509_check_issued(cert_handle, cert_handle) == X509_V_OK; |
| 451 } | 440 } |
| 452 | 441 |
| 453 } // namespace net | 442 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2400033005:
Use BoringSSL scopers in //net. (Closed)
