Mac EV verification using Chrome methods rather than OS methods.

net/cert/ev_root_ca_metadata.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ev_root_ca_metadata.h"
 
 #if defined(USE_NSS_CERTS)
 #include <cert.h>
 #include <pkcs11n.h>
 #include <secerr.h>
 #include <secoid.h>
 #elif defined(OS_WIN)
 #include <stdlib.h>
+#elif defined(OS_MACOSX)
+#include <openssl/obj.h>

[davidben, 2016/11/09 00:15:03]

#include "third_party/boringssl/src/include/openssl/obj.h"

I hate how verbose it is, but I guess it's more consistent or something. :-/

[mattm, 2016/11/10 05:40:41]

Done.

 #endif
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #if defined(USE_NSS_CERTS)
 #include "crypto/nss_util.h"
+#elif defined(OS_MACOSX)
+#include "net/der/input.h"
 #endif
 
 namespace net {
 
-#if defined(USE_NSS_CERTS) || defined(OS_WIN)
+#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX)
 // Raw metadata.
 struct EVMetadata {
   // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At
   // least one CA has different EV policies for business vs government
   // entities and, in the case of cross-signing, we might need to list another
   // CA's policy OID under the cross-signing root.
   static const size_t kMaxOIDsPerCA = 2;
   // This is the maximum length of an OID string (including the trailing NUL).
   static const size_t kMaxOIDLength = 32;
 
@@ skipping 666 matching lines @@
 }
 
 bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
   ExtraEVCAMap::iterator it = extra_cas_.find(fingerprint);
   if (it == extra_cas_.end())
     return false;
   extra_cas_.erase(it);
   return true;
 }
 
+#elif defined(OS_MACOSX)
+
+namespace {
+
+std::string OIDStringToDER(const char* policy) {
+  std::string der_policy;
+  int nid = OBJ_txt2nid(policy);
+  if (nid == NID_undef)
+    nid = OBJ_create(policy, nullptr, nullptr);
+  if (nid == NID_undef)
+    return der_policy;
+  uint8_t* der;
+  size_t der_len;
+  bssl::ScopedCBB cbb;
+  if (!CBB_init(cbb.get(), 0) || !OBJ_nid2cbb(cbb.get(), nid) ||
+      !CBB_finish(cbb.get(), &der, &der_len))
+    return der_policy;
+
+  DCHECK_GT(der_len, 2U);
+  DCHECK_EQ(der[0], 0x6);  // OBJECT IDENTIFIER
+  der_policy.assign(reinterpret_cast<char*>(der) + 2, der_len - 2);
+  return der_policy;
+}

[Ryan Sleevi, 2016/11/08 23:54:09]

@davidben to comment on if there's anything cleaner he wants to support.

[davidben, 2016/11/09 00:15:03]

I'll probably have to tweak this slightly at some point, but don't worry about
it. I don't think I have a good answer for it right now. (End goal is to unship
the giant OID table from Chromium and OBJ_txt2* supports looking up by
human-readable name, so it depends on the OID table.)

This is probably shorter though:

bssl::UniquePtr<ASN1_OBJECT> obj(OBJ_txt2obj(policy));
if (!policy) {
  NOTREACHED();
  return std::string();
}

return std::string(reinterpret_cast<const char*>(obj->data), obj->length);

Note: I think you may need to include openssl/asn1.h to get the definition of
ASN1_OBJECT. I'll see about fixing that later since it's kind of ridiculous.

[davidben, 2016/11/09 00:15:55]

Sorry, that should be if (!obj) {

And I guess you don't need/want the NOTREACHED() since the callers all check for
empty. Missed that bit.

[mattm, 2016/11/10 05:40:41]

Done.

+
+}  // namespace
+
+bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
+  return policy_oids_.find(policy_oid.AsString()) != policy_oids_.end();
+}
+
+bool EVRootCAMetadata::HasEVPolicyOID(const SHA1HashValue& fingerprint,
+                                      PolicyOID policy_oid) const {
+  PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint);
+  if (iter == ev_policy_.end())
+    return false;
+  for (const std::string& ev_oid : iter->second) {
+    if (der::Input(&ev_oid) == policy_oid)
+      return true;
+  }
+  return false;
+}
+
+bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint,
+                               const char* policy) {
+  if (ev_policy_.find(fingerprint) != ev_policy_.end())
+    return false;
+
+  std::string der_policy = OIDStringToDER(policy);
+  if (der_policy.empty())
+    return false;
+
+  ev_policy_[fingerprint].push_back(der_policy);
+  policy_oids_.insert(der_policy);
+  return true;
+}
+
+bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
+  PolicyOIDMap::iterator it = ev_policy_.find(fingerprint);
+  if (it == ev_policy_.end())
+    return false;
+  std::string oid = it->second[0];
+  ev_policy_.erase(it);
+  policy_oids_.erase(oid);
+  return true;
+}
+
 #else
 
 // These are just stub functions for platforms where we don't use this EV
 // metadata.
 
 bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint,
                                const char* policy) {
   return true;
 }
 
@@ skipping 18 matching lines @@
       PolicyOID policy;
       if (!RegisterOID(policy_oid, &policy)) {
         LOG(ERROR) << "Failed to register OID: " << policy_oid;
         continue;
       }
 
       ev_policy_[metadata.fingerprint].push_back(policy);
       policy_oids_.insert(policy);
     }
   }
+#elif defined(OS_MACOSX)
+  for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
+    const EVMetadata& metadata = ev_root_ca_metadata[i];
+    for (size_t j = 0; j < arraysize(metadata.policy_oids); j++) {
+      if (metadata.policy_oids[j][0] == '\0')
+        break;
+      const char* policy_oid = metadata.policy_oids[j];
+
+      PolicyOID policy;
+      std::string policy_der = OIDStringToDER(policy_oid);
+      if (policy_der.empty()) {
+        LOG(ERROR) << "Failed to register OID: " << policy_oid;
+        continue;
+      }
+
+      ev_policy_[metadata.fingerprint].push_back(policy_der);
+      policy_oids_.insert(policy_der);
+    }
+  }
 #endif
 }
 
 EVRootCAMetadata::~EVRootCAMetadata() { }
 
 }  // namespace net