
Unified Diff: net/cert/ev_root_ca_metadata.cc

Issue 2456523003: Mac EV verification using Chrome methods rather than OS methods. (Closed)
Patch Set: review changes Created 4 years, 1 month ago
Index: net/cert/ev_root_ca_metadata.cc
diff --git a/net/cert/ev_root_ca_metadata.cc b/net/cert/ev_root_ca_metadata.cc
index 3c1f859d3dd7b20ebb982423ed45a2a9f154f908..7bd77840e29cfb94ba70f878634af101b9ed8ba2 100644
--- a/net/cert/ev_root_ca_metadata.cc
+++ b/net/cert/ev_root_ca_metadata.cc
@@ -11,17 +11,21 @@
#include <secoid.h>
#elif defined(OS_WIN)
#include <stdlib.h>
+#elif defined(OS_MACOSX)
+#include <openssl/obj.h>
davidben 2016/11/09 00:15:03 #include "third_party/boringssl/src/include/openss
mattm 2016/11/10 05:40:41 Done.
#endif
#include "base/lazy_instance.h"
#include "base/logging.h"
#if defined(USE_NSS_CERTS)
#include "crypto/nss_util.h"
+#elif defined(OS_MACOSX)
+#include "net/der/input.h"
#endif
namespace net {
-#if defined(USE_NSS_CERTS) || defined(OS_WIN)
+#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_MACOSX)
// Raw metadata.
struct EVMetadata {
// kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At
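Review bot: The new OS_MACOSX branch includes only `obj.h`, yet the Mac code added later in this file calls `CBB_init`/`CBB_finish` and uses `bssl::ScopedCBB`, which are declared in BoringSSL's `bytestring.h`. Adding `#include <openssl/bytestring.h>` beside the `obj.h` line (using whichever include path style the file settles on) keeps the compile independent of a transitive include. If `obj.h` already pulls `bytestring.h` in, this is include-what-you-use hygiene only.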
@@ -708,6 +712,72 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
return true;
}
+#elif defined(OS_MACOSX)
+
+namespace {
+
+std::string OIDStringToDER(const char* policy) {
+ std::string der_policy;
+ int nid = OBJ_txt2nid(policy);
+ if (nid == NID_undef)
+ nid = OBJ_create(policy, nullptr, nullptr);
+ if (nid == NID_undef)
+ return der_policy;
+ uint8_t* der;
+ size_t der_len;
+ bssl::ScopedCBB cbb;
+ if (!CBB_init(cbb.get(), 0) || !OBJ_nid2cbb(cbb.get(), nid) ||
+ !CBB_finish(cbb.get(), &der, &der_len))
+ return der_policy;
+
+ DCHECK_GT(der_len, 2U);
+ DCHECK_EQ(der[0], 0x6); // OBJECT IDENTIFIER
+ der_policy.assign(reinterpret_cast<char*>(der) + 2, der_len - 2);
+ return der_policy;
+}
Ryan Sleevi 2016/11/08 23:54:09 @davidben to comment on if there's anything cleane
davidben 2016/11/09 00:15:03 I'll probably have to tweak this slightly at some
davidben 2016/11/09 00:15:55 Sorry, that should be if (!obj) { And I guess you
mattm 2016/11/10 05:40:41 Done.
+
+} // namespace
+
+bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
+ return policy_oids_.find(policy_oid.AsString()) != policy_oids_.end();
+}
+
+bool EVRootCAMetadata::HasEVPolicyOID(const SHA1HashValue& fingerprint,
+ PolicyOID policy_oid) const {
+ PolicyOIDMap::const_iterator iter = ev_policy_.find(fingerprint);
+ if (iter == ev_policy_.end())
+ return false;
+ for (const std::string& ev_oid : iter->second) {
+ if (der::Input(&ev_oid) == policy_oid)
+ return true;
+ }
+ return false;
+}
+
+bool EVRootCAMetadata::AddEVCA(const SHA1HashValue& fingerprint,
+ const char* policy) {
+ if (ev_policy_.find(fingerprint) != ev_policy_.end())
+ return false;
+
+ std::string der_policy = OIDStringToDER(policy);
+ if (der_policy.empty())
+ return false;
+
+ ev_policy_[fingerprint].push_back(der_policy);
+ policy_oids_.insert(der_policy);
+ return true;
+}
+
+bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) {
+ PolicyOIDMap::iterator it = ev_policy_.find(fingerprint);
+ if (it == ev_policy_.end())
+ return false;
+ std::string oid = it->second[0];
+ ev_policy_.erase(it);
+ policy_oids_.erase(oid);
+ return true;
+}
+
#else
// These are just stub functions for platforms where we don't use this EV
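Review bot: The buffer that `CBB_finish` hands out in `OIDStringToDER` is never released: on a successful finish the bytes are heap-allocated by BoringSSL and no longer owned by the `ScopedCBB`, so every call from `AddEVCA` and from the constructor's registration loop leaks `der`. Taking ownership immediately after the check, `bssl::UniquePtr<uint8_t> owned_der(der);` (or an explicit `OPENSSL_free(der)` before the final return), closes the leak. The `+ 2` / `der_len - 2` slicing also presumes a one-byte DER length field, which the two `DCHECK`s do not verify; EV policy OIDs are short so it holds in practice, but a comment such as `// Strip the tag and single-byte length; policy OIDs are well under 128 bytes.` would record the assumption. Given the thread above, the helper may be reshaped before landing, in which case the ownership fix should follow the buffer wherever it ends up.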
@@ -746,6 +816,25 @@ EVRootCAMetadata::EVRootCAMetadata() {
policy_oids_.insert(policy);
}
}
+#elif defined(OS_MACOSX)
+ for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) {
+ const EVMetadata& metadata = ev_root_ca_metadata[i];
+ for (size_t j = 0; j < arraysize(metadata.policy_oids); j++) {
+ if (metadata.policy_oids[j][0] == '\0')
+ break;
+ const char* policy_oid = metadata.policy_oids[j];
+
+ PolicyOID policy;
+ std::string policy_der = OIDStringToDER(policy_oid);
+ if (policy_der.empty()) {
+ LOG(ERROR) << "Failed to register OID: " << policy_oid;
+ continue;
+ }
+
+ ev_policy_[metadata.fingerprint].push_back(policy_der);
+ policy_oids_.insert(policy_der);
+ }
+ }
#endif
}
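Review bot: `PolicyOID policy;` at the top of the inner loop body is declared and never used; dropping that line removes a dead local (and an unused-variable warning on some toolchains). The enclosing constructor `EVRootCAMetadata::EVRootCAMetadata()` begins before this hunk, so the surrounding branches are not visible here. A short comment above the loop, e.g. `// Register each root's policy OIDs in DER form; a root whose OID fails to convert is logged and skipped.`, would make the `continue` path's intent explicit to the next reader.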
