| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/tools/domain_security_preload_generator/cert_util.h" | |
| 6 | |
| 7 #include <string> | |
| 8 | |
| 9 #include "base/base64.h" | |
| 10 #include "base/files/file_util.h" | |
| 11 #include "base/strings/string_util.h" | |
| 12 #include "base/strings/stringprintf.h" | |
| 13 #include "net/tools/domain_security_preload_generator/spki_hash.h" | |
| 14 #include "third_party/boringssl/src/include/openssl/crypto.h" | |
| 15 | |
| 16 using net::transport_security_state::SPKIHash; | |
| 17 | |
| 18 namespace { | |
| 19 | |
| 20 static const char kPEMBeginBlock[] = "-----BEGIN %s-----"; | |
| 21 static const char kPEMEndBlock[] = "-----END %s-----"; | |
| 22 | |
| 23 // Tries to extract the BASE64 encoded DER structure from |pem_input| by looking | |
| 24 // for the block type in |expected_block_type|. Only attempts the locate the | |
| 25 // first matching block. Other blocks are ignored. Returns true on success and | |
| 26 // copies the der structure to |*der_output|. Returns false on error. | |
| 27 bool ParsePEM(base::StringPiece pem_input, | |
| 28 base::StringPiece expected_block_type, | |
| 29 std::string* der_output) { | |
| 30 const std::string& block_start = | |
| 31 base::StringPrintf(kPEMBeginBlock, expected_block_type.data()); | |
| 32 const std::string& block_end = | |
| 33 base::StringPrintf(kPEMEndBlock, expected_block_type.data()); | |
| 34 | |
| 35 size_t block_start_pos = pem_input.find(block_start); | |
| 36 if (block_start_pos == std::string::npos) | |
| 37 return false; | |
| 38 size_t base64_start_pos = block_start_pos + block_start.size(); | |
| 39 | |
| 40 size_t block_end_pos = pem_input.find(block_end, base64_start_pos); | |
| 41 if (block_end_pos == std::string::npos) | |
| 42 return false; | |
| 43 | |
| 44 base::StringPiece base64_encoded = | |
| 45 pem_input.substr(base64_start_pos, block_end_pos - base64_start_pos); | |
| 46 | |
| 47 if (!base::Base64Decode( | |
| 48 base::CollapseWhitespaceASCII(base64_encoded.as_string(), true), | |
| 49 der_output)) { | |
| 50 return false; | |
| 51 } | |
| 52 | |
| 53 return true; | |
| 54 } | |
| 55 | |
| 56 // Attempts to extract the first entry of type |nid| from |*name|. Returns true | |
| 57 // if the field exists and was extracted. Returns false when the field was not | |
| 58 // found or the data could not be extracted. | |
| 59 bool ExtractFieldFromX509Name(X509_NAME* name, int nid, std::string* field) { | |
| 60 int index = X509_NAME_get_index_by_NID(name, nid, -1); | |
| 61 if (index == -1) { | |
| 62 return false; | |
| 63 } | |
| 64 | |
| 65 X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, index); | |
| 66 if (!entry) { | |
| 67 return false; | |
| 68 } | |
| 69 | |
| 70 ASN1_STRING* data = X509_NAME_ENTRY_get_data(entry); | |
| 71 if (!data) { | |
| 72 return false; | |
| 73 } | |
| 74 | |
| 75 uint8_t* buffer = nullptr; | |
| 76 size_t length = ASN1_STRING_to_UTF8(&buffer, data); | |
| 77 field->assign(reinterpret_cast<const char*>(buffer), length); | |
| 78 OPENSSL_free(buffer); | |
| 79 return true; | |
| 80 } | |
| 81 | |
| 82 } // namespace | |
| 83 | |
| 84 bssl::UniquePtr<X509> GetX509CertificateFromPEM(base::StringPiece pem_data) { | |
| 85 std::string der; | |
| 86 if (!ParsePEM(pem_data, "CERTIFICATE", &der)) { | |
| 87 return bssl::UniquePtr<X509>(); | |
| 88 } | |
| 89 | |
| 90 const uint8_t* der_data = reinterpret_cast<const uint8_t*>(der.c_str()); | |
| 91 return bssl::UniquePtr<X509>( | |
| 92 d2i_X509(NULL, &der_data, base::checked_cast<long>(der.size()))); | |
| 93 } | |
| 94 | |
| 95 bool ExtractSubjectNameFromCertificate(X509* certificate, std::string* name) { | |
| 96 DCHECK(certificate); | |
| 97 X509_NAME* subject = X509_get_subject_name(certificate); | |
| 98 if (!subject) { | |
| 99 return false; | |
| 100 } | |
| 101 | |
| 102 std::string result; | |
| 103 // Try extracting the common name first. | |
| 104 if (!ExtractFieldFromX509Name(subject, NID_commonName, &result) || | |
| 105 result.empty()) { | |
| 106 std::string organization; | |
| 107 if (!ExtractFieldFromX509Name(subject, NID_organizationName, | |
| 108 &organization)) { | |
| 109 return false; | |
| 110 } | |
| 111 | |
| 112 std::string organizational_unit; | |
| 113 if (!ExtractFieldFromX509Name(subject, NID_organizationalUnitName, | |
| 114 &organizational_unit)) { | |
| 115 return false; | |
| 116 } | |
| 117 result = organization + " " + organizational_unit; | |
| 118 } | |
| 119 | |
| 120 name->assign(result); | |
| 121 return true; | |
| 122 } | |
| 123 | |
| 124 bool CalculateSPKIHashFromCertificate(X509* certificate, SPKIHash* out_hash) { | |
| 125 DCHECK(certificate); | |
| 126 bssl::UniquePtr<EVP_PKEY> key(X509_get_pubkey(certificate)); | |
| 127 if (!key) { | |
| 128 return false; | |
| 129 } | |
| 130 | |
| 131 uint8_t* spki_der; | |
| 132 size_t spki_der_len; | |
| 133 bssl::ScopedCBB cbb; | |
| 134 if (!CBB_init(cbb.get(), 0) || | |
| 135 !EVP_marshal_public_key(cbb.get(), key.get()) || | |
| 136 !CBB_finish(cbb.get(), &spki_der, &spki_der_len)) { | |
| 137 return false; | |
| 138 } | |
| 139 | |
| 140 out_hash->CalculateFromBytes(spki_der, spki_der_len); | |
| 141 OPENSSL_free(spki_der); | |
| 142 return true; | |
| 143 } | |
| 144 | |
| 145 bool CalculateSPKIHashFromKey(base::StringPiece pem_key, SPKIHash* out_hash) { | |
| 146 std::string der; | |
| 147 bool result = ParsePEM(pem_key, "PUBLIC KEY", &der); | |
| 148 if (!result) { | |
| 149 return false; | |
| 150 } | |
| 151 | |
| 152 out_hash->CalculateFromBytes(reinterpret_cast<const uint8_t*>(der.data()), | |
| 153 der.size()); | |
| 154 return true; | |
| 155 } | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2632073002:
Rename domain_security_preload_generator. (Closed)
