| OLD | NEW |
|---|
| 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
| 6 | 6 |
| 7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> | 8 #include <Security/Security.h> |
| 9 | 9 |
| 10 #include "base/mac/scoped_cftyperef.h" | 10 #include "base/mac/scoped_cftyperef.h" |
| 11 #include "base/pickle.h" | 11 #include "base/pickle.h" |
| 12 #include "base/strings/string_piece.h" | 12 #include "base/strings/string_piece.h" |
| 13 #include "base/strings/string_util.h" | 13 #include "base/strings/string_util.h" |
| 14 #include "crypto/openssl_util.h" | 14 #include "crypto/openssl_util.h" |
| 15 #include "net/base/ip_address.h" | 15 #include "net/base/ip_address.h" |
| 16 #include "net/cert/x509_util_ios.h" |
| 16 #include "net/cert/x509_util_openssl.h" | 17 #include "net/cert/x509_util_openssl.h" |
| 17 #include "net/ssl/openssl_ssl_util.h" | 18 #include "net/ssl/openssl_ssl_util.h" |
| 18 #include "third_party/boringssl/src/include/openssl/x509.h" | 19 #include "third_party/boringssl/src/include/openssl/x509.h" |
| 19 #include "third_party/boringssl/src/include/openssl/x509v3.h" | 20 #include "third_party/boringssl/src/include/openssl/x509v3.h" |
| 20 | 21 |
| 21 using base::ScopedCFTypeRef; | 22 using base::ScopedCFTypeRef; |
| 22 | 23 |
| 23 namespace net { | 24 namespace net { |
| 24 | 25 |
| 25 namespace { | 26 namespace { |
| 26 | 27 |
| 27 // Returns true if a given |cert_handle| is actually a valid X.509 certificate | |
| 28 // handle. | |
| 29 // | |
| 30 // SecCertificateCreateFromData() does not always force the immediate parsing of | |
| 31 // the certificate, and as such, may return a SecCertificateRef for an | |
| 32 // invalid/unparsable certificate. Force parsing to occur to ensure that the | |
| 33 // SecCertificateRef is correct. On later versions where | |
| 34 // SecCertificateCreateFromData() immediately parses, rather than lazily, this | |
| 35 // call is cheap, as the subject is cached. | |
| 36 bool IsValidOSCertHandle(SecCertificateRef cert_handle) { | |
| 37 ScopedCFTypeRef<CFStringRef> sanity_check( | |
| 38 SecCertificateCopySubjectSummary(cert_handle)); | |
| 39 return sanity_check != nullptr; | |
| 40 } | |
| 41 | |
| 42 bssl::UniquePtr<X509> OSCertHandleToOpenSSL( | 28 bssl::UniquePtr<X509> OSCertHandleToOpenSSL( |
| 43 X509Certificate::OSCertHandle os_handle) { | 29 X509Certificate::OSCertHandle os_handle) { |
| 44 std::string der_encoded; | 30 std::string der_encoded; |
| 45 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) | 31 if (!X509Certificate::GetDEREncoded(os_handle, &der_encoded)) |
| 46 return nullptr; | 32 return nullptr; |
| 47 const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data()); | 33 const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data()); |
| 48 return bssl::UniquePtr<X509>(d2i_X509(nullptr, &bytes, der_encoded.size())); | 34 return bssl::UniquePtr<X509>(d2i_X509(nullptr, &bytes, der_encoded.size())); |
| 49 } | 35 } |
| 50 | 36 |
| 51 void CreateOSCertHandlesFromPKCS7Bytes( | 37 void CreateOSCertHandlesFromPKCS7Bytes( |
| (...skipping 186 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 238 CFDataGetLength(cert_data)); | 224 CFDataGetLength(cert_data)); |
| 239 } | 225 } |
| 240 CC_SHA256_Final(sha256.data, &sha256_ctx); | 226 CC_SHA256_Final(sha256.data, &sha256_ctx); |
| 241 return sha256; | 227 return sha256; |
| 242 } | 228 } |
| 243 | 229 |
| 244 // static | 230 // static |
| 245 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( | 231 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( |
| 246 const char* data, | 232 const char* data, |
| 247 size_t length) { | 233 size_t length) { |
| 248 ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy( | 234 return x509_util::CreateSecCertificateFromBytes( |
| 249 kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data), | 235 reinterpret_cast<const uint8_t*>(data), length); |
| 250 base::checked_cast<CFIndex>(length), kCFAllocatorNull)); | |
| 251 if (!cert_data) | |
| 252 return nullptr; | |
| 253 OSCertHandle cert_handle = SecCertificateCreateWithData(nullptr, cert_data); | |
| 254 if (!cert_handle) | |
| 255 return nullptr; | |
| 256 if (!IsValidOSCertHandle(cert_handle)) { | |
| 257 CFRelease(cert_handle); | |
| 258 return nullptr; | |
| 259 } | |
| 260 return cert_handle; | |
| 261 } | 236 } |
| 262 | 237 |
| 263 // static | 238 // static |
| 264 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( | 239 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( |
| 265 const char* data, | 240 const char* data, |
| 266 size_t length, | 241 size_t length, |
| 267 Format format) { | 242 Format format) { |
| 268 OSCertHandles results; | 243 OSCertHandles results; |
| 269 | 244 |
| 270 switch (format) { | 245 switch (format) { |
| (...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 368 case EVP_PKEY_EC: | 343 case EVP_PKEY_EC: |
| 369 *type = kPublicKeyTypeECDSA; | 344 *type = kPublicKeyTypeECDSA; |
| 370 break; | 345 break; |
| 371 case EVP_PKEY_DH: | 346 case EVP_PKEY_DH: |
| 372 *type = kPublicKeyTypeDH; | 347 *type = kPublicKeyTypeDH; |
| 373 break; | 348 break; |
| 374 } | 349 } |
| 375 *size_bits = EVP_PKEY_bits(key); | 350 *size_bits = EVP_PKEY_bits(key); |
| 376 } | 351 } |
| 377 | 352 |
| 378 CFMutableArrayRef X509Certificate::CreateOSCertChainForCert() const { | |
| 379 CFMutableArrayRef cert_list = | |
| 380 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); | |
| 381 if (!cert_list) | |
| 382 return nullptr; | |
| 383 | |
| 384 CFArrayAppendValue(cert_list, os_cert_handle()); | |
| 385 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) | |
| 386 CFArrayAppendValue(cert_list, intermediate_ca_certs_[i]); | |
| 387 | |
| 388 return cert_list; | |
| 389 } | |
| 390 | |
| 391 bool X509Certificate::IsIssuedByEncoded( | 353 bool X509Certificate::IsIssuedByEncoded( |
| 392 const std::vector<std::string>& valid_issuers) { | 354 const std::vector<std::string>& valid_issuers) { |
| 393 if (valid_issuers.empty()) | 355 if (valid_issuers.empty()) |
| 394 return false; | 356 return false; |
| 395 | 357 |
| 396 // Convert to a temporary list of X509_NAME objects. | 358 // Convert to a temporary list of X509_NAME objects. |
| 397 // It will own the objects it points to. | 359 // It will own the objects it points to. |
| 398 bssl::UniquePtr<STACK_OF(X509_NAME)> issuer_names(sk_X509_NAME_new_null()); | 360 bssl::UniquePtr<STACK_OF(X509_NAME)> issuer_names(sk_X509_NAME_new_null()); |
| 399 if (!issuer_names) | 361 if (!issuer_names) |
| 400 return false; | 362 return false; |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 450 return false; | 412 return false; |
| 451 bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert.get())); | 413 bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert.get())); |
| 452 if (!scoped_key) | 414 if (!scoped_key) |
| 453 return false; | 415 return false; |
| 454 if (!X509_verify(cert.get(), scoped_key.get())) | 416 if (!X509_verify(cert.get(), scoped_key.get())) |
| 455 return false; | 417 return false; |
| 456 return X509_check_issued(cert.get(), cert.get()) == X509_V_OK; | 418 return X509_check_issued(cert.get(), cert.get()) == X509_V_OK; |
| 457 } | 419 } |
| 458 | 420 |
| 459 } // namespace net | 421 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2864133002:
Convert iOS to use X509CertificateBytes. (Closed)
