OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/memory/free_deleter.h" | 10 #include "base/memory/free_deleter.h" |
11 #include "base/numerics/safe_conversions.h" | 11 #include "base/numerics/safe_conversions.h" |
12 #include "base/pickle.h" | 12 #include "base/pickle.h" |
13 #include "base/sha1.h" | 13 #include "base/sha1.h" |
14 #include "base/strings/string_util.h" | 14 #include "base/strings/string_util.h" |
15 #include "base/strings/utf_string_conversions.h" | 15 #include "base/strings/utf_string_conversions.h" |
16 #include "crypto/capi_util.h" | 16 #include "crypto/capi_util.h" |
17 #include "crypto/scoped_capi_types.h" | 17 #include "crypto/scoped_capi_types.h" |
18 #include "crypto/sha2.h" | 18 #include "crypto/sha2.h" |
19 #include "net/base/net_errors.h" | 19 #include "net/base/net_errors.h" |
| 20 #include "net/cert/x509_util_win.h" |
20 #include "third_party/boringssl/src/include/openssl/sha.h" | 21 #include "third_party/boringssl/src/include/openssl/sha.h" |
21 | 22 |
22 using base::Time; | 23 using base::Time; |
23 | 24 |
24 namespace net { | 25 namespace net { |
25 | 26 |
26 namespace { | 27 namespace { |
27 | 28 |
28 typedef crypto::ScopedCAPIHandle< | 29 typedef crypto::ScopedCAPIHandle< |
29 HCERTSTORE, | 30 HCERTSTORE, |
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
192 } | 193 } |
193 // Fast path: Found at least one subjectAltName and the caller doesn't | 194 // Fast path: Found at least one subjectAltName and the caller doesn't |
194 // need the actual values. | 195 // need the actual values. |
195 if (has_san && !ip_addrs && !dns_names) | 196 if (has_san && !ip_addrs && !dns_names) |
196 return true; | 197 return true; |
197 } | 198 } |
198 | 199 |
199 return has_san; | 200 return has_san; |
200 } | 201 } |
201 | 202 |
202 PCCERT_CONTEXT X509Certificate::CreateOSCertChainForCert() const { | |
203 // Create an in-memory certificate store to hold this certificate and | |
204 // any intermediate certificates in |intermediate_ca_certs_|. The store | |
205 // will be referenced in the returned PCCERT_CONTEXT, and will not be freed | |
206 // until the PCCERT_CONTEXT is freed. | |
207 ScopedHCERTSTORE store(CertOpenStore( | |
208 CERT_STORE_PROV_MEMORY, 0, NULL, | |
209 CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL)); | |
210 if (!store.get()) | |
211 return NULL; | |
212 | |
213 // NOTE: This preserves all of the properties of |os_cert_handle()| except | |
214 // for CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_CONTEXT_PROP_ID - the two | |
215 // properties that hold access to already-opened private keys. If a handle | |
216 // has already been unlocked (eg: PIN prompt), then the first time that the | |
217 // identity is used for client auth, it may prompt the user again. | |
218 PCCERT_CONTEXT primary_cert; | |
219 BOOL ok = CertAddCertificateContextToStore(store.get(), os_cert_handle(), | |
220 CERT_STORE_ADD_ALWAYS, | |
221 &primary_cert); | |
222 if (!ok || !primary_cert) | |
223 return NULL; | |
224 | |
225 for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) { | |
226 CertAddCertificateContextToStore(store.get(), intermediate_ca_certs_[i], | |
227 CERT_STORE_ADD_ALWAYS, NULL); | |
228 } | |
229 | |
230 // Note: |store| is explicitly not released, as the call to CertCloseStore() | |
231 // when |store| goes out of scope will not actually free the store. Instead, | |
232 // the store will be freed when |primary_cert| is freed. | |
233 return primary_cert; | |
234 } | |
235 | |
236 // static | 203 // static |
237 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, | 204 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, |
238 std::string* encoded) { | 205 std::string* encoded) { |
239 if (!cert_handle || !cert_handle->pbCertEncoded || | 206 if (!cert_handle || !cert_handle->pbCertEncoded || |
240 !cert_handle->cbCertEncoded) { | 207 !cert_handle->cbCertEncoded) { |
241 return false; | 208 return false; |
242 } | 209 } |
243 encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded), | 210 encoded->assign(reinterpret_cast<char*>(cert_handle->pbCertEncoded), |
244 cert_handle->cbCertEncoded); | 211 cert_handle->cbCertEncoded); |
245 return true; | 212 return true; |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
301 return CertDuplicateCertificateContext(cert_handle); | 268 return CertDuplicateCertificateContext(cert_handle); |
302 } | 269 } |
303 | 270 |
304 // static | 271 // static |
305 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { | 272 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) { |
306 CertFreeCertificateContext(cert_handle); | 273 CertFreeCertificateContext(cert_handle); |
307 } | 274 } |
308 | 275 |
309 // static | 276 // static |
310 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { | 277 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) { |
311 DCHECK(NULL != cert->pbCertEncoded); | 278 return x509_util::CalculateFingerprint256(cert); |
312 DCHECK_NE(0u, cert->cbCertEncoded); | |
313 | |
314 SHA256HashValue sha256; | |
315 size_t sha256_size = sizeof(sha256.data); | |
316 | |
317 // Use crypto::SHA256HashString for two reasons: | |
318 // * < Windows Vista does not have universal SHA-256 support. | |
319 // * More efficient on Windows > Vista (less overhead since non-default CSP | |
320 // is not needed). | |
321 base::StringPiece der_cert(reinterpret_cast<const char*>(cert->pbCertEncoded), | |
322 cert->cbCertEncoded); | |
323 crypto::SHA256HashString(der_cert, sha256.data, sha256_size); | |
324 return sha256; | |
325 } | 279 } |
326 | 280 |
327 SHA256HashValue X509Certificate::CalculateCAFingerprint256( | 281 SHA256HashValue X509Certificate::CalculateCAFingerprint256( |
328 const OSCertHandles& intermediates) { | 282 const OSCertHandles& intermediates) { |
329 SHA256HashValue sha256; | 283 SHA256HashValue sha256; |
330 memset(sha256.data, 0, sizeof(sha256.data)); | 284 memset(sha256.data, 0, sizeof(sha256.data)); |
331 | 285 |
332 SHA256_CTX ctx; | 286 SHA256_CTX ctx; |
333 if (!SHA256_Init(&ctx)) | 287 if (!SHA256_Init(&ctx)) |
334 return sha256; | 288 return sha256; |
(...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
451 valid_issuers)) { | 405 valid_issuers)) { |
452 return true; | 406 return true; |
453 } | 407 } |
454 } | 408 } |
455 | 409 |
456 return false; | 410 return false; |
457 } | 411 } |
458 | 412 |
459 // static | 413 // static |
460 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { | 414 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) { |
461 bool valid_signature = !!CryptVerifyCertificateSignatureEx( | 415 return x509_util::IsSelfSigned(cert_handle); |
462 NULL, X509_ASN_ENCODING, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, | |
463 reinterpret_cast<void*>(const_cast<PCERT_CONTEXT>(cert_handle)), | |
464 CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, | |
465 reinterpret_cast<void*>(const_cast<PCERT_CONTEXT>(cert_handle)), 0, NULL); | |
466 if (!valid_signature) | |
467 return false; | |
468 return !!CertCompareCertificateName(X509_ASN_ENCODING, | |
469 &cert_handle->pCertInfo->Subject, | |
470 &cert_handle->pCertInfo->Issuer); | |
471 } | 416 } |
472 | 417 |
473 } // namespace net | 418 } // namespace net |
OLD | NEW |