| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
| 6 | 6 |
| 7 #include <openssl/asn1.h> | 7 #include <openssl/asn1.h> |
| 8 #include <openssl/bytestring.h> | 8 #include <openssl/bytestring.h> |
| 9 #include <openssl/crypto.h> | 9 #include <openssl/crypto.h> |
| 10 #include <openssl/obj_mac.h> | 10 #include <openssl/obj_mac.h> |
| 11 #include <openssl/pem.h> | 11 #include <openssl/pem.h> |
| 12 #include <openssl/sha.h> | 12 #include <openssl/sha.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 #include <openssl/x509v3.h> | 14 #include <openssl/x509v3.h> |
| 15 | 15 |
| 16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 17 #include "base/pickle.h" | 17 #include "base/pickle.h" |
| 18 #include "base/sha1.h" | 18 #include "base/sha1.h" |
| 19 #include "base/strings/string_number_conversions.h" | 19 #include "base/strings/string_number_conversions.h" |
| 20 #include "base/strings/string_piece.h" |
| 20 #include "base/strings/string_util.h" | 21 #include "base/strings/string_util.h" |
| 21 #include "crypto/openssl_util.h" | 22 #include "crypto/openssl_util.h" |
| 22 #include "crypto/scoped_openssl_types.h" | 23 #include "crypto/scoped_openssl_types.h" |
| 23 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" |
| 24 #include "net/base/net_util.h" | 25 #include "net/base/net_util.h" |
| 25 #include "net/cert/x509_util_openssl.h" | 26 #include "net/cert/x509_util_openssl.h" |
| 26 | 27 |
| 27 #if defined(OS_ANDROID) | 28 #if defined(OS_ANDROID) |
| 28 #include "base/logging.h" | 29 #include "base/logging.h" |
| 29 #include "net/android/network_library.h" | 30 #include "net/android/network_library.h" |
| (...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 128 // net mask hence 8 or 32 bytes. Logging to help diagnose any mixup. | 129 // net mask hence 8 or 32 bytes. Logging to help diagnose any mixup. |
| 129 LOG(WARNING) << "Bad sized IP Address in cert: " << ip_addr_len; | 130 LOG(WARNING) << "Bad sized IP Address in cert: " << ip_addr_len; |
| 130 continue; | 131 continue; |
| 131 } | 132 } |
| 132 ip_addresses->push_back( | 133 ip_addresses->push_back( |
| 133 std::string(reinterpret_cast<const char*>(ip_addr), ip_addr_len)); | 134 std::string(reinterpret_cast<const char*>(ip_addr), ip_addr_len)); |
| 134 } | 135 } |
| 135 } | 136 } |
| 136 } | 137 } |
| 137 | 138 |
| 138 struct DERCache { | |
| 139 unsigned char* data; | |
| 140 int data_length; | |
| 141 }; | |
| 142 | |
| 143 void DERCache_free(void* parent, void* ptr, CRYPTO_EX_DATA* ad, int idx, | |
| 144 long argl, void* argp) { | |
| 145 DERCache* der_cache = static_cast<DERCache*>(ptr); | |
| 146 if (!der_cache) | |
| 147 return; | |
| 148 if (der_cache->data) | |
| 149 OPENSSL_free(der_cache->data); | |
| 150 OPENSSL_free(der_cache); | |
| 151 } | |
| 152 | |
| 153 class X509InitSingleton { | 139 class X509InitSingleton { |
| 154 public: | 140 public: |
| 155 static X509InitSingleton* GetInstance() { | 141 static X509InitSingleton* GetInstance() { |
| 156 // We allow the X509 store to leak, because it is used from a non-joinable | 142 // We allow the X509 store to leak, because it is used from a non-joinable |
| 157 // worker that is not stopped on shutdown, hence may still be using | 143 // worker that is not stopped on shutdown, hence may still be using |
| 158 // OpenSSL library after the AtExit runner has completed. | 144 // OpenSSL library after the AtExit runner has completed. |
| 159 return Singleton<X509InitSingleton, | 145 return Singleton<X509InitSingleton, |
| 160 LeakySingletonTraits<X509InitSingleton> >::get(); | 146 LeakySingletonTraits<X509InitSingleton> >::get(); |
| 161 } | 147 } |
| 162 int der_cache_ex_index() const { return der_cache_ex_index_; } | |
| 163 X509_STORE* store() const { return store_.get(); } | 148 X509_STORE* store() const { return store_.get(); } |
| 164 | 149 |
| 165 void ResetCertStore() { | 150 void ResetCertStore() { |
| 166 store_.reset(X509_STORE_new()); | 151 store_.reset(X509_STORE_new()); |
| 167 DCHECK(store_.get()); | 152 DCHECK(store_.get()); |
| 168 X509_STORE_set_default_paths(store_.get()); | 153 X509_STORE_set_default_paths(store_.get()); |
| 169 // TODO(joth): Enable CRL (see X509_STORE_set_flags(X509_V_FLAG_CRL_CHECK)). | 154 // TODO(joth): Enable CRL (see X509_STORE_set_flags(X509_V_FLAG_CRL_CHECK)). |
| 170 } | 155 } |
| 171 | 156 |
| 172 private: | 157 private: |
| 173 friend struct DefaultSingletonTraits<X509InitSingleton>; | 158 friend struct DefaultSingletonTraits<X509InitSingleton>; |
| 174 X509InitSingleton() { | 159 X509InitSingleton() { |
| 175 crypto::EnsureOpenSSLInit(); | 160 crypto::EnsureOpenSSLInit(); |
| 176 der_cache_ex_index_ = X509_get_ex_new_index(0, 0, 0, 0, DERCache_free); | |
| 177 DCHECK_NE(der_cache_ex_index_, -1); | |
| 178 ResetCertStore(); | 161 ResetCertStore(); |
| 179 } | 162 } |
| 180 | 163 |
| 181 int der_cache_ex_index_; | |
| 182 crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free>::Type store_; | 164 crypto::ScopedOpenSSL<X509_STORE, X509_STORE_free>::Type store_; |
| 183 | 165 |
| 184 DISALLOW_COPY_AND_ASSIGN(X509InitSingleton); | 166 DISALLOW_COPY_AND_ASSIGN(X509InitSingleton); |
| 185 }; | 167 }; |
| 186 | 168 |
| 187 // Takes ownership of |data| (which must have been allocated by OpenSSL). | |
| 188 DERCache* SetDERCache(X509Certificate::OSCertHandle cert, | |
| 189 int x509_der_cache_index, | |
| 190 unsigned char* data, | |
| 191 int data_length) { | |
| 192 DERCache* internal_cache = static_cast<DERCache*>( | |
| 193 OPENSSL_malloc(sizeof(*internal_cache))); | |
| 194 if (!internal_cache) { | |
| 195 // We took ownership of |data|, so we must free if we can't add it to | |
| 196 // |cert|. | |
| 197 OPENSSL_free(data); | |
| 198 return NULL; | |
| 199 } | |
| 200 | |
| 201 internal_cache->data = data; | |
| 202 internal_cache->data_length = data_length; | |
| 203 X509_set_ex_data(cert, x509_der_cache_index, internal_cache); | |
| 204 return internal_cache; | |
| 205 } | |
| 206 | |
| 207 // Returns true if |der_cache| points to valid data, false otherwise. | |
| 208 // (note: the DER-encoded data in |der_cache| is owned by |cert|, callers should | |
| 209 // not free it). | |
| 210 bool GetDERAndCacheIfNeeded(X509Certificate::OSCertHandle cert, | |
| 211 DERCache* der_cache) { | |
| 212 int x509_der_cache_index = | |
| 213 X509InitSingleton::GetInstance()->der_cache_ex_index(); | |
| 214 | |
| 215 // Re-encoding the DER data via i2d_X509 is an expensive operation, but it's | |
| 216 // necessary for comparing two certificates. We re-encode at most once per | |
| 217 // certificate and cache the data within the X509 cert using X509_set_ex_data. | |
| 218 DERCache* internal_cache = static_cast<DERCache*>( | |
| 219 X509_get_ex_data(cert, x509_der_cache_index)); | |
| 220 if (!internal_cache) { | |
| 221 unsigned char* data = NULL; | |
| 222 int data_length = i2d_X509(cert, &data); | |
| 223 if (data_length <= 0 || !data) | |
| 224 return false; | |
| 225 internal_cache = SetDERCache(cert, x509_der_cache_index, data, data_length); | |
| 226 if (!internal_cache) | |
| 227 return false; | |
| 228 } | |
| 229 *der_cache = *internal_cache; | |
| 230 return true; | |
| 231 } | |
| 232 | |
| 233 // Used to free a list of X509_NAMEs and the objects it points to. | 169 // Used to free a list of X509_NAMEs and the objects it points to. |
| 234 void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) { | 170 void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) { |
| 235 sk_X509_NAME_pop_free(sk, X509_NAME_free); | 171 sk_X509_NAME_pop_free(sk, X509_NAME_free); |
| 236 } | 172 } |
| 237 | 173 |
| 238 } // namespace | 174 } // namespace |
| 239 | 175 |
| 240 // static | 176 // static |
| 241 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( | 177 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle( |
| 242 OSCertHandle cert_handle) { | 178 OSCertHandle cert_handle) { |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 294 } | 230 } |
| 295 | 231 |
| 296 // static | 232 // static |
| 297 SHA1HashValue X509Certificate::CalculateCAFingerprint( | 233 SHA1HashValue X509Certificate::CalculateCAFingerprint( |
| 298 const OSCertHandles& intermediates) { | 234 const OSCertHandles& intermediates) { |
| 299 SHA1HashValue sha1; | 235 SHA1HashValue sha1; |
| 300 memset(sha1.data, 0, sizeof(sha1.data)); | 236 memset(sha1.data, 0, sizeof(sha1.data)); |
| 301 | 237 |
| 302 SHA_CTX sha1_ctx; | 238 SHA_CTX sha1_ctx; |
| 303 SHA1_Init(&sha1_ctx); | 239 SHA1_Init(&sha1_ctx); |
| 304 DERCache der_cache; | 240 base::StringPiece der; |
| 305 for (size_t i = 0; i < intermediates.size(); ++i) { | 241 for (size_t i = 0; i < intermediates.size(); ++i) { |
| 306 if (!GetDERAndCacheIfNeeded(intermediates[i], &der_cache)) | 242 if (!x509_util::GetDER(intermediates[i], &der)) |
| 307 return sha1; | 243 return sha1; |
| 308 SHA1_Update(&sha1_ctx, der_cache.data, der_cache.data_length); | 244 SHA1_Update(&sha1_ctx, der.data(), der.length()); |
| 309 } | 245 } |
| 310 SHA1_Final(sha1.data, &sha1_ctx); | 246 SHA1_Final(sha1.data, &sha1_ctx); |
| 311 | 247 |
| 312 return sha1; | 248 return sha1; |
| 313 } | 249 } |
| 314 | 250 |
| 315 // static | 251 // static |
| 316 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( | 252 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes( |
| 317 const char* data, int length) { | 253 const char* data, int length) { |
| 318 if (length < 0) | 254 if (length < 0) |
| 319 return NULL; | 255 return NULL; |
| 320 crypto::EnsureOpenSSLInit(); | 256 crypto::EnsureOpenSSLInit(); |
| 321 const unsigned char* d2i_data = | 257 const unsigned char* d2i_data = |
| 322 reinterpret_cast<const unsigned char*>(data); | 258 reinterpret_cast<const unsigned char*>(data); |
| 323 // Don't cache this data via SetDERCache as this wire format may be not be | 259 // Don't cache this data for x509_util::GetDER as this wire format |
| 324 // identical from the i2d_X509 roundtrip. | 260 // may be not be identical from the i2d_X509 roundtrip. |
| 325 X509* cert = d2i_X509(NULL, &d2i_data, length); | 261 X509* cert = d2i_X509(NULL, &d2i_data, length); |
| 326 return cert; | 262 return cert; |
| 327 } | 263 } |
| 328 | 264 |
| 329 // static | 265 // static |
| 330 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( | 266 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes( |
| 331 const char* data, int length, Format format) { | 267 const char* data, int length, Format format) { |
| 332 OSCertHandles results; | 268 OSCertHandles results; |
| 333 if (length < 0) | 269 if (length < 0) |
| 334 return results; | 270 return results; |
| (...skipping 30 matching lines...) Expand all Loading... |
| 365 } | 301 } |
| 366 | 302 |
| 367 // static | 303 // static |
| 368 X509_STORE* X509Certificate::cert_store() { | 304 X509_STORE* X509Certificate::cert_store() { |
| 369 return X509InitSingleton::GetInstance()->store(); | 305 return X509InitSingleton::GetInstance()->store(); |
| 370 } | 306 } |
| 371 | 307 |
| 372 // static | 308 // static |
| 373 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, | 309 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle, |
| 374 std::string* encoded) { | 310 std::string* encoded) { |
| 375 DERCache der_cache; | 311 base::StringPiece der; |
| 376 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) | 312 if (!x509_util::GetDER(cert_handle, &der)) |
| 377 return false; | 313 return false; |
| 378 encoded->assign(reinterpret_cast<const char*>(der_cache.data), | 314 encoded->assign(der.data(), der.length()); |
| 379 der_cache.data_length); | |
| 380 return true; | 315 return true; |
| 381 } | 316 } |
| 382 | 317 |
| 383 // static | 318 // static |
| 384 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a, | 319 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a, |
| 385 X509Certificate::OSCertHandle b) { | 320 X509Certificate::OSCertHandle b) { |
| 386 DCHECK(a && b); | 321 DCHECK(a && b); |
| 387 if (a == b) | 322 if (a == b) |
| 388 return true; | 323 return true; |
| 389 | 324 |
| 390 // X509_cmp only checks the fingerprint, but we want to compare the whole | 325 // X509_cmp only checks the fingerprint, but we want to compare the whole |
| 391 // DER data. Encoding it from OSCertHandle is an expensive operation, so we | 326 // DER data. Encoding it from OSCertHandle is an expensive operation, so we |
| 392 // cache the DER (if not already cached via X509_set_ex_data). | 327 // cache the DER (if not already cached via X509_set_ex_data). |
| 393 DERCache der_cache_a, der_cache_b; | 328 base::StringPiece der_a, der_b; |
| 394 | 329 |
| 395 return GetDERAndCacheIfNeeded(a, &der_cache_a) && | 330 return x509_util::GetDER(a, &der_a) && |
| 396 GetDERAndCacheIfNeeded(b, &der_cache_b) && | 331 x509_util::GetDER(b, &der_b) && |
| 397 der_cache_a.data_length == der_cache_b.data_length && | 332 der_a == der_b; |
| 398 memcmp(der_cache_a.data, der_cache_b.data, der_cache_a.data_length) == 0; | |
| 399 } | 333 } |
| 400 | 334 |
| 401 // static | 335 // static |
| 402 X509Certificate::OSCertHandle | 336 X509Certificate::OSCertHandle |
| 403 X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) { | 337 X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) { |
| 404 const char* data; | 338 const char* data; |
| 405 int length; | 339 int length; |
| 406 if (!pickle_iter->ReadData(&data, &length)) | 340 if (!pickle_iter->ReadData(&data, &length)) |
| 407 return NULL; | 341 return NULL; |
| 408 | 342 |
| 409 return CreateOSCertHandleFromBytes(data, length); | 343 return CreateOSCertHandleFromBytes(data, length); |
| 410 } | 344 } |
| 411 | 345 |
| 412 // static | 346 // static |
| 413 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, | 347 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle, |
| 414 Pickle* pickle) { | 348 Pickle* pickle) { |
| 415 DERCache der_cache; | 349 base::StringPiece der; |
| 416 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) | 350 if (!x509_util::GetDER(cert_handle, &der)) |
| 417 return false; | 351 return false; |
| 418 | 352 |
| 419 return pickle->WriteData( | 353 return pickle->WriteData(der.data(), der.length()); |
| 420 reinterpret_cast<const char*>(der_cache.data), | |
| 421 der_cache.data_length); | |
| 422 } | 354 } |
| 423 | 355 |
| 424 // static | 356 // static |
| 425 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, | 357 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle, |
| 426 size_t* size_bits, | 358 size_t* size_bits, |
| 427 PublicKeyType* type) { | 359 PublicKeyType* type) { |
| 428 *type = kPublicKeyTypeUnknown; | 360 *type = kPublicKeyTypeUnknown; |
| 429 *size_bits = 0; | 361 *size_bits = 0; |
| 430 | 362 |
| 431 crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); | 363 crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert_handle)); |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 501 if (X509_NAME_cmp(issuer, cert_names[n]) == 0) { | 433 if (X509_NAME_cmp(issuer, cert_names[n]) == 0) { |
| 502 return true; | 434 return true; |
| 503 } | 435 } |
| 504 } | 436 } |
| 505 } | 437 } |
| 506 | 438 |
| 507 return false; | 439 return false; |
| 508 } | 440 } |
| 509 | 441 |
| 510 } // namespace net | 442 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 576233002:
Only use the platform cert in verification in SSLClientSocketOpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master