Check whether or not a certificate is self-signed.

net/cert/x509_certificate_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/memory/singleton.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/synchronization/lock.h"
 #include "crypto/cssm_init.h"
 #include "crypto/mac_security_services_lock.h"
+#include "crypto/scoped_openssl_types.h"
 #include "net/cert/x509_util_mac.h"
+#include "net/cert/x509_util_openssl.h"
 
 using base::ScopedCFTypeRef;
 using base::Time;
 
 namespace net {
 
 namespace {
 
 void GetCertDistinguishedName(
     const x509_util::CSSMCachedCertificate& cached_cert,
@@ skipping 488 matching lines @@
     case CSSM_ALGID_DH:
       *type = kPublicKeyTypeDH;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
+// static
+bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
+  std::string der_cert;
+  if (!GetDEREncoded(cert_handle, &der_cert))
+    return false;
+
+  const unsigned char* cert_data =
+      reinterpret_cast<const unsigned char*>(der_cert.data());
+  int cert_data_len = base::checked_cast<int>(der_cert.size());
+  typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
+  ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len));
+  crypto::ScopedEVP_PKEY scoped_key(X509_get_pubkey(cert.get()));
+  if (!scoped_key)
+    return false;
+  DCHECK(scoped_key.get());
+  EVP_PKEY* key = scoped_key.get();
+
+  // NOTE: X509_verify() returns 1 in case of success, 0 or -1 on error.
+  return X509_verify(cert.get(), key) == 1;

[Ryan Sleevi, 2014/10/21 22:27:43]

Mixing BoringSSL types like this with a platform-specific file is a no-go.

The way is something like

x509_util::CSSMCachedCertificate cached_cert;
OSStatus status = cached_cert.Init(cert_handle);
if (status)
  return false;

x509_util::CSSMFieldValue normalized_subject;
x509_util::CSSMFieldValue normalized_issuer;
status = cached_cert.GetField(&CSSMOID_X509V1SubjectNameStd,
&normalized_subject);
if (!status || !normalized_subject.field())
  return false;
status = cached_cert.GetField(&CSSMOID_X509V1IssuerNameStd, &normalized_issuer);
if (!status || !normalized_issuer.field())
  return false;

if (normalized_subject.field()->Length != normalized_issuer.field()->Length ||
    memcmp(normalized_subject.field()->Data, normalized_issuer.field()->Data,
normalized_issuer.field()->Length) != 0)
  return false;

CSSM_CL_HANDLE cl_handle = CSSM_INVALID_HANDLE;
status = SecCertificateGetCLHandle(os_cert_handle, &cl_handle);
if (status)
  return false;
CSSM_DATA cert_data;
status = SecCertificateGetData(os_cert_handle, &cert_data);
if (status)
  return false;
CSSM_RETURN ret = CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL,
0);
if (ret)
  return false;
return true;

[palmer, 2014/10/21 23:02:13]

Done.

+}
+
 }  // namespace net