| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/x509_util.h" | 5 #include "net/cert/x509_util.h" |
| 6 #include "net/cert/x509_util_nss.h" | 6 #include "net/cert/x509_util_nss.h" |
| 7 | 7 |
| 8 #include <cert.h> // Must be included before certdb.h | 8 #include <cert.h> // Must be included before certdb.h |
| 9 #include <certdb.h> | 9 #include <certdb.h> |
| 10 #include <cryptohi.h> | 10 #include <cryptohi.h> |
| (...skipping 176 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 187 DLOG(ERROR) << "DerSignData: " << PORT_GetError(); | 187 DLOG(ERROR) << "DerSignData: " << PORT_GetError(); |
| 188 return false; | 188 return false; |
| 189 } | 189 } |
| 190 | 190 |
| 191 // Save the signed result to the cert. | 191 // Save the signed result to the cert. |
| 192 cert->derCert = result; | 192 cert->derCert = result; |
| 193 | 193 |
| 194 return true; | 194 return true; |
| 195 } | 195 } |
| 196 | 196 |
| 197 #if defined(USE_NSS_CERTS) || defined(OS_IOS) | |
| 198 // Callback for CERT_DecodeCertPackage(), used in | |
| 199 // CreateOSCertHandlesFromBytes(). | |
| 200 SECStatus PR_CALLBACK CollectCertsCallback(void* arg, | |
| 201 SECItem** certs, | |
| 202 int num_certs) { | |
| 203 X509Certificate::OSCertHandles* results = | |
| 204 reinterpret_cast<X509Certificate::OSCertHandles*>(arg); | |
| 205 | |
| 206 for (int i = 0; i < num_certs; ++i) { | |
| 207 X509Certificate::OSCertHandle handle = | |
| 208 X509Certificate::CreateOSCertHandleFromBytes( | |
| 209 reinterpret_cast<char*>(certs[i]->data), certs[i]->len); | |
| 210 if (handle) | |
| 211 results->push_back(handle); | |
| 212 } | |
| 213 | |
| 214 return SECSuccess; | |
| 215 } | |
| 216 | |
| 217 typedef scoped_ptr< | |
| 218 CERTName, | |
| 219 crypto::NSSDestroyer<CERTName, CERT_DestroyName> > ScopedCERTName; | |
| 220 | |
| 221 // Create a new CERTName object from its encoded representation. | |
| 222 // |arena| is the allocation pool to use. | |
| 223 // |data| points to a DER-encoded X.509 DistinguishedName. | |
| 224 // Return a new CERTName pointer on success, or NULL. | |
| 225 CERTName* CreateCertNameFromEncoded(PLArenaPool* arena, | |
| 226 const base::StringPiece& data) { | |
| 227 if (!arena) | |
| 228 return NULL; | |
| 229 | |
| 230 ScopedCERTName name(PORT_ArenaZNew(arena, CERTName)); | |
| 231 if (!name.get()) | |
| 232 return NULL; | |
| 233 | |
| 234 SECItem item; | |
| 235 item.len = static_cast<unsigned int>(data.length()); | |
| 236 item.data = reinterpret_cast<unsigned char*>( | |
| 237 const_cast<char*>(data.data())); | |
| 238 | |
| 239 SECStatus rv = SEC_ASN1DecodeItem( | |
| 240 arena, name.get(), SEC_ASN1_GET(CERT_NameTemplate), &item); | |
| 241 if (rv != SECSuccess) | |
| 242 return NULL; | |
| 243 | |
| 244 return name.release(); | |
| 245 } | |
| 246 | |
| 247 #endif // defined(USE_NSS_CERTS) || defined(OS_IOS) | |
| 248 | |
| 249 } // namespace | 197 } // namespace |
| 250 | 198 |
| 251 namespace x509_util { | 199 namespace x509_util { |
| 252 | 200 |
| 253 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, | 201 bool CreateSelfSignedCert(crypto::RSAPrivateKey* key, |
| 254 DigestAlgorithm alg, | 202 DigestAlgorithm alg, |
| 255 const std::string& subject, | 203 const std::string& subject, |
| 256 uint32 serial_number, | 204 uint32 serial_number, |
| 257 base::Time not_valid_before, | 205 base::Time not_valid_before, |
| 258 base::Time not_valid_after, | 206 base::Time not_valid_after, |
| (...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 361 | 309 |
| 362 DCHECK(cert->derCert.len); | 310 DCHECK(cert->derCert.len); |
| 363 // XXX copied from X509Certificate::GetDEREncoded | 311 // XXX copied from X509Certificate::GetDEREncoded |
| 364 der_cert->clear(); | 312 der_cert->clear(); |
| 365 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), | 313 der_cert->append(reinterpret_cast<char*>(cert->derCert.data), |
| 366 cert->derCert.len); | 314 cert->derCert.len); |
| 367 CERT_DestroyCertificate(cert); | 315 CERT_DestroyCertificate(cert); |
| 368 return true; | 316 return true; |
| 369 } | 317 } |
| 370 | 318 |
| 371 #if defined(USE_NSS_CERTS) || defined(OS_IOS) | |
| 372 void ParsePrincipal(CERTName* name, CertPrincipal* principal) { | |
| 373 // Starting in NSS 3.15, CERTGetNameFunc takes a const CERTName* argument. | |
| 374 #if NSS_VMINOR >= 15 | |
| 375 typedef char* (*CERTGetNameFunc)(const CERTName* name); | |
| 376 #else | |
| 377 typedef char* (*CERTGetNameFunc)(CERTName* name); | |
| 378 #endif | |
| 379 | |
| 380 // TODO(jcampan): add business_category and serial_number. | |
| 381 // TODO(wtc): NSS has the CERT_GetOrgName, CERT_GetOrgUnitName, and | |
| 382 // CERT_GetDomainComponentName functions, but they return only the most | |
| 383 // general (the first) RDN. NSS doesn't have a function for the street | |
| 384 // address. | |
| 385 static const SECOidTag kOIDs[] = { | |
| 386 SEC_OID_AVA_STREET_ADDRESS, | |
| 387 SEC_OID_AVA_ORGANIZATION_NAME, | |
| 388 SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, | |
| 389 SEC_OID_AVA_DC }; | |
| 390 | |
| 391 std::vector<std::string>* values[] = { | |
| 392 &principal->street_addresses, | |
| 393 &principal->organization_names, | |
| 394 &principal->organization_unit_names, | |
| 395 &principal->domain_components }; | |
| 396 DCHECK_EQ(arraysize(kOIDs), arraysize(values)); | |
| 397 | |
| 398 CERTRDN** rdns = name->rdns; | |
| 399 for (size_t rdn = 0; rdns[rdn]; ++rdn) { | |
| 400 CERTAVA** avas = rdns[rdn]->avas; | |
| 401 for (size_t pair = 0; avas[pair] != 0; ++pair) { | |
| 402 SECOidTag tag = CERT_GetAVATag(avas[pair]); | |
| 403 for (size_t oid = 0; oid < arraysize(kOIDs); ++oid) { | |
| 404 if (kOIDs[oid] == tag) { | |
| 405 SECItem* decode_item = CERT_DecodeAVAValue(&avas[pair]->value); | |
| 406 if (!decode_item) | |
| 407 break; | |
| 408 // TODO(wtc): Pass decode_item to CERT_RFC1485_EscapeAndQuote. | |
| 409 std::string value(reinterpret_cast<char*>(decode_item->data), | |
| 410 decode_item->len); | |
| 411 values[oid]->push_back(value); | |
| 412 SECITEM_FreeItem(decode_item, PR_TRUE); | |
| 413 break; | |
| 414 } | |
| 415 } | |
| 416 } | |
| 417 } | |
| 418 | |
| 419 // Get CN, L, S, and C. | |
| 420 CERTGetNameFunc get_name_funcs[4] = { | |
| 421 CERT_GetCommonName, CERT_GetLocalityName, | |
| 422 CERT_GetStateName, CERT_GetCountryName }; | |
| 423 std::string* single_values[4] = { | |
| 424 &principal->common_name, &principal->locality_name, | |
| 425 &principal->state_or_province_name, &principal->country_name }; | |
| 426 for (size_t i = 0; i < arraysize(get_name_funcs); ++i) { | |
| 427 char* value = get_name_funcs[i](name); | |
| 428 if (value) { | |
| 429 single_values[i]->assign(value); | |
| 430 PORT_Free(value); | |
| 431 } | |
| 432 } | |
| 433 } | |
| 434 | |
| 435 void ParseDate(const SECItem* der_date, base::Time* result) { | |
| 436 PRTime prtime; | |
| 437 SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date); | |
| 438 DCHECK_EQ(SECSuccess, rv); | |
| 439 *result = crypto::PRTimeToBaseTime(prtime); | |
| 440 } | |
| 441 | |
| 442 std::string ParseSerialNumber(const CERTCertificate* certificate) { | |
| 443 return std::string(reinterpret_cast<char*>(certificate->serialNumber.data), | |
| 444 certificate->serialNumber.len); | |
| 445 } | |
| 446 | |
| 447 void GetSubjectAltName(CERTCertificate* cert_handle, | |
| 448 std::vector<std::string>* dns_names, | |
| 449 std::vector<std::string>* ip_addrs) { | |
| 450 if (dns_names) | |
| 451 dns_names->clear(); | |
| 452 if (ip_addrs) | |
| 453 ip_addrs->clear(); | |
| 454 | |
| 455 SECItem alt_name; | |
| 456 SECStatus rv = CERT_FindCertExtension(cert_handle, | |
| 457 SEC_OID_X509_SUBJECT_ALT_NAME, | |
| 458 &alt_name); | |
| 459 if (rv != SECSuccess) | |
| 460 return; | |
| 461 | |
| 462 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
| 463 DCHECK(arena != NULL); | |
| 464 | |
| 465 CERTGeneralName* alt_name_list; | |
| 466 alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name); | |
| 467 SECITEM_FreeItem(&alt_name, PR_FALSE); | |
| 468 | |
| 469 CERTGeneralName* name = alt_name_list; | |
| 470 while (name) { | |
| 471 // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs | |
| 472 // respectively, both of which can be byte copied from | |
| 473 // SECItemType::data into the appropriate output vector. | |
| 474 if (dns_names && name->type == certDNSName) { | |
| 475 dns_names->push_back(std::string( | |
| 476 reinterpret_cast<char*>(name->name.other.data), | |
| 477 name->name.other.len)); | |
| 478 } else if (ip_addrs && name->type == certIPAddress) { | |
| 479 ip_addrs->push_back(std::string( | |
| 480 reinterpret_cast<char*>(name->name.other.data), | |
| 481 name->name.other.len)); | |
| 482 } | |
| 483 name = CERT_GetNextGeneralName(name); | |
| 484 if (name == alt_name_list) | |
| 485 break; | |
| 486 } | |
| 487 PORT_FreeArena(arena, PR_FALSE); | |
| 488 } | |
| 489 | |
| 490 X509Certificate::OSCertHandles CreateOSCertHandlesFromBytes( | |
| 491 const char* data, | |
| 492 int length, | |
| 493 X509Certificate::Format format) { | |
| 494 X509Certificate::OSCertHandles results; | |
| 495 if (length < 0) | |
| 496 return results; | |
| 497 | |
| 498 crypto::EnsureNSSInit(); | |
| 499 | |
| 500 if (!NSS_IsInitialized()) | |
| 501 return results; | |
| 502 | |
| 503 switch (format) { | |
| 504 case X509Certificate::FORMAT_SINGLE_CERTIFICATE: { | |
| 505 X509Certificate::OSCertHandle handle = | |
| 506 X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
| 507 if (handle) | |
| 508 results.push_back(handle); | |
| 509 break; | |
| 510 } | |
| 511 case X509Certificate::FORMAT_PKCS7: { | |
| 512 // Make a copy since CERT_DecodeCertPackage may modify it | |
| 513 std::vector<char> data_copy(data, data + length); | |
| 514 | |
| 515 SECStatus result = CERT_DecodeCertPackage(&data_copy[0], | |
| 516 length, CollectCertsCallback, &results); | |
| 517 if (result != SECSuccess) | |
| 518 results.clear(); | |
| 519 break; | |
| 520 } | |
| 521 default: | |
| 522 NOTREACHED() << "Certificate format " << format << " unimplemented"; | |
| 523 break; | |
| 524 } | |
| 525 | |
| 526 return results; | |
| 527 } | |
| 528 | |
| 529 X509Certificate::OSCertHandle ReadOSCertHandleFromPickle( | |
| 530 PickleIterator* pickle_iter) { | |
| 531 const char* data; | |
| 532 int length; | |
| 533 if (!pickle_iter->ReadData(&data, &length)) | |
| 534 return NULL; | |
| 535 | |
| 536 return X509Certificate::CreateOSCertHandleFromBytes(data, length); | |
| 537 } | |
| 538 | |
| 539 void GetPublicKeyInfo(CERTCertificate* handle, | |
| 540 size_t* size_bits, | |
| 541 X509Certificate::PublicKeyType* type) { | |
| 542 // Since we might fail, set the output parameters to default values first. | |
| 543 *type = X509Certificate::kPublicKeyTypeUnknown; | |
| 544 *size_bits = 0; | |
| 545 | |
| 546 crypto::ScopedSECKEYPublicKey key(CERT_ExtractPublicKey(handle)); | |
| 547 if (!key.get()) | |
| 548 return; | |
| 549 | |
| 550 *size_bits = SECKEY_PublicKeyStrengthInBits(key.get()); | |
| 551 | |
| 552 switch (key->keyType) { | |
| 553 case rsaKey: | |
| 554 *type = X509Certificate::kPublicKeyTypeRSA; | |
| 555 break; | |
| 556 case dsaKey: | |
| 557 *type = X509Certificate::kPublicKeyTypeDSA; | |
| 558 break; | |
| 559 case dhKey: | |
| 560 *type = X509Certificate::kPublicKeyTypeDH; | |
| 561 break; | |
| 562 case ecKey: | |
| 563 *type = X509Certificate::kPublicKeyTypeECDSA; | |
| 564 break; | |
| 565 default: | |
| 566 *type = X509Certificate::kPublicKeyTypeUnknown; | |
| 567 *size_bits = 0; | |
| 568 break; | |
| 569 } | |
| 570 } | |
| 571 | |
| 572 bool GetIssuersFromEncodedList( | |
| 573 const std::vector<std::string>& encoded_issuers, | |
| 574 PLArenaPool* arena, | |
| 575 std::vector<CERTName*>* out) { | |
| 576 std::vector<CERTName*> result; | |
| 577 for (size_t n = 0; n < encoded_issuers.size(); ++n) { | |
| 578 CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]); | |
| 579 if (name != NULL) | |
| 580 result.push_back(name); | |
| 581 } | |
| 582 | |
| 583 if (result.size() == encoded_issuers.size()) { | |
| 584 out->swap(result); | |
| 585 return true; | |
| 586 } | |
| 587 | |
| 588 for (size_t n = 0; n < result.size(); ++n) | |
| 589 CERT_DestroyName(result[n]); | |
| 590 return false; | |
| 591 } | |
| 592 | |
| 593 | |
| 594 bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain, | |
| 595 const std::vector<CERTName*>& valid_issuers) { | |
| 596 for (size_t n = 0; n < cert_chain.size(); ++n) { | |
| 597 CERTName* cert_issuer = &cert_chain[n]->issuer; | |
| 598 for (size_t i = 0; i < valid_issuers.size(); ++i) { | |
| 599 if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual) | |
| 600 return true; | |
| 601 } | |
| 602 } | |
| 603 return false; | |
| 604 } | |
| 605 | |
| 606 std::string GetUniqueNicknameForSlot(const std::string& nickname, | |
| 607 const SECItem* subject, | |
| 608 PK11SlotInfo* slot) { | |
| 609 int index = 2; | |
| 610 std::string new_name = nickname; | |
| 611 std::string temp_nickname = new_name; | |
| 612 std::string token_name; | |
| 613 | |
| 614 if (!slot) | |
| 615 return new_name; | |
| 616 | |
| 617 if (!PK11_IsInternalKeySlot(slot)) { | |
| 618 token_name.assign(PK11_GetTokenName(slot)); | |
| 619 token_name.append(":"); | |
| 620 | |
| 621 temp_nickname = token_name + new_name; | |
| 622 } | |
| 623 | |
| 624 while (SEC_CertNicknameConflict(temp_nickname.c_str(), | |
| 625 const_cast<SECItem*>(subject), | |
| 626 CERT_GetDefaultCertDB())) { | |
| 627 base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++); | |
| 628 temp_nickname = token_name + new_name; | |
| 629 } | |
| 630 | |
| 631 return new_name; | |
| 632 } | |
| 633 | |
| 634 #endif // defined(USE_NSS_CERTS) || defined(OS_IOS) | |
| 635 | |
| 636 } // namespace x509_util | 319 } // namespace x509_util |
| 637 | 320 |
| 638 } // namespace net | 321 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 881213004:
Support building BoringSSL with NSS certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master