Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(74)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/x509_certificate_ios.cc

Issue 992733002: Remove //net (except for Android test stuff) and sdch (Closed) Base URL: git@github.com:domokit/mojo.git@master
Patch Set: Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/x509_certificate.cc ('k') | net/cert/x509_certificate_known_roots_mac.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/x509_certificate.h"
6
7 #include <CommonCrypto/CommonDigest.h>
8 #include <Security/Security.h>
9
10 #include <cert.h>
11 #include <cryptohi.h>
12 #include <keyhi.h>
13 #include <nss.h>
14 #include <pk11pub.h>
15 #include <prerror.h>
16 #include <prtime.h>
17 #include <prtypes.h>
18 #include <secder.h>
19 #include <secerr.h>
20 #include <sslerr.h>
21
22 #include <vector>
23
24 #include "base/logging.h"
25 #include "base/mac/scoped_cftyperef.h"
26 #include "base/memory/scoped_ptr.h"
27 #include "base/pickle.h"
28 #include "base/time/time.h"
29 #include "crypto/nss_util.h"
30 #include "crypto/scoped_nss_types.h"
31 #include "net/base/net_errors.h"
32 #include "net/cert/asn1_util.h"
33 #include "net/cert/cert_status_flags.h"
34 #include "net/cert/cert_verify_result.h"
35 #include "net/cert/ev_root_ca_metadata.h"
36 #include "net/cert/x509_util_ios.h"
37 #include "net/cert/x509_util_nss.h"
38
39 using base::ScopedCFTypeRef;
40
41 namespace net {
42 namespace {
43 // Returns true if a given |cert_handle| is actually a valid X.509 certificate
44 // handle.
45 //
46 // SecCertificateCreateFromData() does not always force the immediate parsing of
47 // the certificate, and as such, may return a SecCertificateRef for an
48 // invalid/unparsable certificate. Force parsing to occur to ensure that the
49 // SecCertificateRef is correct. On later versions where
50 // SecCertificateCreateFromData() immediately parses, rather than lazily, this
51 // call is cheap, as the subject is cached.
52 bool IsValidOSCertHandle(SecCertificateRef cert_handle) {
53 ScopedCFTypeRef<CFStringRef> sanity_check(
54 SecCertificateCopySubjectSummary(cert_handle));
55 return sanity_check != NULL;
56 }
57 } // namespace
58
59 void X509Certificate::Initialize() {
60 x509_util_ios::NSSCertificate nss_cert(cert_handle_);
61 CERTCertificate* cert_handle = nss_cert.cert_handle();
62 if (cert_handle) {
63 x509_util::ParsePrincipal(&cert_handle->subject, &subject_);
64 x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);
65 x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);
66 x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);
67 serial_number_ = x509_util::ParseSerialNumber(cert_handle);
68 }
69 fingerprint_ = CalculateFingerprint(cert_handle_);
70 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
71 }
72
73 bool X509Certificate::IsIssuedByEncoded(
74 const std::vector<std::string>& valid_issuers) {
75 x509_util_ios::NSSCertChain nss_chain(this);
76 // Convert to scoped CERTName* list.
77 std::vector<CERTName*> issuers;
78 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
79 if (!x509_util::GetIssuersFromEncodedList(valid_issuers,
80 arena.get(),
81 &issuers)) {
82 return false;
83 }
84 return x509_util::IsCertificateIssuedBy(
85 nss_chain.cert_chain(), issuers);
86 }
87
88 void X509Certificate::GetSubjectAltName(
89 std::vector<std::string>* dns_names,
90 std::vector<std::string>* ip_addrs) const {
91 x509_util_ios::NSSCertificate nss_cert(cert_handle_);
92 CERTCertificate* cert_handle = nss_cert.cert_handle();
93 if (!cert_handle) {
94 if (dns_names)
95 dns_names->clear();
96 if (ip_addrs)
97 ip_addrs->clear();
98 return;
99 }
100 x509_util::GetSubjectAltName(cert_handle, dns_names, ip_addrs);
101 }
102
103 // static
104 bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle,
105 std::string* encoded) {
106 if (!cert_handle)
107 return false;
108 ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));
109 if (!der_data)
110 return false;
111 encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),
112 CFDataGetLength(der_data));
113 return true;
114 }
115
116 // static
117 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
118 X509Certificate::OSCertHandle b) {
119 DCHECK(a && b);
120 if (a == b)
121 return true;
122 if (CFEqual(a, b))
123 return true;
124 ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a));
125 ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b));
126 return a_data && b_data &&
127 CFDataGetLength(a_data) == CFDataGetLength(b_data) &&
128 memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data),
129 CFDataGetLength(a_data)) == 0;
130 }
131
132 // static
133 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
134 const char* data, int length) {
135 ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(
136 kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length,
137 kCFAllocatorNull));
138 if (!cert_data)
139 return NULL;
140 OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data);
141 if (!cert_handle)
142 return NULL;
143 if (!IsValidOSCertHandle(cert_handle)) {
144 CFRelease(cert_handle);
145 return NULL;
146 }
147 return cert_handle;
148 }
149
150 // static
151 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
152 const char* data,
153 int length,
154 Format format) {
155 return x509_util::CreateOSCertHandlesFromBytes(data, length, format);
156 }
157
158 // static
159 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
160 OSCertHandle handle) {
161 if (!handle)
162 return NULL;
163 return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
164 }
165
166 // static
167 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
168 if (cert_handle)
169 CFRelease(cert_handle);
170 }
171
172 // static
173 SHA1HashValue X509Certificate::CalculateFingerprint(
174 OSCertHandle cert) {
175 SHA1HashValue sha1;
176 memset(sha1.data, 0, sizeof(sha1.data));
177
178 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
179 if (!cert_data)
180 return sha1;
181 DCHECK(CFDataGetBytePtr(cert_data));
182 DCHECK_NE(0, CFDataGetLength(cert_data));
183 CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data);
184
185 return sha1;
186 }
187
188 // static
189 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
190 SHA256HashValue sha256;
191 memset(sha256.data, 0, sizeof(sha256.data));
192
193 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
194 if (!cert_data)
195 return sha256;
196 DCHECK(CFDataGetBytePtr(cert_data));
197 DCHECK_NE(0, CFDataGetLength(cert_data));
198 CC_SHA256(
199 CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha256.data);
200
201 return sha256;
202 }
203
204 // static
205 SHA1HashValue X509Certificate::CalculateCAFingerprint(
206 const OSCertHandles& intermediates) {
207 SHA1HashValue sha1;
208 memset(sha1.data, 0, sizeof(sha1.data));
209
210 // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so
211 // we don't check their return values.
212 CC_SHA1_CTX sha1_ctx;
213 CC_SHA1_Init(&sha1_ctx);
214 for (size_t i = 0; i < intermediates.size(); ++i) {
215 ScopedCFTypeRef<CFDataRef>
216 cert_data(SecCertificateCopyData(intermediates[i]));
217 if (!cert_data)
218 return sha1;
219 CC_SHA1_Update(&sha1_ctx,
220 CFDataGetBytePtr(cert_data),
221 CFDataGetLength(cert_data));
222 }
223 CC_SHA1_Final(sha1.data, &sha1_ctx);
224 return sha1;
225 }
226
227 // static
228 X509Certificate::OSCertHandle
229 X509Certificate::ReadOSCertHandleFromPickle(PickleIterator* pickle_iter) {
230 return x509_util::ReadOSCertHandleFromPickle(pickle_iter);
231 }
232
233 // static
234 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
235 Pickle* pickle) {
236 ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle));
237 if (!cert_data)
238 return false;
239
240 return pickle->WriteData(
241 reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)),
242 CFDataGetLength(cert_data));
243 }
244
245 // static
246 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
247 size_t* size_bits,
248 PublicKeyType* type) {
249 x509_util_ios::NSSCertificate nss_cert(cert_handle);
250 x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);
251 }
252
253 // static
254 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
255 x509_util_ios::NSSCertificate nss_cert(cert_handle);
256 crypto::ScopedSECKEYPublicKey public_key(
257 CERT_ExtractPublicKey(nss_cert.cert_handle()));
258 if (!public_key.get())
259 return false;
260 return SECSuccess == CERT_VerifySignedDataWithPublicKey(
261 &nss_cert.cert_handle()->signatureWrap, public_key.get(), NULL);
262 }
263
264 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/x509_certificate.cc ('k') | net/cert/x509_certificate_known_roots_mac.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698