net/cert/x509_certificate_ios.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/x509_certificate.h"
   6
   7 #include <CommonCrypto/CommonDigest.h>
   8 #include <Security/Security.h>
   9
  10 #include <cert.h>
  11 #include <cryptohi.h>
  12 #include <keyhi.h>
  13 #include <nss.h>
  14 #include <pk11pub.h>
  15 #include <prerror.h>
  16 #include <prtime.h>
  17 #include <prtypes.h>
  18 #include <secder.h>
  19 #include <secerr.h>
  20 #include <sslerr.h>
  21
  22 #include <vector>
  23
  24 #include "base/logging.h"
  25 #include "base/mac/scoped_cftyperef.h"
  26 #include "base/memory/scoped_ptr.h"
  27 #include "base/pickle.h"
  28 #include "base/time/time.h"
  29 #include "crypto/nss_util.h"
  30 #include "crypto/scoped_nss_types.h"
  31 #include "net/base/net_errors.h"
  32 #include "net/cert/asn1_util.h"
  33 #include "net/cert/cert_status_flags.h"
  34 #include "net/cert/cert_verify_result.h"
  35 #include "net/cert/ev_root_ca_metadata.h"
  36 #include "net/cert/x509_util_ios.h"
  37 #include "net/cert/x509_util_nss.h"
  38
  39 using base::ScopedCFTypeRef;
  40
  41 namespace net {
  42 namespace {
  43 // Returns true if a given |cert_handle| is actually a valid X.509 certificate
  44 // handle.
  45 //
  46 // SecCertificateCreateFromData() does not always force the immediate parsing of
  47 // the certificate, and as such, may return a SecCertificateRef for an
  48 // invalid/unparsable certificate. Force parsing to occur to ensure that the
  49 // SecCertificateRef is correct. On later versions where
  50 // SecCertificateCreateFromData() immediately parses, rather than lazily, this
  51 // call is cheap, as the subject is cached.
  52 bool IsValidOSCertHandle(SecCertificateRef cert_handle) {
  53   ScopedCFTypeRef<CFStringRef> sanity_check(
  54       SecCertificateCopySubjectSummary(cert_handle));
  55   return sanity_check != NULL;
  56 }
  57 }  // namespace
  58
  59 void X509Certificate::Initialize() {
  60   x509_util_ios::NSSCertificate nss_cert(cert_handle_);
  61   CERTCertificate* cert_handle = nss_cert.cert_handle();
  62   if (cert_handle) {
  63     x509_util::ParsePrincipal(&cert_handle->subject, &subject_);
  64     x509_util::ParsePrincipal(&cert_handle->issuer, &issuer_);
  65     x509_util::ParseDate(&cert_handle->validity.notBefore, &valid_start_);
  66     x509_util::ParseDate(&cert_handle->validity.notAfter, &valid_expiry_);
  67     serial_number_ = x509_util::ParseSerialNumber(cert_handle);
  68   }
  69   fingerprint_ = CalculateFingerprint(cert_handle_);
  70   ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
  71 }
  72
  73 bool X509Certificate::IsIssuedByEncoded(
  74     const std::vector<std::string>& valid_issuers) {
  75   x509_util_ios::NSSCertChain nss_chain(this);
  76   // Convert to scoped CERTName* list.
  77   std::vector<CERTName*> issuers;
  78   crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
  79   if (!x509_util::GetIssuersFromEncodedList(valid_issuers,
  80                                             arena.get(),
  81                                             &issuers)) {
  82     return false;
  83   }
  84   return x509_util::IsCertificateIssuedBy(
  85       nss_chain.cert_chain(), issuers);
  86 }
  87
  88 void X509Certificate::GetSubjectAltName(
  89     std::vector<std::string>* dns_names,
  90     std::vector<std::string>* ip_addrs) const {
  91   x509_util_ios::NSSCertificate nss_cert(cert_handle_);
  92   CERTCertificate* cert_handle = nss_cert.cert_handle();
  93   if (!cert_handle) {
  94     if (dns_names)
  95       dns_names->clear();
  96     if (ip_addrs)
  97       ip_addrs->clear();
  98     return;
  99   }
 100   x509_util::GetSubjectAltName(cert_handle, dns_names, ip_addrs);
 101 }
 102
 103 // static
 104 bool X509Certificate::GetDEREncoded(OSCertHandle cert_handle,
 105                                     std::string* encoded) {
 106   if (!cert_handle)
 107     return false;
 108   ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(cert_handle));
 109   if (!der_data)
 110     return false;
 111   encoded->assign(reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),
 112                   CFDataGetLength(der_data));
 113   return true;
 114 }
 115
 116 // static
 117 bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
 118                                    X509Certificate::OSCertHandle b) {
 119   DCHECK(a && b);
 120   if (a == b)
 121     return true;
 122   if (CFEqual(a, b))
 123     return true;
 124   ScopedCFTypeRef<CFDataRef> a_data(SecCertificateCopyData(a));
 125   ScopedCFTypeRef<CFDataRef> b_data(SecCertificateCopyData(b));
 126   return a_data && b_data &&
 127          CFDataGetLength(a_data) == CFDataGetLength(b_data) &&
 128          memcmp(CFDataGetBytePtr(a_data), CFDataGetBytePtr(b_data),
 129                 CFDataGetLength(a_data)) == 0;
 130 }
 131
 132 // static
 133 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
 134     const char* data, int length) {
 135   ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreateWithBytesNoCopy(
 136       kCFAllocatorDefault, reinterpret_cast<const UInt8 *>(data), length,
 137       kCFAllocatorNull));
 138   if (!cert_data)
 139     return NULL;
 140   OSCertHandle cert_handle = SecCertificateCreateWithData(NULL, cert_data);
 141   if (!cert_handle)
 142     return NULL;
 143   if (!IsValidOSCertHandle(cert_handle)) {
 144     CFRelease(cert_handle);
 145     return NULL;
 146   }
 147   return cert_handle;
 148 }
 149
 150 // static
 151 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
 152     const char* data,
 153     int length,
 154     Format format) {
 155   return x509_util::CreateOSCertHandlesFromBytes(data, length, format);
 156 }
 157
 158 // static
 159 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
 160     OSCertHandle handle) {
 161   if (!handle)
 162     return NULL;
 163   return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
 164 }
 165
 166 // static
 167 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
 168   if (cert_handle)
 169     CFRelease(cert_handle);
 170 }
 171
 172 // static
 173 SHA1HashValue X509Certificate::CalculateFingerprint(
 174     OSCertHandle cert) {
 175   SHA1HashValue sha1;
 176   memset(sha1.data, 0, sizeof(sha1.data));
 177
 178   ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
 179   if (!cert_data)
 180     return sha1;
 181   DCHECK(CFDataGetBytePtr(cert_data));
 182   DCHECK_NE(0, CFDataGetLength(cert_data));
 183   CC_SHA1(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha1.data);
 184
 185   return sha1;
 186 }
 187
 188 // static
 189 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
 190   SHA256HashValue sha256;
 191   memset(sha256.data, 0, sizeof(sha256.data));
 192
 193   ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
 194   if (!cert_data)
 195     return sha256;
 196   DCHECK(CFDataGetBytePtr(cert_data));
 197   DCHECK_NE(0, CFDataGetLength(cert_data));
 198   CC_SHA256(
 199       CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data), sha256.data);
 200
 201   return sha256;
 202 }
 203
 204 // static
 205 SHA1HashValue X509Certificate::CalculateCAFingerprint(
 206     const OSCertHandles& intermediates) {
 207   SHA1HashValue sha1;
 208   memset(sha1.data, 0, sizeof(sha1.data));
 209
 210   // The CC_SHA(3cc) man page says all CC_SHA1_xxx routines return 1, so
 211   // we don't check their return values.
 212   CC_SHA1_CTX sha1_ctx;
 213   CC_SHA1_Init(&sha1_ctx);
 214   for (size_t i = 0; i < intermediates.size(); ++i) {
 215     ScopedCFTypeRef<CFDataRef>
 216         cert_data(SecCertificateCopyData(intermediates[i]));
 217     if (!cert_data)
 218       return sha1;
 219     CC_SHA1_Update(&sha1_ctx,
 220                    CFDataGetBytePtr(cert_data),
 221                    CFDataGetLength(cert_data));
 222   }
 223   CC_SHA1_Final(sha1.data, &sha1_ctx);
 224   return sha1;
 225 }
 226
 227 // static
 228 X509Certificate::OSCertHandle X509Certificate::ReadOSCertHandleFromPickle(
 229     base::PickleIterator* pickle_iter) {
 230   return x509_util::ReadOSCertHandleFromPickle(pickle_iter);
 231 }
 232
 233 // static
 234 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
 235                                                 base::Pickle* pickle) {
 236   ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert_handle));
 237   if (!cert_data)
 238     return false;
 239
 240   return pickle->WriteData(
 241       reinterpret_cast<const char*>(CFDataGetBytePtr(cert_data)),
 242       CFDataGetLength(cert_data));
 243 }
 244
 245 // static
 246 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
 247                                        size_t* size_bits,
 248                                        PublicKeyType* type) {
 249   x509_util_ios::NSSCertificate nss_cert(cert_handle);
 250   x509_util::GetPublicKeyInfo(nss_cert.cert_handle(), size_bits, type);
 251 }
 252
 253 // static
 254 bool X509Certificate::IsSelfSigned(OSCertHandle cert_handle) {
 255   x509_util_ios::NSSCertificate nss_cert(cert_handle);
 256   crypto::ScopedSECKEYPublicKey public_key(
 257       CERT_ExtractPublicKey(nss_cert.cert_handle()));
 258   if (!public_key.get())
 259     return false;
 260   return SECSuccess == CERT_VerifySignedDataWithPublicKey(
 261       &nss_cert.cert_handle()->signatureWrap, public_key.get(), NULL);
 262 }
 263
 264 }  // namespace net