search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / chrome / common / net / x509_certificate_model_openssl.cc
blobb9f2039c27c7e3bd1d2239b8288e603b036be7c0
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/common/net/x509_certificate_model.h"
6
7 #include <openssl/mem.h>
8 #include <openssl/obj_mac.h>
9 #include <openssl/sha.h>
10 #include <openssl/stack.h>
11 #include <openssl/x509.h>
12 #include <openssl/x509v3.h>
13
14 #include "base/i18n/number_formatting.h"
15 #include "base/lazy_instance.h"
16 #include "base/logging.h"
17 #include "base/strings/string_number_conversions.h"
18 #include "base/strings/stringprintf.h"
19 #include "base/strings/utf_string_conversions.h"
20 #include "chrome/grit/generated_resources.h"
21 #include "crypto/openssl_bio_string.h"
22 #include "crypto/openssl_util.h"
23 #include "crypto/scoped_openssl_types.h"
24 #include "net/base/net_util.h"
25 #include "net/cert/x509_util_openssl.h"
26 #include "ui/base/l10n/l10n_util.h"
27
28 namespace x509_util = net::x509_util;
29
30 namespace x509_certificate_model {
31
32 namespace {
33
34 std::string ProcessRawAsn1String(ASN1_STRING* data) {
35 return ProcessRawBytes(ASN1_STRING_data(data), ASN1_STRING_length(data));
36 }
37
38 std::string ProcessRawAsn1Type(ASN1_TYPE* data) {
39 int len = i2d_ASN1_TYPE(data, NULL);
40 if (len <= 0)
41 return std::string();
42
43 scoped_ptr<unsigned char[]> buf(new unsigned char[len]);
44 unsigned char* bufp = buf.get();
45
46 len = i2d_ASN1_TYPE(data, &bufp);
47
48 return ProcessRawBytes(buf.get(), len);
49 }
50
51 std::string ProcessRawBignum(BIGNUM* n) {
52 int len = BN_num_bytes(n);
53 scoped_ptr<unsigned char[]> buf(new unsigned char[len]);
54 len = BN_bn2bin(n, buf.get());
55 return ProcessRawBytes(buf.get(), len);
56 }
57
58 std::string Asn1StringToUTF8(ASN1_STRING* asn1_string) {
59 std::string rv;
60 unsigned char* buf = NULL;
61 int len = ASN1_STRING_to_UTF8(&buf, asn1_string);
62 if (len < 0)
63 return rv;
64 rv = std::string(reinterpret_cast<const char*>(buf), len);
65 OPENSSL_free(buf);
66 return rv;
67 }
68
69 std::string AlternativeWhenEmpty(const std::string& text,
70 const std::string& alternative) {
71 return text.empty() ? alternative : text;
72 }
73
74 std::string GetKeyValuesFromNameEntry(X509_NAME_ENTRY* entry) {
75 std::string ret;
76 std::string key;
77 std::string value;
78 if (!x509_util::ParsePrincipalKeyAndValue(entry, &key, &value))
79 return ret;
80 if (OBJ_obj2nid(X509_NAME_ENTRY_get_object(entry)) == NID_commonName)
81 value = x509_certificate_model::ProcessIDN(value);
82 ret = base::StringPrintf("%s = %s", key.c_str(), value.c_str());
83 return ret;
84 }
85
86 std::string GetKeyValuesFromNameEntries(STACK_OF(X509_NAME_ENTRY)* entries) {
87 std::string ret;
88 size_t rdns = sk_X509_NAME_ENTRY_num(entries);
89 for (size_t i = rdns - 1; i < rdns; --i) {
90 X509_NAME_ENTRY* entry = sk_X509_NAME_ENTRY_value(entries, i);
91 if (!entry)
92 continue;
93 base::StringAppendF(&ret, "%s\n", GetKeyValuesFromNameEntry(entry).c_str());
94 }
95 return ret;
96 }
97
98 std::string GetKeyValuesFromName(X509_NAME* name) {
99 std::string ret;
100 size_t rdns = X509_NAME_entry_count(name);
101 for (size_t i = rdns - 1; i < rdns; --i) {
102 X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, i);
103 if (!entry)
104 continue;
105 base::StringAppendF(&ret, "%s\n", GetKeyValuesFromNameEntry(entry).c_str());
106 }
107 return ret;
108 }
109
110 std::string Asn1ObjectToOIDString(ASN1_OBJECT* obj) {
111 std::string s;
112 char buf[80];
113 int buflen = OBJ_obj2txt(buf, sizeof(buf), obj, 1 /* no_name */);
114 if (buflen < 0)
115 return s;
116
117 s = "OID.";
118
119 if (static_cast<size_t>(buflen) < sizeof(buf)) {
120 s.append(buf, buflen);
121 return s;
122 }
123
124 size_t prefix_len = s.size();
125 s.resize(prefix_len + buflen + 1, ' ');
126 buflen =
127 OBJ_obj2txt(&s[prefix_len], s.size() - prefix_len, obj, 1 /* no_name */);
128 if (buflen < 0) {
129 s.clear();
130 return s;
131 }
132 s.resize(prefix_len + buflen);
133 return s;
134 }
135
136 int ms_cert_ext_certtype = -1;
137 int ms_certsrv_ca_version = -1;
138 int ms_ntds_replication = -1;
139 int eku_ms_time_stamping = -1;
140 int eku_ms_file_recovery = -1;
141 int eku_ms_windows_hardware_driver_verification = -1;
142 int eku_ms_qualified_subordination = -1;
143 int eku_ms_key_recovery = -1;
144 int eku_ms_document_signing = -1;
145 int eku_ms_lifetime_signing = -1;
146 int eku_ms_key_recovery_agent = -1;
147 int cert_attribute_ev_incorporation_country = -1;
148 int ns_cert_ext_ca_cert_url = -1;
149 int ns_cert_ext_homepage_url = -1;
150 int ns_cert_ext_lost_password_url = -1;
151 int ns_cert_ext_cert_renewal_time = -1;
152
153 int RegisterDynamicOid(const char* oid_string, const char* short_name) {
154 int nid = OBJ_txt2nid(oid_string);
155 if (nid > 0) {
156 DVLOG(1) << "found already existing nid " << nid << " for " << oid_string;
157 return nid;
158 }
159 return OBJ_create(oid_string, short_name, short_name);
160 }
161
162 class DynamicOidRegisterer {
163 public:
164 DynamicOidRegisterer() {
165 ms_cert_ext_certtype =
166 RegisterDynamicOid("1.3.6.1.4.1.311.20.2", "ms_cert_ext_certtype");
167 ms_certsrv_ca_version =
168 RegisterDynamicOid("1.3.6.1.4.1.311.21.1", "ms_certsrv_ca_version");
169 ms_ntds_replication =
170 RegisterDynamicOid("1.3.6.1.4.1.311.25.1", "ms_ntds_replication");
171
172 eku_ms_time_stamping =
173 RegisterDynamicOid("1.3.6.1.4.1.311.10.3.2", "eku_ms_time_stamping");
174 eku_ms_file_recovery =
175 RegisterDynamicOid("1.3.6.1.4.1.311.10.3.4.1", "eku_ms_file_recovery");
176 eku_ms_windows_hardware_driver_verification =
177 RegisterDynamicOid("1.3.6.1.4.1.311.10.3.5",
178 "eku_ms_windows_hardware_driver_verification");
179 eku_ms_qualified_subordination = RegisterDynamicOid(
180 "1.3.6.1.4.1.311.10.3.10", "eku_ms_qualified_subordination");
181 eku_ms_key_recovery =
182 RegisterDynamicOid("1.3.6.1.4.1.311.10.3.11", "eku_ms_key_recovery");
183 eku_ms_document_signing = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.12",
184 "eku_ms_document_signing");
185 eku_ms_lifetime_signing = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.13",
186 "eku_ms_lifetime_signing");
187 eku_ms_key_recovery_agent =
188 RegisterDynamicOid("1.3.6.1.4.1.311.21.6", "eku_ms_key_recovery_agent");
189
190 cert_attribute_ev_incorporation_country = RegisterDynamicOid(
191 "1.3.6.1.4.1.311.60.2.1.3", "cert_attribute_ev_incorporation_country");
192
193 ns_cert_ext_ca_cert_url = RegisterDynamicOid(
194 "2.16.840.1.113730.1.6", "ns_cert_ext_ca_cert_url");
195 ns_cert_ext_homepage_url = RegisterDynamicOid(
196 "2.16.840.1.113730.1.9", "ns_cert_ext_homepage_url");
197 ns_cert_ext_lost_password_url = RegisterDynamicOid(
198 "2.16.840.1.113730.1.14", "ns_cert_ext_lost_password_url");
199 ns_cert_ext_cert_renewal_time = RegisterDynamicOid(
200 "2.16.840.1.113730.1.15", "ns_cert_ext_cert_renewal_time");
201 }
202 };
203
204 static base::LazyInstance<DynamicOidRegisterer>::Leaky
205 g_dynamic_oid_registerer = LAZY_INSTANCE_INITIALIZER;
206
207 std::string Asn1ObjectToString(ASN1_OBJECT* obj) {
208 g_dynamic_oid_registerer.Get();
209
210 int string_id;
211 int nid = OBJ_obj2nid(obj);
212 switch (nid) {
213 case NID_commonName:
214 string_id = IDS_CERT_OID_AVA_COMMON_NAME;
215 break;
216 case NID_stateOrProvinceName:
217 string_id = IDS_CERT_OID_AVA_STATE_OR_PROVINCE;
218 break;
219 case NID_organizationName:
220 string_id = IDS_CERT_OID_AVA_ORGANIZATION_NAME;
221 break;
222 case NID_organizationalUnitName:
223 string_id = IDS_CERT_OID_AVA_ORGANIZATIONAL_UNIT_NAME;
224 break;
225 case NID_dnQualifier:
226 string_id = IDS_CERT_OID_AVA_DN_QUALIFIER;
227 break;
228 case NID_countryName:
229 string_id = IDS_CERT_OID_AVA_COUNTRY_NAME;
230 break;
231 case NID_serialNumber:
232 string_id = IDS_CERT_OID_AVA_SERIAL_NUMBER;
233 break;
234 case NID_localityName:
235 string_id = IDS_CERT_OID_AVA_LOCALITY;
236 break;
237 case NID_domainComponent:
238 string_id = IDS_CERT_OID_AVA_DC;
239 break;
240 case NID_rfc822Mailbox:
241 string_id = IDS_CERT_OID_RFC1274_MAIL;
242 break;
243 case NID_userId:
244 string_id = IDS_CERT_OID_RFC1274_UID;
245 break;
246 case NID_pkcs9_emailAddress:
247 string_id = IDS_CERT_OID_PKCS9_EMAIL_ADDRESS;
248 break;
249 case NID_rsaEncryption:
250 string_id = IDS_CERT_OID_PKCS1_RSA_ENCRYPTION;
251 break;
252 case NID_md2WithRSAEncryption:
253 string_id = IDS_CERT_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
254 break;
255 case NID_md4WithRSAEncryption:
256 string_id = IDS_CERT_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION;
257 break;
258 case NID_md5WithRSAEncryption:
259 string_id = IDS_CERT_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
260 break;
261 case NID_sha1WithRSAEncryption:
262 string_id = IDS_CERT_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
263 break;
264 case NID_sha256WithRSAEncryption:
265 string_id = IDS_CERT_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
266 break;
267 case NID_sha384WithRSAEncryption:
268 string_id = IDS_CERT_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
269 break;
270 case NID_sha512WithRSAEncryption:
271 string_id = IDS_CERT_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
272 break;
273 case NID_netscape_cert_type:
274 string_id = IDS_CERT_EXT_NS_CERT_TYPE;
275 break;
276 case NID_netscape_base_url:
277 string_id = IDS_CERT_EXT_NS_CERT_BASE_URL;
278 break;
279 case NID_netscape_revocation_url:
280 string_id = IDS_CERT_EXT_NS_CERT_REVOCATION_URL;
281 break;
282 case NID_netscape_ca_revocation_url:
283 string_id = IDS_CERT_EXT_NS_CA_REVOCATION_URL;
284 break;
285 case NID_netscape_renewal_url:
286 string_id = IDS_CERT_EXT_NS_CERT_RENEWAL_URL;
287 break;
288 case NID_netscape_ca_policy_url:
289 string_id = IDS_CERT_EXT_NS_CA_POLICY_URL;
290 break;
291 case NID_netscape_ssl_server_name:
292 string_id = IDS_CERT_EXT_NS_SSL_SERVER_NAME;
293 break;
294 case NID_netscape_comment:
295 string_id = IDS_CERT_EXT_NS_COMMENT;
296 break;
297 case NID_subject_directory_attributes:
298 string_id = IDS_CERT_X509_SUBJECT_DIRECTORY_ATTR;
299 break;
300 case NID_subject_key_identifier:
301 string_id = IDS_CERT_X509_SUBJECT_KEYID;
302 break;
303 case NID_key_usage:
304 string_id = IDS_CERT_X509_KEY_USAGE;
305 break;
306 case NID_subject_alt_name:
307 string_id = IDS_CERT_X509_SUBJECT_ALT_NAME;
308 break;
309 case NID_issuer_alt_name:
310 string_id = IDS_CERT_X509_ISSUER_ALT_NAME;
311 break;
312 case NID_basic_constraints:
313 string_id = IDS_CERT_X509_BASIC_CONSTRAINTS;
314 break;
315 case NID_name_constraints:
316 string_id = IDS_CERT_X509_NAME_CONSTRAINTS;
317 break;
318 case NID_crl_distribution_points:
319 string_id = IDS_CERT_X509_CRL_DIST_POINTS;
320 break;
321 case NID_certificate_policies:
322 string_id = IDS_CERT_X509_CERT_POLICIES;
323 break;
324 case NID_policy_mappings:
325 string_id = IDS_CERT_X509_POLICY_MAPPINGS;
326 break;
327 case NID_policy_constraints:
328 string_id = IDS_CERT_X509_POLICY_CONSTRAINTS;
329 break;
330 case NID_authority_key_identifier:
331 string_id = IDS_CERT_X509_AUTH_KEYID;
332 break;
333 case NID_ext_key_usage:
334 string_id = IDS_CERT_X509_EXT_KEY_USAGE;
335 break;
336 case NID_info_access:
337 string_id = IDS_CERT_X509_AUTH_INFO_ACCESS;
338 break;
339 case NID_server_auth:
340 string_id = IDS_CERT_EKU_TLS_WEB_SERVER_AUTHENTICATION;
341 break;
342 case NID_client_auth:
343 string_id = IDS_CERT_EKU_TLS_WEB_CLIENT_AUTHENTICATION;
344 break;
345 case NID_code_sign:
346 string_id = IDS_CERT_EKU_CODE_SIGNING;
347 break;
348 case NID_email_protect:
349 string_id = IDS_CERT_EKU_EMAIL_PROTECTION;
350 break;
351 case NID_time_stamp:
352 string_id = IDS_CERT_EKU_TIME_STAMPING;
353 break;
354 case NID_OCSP_sign:
355 string_id = IDS_CERT_EKU_OCSP_SIGNING;
356 break;
357 case NID_id_qt_cps:
358 string_id = IDS_CERT_PKIX_CPS_POINTER_QUALIFIER;
359 break;
360 case NID_id_qt_unotice:
361 string_id = IDS_CERT_PKIX_USER_NOTICE_QUALIFIER;
362 break;
363 case NID_ms_upn:
364 string_id = IDS_CERT_EXT_MS_NT_PRINCIPAL_NAME;
365 break;
366 case NID_ms_code_ind:
367 string_id = IDS_CERT_EKU_MS_INDIVIDUAL_CODE_SIGNING;
368 break;
369 case NID_ms_code_com:
370 string_id = IDS_CERT_EKU_MS_COMMERCIAL_CODE_SIGNING;
371 break;
372 case NID_ms_ctl_sign:
373 string_id = IDS_CERT_EKU_MS_TRUST_LIST_SIGNING;
374 break;
375 case NID_ms_sgc:
376 string_id = IDS_CERT_EKU_MS_SERVER_GATED_CRYPTO;
377 break;
378 case NID_ms_efs:
379 string_id = IDS_CERT_EKU_MS_ENCRYPTING_FILE_SYSTEM;
380 break;
381 case NID_ms_smartcard_login:
382 string_id = IDS_CERT_EKU_MS_SMART_CARD_LOGON;
383 break;
384 case NID_ns_sgc:
385 string_id = IDS_CERT_EKU_NETSCAPE_INTERNATIONAL_STEP_UP;
386 break;
387 case NID_businessCategory:
388 string_id = IDS_CERT_OID_BUSINESS_CATEGORY;
389 break;
390 case NID_undef:
391 string_id = -1;
392 break;
393
394 default:
395 if (nid == ms_cert_ext_certtype)
396 string_id = IDS_CERT_EXT_MS_CERT_TYPE;
397 else if (nid == ms_certsrv_ca_version)
398 string_id = IDS_CERT_EXT_MS_CA_VERSION;
399 else if (nid == ms_ntds_replication)
400 string_id = IDS_CERT_EXT_MS_NTDS_REPLICATION;
401 else if (nid == eku_ms_time_stamping)
402 string_id = IDS_CERT_EKU_MS_TIME_STAMPING;
403 else if (nid == eku_ms_file_recovery)
404 string_id = IDS_CERT_EKU_MS_FILE_RECOVERY;
405 else if (nid == eku_ms_windows_hardware_driver_verification)
406 string_id = IDS_CERT_EKU_MS_WINDOWS_HARDWARE_DRIVER_VERIFICATION;
407 else if (nid == eku_ms_qualified_subordination)
408 string_id = IDS_CERT_EKU_MS_QUALIFIED_SUBORDINATION;
409 else if (nid == eku_ms_key_recovery)
410 string_id = IDS_CERT_EKU_MS_KEY_RECOVERY;
411 else if (nid == eku_ms_document_signing)
412 string_id = IDS_CERT_EKU_MS_DOCUMENT_SIGNING;
413 else if (nid == eku_ms_lifetime_signing)
414 string_id = IDS_CERT_EKU_MS_LIFETIME_SIGNING;
415 else if (nid == eku_ms_key_recovery_agent)
416 string_id = IDS_CERT_EKU_MS_KEY_RECOVERY_AGENT;
417 else if (nid == cert_attribute_ev_incorporation_country)
418 string_id = IDS_CERT_OID_EV_INCORPORATION_COUNTRY;
419 else if (nid == ns_cert_ext_lost_password_url)
420 string_id = IDS_CERT_EXT_NS_LOST_PASSWORD_URL;
421 else if (nid == ns_cert_ext_cert_renewal_time)
422 string_id = IDS_CERT_EXT_NS_CERT_RENEWAL_TIME;
423 else
424 string_id = -1;
425 break;
426 }
427 if (string_id >= 0)
428 return l10n_util::GetStringUTF8(string_id);
429
430 return Asn1ObjectToOIDString(obj);
431 }
432
433 struct MaskIdPair {
434 unsigned int mask;
435 int string_id;
436 };
437
438 std::string ProcessBitField(ASN1_BIT_STRING* bitfield,
439 const MaskIdPair* string_map,
440 size_t len,
441 char separator) {
442 unsigned int bits = 0;
443 std::string rv;
444 for (size_t i = 0;
445 i < sizeof(bits) && static_cast<int>(i) < ASN1_STRING_length(bitfield);
446 ++i)
447 bits |= ASN1_STRING_data(bitfield)[i] << (i * 8);
448 for (size_t i = 0; i < len; ++i) {
449 if (bits & string_map[i].mask) {
450 if (!rv.empty())
451 rv += separator;
452 rv += l10n_util::GetStringUTF8(string_map[i].string_id);
453 }
454 }
455 return rv;
456 }
457
458 std::string ProcessNSCertTypeExtension(X509_EXTENSION* ex) {
459 static const MaskIdPair usage_string_map[] = {
460 {NS_SSL_CLIENT, IDS_CERT_USAGE_SSL_CLIENT},
461 {NS_SSL_SERVER, IDS_CERT_USAGE_SSL_SERVER},
462 {NS_SMIME, IDS_CERT_EXT_NS_CERT_TYPE_EMAIL},
463 {NS_OBJSIGN, IDS_CERT_USAGE_OBJECT_SIGNER},
464 {NS_SSL_CA, IDS_CERT_USAGE_SSL_CA},
465 {NS_SMIME_CA, IDS_CERT_EXT_NS_CERT_TYPE_EMAIL_CA},
466 {NS_OBJSIGN_CA, IDS_CERT_USAGE_OBJECT_SIGNER},
467 };
468
469 crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free> value(
470 reinterpret_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(ex)));
471 if (!value.get())
472 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
473 return ProcessBitField(value.get(),
474 usage_string_map,
475 arraysize(usage_string_map),
476 '\n');
477 }
478
479 std::string ProcessKeyUsageExtension(X509_EXTENSION* ex) {
480 static const MaskIdPair key_usage_string_map[] = {
481 {KU_DIGITAL_SIGNATURE, IDS_CERT_X509_KEY_USAGE_SIGNING},
482 {KU_NON_REPUDIATION, IDS_CERT_X509_KEY_USAGE_NONREP},
483 {KU_KEY_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_ENCIPHERMENT},
484 {KU_DATA_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_DATA_ENCIPHERMENT},
485 {KU_KEY_AGREEMENT, IDS_CERT_X509_KEY_USAGE_KEY_AGREEMENT},
486 {KU_KEY_CERT_SIGN, IDS_CERT_X509_KEY_USAGE_CERT_SIGNER},
487 {KU_CRL_SIGN, IDS_CERT_X509_KEY_USAGE_CRL_SIGNER},
488 {KU_ENCIPHER_ONLY, IDS_CERT_X509_KEY_USAGE_ENCIPHER_ONLY},
489 {KU_DECIPHER_ONLY, IDS_CERT_X509_KEY_USAGE_DECIPHER_ONLY},
490 };
491
492 crypto::ScopedOpenSSL<ASN1_BIT_STRING, ASN1_BIT_STRING_free> value(
493 reinterpret_cast<ASN1_BIT_STRING*>(X509V3_EXT_d2i(ex)));
494 if (!value.get())
495 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
496 return ProcessBitField(value.get(),
497 key_usage_string_map,
498 arraysize(key_usage_string_map),
499 '\n');
500 }
501
502 std::string ProcessBasicConstraints(X509_EXTENSION* ex) {
503 std::string rv;
504 crypto::ScopedOpenSSL<BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free> value(
505 reinterpret_cast<BASIC_CONSTRAINTS*>(X509V3_EXT_d2i(ex)));
506 if (!value.get())
507 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
508 if (value.get()->ca)
509 rv = l10n_util::GetStringUTF8(IDS_CERT_X509_BASIC_CONSTRAINT_IS_CA);
510 else
511 rv = l10n_util::GetStringUTF8(IDS_CERT_X509_BASIC_CONSTRAINT_IS_NOT_CA);
512 rv += '\n';
513 if (value.get()->ca) {
514 base::string16 depth;
515 if (!value.get()->pathlen) {
516 depth = l10n_util::GetStringUTF16(
517 IDS_CERT_X509_BASIC_CONSTRAINT_PATH_LEN_UNLIMITED);
518 } else {
519 depth = base::FormatNumber(ASN1_INTEGER_get(value.get()->pathlen));
520 }
521 rv += l10n_util::GetStringFUTF8(IDS_CERT_X509_BASIC_CONSTRAINT_PATH_LEN,
522 depth);
523 }
524 return rv;
525 }
526
527 std::string ProcessExtKeyUsage(X509_EXTENSION* ex) {
528 std::string rv;
529 crypto::ScopedOpenSSL<EXTENDED_KEY_USAGE, EXTENDED_KEY_USAGE_free> value(
530 reinterpret_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ex)));
531 if (!value.get())
532 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
533 for (size_t i = 0; i < sk_ASN1_OBJECT_num(value.get()); i++) {
534 ASN1_OBJECT* obj = sk_ASN1_OBJECT_value(value.get(), i);
535 std::string oid_dump = Asn1ObjectToOIDString(obj);
536 std::string oid_text = Asn1ObjectToString(obj);
537
538 // If oid is one we recognize, oid_text will have a text description of the
539 // OID, which we display along with the oid_dump. If we don't recognize the
540 // OID, they will be the same, so just display the OID alone.
541 if (oid_dump == oid_text)
542 rv += oid_dump;
543 else
544 rv += l10n_util::GetStringFUTF8(IDS_CERT_EXT_KEY_USAGE_FORMAT,
545 base::UTF8ToUTF16(oid_text),
546 base::UTF8ToUTF16(oid_dump));
547 rv += '\n';
548 }
549 return rv;
550 }
551
552 std::string ProcessGeneralName(GENERAL_NAME* name) {
553 std::string key;
554 std::string value;
555
556 switch (name->type) {
557 case GEN_OTHERNAME: {
558 ASN1_OBJECT* oid;
559 ASN1_TYPE* asn1_value;
560 GENERAL_NAME_get0_otherName(name, &oid, &asn1_value);
561 key = Asn1ObjectToString(oid);
562 // g_dynamic_oid_registerer.Get() will have been run by
563 // Asn1ObjectToString.
564 int nid = OBJ_obj2nid(oid);
565 if (nid == IDS_CERT_EXT_MS_NT_PRINCIPAL_NAME) {
566 // The type of this name is apparently nowhere explicitly
567 // documented. However, in the generated templates, it is always
568 // UTF-8. So try to decode this as UTF-8; if that fails, dump the
569 // raw data.
570 if (asn1_value->type == V_ASN1_UTF8STRING) {
571 value = std::string(reinterpret_cast<char*>(ASN1_STRING_data(
572 asn1_value->value.utf8string)),
573 ASN1_STRING_length(asn1_value->value.utf8string));
574 } else {
575 value = ProcessRawAsn1Type(asn1_value);
576 }
577 } else if (nid == ms_ntds_replication) {
578 // This should be a 16-byte GUID.
579 if (asn1_value->type == V_ASN1_OCTET_STRING &&
580 asn1_value->value.octet_string->length == 16) {
581 unsigned char* d = asn1_value->value.octet_string->data;
582 base::SStringPrintf(
583 &value,
584 "{%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-"
585 "%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}",
586 d[3], d[2], d[1], d[0], d[5], d[4], d[7], d[6],
587 d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
588 } else {
589 value = ProcessRawAsn1Type(asn1_value);
590 }
591 } else {
592 value = ProcessRawAsn1Type(asn1_value);
593 }
594 break;
595 }
596 case GEN_EMAIL:
597 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_RFC822_NAME);
598 value = std::string(
599 reinterpret_cast<char*>(ASN1_STRING_data(name->d.rfc822Name)),
600 ASN1_STRING_length(name->d.rfc822Name));
601 break;
602 case GEN_DNS:
603 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_DNS_NAME);
604 value = std::string(
605 reinterpret_cast<char*>(ASN1_STRING_data(name->d.dNSName)),
606 ASN1_STRING_length(name->d.dNSName));
607 value = ProcessIDN(value);
608 break;
609 case GEN_X400:
610 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_X400_ADDRESS);
611 value = ProcessRawAsn1Type(name->d.x400Address);
612 break;
613 case GEN_DIRNAME:
614 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_DIRECTORY_NAME);
615 value = GetKeyValuesFromName(name->d.directoryName);
616 break;
617 case GEN_EDIPARTY:
618 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_EDI_PARTY_NAME);
619 if (name->d.ediPartyName->nameAssigner &&
620 ASN1_STRING_length(name->d.ediPartyName->nameAssigner) > 0) {
621 value += l10n_util::GetStringFUTF8(
622 IDS_CERT_EDI_NAME_ASSIGNER,
623 base::UTF8ToUTF16(
624 Asn1StringToUTF8(name->d.ediPartyName->nameAssigner)));
625 value += "\n";
626 }
627 if (name->d.ediPartyName->partyName &&
628 ASN1_STRING_length(name->d.ediPartyName->partyName) > 0) {
629 value += l10n_util::GetStringFUTF8(
630 IDS_CERT_EDI_PARTY_NAME,
631 base::UTF8ToUTF16(
632 Asn1StringToUTF8(name->d.ediPartyName->partyName)));
633 value += "\n";
634 }
635 break;
636 case GEN_URI:
637 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_URI);
638 value =
639 std::string(reinterpret_cast<char*>(
640 ASN1_STRING_data(name->d.uniformResourceIdentifier)),
641 ASN1_STRING_length(name->d.uniformResourceIdentifier));
642 break;
643 case GEN_IPADD: {
644 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_IP_ADDRESS);
645 net::IPAddressNumber ip(ASN1_STRING_data(name->d.iPAddress),
646 ASN1_STRING_data(name->d.iPAddress) +
647 ASN1_STRING_length(name->d.iPAddress));
648 if (net::GetAddressFamily(ip) != net::ADDRESS_FAMILY_UNSPECIFIED) {
649 value = net::IPAddressToString(ip);
650 } else {
651 // Invalid IP address.
652 value = ProcessRawBytes(ip.data(), ip.size());
653 }
654 break;
655 }
656 case GEN_RID:
657 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_REGISTERED_ID);
658 value = Asn1ObjectToString(name->d.registeredID);
659 break;
660 }
661 std::string rv(l10n_util::GetStringFUTF8(IDS_CERT_UNKNOWN_OID_INFO_FORMAT,
662 base::UTF8ToUTF16(key),
663 base::UTF8ToUTF16(value)));
664 rv += '\n';
665 return rv;
666 }
667
668 std::string ProcessGeneralNames(GENERAL_NAMES* names) {
669 std::string rv;
670 for (size_t i = 0; i < sk_GENERAL_NAME_num(names); ++i) {
671 GENERAL_NAME* name = sk_GENERAL_NAME_value(names, i);
672 rv += ProcessGeneralName(name);
673 }
674 return rv;
675 }
676
677 std::string ProcessAltName(X509_EXTENSION* ex) {
678 crypto::ScopedOpenSSL<GENERAL_NAMES, GENERAL_NAMES_free> alt_names(
679 reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ex)));
680 if (!alt_names.get())
681 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
682
683 return ProcessGeneralNames(alt_names.get());
684 }
685
686 std::string ProcessSubjectKeyId(X509_EXTENSION* ex) {
687 crypto::ScopedOpenSSL<ASN1_OCTET_STRING, ASN1_OCTET_STRING_free> value(
688 reinterpret_cast<ASN1_OCTET_STRING*>(X509V3_EXT_d2i(ex)));
689 if (!value.get())
690 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
691
692 return l10n_util::GetStringFUTF8(
693 IDS_CERT_KEYID_FORMAT,
694 base::ASCIIToUTF16(ProcessRawAsn1String(value.get())));
695 }
696
697 std::string ProcessAuthKeyId(X509_EXTENSION* ex) {
698 std::string rv;
699 crypto::ScopedOpenSSL<AUTHORITY_KEYID, AUTHORITY_KEYID_free> value(
700 reinterpret_cast<AUTHORITY_KEYID*>(X509V3_EXT_d2i(ex)));
701 if (!value.get())
702 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
703
704 if (value.get()->keyid && ASN1_STRING_length(value.get()->keyid) > 0) {
705 rv += l10n_util::GetStringFUTF8(
706 IDS_CERT_KEYID_FORMAT,
707 base::ASCIIToUTF16(ProcessRawAsn1String(value.get()->keyid)));
708 rv += '\n';
709 }
710
711 if (value.get()->issuer) {
712 rv += l10n_util::GetStringFUTF8(
713 IDS_CERT_ISSUER_FORMAT,
714 base::UTF8ToUTF16(ProcessGeneralNames(value.get()->issuer)));
715 rv += '\n';
716 }
717
718 if (value.get()->serial) {
719 rv += l10n_util::GetStringFUTF8(
720 IDS_CERT_SERIAL_NUMBER_FORMAT,
721 base::ASCIIToUTF16(ProcessRawAsn1String(value.get()->serial)));
722 rv += '\n';
723 }
724
725 return rv;
726 }
727
728 std::string ProcessUserNotice(USERNOTICE* notice) {
729 std::string rv;
730 if (notice->noticeref) {
731 rv += Asn1StringToUTF8(notice->noticeref->organization);
732 rv += " - ";
733 for (size_t i = 0; i < sk_ASN1_INTEGER_num(notice->noticeref->noticenos);
734 ++i) {
735 ASN1_INTEGER* info =
736 sk_ASN1_INTEGER_value(notice->noticeref->noticenos, i);
737 long number = ASN1_INTEGER_get(info);
738 if (number != -1) {
739 if (i != sk_ASN1_INTEGER_num(notice->noticeref->noticenos) - 1)
740 rv += ", ";
741 rv += '#';
742 rv += base::IntToString(number);
743 }
744 }
745 }
746 if (notice->exptext && notice->exptext->length != 0) {
747 rv += "\n ";
748 rv += Asn1StringToUTF8(notice->exptext);
749 }
750 return rv;
751 }
752
753 std::string ProcessCertificatePolicies(X509_EXTENSION* ex) {
754 std::string rv;
755 crypto::ScopedOpenSSL<CERTIFICATEPOLICIES, CERTIFICATEPOLICIES_free> policies(
756 reinterpret_cast<CERTIFICATEPOLICIES*>(X509V3_EXT_d2i(ex)));
757
758 if (!policies.get())
759 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
760
761 for (size_t i = 0; i < sk_POLICYINFO_num(policies.get()); ++i) {
762 POLICYINFO* info = sk_POLICYINFO_value(policies.get(), i);
763 std::string key = Asn1ObjectToString(info->policyid);
764 // If we have policy qualifiers, display the oid text
765 // with a ':', otherwise just put the oid text and a newline.
766 if (info->qualifiers && sk_POLICYQUALINFO_num(info->qualifiers)) {
767 rv += l10n_util::GetStringFUTF8(IDS_CERT_MULTILINE_INFO_START_FORMAT,
768 base::UTF8ToUTF16(key));
769 } else {
770 rv += key;
771 }
772 rv += '\n';
773
774 if (info->qualifiers && sk_POLICYQUALINFO_num(info->qualifiers)) {
775 // Add all qualifiers on separate lines, indented.
776 for (size_t i = 0; i < sk_POLICYQUALINFO_num(info->qualifiers); ++i) {
777 POLICYQUALINFO* qualifier =
778 sk_POLICYQUALINFO_value(info->qualifiers, i);
779 rv += " ";
780 rv += l10n_util::GetStringFUTF8(
781 IDS_CERT_MULTILINE_INFO_START_FORMAT,
782 base::UTF8ToUTF16(Asn1ObjectToString(qualifier->pqualid)));
783 int nid = OBJ_obj2nid(qualifier->pqualid);
784 switch (nid) {
785 case NID_id_qt_cps:
786 rv += " ";
787 rv += std::string(
788 reinterpret_cast<char*>(ASN1_STRING_data(qualifier->d.cpsuri)),
789 ASN1_STRING_length(qualifier->d.cpsuri));
790 break;
791 case NID_id_qt_unotice:
792 rv += ProcessUserNotice(qualifier->d.usernotice);
793 break;
794 default:
795 rv += ProcessRawAsn1Type(qualifier->d.other);
796 break;
797 }
798 rv += '\n';
799 }
800 }
801 }
802 return rv;
803 }
804
805 std::string ProcessCrlDistPoints(X509_EXTENSION* ex) {
806 static const MaskIdPair reason_string_map[] = {
807 // OpenSSL doesn't define contants for these. (The CRL_REASON_ defines in
808 // x509v3.h are for the "X509v3 CRL Reason Code" extension.)
809 // These are from RFC5280 section 4.2.1.13.
810 {0, IDS_CERT_REVOCATION_REASON_UNUSED},
811 {1, IDS_CERT_REVOCATION_REASON_KEY_COMPROMISE},
812 {2, IDS_CERT_REVOCATION_REASON_CA_COMPROMISE},
813 {3, IDS_CERT_REVOCATION_REASON_AFFILIATION_CHANGED},
814 {4, IDS_CERT_REVOCATION_REASON_SUPERSEDED},
815 {5, IDS_CERT_REVOCATION_REASON_CESSATION_OF_OPERATION},
816 {6, IDS_CERT_REVOCATION_REASON_CERTIFICATE_HOLD},
817 {7, IDS_CERT_REVOCATION_REASON_PRIVILEGE_WITHDRAWN},
818 {8, IDS_CERT_REVOCATION_REASON_AA_COMPROMISE},
819 };
820 // OpenSSL doesn't define constants for the DIST_POINT type field. These
821 // values are from reading openssl/crypto/x509v3/v3_crld.c
822 const int kDistPointFullName = 0;
823 const int kDistPointRelativeName = 1;
824
825 std::string rv;
826 crypto::ScopedOpenSSL<CRL_DIST_POINTS, CRL_DIST_POINTS_free> dist_points(
827 reinterpret_cast<CRL_DIST_POINTS*>(X509V3_EXT_d2i(ex)));
828
829 if (!dist_points.get())
830 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
831
832 for (size_t i = 0; i < sk_DIST_POINT_num(dist_points.get()); ++i) {
833 DIST_POINT* point = sk_DIST_POINT_value(dist_points.get(), i);
834 if (point->distpoint) {
835 switch (point->distpoint->type) {
836 case kDistPointFullName:
837 rv += ProcessGeneralNames(point->distpoint->name.fullname);
838 break;
839 case kDistPointRelativeName:
840 rv +=
841 GetKeyValuesFromNameEntries(point->distpoint->name.relativename);
842 // TODO(mattm): should something be done with
843 // point->distpoint->dpname?
844 break;
845 }
846 }
847 if (point->reasons) {
848 rv += ' ';
849 rv += ProcessBitField(point->reasons,
850 reason_string_map,
851 arraysize(reason_string_map),
852 ',');
853 rv += '\n';
854 }
855 if (point->CRLissuer) {
856 rv += l10n_util::GetStringFUTF8(
857 IDS_CERT_ISSUER_FORMAT,
858 base::UTF8ToUTF16(ProcessGeneralNames(point->CRLissuer)));
859 }
860 }
861
862 return rv;
863 }
864
865 std::string ProcessAuthInfoAccess(X509_EXTENSION* ex) {
866 std::string rv;
867 crypto::ScopedOpenSSL<AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_ACCESS_free> aia(
868 reinterpret_cast<AUTHORITY_INFO_ACCESS*>(X509V3_EXT_d2i(ex)));
869
870 if (!aia.get())
871 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
872
873 for (size_t i = 0; i < sk_ACCESS_DESCRIPTION_num(aia.get()); ++i) {
874 ACCESS_DESCRIPTION* desc = sk_ACCESS_DESCRIPTION_value(aia.get(), i);
875
876 base::string16 location_str =
877 base::UTF8ToUTF16(ProcessGeneralName(desc->location));
878 switch (OBJ_obj2nid(desc->method)) {
879 case NID_ad_OCSP:
880 rv += l10n_util::GetStringFUTF8(IDS_CERT_OCSP_RESPONDER_FORMAT,
881 location_str);
882 break;
883 case NID_ad_ca_issuers:
884 rv +=
885 l10n_util::GetStringFUTF8(IDS_CERT_CA_ISSUERS_FORMAT, location_str);
886 break;
887 default:
888 rv += l10n_util::GetStringFUTF8(
889 IDS_CERT_UNKNOWN_OID_INFO_FORMAT,
890 base::UTF8ToUTF16(Asn1ObjectToString(desc->method)),
891 location_str);
892 break;
893 }
894 }
895 return rv;
896 }
897
898 std::string ProcessIA5StringData(ASN1_OCTET_STRING* asn1_string) {
899 const unsigned char* data = ASN1_STRING_data(asn1_string);
900 crypto::ScopedOpenSSL<ASN1_IA5STRING, ASN1_IA5STRING_free> ia5_string(
901 d2i_ASN1_IA5STRING(NULL, &data, ASN1_STRING_length(asn1_string)));
902
903 if (!ia5_string.get())
904 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
905
906 return std::string(
907 reinterpret_cast<char*>(ASN1_STRING_data(ia5_string.get())),
908 ASN1_STRING_length(ia5_string.get()));
909 }
910
911 std::string ProcessBMPStringData(ASN1_OCTET_STRING* asn1_string) {
912 const unsigned char* data = ASN1_STRING_data(asn1_string);
913 crypto::ScopedOpenSSL<ASN1_BMPSTRING, ASN1_BMPSTRING_free> bmp_string(
914 d2i_ASN1_BMPSTRING(NULL, &data, ASN1_STRING_length(asn1_string)));
915
916 if (!bmp_string.get())
917 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
918
919 return Asn1StringToUTF8(bmp_string.get());
920 }
921
922 std::string X509ExtensionValueToString(X509_EXTENSION* ex) {
923 g_dynamic_oid_registerer.Get();
924 int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
925 switch (nid) {
926 case NID_netscape_cert_type:
927 return ProcessNSCertTypeExtension(ex);
928 case NID_key_usage:
929 return ProcessKeyUsageExtension(ex);
930 case NID_basic_constraints:
931 return ProcessBasicConstraints(ex);
932 case NID_ext_key_usage:
933 return ProcessExtKeyUsage(ex);
934 case NID_issuer_alt_name:
935 case NID_subject_alt_name:
936 return ProcessAltName(ex);
937 case NID_subject_key_identifier:
938 return ProcessSubjectKeyId(ex);
939 case NID_authority_key_identifier:
940 return ProcessAuthKeyId(ex);
941 case NID_certificate_policies:
942 return ProcessCertificatePolicies(ex);
943 case NID_crl_distribution_points:
944 return ProcessCrlDistPoints(ex);
945 case NID_info_access:
946 return ProcessAuthInfoAccess(ex);
947 case NID_netscape_base_url:
948 case NID_netscape_revocation_url:
949 case NID_netscape_ca_revocation_url:
950 case NID_netscape_renewal_url:
951 case NID_netscape_ca_policy_url:
952 case NID_netscape_comment:
953 case NID_netscape_ssl_server_name:
954 return ProcessIA5StringData(X509_EXTENSION_get_data(ex));
955 default:
956 if (nid == ns_cert_ext_ca_cert_url ||
957 nid == ns_cert_ext_homepage_url ||
958 nid == ns_cert_ext_lost_password_url)
959 return ProcessIA5StringData(X509_EXTENSION_get_data(ex));
960 if (nid == ms_cert_ext_certtype)
961 return ProcessBMPStringData(X509_EXTENSION_get_data(ex));
962 return ProcessRawAsn1String(X509_EXTENSION_get_data(ex));
963 }
964 }
965
966 } // namespace
967
968 using net::X509Certificate;
969
970 std::string GetCertNameOrNickname(X509Certificate::OSCertHandle cert_handle) {
971 std::string name =
972 ProcessIDN(GetSubjectCommonName(cert_handle, std::string()));
973 if (!name.empty())
974 return name;
975
976 crypto::ScopedBIO bio(crypto::BIO_new_string(&name));
977 if (!bio.get())
978 return name;
979 X509_NAME_print_ex(bio.get(),
980 X509_get_subject_name(cert_handle),
981 0 /* indent */,
982 XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB);
983 return name;
984 }
985
986 std::string GetTokenName(X509Certificate::OSCertHandle cert_handle) {
987 // TODO(bulach): implement me.
988 return "";
989 }
990
991 std::string GetVersion(net::X509Certificate::OSCertHandle cert_handle) {
992 unsigned long version = X509_get_version(cert_handle);
993 if (version != ULONG_MAX)
994 return base::UintToString(version + 1);
995 return "";
996 }
997
998 net::CertType GetType(X509Certificate::OSCertHandle os_cert) {
999 // TODO(bulach): implement me.
1000 return net::OTHER_CERT;
1001 }
1002
1003 void GetUsageStrings(X509Certificate::OSCertHandle cert_handle,
1004 std::vector<std::string>* usages) {
1005 // TODO(bulach): implement me.
1006 }
1007
1008 std::string GetSerialNumberHexified(
1009 X509Certificate::OSCertHandle cert_handle,
1010 const std::string& alternative_text) {
1011 ASN1_INTEGER* num = X509_get_serialNumber(cert_handle);
1012 const char kSerialNumberSeparator = ':';
1013 std::string hex_string = ProcessRawBytesWithSeparators(
1014 num->data, num->length, kSerialNumberSeparator, kSerialNumberSeparator);
1015 return AlternativeWhenEmpty(hex_string, alternative_text);
1016 }
1017
1018 std::string GetIssuerCommonName(
1019 X509Certificate::OSCertHandle cert_handle,
1020 const std::string& alternative_text) {
1021 std::string ret;
1022 x509_util::ParsePrincipalValueByNID(X509_get_issuer_name(cert_handle),
1023 NID_commonName, &ret);
1024 return AlternativeWhenEmpty(ret, alternative_text);
1025 }
1026
1027 std::string GetIssuerOrgName(
1028 X509Certificate::OSCertHandle cert_handle,
1029 const std::string& alternative_text) {
1030 std::string ret;
1031 x509_util::ParsePrincipalValueByNID(X509_get_issuer_name(cert_handle),
1032 NID_organizationName, &ret);
1033 return AlternativeWhenEmpty(ret, alternative_text);
1034 }
1035
1036 std::string GetIssuerOrgUnitName(
1037 X509Certificate::OSCertHandle cert_handle,
1038 const std::string& alternative_text) {
1039 std::string ret;
1040 x509_util::ParsePrincipalValueByNID(X509_get_issuer_name(cert_handle),
1041 NID_organizationalUnitName, &ret);
1042 return AlternativeWhenEmpty(ret, alternative_text);
1043 }
1044
1045 std::string GetSubjectOrgName(
1046 X509Certificate::OSCertHandle cert_handle,
1047 const std::string& alternative_text) {
1048 std::string ret;
1049 x509_util::ParsePrincipalValueByNID(X509_get_subject_name(cert_handle),
1050 NID_organizationName, &ret);
1051 return AlternativeWhenEmpty(ret, alternative_text);
1052 }
1053
1054 std::string GetSubjectOrgUnitName(
1055 X509Certificate::OSCertHandle cert_handle,
1056 const std::string& alternative_text) {
1057 std::string ret;
1058 x509_util::ParsePrincipalValueByNID(X509_get_subject_name(cert_handle),
1059 NID_organizationalUnitName, &ret);
1060 return AlternativeWhenEmpty(ret, alternative_text);
1061 }
1062
1063 std::string GetSubjectCommonName(X509Certificate::OSCertHandle cert_handle,
1064 const std::string& alternative_text) {
1065 std::string ret;
1066 x509_util::ParsePrincipalValueByNID(X509_get_subject_name(cert_handle),
1067 NID_commonName, &ret);
1068 return AlternativeWhenEmpty(ret, alternative_text);
1069 }
1070
1071 bool GetTimes(X509Certificate::OSCertHandle cert_handle,
1072 base::Time* issued, base::Time* expires) {
1073 return x509_util::ParseDate(X509_get_notBefore(cert_handle), issued) &&
1074 x509_util::ParseDate(X509_get_notAfter(cert_handle), expires);
1075 }
1076
1077 std::string GetTitle(net::X509Certificate::OSCertHandle cert_handle) {
1078 // TODO(mattm): merge GetTitle and GetCertNameOrNickname?
1079 // Is there any reason GetCertNameOrNickname calls ProcessIDN and this
1080 // doesn't?
1081 std::string title =
1082 GetSubjectCommonName(cert_handle, std::string());
1083 if (!title.empty())
1084 return title;
1085
1086 crypto::ScopedBIO bio(crypto::BIO_new_string(&title));
1087 if (!bio.get())
1088 return title;
1089 X509_NAME_print_ex(bio.get(),
1090 X509_get_subject_name(cert_handle),
1091 0 /* indent */,
1092 XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB);
1093 return title;
1094 }
1095
1096 std::string GetIssuerName(net::X509Certificate::OSCertHandle cert_handle) {
1097 return GetKeyValuesFromName(X509_get_issuer_name(cert_handle));
1098 }
1099
1100 std::string GetSubjectName(net::X509Certificate::OSCertHandle cert_handle) {
1101 return GetKeyValuesFromName(X509_get_subject_name(cert_handle));
1102 }
1103
1104 void GetExtensions(
1105 const std::string& critical_label,
1106 const std::string& non_critical_label,
1107 net::X509Certificate::OSCertHandle cert_handle,
1108 Extensions* extensions) {
1109 for (int i = 0; i < X509_get_ext_count(cert_handle); ++i) {
1110 X509_EXTENSION* ex = X509_get_ext(cert_handle, i);
1111 ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex);
1112
1113 Extension extension;
1114 extension.name = Asn1ObjectToString(obj);
1115 extension.value = (X509_EXTENSION_get_critical(ex) ? critical_label
1116 : non_critical_label) +
1117 "\n" + X509ExtensionValueToString(ex);
1118 extensions->push_back(extension);
1119 }
1120 }
1121
1122 std::string HashCertSHA256(net::X509Certificate::OSCertHandle cert_handle) {
1123 unsigned char sha256_data[SHA256_DIGEST_LENGTH] = {0};
1124 unsigned int sha256_size = sizeof(sha256_data);
1125 int ret = X509_digest(cert_handle, EVP_sha256(), sha256_data, &sha256_size);
1126 DCHECK(ret);
1127 DCHECK_EQ(sha256_size, sizeof(sha256_data));
1128 return ProcessRawBytes(sha256_data, sha256_size);
1129 }
1130
1131 std::string HashCertSHA1(net::X509Certificate::OSCertHandle cert_handle) {
1132 unsigned char sha1_data[SHA_DIGEST_LENGTH] = {0};
1133 unsigned int sha1_size = sizeof(sha1_data);
1134 int ret = X509_digest(cert_handle, EVP_sha1(), sha1_data, &sha1_size);
1135 DCHECK(ret);
1136 DCHECK_EQ(sha1_size, sizeof(sha1_data));
1137 return ProcessRawBytes(sha1_data, sha1_size);
1138 }
1139
1140 std::string GetCMSString(const net::X509Certificate::OSCertHandles& cert_chain,
1141 size_t start, size_t end) {
1142 STACK_OF(X509)* certs = sk_X509_new_null();
1143
1144 for (size_t i = start; i < end; ++i) {
1145 sk_X509_push(certs, cert_chain[i]);
1146 }
1147
1148 CBB pkcs7;
1149 CBB_init(&pkcs7, 1024 * sk_X509_num(certs));
1150
1151 uint8_t *pkcs7_data;
1152 size_t pkcs7_len;
1153 if (!PKCS7_bundle_certificates(&pkcs7, certs) ||
1154 !CBB_finish(&pkcs7, &pkcs7_data, &pkcs7_len)) {
1155 CBB_cleanup(&pkcs7);
1156 sk_X509_free(certs);
1157 return "";
1158 }
1159
1160 std::string ret(reinterpret_cast<char*>(pkcs7_data), pkcs7_len);
1161 OPENSSL_free(pkcs7_data);
1162 sk_X509_free(certs);
1163
1164 return ret;
1165 }
1166
1167 std::string ProcessSecAlgorithmSignature(
1168 net::X509Certificate::OSCertHandle cert_handle) {
1169 return Asn1ObjectToString(cert_handle->cert_info->signature->algorithm);
1170 }
1171
1172 std::string ProcessSecAlgorithmSubjectPublicKey(
1173 net::X509Certificate::OSCertHandle cert_handle) {
1174 return Asn1ObjectToString(
1175 X509_get_X509_PUBKEY(cert_handle)->algor->algorithm);
1176 }
1177
1178 std::string ProcessSecAlgorithmSignatureWrap(
1179 net::X509Certificate::OSCertHandle cert_handle) {
1180 return Asn1ObjectToString(cert_handle->sig_alg->algorithm);
1181 }
1182
1183 std::string ProcessSubjectPublicKeyInfo(
1184 net::X509Certificate::OSCertHandle cert_handle) {
1185 std::string rv;
1186 crypto::ScopedEVP_PKEY public_key(X509_get_pubkey(cert_handle));
1187 if (!public_key.get())
1188 return rv;
1189 switch (EVP_PKEY_type(public_key.get()->type)) {
1190 case EVP_PKEY_RSA: {
1191 crypto::ScopedRSA rsa_key(EVP_PKEY_get1_RSA(public_key.get()));
1192 if (!rsa_key)
1193 return rv;
1194 rv = l10n_util::GetStringFUTF8(
1195 IDS_CERT_RSA_PUBLIC_KEY_DUMP_FORMAT,
1196 base::UintToString16(BN_num_bits(rsa_key.get()->n)),
1197 base::UTF8ToUTF16(ProcessRawBignum(rsa_key.get()->n)),
1198 base::UintToString16(BN_num_bits(rsa_key.get()->e)),
1199 base::UTF8ToUTF16(ProcessRawBignum(rsa_key.get()->e)));
1200 return rv;
1201 }
1202 default:
1203 rv = ProcessRawAsn1String(X509_get_X509_PUBKEY(cert_handle)->public_key);
1204 return rv;
1205 }
1206 }
1207
1208 std::string ProcessRawBitsSignatureWrap(
1209 net::X509Certificate::OSCertHandle cert_handle) {
1210 return ProcessRawAsn1String(cert_handle->signature);
1211 }
1212
1213 } // namespace x509_certificate_model