search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Disable view source for Developer Tools.
[chromium-blink-merge.git] / chrome / third_party / mozilla_security_manager / nsNSSCertHelper.cpp
blob88615f845eaa0d9bcf9ddb01393570f8c413da96
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Ian McGreer <mcgreer@netscape.com>
23 * Javier Delgadillo <javi@netscape.com>
24 * John Gardiner Myers <jgmyers@speakeasy.net>
25 * Martin v. Loewis <martin@v.loewis.de>
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either the GNU General Public License Version 2 or later (the "GPL"), or
29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
40
41 #include "chrome/third_party/mozilla_security_manager/nsNSSCertHelper.h"
42
43 #include <certdb.h>
44 #include <keyhi.h>
45 #include <prprf.h>
46 #include <unicode/uidna.h>
47
48 #include "base/i18n/number_formatting.h"
49 #include "base/strings/string_number_conversions.h"
50 #include "base/strings/stringprintf.h"
51 #include "base/strings/utf_string_conversions.h"
52 #include "chrome/common/net/x509_certificate_model.h"
53 #include "crypto/scoped_nss_types.h"
54 #include "grit/generated_resources.h"
55 #include "net/base/ip_endpoint.h"
56 #include "net/base/net_util.h"
57 #include "ui/base/l10n/l10n_util.h"
58
59 #if !defined(CERTDB_TERMINAL_RECORD)
60 /* NSS 3.13 renames CERTDB_VALID_PEER to CERTDB_TERMINAL_RECORD
61 * and marks CERTDB_VALID_PEER as deprecated.
62 * If we're using an older version, rename it ourselves.
63 */
64 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
65 #endif
66
67 namespace {
68
69 std::string BMPtoUTF8(PRArenaPool* arena, unsigned char* data,
70 unsigned int len) {
71 if (len % 2 != 0)
72 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
73
74 unsigned int utf8_val_len = len * 3 + 1;
75 std::vector<unsigned char> utf8_val(utf8_val_len);
76 if (!PORT_UCS2_UTF8Conversion(PR_FALSE, data, len,
77 &utf8_val.front(), utf8_val_len, &utf8_val_len))
78 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
79 return std::string(reinterpret_cast<char*>(&utf8_val.front()), utf8_val_len);
80 }
81
82 SECOidTag RegisterDynamicOid(const char* oid_string) {
83 SECOidTag rv = SEC_OID_UNKNOWN;
84 unsigned char buffer[1024];
85 SECOidData od;
86 od.oid.type = siDEROID;
87 od.oid.data = buffer;
88 od.oid.len = sizeof(buffer);
89
90 if (SEC_StringToOID(NULL, &od.oid, oid_string, 0) == SECSuccess) {
91 od.offset = SEC_OID_UNKNOWN;
92 od.mechanism = CKM_INVALID_MECHANISM;
93 od.supportedExtension = INVALID_CERT_EXTENSION;
94 od.desc = oid_string;
95
96 rv = SECOID_AddEntry(&od);
97 }
98 DCHECK_NE(rv, SEC_OID_UNKNOWN) << oid_string;
99 return rv;
100 }
101
102 // Format a SECItem as a space separated string, with 16 bytes on each line.
103 std::string ProcessRawBytes(SECItem* data) {
104 return x509_certificate_model::ProcessRawBytes(data->data, data->len);
105 }
106
107 } // namespace
108
109 namespace mozilla_security_manager {
110
111 SECOidTag ms_cert_ext_certtype = SEC_OID_UNKNOWN;
112 SECOidTag ms_certsrv_ca_version = SEC_OID_UNKNOWN;
113 SECOidTag ms_nt_principal_name = SEC_OID_UNKNOWN;
114 SECOidTag ms_ntds_replication = SEC_OID_UNKNOWN;
115 SECOidTag eku_ms_individual_code_signing = SEC_OID_UNKNOWN;
116 SECOidTag eku_ms_commercial_code_signing = SEC_OID_UNKNOWN;
117 SECOidTag eku_ms_trust_list_signing = SEC_OID_UNKNOWN;
118 SECOidTag eku_ms_time_stamping = SEC_OID_UNKNOWN;
119 SECOidTag eku_ms_server_gated_crypto = SEC_OID_UNKNOWN;
120 SECOidTag eku_ms_encrypting_file_system = SEC_OID_UNKNOWN;
121 SECOidTag eku_ms_file_recovery = SEC_OID_UNKNOWN;
122 SECOidTag eku_ms_windows_hardware_driver_verification = SEC_OID_UNKNOWN;
123 SECOidTag eku_ms_qualified_subordination = SEC_OID_UNKNOWN;
124 SECOidTag eku_ms_key_recovery = SEC_OID_UNKNOWN;
125 SECOidTag eku_ms_document_signing = SEC_OID_UNKNOWN;
126 SECOidTag eku_ms_lifetime_signing = SEC_OID_UNKNOWN;
127 SECOidTag eku_ms_smart_card_logon = SEC_OID_UNKNOWN;
128 SECOidTag eku_ms_key_recovery_agent = SEC_OID_UNKNOWN;
129 SECOidTag eku_netscape_international_step_up = SEC_OID_UNKNOWN;
130 SECOidTag cert_attribute_business_category = SEC_OID_UNKNOWN;
131 SECOidTag cert_attribute_ev_incorporation_country = SEC_OID_UNKNOWN;
132
133 void RegisterDynamicOids() {
134 if (ms_cert_ext_certtype != SEC_OID_UNKNOWN)
135 return;
136
137 ms_cert_ext_certtype = RegisterDynamicOid("1.3.6.1.4.1.311.20.2");
138 ms_certsrv_ca_version = RegisterDynamicOid("1.3.6.1.4.1.311.21.1");
139 ms_nt_principal_name = RegisterDynamicOid("1.3.6.1.4.1.311.20.2.3");
140 ms_ntds_replication = RegisterDynamicOid("1.3.6.1.4.1.311.25.1");
141
142 eku_ms_individual_code_signing = RegisterDynamicOid("1.3.6.1.4.1.311.2.1.21");
143 eku_ms_commercial_code_signing = RegisterDynamicOid("1.3.6.1.4.1.311.2.1.22");
144 eku_ms_trust_list_signing = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.1");
145 eku_ms_time_stamping = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.2");
146 eku_ms_server_gated_crypto = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.3");
147 eku_ms_encrypting_file_system = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.4");
148 eku_ms_file_recovery = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.4.1");
149 eku_ms_windows_hardware_driver_verification = RegisterDynamicOid(
150 "1.3.6.1.4.1.311.10.3.5");
151 eku_ms_qualified_subordination = RegisterDynamicOid(
152 "1.3.6.1.4.1.311.10.3.10");
153 eku_ms_key_recovery = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.11");
154 eku_ms_document_signing = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.12");
155 eku_ms_lifetime_signing = RegisterDynamicOid("1.3.6.1.4.1.311.10.3.13");
156 eku_ms_smart_card_logon = RegisterDynamicOid("1.3.6.1.4.1.311.20.2.2");
157 eku_ms_key_recovery_agent = RegisterDynamicOid("1.3.6.1.4.1.311.21.6");
158 eku_netscape_international_step_up = RegisterDynamicOid(
159 "2.16.840.1.113730.4.1");
160
161 // These two OIDs will be built-in as SEC_OID_BUSINESS_CATEGORY and
162 // SEC_OID_EV_INCORPORATION_COUNTRY starting in NSS 3.13. Until then,
163 // we need to add them dynamically.
164 cert_attribute_business_category = RegisterDynamicOid("2.5.4.15");
165 cert_attribute_ev_incorporation_country = RegisterDynamicOid(
166 "1.3.6.1.4.1.311.60.2.1.3");
167 }
168
169 std::string DumpOidString(SECItem* oid) {
170 char* pr_string = CERT_GetOidString(oid);
171 if (pr_string) {
172 std::string rv = pr_string;
173 PR_smprintf_free(pr_string);
174 return rv;
175 }
176
177 return ProcessRawBytes(oid);
178 }
179
180 std::string GetOIDText(SECItem* oid) {
181 int string_id;
182 SECOidTag oid_tag = SECOID_FindOIDTag(oid);
183 switch (oid_tag) {
184 case SEC_OID_AVA_COMMON_NAME:
185 string_id = IDS_CERT_OID_AVA_COMMON_NAME;
186 break;
187 case SEC_OID_AVA_STATE_OR_PROVINCE:
188 string_id = IDS_CERT_OID_AVA_STATE_OR_PROVINCE;
189 break;
190 case SEC_OID_AVA_ORGANIZATION_NAME:
191 string_id = IDS_CERT_OID_AVA_ORGANIZATION_NAME;
192 break;
193 case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
194 string_id = IDS_CERT_OID_AVA_ORGANIZATIONAL_UNIT_NAME;
195 break;
196 case SEC_OID_AVA_DN_QUALIFIER:
197 string_id = IDS_CERT_OID_AVA_DN_QUALIFIER;
198 break;
199 case SEC_OID_AVA_COUNTRY_NAME:
200 string_id = IDS_CERT_OID_AVA_COUNTRY_NAME;
201 break;
202 case SEC_OID_AVA_SERIAL_NUMBER:
203 string_id = IDS_CERT_OID_AVA_SERIAL_NUMBER;
204 break;
205 case SEC_OID_AVA_LOCALITY:
206 string_id = IDS_CERT_OID_AVA_LOCALITY;
207 break;
208 case SEC_OID_AVA_DC:
209 string_id = IDS_CERT_OID_AVA_DC;
210 break;
211 case SEC_OID_RFC1274_MAIL:
212 string_id = IDS_CERT_OID_RFC1274_MAIL;
213 break;
214 case SEC_OID_RFC1274_UID:
215 string_id = IDS_CERT_OID_RFC1274_UID;
216 break;
217 case SEC_OID_PKCS9_EMAIL_ADDRESS:
218 string_id = IDS_CERT_OID_PKCS9_EMAIL_ADDRESS;
219 break;
220 case SEC_OID_PKCS1_RSA_ENCRYPTION:
221 string_id = IDS_CERT_OID_PKCS1_RSA_ENCRYPTION;
222 break;
223 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
224 string_id = IDS_CERT_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
225 break;
226 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
227 string_id = IDS_CERT_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION;
228 break;
229 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
230 string_id = IDS_CERT_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
231 break;
232 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
233 string_id = IDS_CERT_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
234 break;
235 case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
236 string_id = IDS_CERT_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
237 break;
238 case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
239 string_id = IDS_CERT_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
240 break;
241 case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
242 string_id = IDS_CERT_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
243 break;
244 case SEC_OID_NS_CERT_EXT_CERT_TYPE:
245 string_id = IDS_CERT_EXT_NS_CERT_TYPE;
246 break;
247 case SEC_OID_NS_CERT_EXT_BASE_URL:
248 string_id = IDS_CERT_EXT_NS_CERT_BASE_URL;
249 break;
250 case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
251 string_id = IDS_CERT_EXT_NS_CERT_REVOCATION_URL;
252 break;
253 case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
254 string_id = IDS_CERT_EXT_NS_CA_REVOCATION_URL;
255 break;
256 case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
257 string_id = IDS_CERT_EXT_NS_CERT_RENEWAL_URL;
258 break;
259 case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
260 string_id = IDS_CERT_EXT_NS_CA_POLICY_URL;
261 break;
262 case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
263 string_id = IDS_CERT_EXT_NS_SSL_SERVER_NAME;
264 break;
265 case SEC_OID_NS_CERT_EXT_COMMENT:
266 string_id = IDS_CERT_EXT_NS_COMMENT;
267 break;
268 case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
269 string_id = IDS_CERT_EXT_NS_LOST_PASSWORD_URL;
270 break;
271 case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME:
272 string_id = IDS_CERT_EXT_NS_CERT_RENEWAL_TIME;
273 break;
274 case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR:
275 string_id = IDS_CERT_X509_SUBJECT_DIRECTORY_ATTR;
276 break;
277 case SEC_OID_X509_SUBJECT_KEY_ID:
278 string_id = IDS_CERT_X509_SUBJECT_KEYID;
279 break;
280 case SEC_OID_X509_KEY_USAGE:
281 string_id = IDS_CERT_X509_KEY_USAGE;
282 break;
283 case SEC_OID_X509_SUBJECT_ALT_NAME:
284 string_id = IDS_CERT_X509_SUBJECT_ALT_NAME;
285 break;
286 case SEC_OID_X509_ISSUER_ALT_NAME:
287 string_id = IDS_CERT_X509_ISSUER_ALT_NAME;
288 break;
289 case SEC_OID_X509_BASIC_CONSTRAINTS:
290 string_id = IDS_CERT_X509_BASIC_CONSTRAINTS;
291 break;
292 case SEC_OID_X509_NAME_CONSTRAINTS:
293 string_id = IDS_CERT_X509_NAME_CONSTRAINTS;
294 break;
295 case SEC_OID_X509_CRL_DIST_POINTS:
296 string_id = IDS_CERT_X509_CRL_DIST_POINTS;
297 break;
298 case SEC_OID_X509_CERTIFICATE_POLICIES:
299 string_id = IDS_CERT_X509_CERT_POLICIES;
300 break;
301 case SEC_OID_X509_POLICY_MAPPINGS:
302 string_id = IDS_CERT_X509_POLICY_MAPPINGS;
303 break;
304 case SEC_OID_X509_POLICY_CONSTRAINTS:
305 string_id = IDS_CERT_X509_POLICY_CONSTRAINTS;
306 break;
307 case SEC_OID_X509_AUTH_KEY_ID:
308 string_id = IDS_CERT_X509_AUTH_KEYID;
309 break;
310 case SEC_OID_X509_EXT_KEY_USAGE:
311 string_id = IDS_CERT_X509_EXT_KEY_USAGE;
312 break;
313 case SEC_OID_X509_AUTH_INFO_ACCESS:
314 string_id = IDS_CERT_X509_AUTH_INFO_ACCESS;
315 break;
316 case SEC_OID_EXT_KEY_USAGE_SERVER_AUTH:
317 string_id = IDS_CERT_EKU_TLS_WEB_SERVER_AUTHENTICATION;
318 break;
319 case SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH:
320 string_id = IDS_CERT_EKU_TLS_WEB_CLIENT_AUTHENTICATION;
321 break;
322 case SEC_OID_EXT_KEY_USAGE_CODE_SIGN:
323 string_id = IDS_CERT_EKU_CODE_SIGNING;
324 break;
325 case SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT:
326 string_id = IDS_CERT_EKU_EMAIL_PROTECTION;
327 break;
328 case SEC_OID_EXT_KEY_USAGE_TIME_STAMP:
329 string_id = IDS_CERT_EKU_TIME_STAMPING;
330 break;
331 case SEC_OID_OCSP_RESPONDER:
332 string_id = IDS_CERT_EKU_OCSP_SIGNING;
333 break;
334 case SEC_OID_PKIX_CPS_POINTER_QUALIFIER:
335 string_id = IDS_CERT_PKIX_CPS_POINTER_QUALIFIER;
336 break;
337 case SEC_OID_PKIX_USER_NOTICE_QUALIFIER:
338 string_id = IDS_CERT_PKIX_USER_NOTICE_QUALIFIER;
339 break;
340 case SEC_OID_UNKNOWN:
341 string_id = -1;
342 break;
343
344 // There are a billionty other OIDs we could add here. I tried to get the
345 // important ones...
346 default:
347 if (oid_tag == ms_cert_ext_certtype)
348 string_id = IDS_CERT_EXT_MS_CERT_TYPE;
349 else if (oid_tag == ms_certsrv_ca_version)
350 string_id = IDS_CERT_EXT_MS_CA_VERSION;
351 else if (oid_tag == ms_nt_principal_name)
352 string_id = IDS_CERT_EXT_MS_NT_PRINCIPAL_NAME;
353 else if (oid_tag == ms_ntds_replication)
354 string_id = IDS_CERT_EXT_MS_NTDS_REPLICATION;
355 else if (oid_tag == eku_ms_individual_code_signing)
356 string_id = IDS_CERT_EKU_MS_INDIVIDUAL_CODE_SIGNING;
357 else if (oid_tag == eku_ms_commercial_code_signing)
358 string_id = IDS_CERT_EKU_MS_COMMERCIAL_CODE_SIGNING;
359 else if (oid_tag == eku_ms_trust_list_signing)
360 string_id = IDS_CERT_EKU_MS_TRUST_LIST_SIGNING;
361 else if (oid_tag == eku_ms_time_stamping)
362 string_id = IDS_CERT_EKU_MS_TIME_STAMPING;
363 else if (oid_tag == eku_ms_server_gated_crypto)
364 string_id = IDS_CERT_EKU_MS_SERVER_GATED_CRYPTO;
365 else if (oid_tag == eku_ms_encrypting_file_system)
366 string_id = IDS_CERT_EKU_MS_ENCRYPTING_FILE_SYSTEM;
367 else if (oid_tag == eku_ms_file_recovery)
368 string_id = IDS_CERT_EKU_MS_FILE_RECOVERY;
369 else if (oid_tag == eku_ms_windows_hardware_driver_verification)
370 string_id = IDS_CERT_EKU_MS_WINDOWS_HARDWARE_DRIVER_VERIFICATION;
371 else if (oid_tag == eku_ms_qualified_subordination)
372 string_id = IDS_CERT_EKU_MS_QUALIFIED_SUBORDINATION;
373 else if (oid_tag == eku_ms_key_recovery)
374 string_id = IDS_CERT_EKU_MS_KEY_RECOVERY;
375 else if (oid_tag == eku_ms_document_signing)
376 string_id = IDS_CERT_EKU_MS_DOCUMENT_SIGNING;
377 else if (oid_tag == eku_ms_lifetime_signing)
378 string_id = IDS_CERT_EKU_MS_LIFETIME_SIGNING;
379 else if (oid_tag == eku_ms_smart_card_logon)
380 string_id = IDS_CERT_EKU_MS_SMART_CARD_LOGON;
381 else if (oid_tag == eku_ms_key_recovery_agent)
382 string_id = IDS_CERT_EKU_MS_KEY_RECOVERY_AGENT;
383 else if (oid_tag == eku_netscape_international_step_up)
384 string_id = IDS_CERT_EKU_NETSCAPE_INTERNATIONAL_STEP_UP;
385 else if (oid_tag == cert_attribute_business_category)
386 string_id = IDS_CERT_OID_BUSINESS_CATEGORY;
387 else if (oid_tag == cert_attribute_ev_incorporation_country)
388 string_id = IDS_CERT_OID_EV_INCORPORATION_COUNTRY;
389 else
390 string_id = -1;
391 break;
392 }
393 if (string_id >= 0)
394 return l10n_util::GetStringUTF8(string_id);
395
396 return DumpOidString(oid);
397 }
398
399 // Get a display string from a Relative Distinguished Name.
400 std::string ProcessRDN(CERTRDN* rdn) {
401 std::string rv;
402
403 CERTAVA** avas = rdn->avas;
404 for (size_t i = 0; avas[i] != NULL; ++i) {
405 rv += GetOIDText(&avas[i]->type);
406 SECItem* decode_item = CERT_DecodeAVAValue(&avas[i]->value);
407 if (decode_item) {
408 // TODO(mattm): Pass decode_item to CERT_RFC1485_EscapeAndQuote.
409 rv += " = ";
410 std::string value(reinterpret_cast<char*>(decode_item->data),
411 decode_item->len);
412 if (SECOID_FindOIDTag(&avas[i]->type) == SEC_OID_AVA_COMMON_NAME)
413 value = x509_certificate_model::ProcessIDN(value);
414 rv += value;
415 SECITEM_FreeItem(decode_item, PR_TRUE);
416 }
417 rv += '\n';
418 }
419
420 return rv;
421 }
422
423 std::string ProcessName(CERTName* name) {
424 std::string rv;
425 CERTRDN** last_rdn;
426
427 // Find last non-NULL rdn.
428 for (last_rdn = name->rdns; last_rdn[0]; last_rdn++) {}
429 last_rdn--;
430
431 for (CERTRDN** rdn = last_rdn; rdn >= name->rdns; rdn--)
432 rv += ProcessRDN(*rdn);
433 return rv;
434 }
435
436 std::string ProcessBasicConstraints(SECItem* extension_data) {
437 CERTBasicConstraints value;
438 value.pathLenConstraint = -1;
439 if (CERT_DecodeBasicConstraintValue(&value, extension_data) != SECSuccess)
440 return ProcessRawBytes(extension_data);
441
442 std::string rv;
443 if (value.isCA)
444 rv = l10n_util::GetStringUTF8(IDS_CERT_X509_BASIC_CONSTRAINT_IS_CA);
445 else
446 rv = l10n_util::GetStringUTF8(IDS_CERT_X509_BASIC_CONSTRAINT_IS_NOT_CA);
447 rv += '\n';
448 if (value.pathLenConstraint != -1) {
449 base::string16 depth;
450 if (value.pathLenConstraint == CERT_UNLIMITED_PATH_CONSTRAINT) {
451 depth = l10n_util::GetStringUTF16(
452 IDS_CERT_X509_BASIC_CONSTRAINT_PATH_LEN_UNLIMITED);
453 } else {
454 depth = base::FormatNumber(value.pathLenConstraint);
455 }
456 rv += l10n_util::GetStringFUTF8(IDS_CERT_X509_BASIC_CONSTRAINT_PATH_LEN,
457 depth);
458 }
459 return rv;
460 }
461
462 std::string ProcessGeneralName(PRArenaPool* arena,
463 CERTGeneralName* current) {
464 DCHECK(current);
465
466 std::string key;
467 std::string value;
468
469 switch (current->type) {
470 case certOtherName: {
471 key = GetOIDText(&current->name.OthName.oid);
472 SECOidTag oid_tag = SECOID_FindOIDTag(&current->name.OthName.oid);
473 if (oid_tag == ms_nt_principal_name) {
474 // The type of this name is apparently nowhere explicitly
475 // documented. However, in the generated templates, it is always
476 // UTF-8. So try to decode this as UTF-8; if that fails, dump the
477 // raw data.
478 SECItem decoded;
479 if (SEC_ASN1DecodeItem(arena, &decoded,
480 SEC_ASN1_GET(SEC_UTF8StringTemplate),
481 &current->name.OthName.name) == SECSuccess) {
482 value = std::string(reinterpret_cast<char*>(decoded.data),
483 decoded.len);
484 } else {
485 value = ProcessRawBytes(&current->name.OthName.name);
486 }
487 break;
488 } else if (oid_tag == ms_ntds_replication) {
489 // This should be a 16-byte GUID.
490 SECItem guid;
491 if (SEC_ASN1DecodeItem(arena, &guid,
492 SEC_ASN1_GET(SEC_OctetStringTemplate),
493 &current->name.OthName.name) == SECSuccess &&
494 guid.len == 16) {
495 unsigned char* d = guid.data;
496 base::SStringPrintf(
497 &value,
498 "{%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-"
499 "%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}",
500 d[3], d[2], d[1], d[0], d[5], d[4], d[7], d[6],
501 d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
502 } else {
503 value = ProcessRawBytes(&current->name.OthName.name);
504 }
505 } else {
506 value = ProcessRawBytes(&current->name.OthName.name);
507 }
508 break;
509 }
510 case certRFC822Name:
511 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_RFC822_NAME);
512 value = std::string(reinterpret_cast<char*>(current->name.other.data),
513 current->name.other.len);
514 break;
515 case certDNSName:
516 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_DNS_NAME);
517 value = std::string(reinterpret_cast<char*>(current->name.other.data),
518 current->name.other.len);
519 value = x509_certificate_model::ProcessIDN(value);
520 break;
521 case certX400Address:
522 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_X400_ADDRESS);
523 value = ProcessRawBytes(&current->name.other);
524 break;
525 case certDirectoryName:
526 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_DIRECTORY_NAME);
527 value = ProcessName(&current->name.directoryName);
528 break;
529 case certEDIPartyName:
530 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_EDI_PARTY_NAME);
531 value = ProcessRawBytes(&current->name.other);
532 break;
533 case certURI:
534 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_URI);
535 value = std::string(reinterpret_cast<char*>(current->name.other.data),
536 current->name.other.len);
537 break;
538 case certIPAddress: {
539 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_IP_ADDRESS);
540 net::IPAddressNumber ip(
541 current->name.other.data,
542 current->name.other.data + current->name.other.len);
543 value = net::IPEndPoint(ip, 0).ToStringWithoutPort();
544 if (value.empty()) {
545 // Invalid IP address.
546 value = ProcessRawBytes(&current->name.other);
547 }
548 break;
549 }
550 case certRegisterID:
551 key = l10n_util::GetStringUTF8(IDS_CERT_GENERAL_NAME_REGISTERED_ID);
552 value = DumpOidString(&current->name.other);
553 break;
554 }
555 std::string rv(l10n_util::GetStringFUTF8(IDS_CERT_UNKNOWN_OID_INFO_FORMAT,
556 base::UTF8ToUTF16(key),
557 base::UTF8ToUTF16(value)));
558 rv += '\n';
559 return rv;
560 }
561
562 std::string ProcessGeneralNames(PRArenaPool* arena,
563 CERTGeneralName* name_list) {
564 std::string rv;
565 CERTGeneralName* current = name_list;
566
567 do {
568 std::string text = ProcessGeneralName(arena, current);
569 if (text.empty())
570 break;
571 rv += text;
572 current = CERT_GetNextGeneralName(current);
573 } while (current != name_list);
574 return rv;
575 }
576
577 std::string ProcessAltName(SECItem* extension_data) {
578 CERTGeneralName* name_list;
579
580 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
581 CHECK(arena.get());
582
583 name_list = CERT_DecodeAltNameExtension(arena.get(), extension_data);
584 if (!name_list)
585 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
586
587 return ProcessGeneralNames(arena.get(), name_list);
588 }
589
590 std::string ProcessSubjectKeyId(SECItem* extension_data) {
591 SECItem decoded;
592 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
593 CHECK(arena.get());
594
595 std::string rv;
596 if (SEC_QuickDERDecodeItem(arena.get(), &decoded,
597 SEC_ASN1_GET(SEC_OctetStringTemplate),
598 extension_data) != SECSuccess) {
599 rv = l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
600 return rv;
601 }
602
603 rv = l10n_util::GetStringFUTF8(IDS_CERT_KEYID_FORMAT,
604 base::ASCIIToUTF16(ProcessRawBytes(&decoded)));
605 return rv;
606 }
607
608 std::string ProcessAuthKeyId(SECItem* extension_data) {
609 CERTAuthKeyID* ret;
610 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
611 std::string rv;
612
613 CHECK(arena.get());
614
615 ret = CERT_DecodeAuthKeyID(arena.get(), extension_data);
616
617 if (ret->keyID.len > 0) {
618 rv += l10n_util::GetStringFUTF8(IDS_CERT_KEYID_FORMAT,
619 base::ASCIIToUTF16(
620 ProcessRawBytes(&ret->keyID)));
621 rv += '\n';
622 }
623
624 if (ret->authCertIssuer) {
625 rv += l10n_util::GetStringFUTF8(
626 IDS_CERT_ISSUER_FORMAT,
627 base::UTF8ToUTF16(
628 ProcessGeneralNames(arena.get(), ret->authCertIssuer)));
629 rv += '\n';
630 }
631
632 if (ret->authCertSerialNumber.len > 0) {
633 rv += l10n_util::GetStringFUTF8(
634 IDS_CERT_SERIAL_NUMBER_FORMAT,
635 base::ASCIIToUTF16(ProcessRawBytes(&ret->authCertSerialNumber)));
636 rv += '\n';
637 }
638
639 return rv;
640 }
641
642 std::string ProcessUserNotice(SECItem* der_notice) {
643 CERTUserNotice* notice = CERT_DecodeUserNotice(der_notice);
644 if (!notice)
645 return ProcessRawBytes(der_notice);
646
647 std::string rv;
648 if (notice->noticeReference.organization.len != 0) {
649 switch (notice->noticeReference.organization.type) {
650 case siAsciiString:
651 case siVisibleString:
652 case siUTF8String:
653 rv += std::string(
654 reinterpret_cast<char*>(notice->noticeReference.organization.data),
655 notice->noticeReference.organization.len);
656 break;
657 case siBMPString:
658 rv += ProcessBMPString(&notice->noticeReference.organization);
659 break;
660 default:
661 break;
662 }
663 rv += " - ";
664 SECItem** itemList = notice->noticeReference.noticeNumbers;
665 while (*itemList) {
666 unsigned long number;
667 if (SEC_ASN1DecodeInteger(*itemList, &number) == SECSuccess) {
668 if (itemList != notice->noticeReference.noticeNumbers)
669 rv += ", ";
670 rv += '#';
671 rv += base::UTF16ToUTF8(base::UintToString16(number));
672 }
673 itemList++;
674 }
675 }
676 if (notice->displayText.len != 0) {
677 rv += "\n ";
678 switch (notice->displayText.type) {
679 case siAsciiString:
680 case siVisibleString:
681 case siUTF8String:
682 rv += std::string(reinterpret_cast<char*>(notice->displayText.data),
683 notice->displayText.len);
684 break;
685 case siBMPString:
686 rv += ProcessBMPString(&notice->displayText);
687 break;
688 default:
689 break;
690 }
691 }
692
693 CERT_DestroyUserNotice(notice);
694 return rv;
695 }
696
697 std::string ProcessCertificatePolicies(SECItem* extension_data) {
698 std::string rv;
699
700 CERTCertificatePolicies* policies = CERT_DecodeCertificatePoliciesExtension(
701 extension_data);
702 if (!policies)
703 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
704
705 CERTPolicyInfo** policyInfos = policies->policyInfos;
706 while (*policyInfos) {
707 CERTPolicyInfo* policyInfo = *policyInfos++;
708 std::string key = GetOIDText(&policyInfo->policyID);
709
710 // If we have policy qualifiers, display the oid text
711 // with a ':', otherwise just put the oid text and a newline.
712 // TODO(mattm): Add extra note if this is the ev oid? (It's a bit
713 // complicated, since we don't want to do the EV check synchronously.)
714 if (policyInfo->policyQualifiers) {
715 rv += l10n_util::GetStringFUTF8(IDS_CERT_MULTILINE_INFO_START_FORMAT,
716 base::UTF8ToUTF16(key));
717 } else {
718 rv += key;
719 }
720 rv += '\n';
721
722 if (policyInfo->policyQualifiers) {
723 // Add all qualifiers on separate lines, indented.
724 CERTPolicyQualifier** policyQualifiers = policyInfo->policyQualifiers;
725 while (*policyQualifiers != NULL) {
726 rv += " ";
727
728 CERTPolicyQualifier* policyQualifier = *policyQualifiers++;
729 rv += l10n_util::GetStringFUTF8(
730 IDS_CERT_MULTILINE_INFO_START_FORMAT,
731 base::UTF8ToUTF16(GetOIDText(&policyQualifier->qualifierID)));
732 switch(policyQualifier->oid) {
733 case SEC_OID_PKIX_CPS_POINTER_QUALIFIER:
734 rv += " ";
735 /* The CPS pointer ought to be the cPSuri alternative
736 of the Qualifier choice. */
737 rv += ProcessIA5String(&policyQualifier->qualifierValue);
738 break;
739 case SEC_OID_PKIX_USER_NOTICE_QUALIFIER:
740 rv += ProcessUserNotice(&policyQualifier->qualifierValue);
741 break;
742 default:
743 rv += ProcessRawBytes(&policyQualifier->qualifierValue);
744 break;
745 }
746 rv += '\n';
747 }
748 }
749 }
750
751 CERT_DestroyCertificatePoliciesExtension(policies);
752 return rv;
753 }
754
755 std::string ProcessCrlDistPoints(SECItem* extension_data) {
756 std::string rv;
757 CERTCrlDistributionPoints* crldp;
758 CRLDistributionPoint** points;
759 CRLDistributionPoint* point;
760 bool comma;
761
762 static const struct {
763 int reason;
764 int string_id;
765 } reason_string_map[] = {
766 {RF_UNUSED, IDS_CERT_REVOCATION_REASON_UNUSED},
767 {RF_KEY_COMPROMISE, IDS_CERT_REVOCATION_REASON_KEY_COMPROMISE},
768 {RF_CA_COMPROMISE, IDS_CERT_REVOCATION_REASON_CA_COMPROMISE},
769 {RF_AFFILIATION_CHANGED, IDS_CERT_REVOCATION_REASON_AFFILIATION_CHANGED},
770 {RF_SUPERSEDED, IDS_CERT_REVOCATION_REASON_SUPERSEDED},
771 {RF_CESSATION_OF_OPERATION,
772 IDS_CERT_REVOCATION_REASON_CESSATION_OF_OPERATION},
773 {RF_CERTIFICATE_HOLD, IDS_CERT_REVOCATION_REASON_CERTIFICATE_HOLD},
774 };
775
776 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
777 CHECK(arena.get());
778
779 crldp = CERT_DecodeCRLDistributionPoints(arena.get(), extension_data);
780 if (!crldp || !crldp->distPoints) {
781 rv = l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
782 return rv;
783 }
784
785 for (points = crldp->distPoints; *points; ++points) {
786 point = *points;
787 switch (point->distPointType) {
788 case generalName:
789 // generalName is a typo in upstream NSS; fullName is actually a
790 // GeneralNames (SEQUENCE OF GeneralName). See Mozilla Bug #615100.
791 rv += ProcessGeneralNames(arena.get(), point->distPoint.fullName);
792 break;
793 case relativeDistinguishedName:
794 rv += ProcessRDN(&point->distPoint.relativeName);
795 break;
796 }
797 if (point->reasons.len) {
798 rv += ' ';
799 comma = false;
800 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(reason_string_map); ++i) {
801 if (point->reasons.data[0] & reason_string_map[i].reason) {
802 if (comma)
803 rv += ',';
804 rv += l10n_util::GetStringUTF8(reason_string_map[i].string_id);
805 comma = true;
806 }
807 }
808 rv += '\n';
809 }
810 if (point->crlIssuer) {
811 rv += l10n_util::GetStringFUTF8(
812 IDS_CERT_ISSUER_FORMAT,
813 base::UTF8ToUTF16(
814 ProcessGeneralNames(arena.get(), point->crlIssuer)));
815 }
816 }
817 return rv;
818 }
819
820 std::string ProcessAuthInfoAccess(SECItem* extension_data) {
821 std::string rv;
822 CERTAuthInfoAccess** aia;
823 CERTAuthInfoAccess* desc;
824 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
825 CHECK(arena.get());
826
827 aia = CERT_DecodeAuthInfoAccessExtension(arena.get(), extension_data);
828 if (aia == NULL)
829 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
830
831 while (*aia != NULL) {
832 desc = *aia++;
833 base::string16 location_str =
834 base::UTF8ToUTF16(ProcessGeneralName(arena.get(), desc->location));
835 switch (SECOID_FindOIDTag(&desc->method)) {
836 case SEC_OID_PKIX_OCSP:
837 rv += l10n_util::GetStringFUTF8(IDS_CERT_OCSP_RESPONDER_FORMAT,
838 location_str);
839 break;
840 case SEC_OID_PKIX_CA_ISSUERS:
841 rv += l10n_util::GetStringFUTF8(IDS_CERT_CA_ISSUERS_FORMAT,
842 location_str);
843 break;
844 default:
845 rv += l10n_util::GetStringFUTF8(IDS_CERT_UNKNOWN_OID_INFO_FORMAT,
846 base::UTF8ToUTF16(
847 GetOIDText(&desc->method)),
848 location_str);
849 break;
850 }
851 }
852 return rv;
853 }
854
855 std::string ProcessIA5String(SECItem* extension_data) {
856 SECItem item;
857 if (SEC_ASN1DecodeItem(NULL, &item, SEC_ASN1_GET(SEC_IA5StringTemplate),
858 extension_data) != SECSuccess)
859 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
860 std::string rv((char*)item.data, item.len); // ASCII data.
861 PORT_Free(item.data);
862 return rv;
863 }
864
865 std::string ProcessBMPString(SECItem* extension_data) {
866 std::string rv;
867 SECItem item;
868 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
869 CHECK(arena.get());
870
871 if (SEC_ASN1DecodeItem(arena.get(), &item,
872 SEC_ASN1_GET(SEC_BMPStringTemplate), extension_data) ==
873 SECSuccess)
874 rv = BMPtoUTF8(arena.get(), item.data, item.len);
875 return rv;
876 }
877
878 struct MaskIdPair {
879 unsigned int mask;
880 int string_id;
881 };
882
883 static std::string ProcessBitField(SECItem* bitfield,
884 const MaskIdPair* string_map,
885 size_t len,
886 char separator) {
887 unsigned int bits = 0;
888 std::string rv;
889 for (size_t i = 0; i * 8 < bitfield->len && i < sizeof(bits); ++i)
890 bits |= bitfield->data[i] << (i * 8);
891 for (size_t i = 0; i < len; ++i) {
892 if (bits & string_map[i].mask) {
893 if (!rv.empty())
894 rv += separator;
895 rv += l10n_util::GetStringUTF8(string_map[i].string_id);
896 }
897 }
898 return rv;
899 }
900
901 static std::string ProcessBitStringExtension(SECItem* extension_data,
902 const MaskIdPair* string_map,
903 size_t len,
904 char separator) {
905 SECItem decoded;
906 decoded.type = siBuffer;
907 decoded.data = NULL;
908 decoded.len = 0;
909 if (SEC_ASN1DecodeItem(NULL, &decoded, SEC_ASN1_GET(SEC_BitStringTemplate),
910 extension_data) != SECSuccess)
911 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
912 std::string rv = ProcessBitField(&decoded, string_map, len, separator);
913 PORT_Free(decoded.data);
914 return rv;
915 }
916
917 std::string ProcessNSCertTypeExtension(SECItem* extension_data) {
918 static const MaskIdPair usage_string_map[] = {
919 {NS_CERT_TYPE_SSL_CLIENT, IDS_CERT_USAGE_SSL_CLIENT},
920 {NS_CERT_TYPE_SSL_SERVER, IDS_CERT_USAGE_SSL_SERVER},
921 {NS_CERT_TYPE_EMAIL, IDS_CERT_EXT_NS_CERT_TYPE_EMAIL},
922 {NS_CERT_TYPE_OBJECT_SIGNING, IDS_CERT_USAGE_OBJECT_SIGNER},
923 {NS_CERT_TYPE_SSL_CA, IDS_CERT_USAGE_SSL_CA},
924 {NS_CERT_TYPE_EMAIL_CA, IDS_CERT_EXT_NS_CERT_TYPE_EMAIL_CA},
925 {NS_CERT_TYPE_OBJECT_SIGNING_CA, IDS_CERT_USAGE_OBJECT_SIGNER},
926 };
927 return ProcessBitStringExtension(extension_data, usage_string_map,
928 ARRAYSIZE_UNSAFE(usage_string_map), '\n');
929 }
930
931 static const MaskIdPair key_usage_string_map[] = {
932 {KU_DIGITAL_SIGNATURE, IDS_CERT_X509_KEY_USAGE_SIGNING},
933 {KU_NON_REPUDIATION, IDS_CERT_X509_KEY_USAGE_NONREP},
934 {KU_KEY_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_ENCIPHERMENT},
935 {KU_DATA_ENCIPHERMENT, IDS_CERT_X509_KEY_USAGE_DATA_ENCIPHERMENT},
936 {KU_KEY_AGREEMENT, IDS_CERT_X509_KEY_USAGE_KEY_AGREEMENT},
937 {KU_KEY_CERT_SIGN, IDS_CERT_X509_KEY_USAGE_CERT_SIGNER},
938 {KU_CRL_SIGN, IDS_CERT_X509_KEY_USAGE_CRL_SIGNER},
939 {KU_ENCIPHER_ONLY, IDS_CERT_X509_KEY_USAGE_ENCIPHER_ONLY},
940 // NSS is missing a flag for dechiperOnly, see:
941 // https://bugzilla.mozilla.org/show_bug.cgi?id=549952
942 };
943
944 std::string ProcessKeyUsageBitString(SECItem* bitstring, char sep) {
945 return ProcessBitField(bitstring, key_usage_string_map,
946 arraysize(key_usage_string_map), sep);
947 }
948
949 std::string ProcessKeyUsageExtension(SECItem* extension_data) {
950 return ProcessBitStringExtension(extension_data, key_usage_string_map,
951 arraysize(key_usage_string_map), '\n');
952 }
953
954 std::string ProcessExtKeyUsage(SECItem* extension_data) {
955 std::string rv;
956 CERTOidSequence* extension_key_usage = NULL;
957 extension_key_usage = CERT_DecodeOidSequence(extension_data);
958 if (extension_key_usage == NULL)
959 return l10n_util::GetStringUTF8(IDS_CERT_EXTENSION_DUMP_ERROR);
960
961 SECItem** oids;
962 SECItem* oid;
963 for (oids = extension_key_usage->oids; oids != NULL && *oids != NULL;
964 ++oids) {
965 oid = *oids;
966 std::string oid_dump = DumpOidString(oid);
967 std::string oid_text = GetOIDText(oid);
968
969 // If oid is one we recognize, oid_text will have a text description of the
970 // OID, which we display along with the oid_dump. If we don't recognize the
971 // OID, GetOIDText will return the same value as DumpOidString, so just
972 // display the OID alone.
973 if (oid_dump == oid_text)
974 rv += oid_dump;
975 else
976 rv += l10n_util::GetStringFUTF8(IDS_CERT_EXT_KEY_USAGE_FORMAT,
977 base::UTF8ToUTF16(oid_text),
978 base::UTF8ToUTF16(oid_dump));
979 rv += '\n';
980 }
981 CERT_DestroyOidSequence(extension_key_usage);
982 return rv;
983 }
984
985 std::string ProcessExtensionData(SECOidTag oid_tag, SECItem* extension_data) {
986 // This (and its sub-functions) are based on the same-named functions in
987 // security/manager/ssl/src/nsNSSCertHelper.cpp.
988 switch (oid_tag) {
989 case SEC_OID_NS_CERT_EXT_CERT_TYPE:
990 return ProcessNSCertTypeExtension(extension_data);
991 case SEC_OID_X509_KEY_USAGE:
992 return ProcessKeyUsageExtension(extension_data);
993 case SEC_OID_X509_BASIC_CONSTRAINTS:
994 return ProcessBasicConstraints(extension_data);
995 case SEC_OID_X509_EXT_KEY_USAGE:
996 return ProcessExtKeyUsage(extension_data);
997 case SEC_OID_X509_ISSUER_ALT_NAME:
998 case SEC_OID_X509_SUBJECT_ALT_NAME:
999 return ProcessAltName(extension_data);
1000 case SEC_OID_X509_SUBJECT_KEY_ID:
1001 return ProcessSubjectKeyId(extension_data);
1002 case SEC_OID_X509_AUTH_KEY_ID:
1003 return ProcessAuthKeyId(extension_data);
1004 case SEC_OID_X509_CERTIFICATE_POLICIES:
1005 return ProcessCertificatePolicies(extension_data);
1006 case SEC_OID_X509_CRL_DIST_POINTS:
1007 return ProcessCrlDistPoints(extension_data);
1008 case SEC_OID_X509_AUTH_INFO_ACCESS:
1009 return ProcessAuthInfoAccess(extension_data);
1010 case SEC_OID_NS_CERT_EXT_BASE_URL:
1011 case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
1012 case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
1013 case SEC_OID_NS_CERT_EXT_CA_CERT_URL:
1014 case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
1015 case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
1016 case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL:
1017 case SEC_OID_NS_CERT_EXT_COMMENT:
1018 case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
1019 case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
1020 return ProcessIA5String(extension_data);
1021 default:
1022 if (oid_tag == ms_cert_ext_certtype)
1023 return ProcessBMPString(extension_data);
1024 return ProcessRawBytes(extension_data);
1025 }
1026 }
1027
1028 std::string ProcessSubjectPublicKeyInfo(CERTSubjectPublicKeyInfo* spki) {
1029 std::string rv;
1030 SECKEYPublicKey* key = SECKEY_ExtractPublicKey(spki);
1031 if (key) {
1032 switch (key->keyType) {
1033 case rsaKey: {
1034 rv = l10n_util::GetStringFUTF8(
1035 IDS_CERT_RSA_PUBLIC_KEY_DUMP_FORMAT,
1036 base::UintToString16(key->u.rsa.modulus.len * 8),
1037 base::UTF8ToUTF16(ProcessRawBytes(&key->u.rsa.modulus)),
1038 base::UintToString16(key->u.rsa.publicExponent.len * 8),
1039 base::UTF8ToUTF16(ProcessRawBytes(&key->u.rsa.publicExponent)));
1040 break;
1041 }
1042 default:
1043 rv = x509_certificate_model::ProcessRawBits(
1044 spki->subjectPublicKey.data, spki->subjectPublicKey.len);
1045 break;
1046 }
1047 SECKEY_DestroyPublicKey(key);
1048 }
1049 return rv;
1050 }
1051
1052 net::CertType GetCertType(CERTCertificate *cert) {
1053 CERTCertTrust trust = {0};
1054 CERT_GetCertTrust(cert, &trust);
1055
1056 unsigned all_flags = trust.sslFlags | trust.emailFlags |
1057 trust.objectSigningFlags;
1058
1059 if (cert->nickname && (all_flags & CERTDB_USER))
1060 return net::USER_CERT;
1061 if ((all_flags & CERTDB_VALID_CA) || CERT_IsCACert(cert, NULL))
1062 return net::CA_CERT;
1063 // TODO(mattm): http://crbug.com/128633.
1064 if (trust.sslFlags & CERTDB_TERMINAL_RECORD)
1065 return net::SERVER_CERT;
1066 return net::OTHER_CERT;
1067 }
1068
1069 } // namespace mozilla_security_manager