1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/x509_util_apple.h"
6
7 #include <CommonCrypto/CommonDigest.h>
8
9 #include <string>
10
11 #include "base/check_op.h"
12 #include "base/logging.h"
13 #include "base/notreached.h"
14 #include "base/numerics/safe_conversions.h"
15 #include "build/build_config.h"
16 #include "net/cert/x509_certificate.h"
17 #include "net/cert/x509_util.h"
18 #include "third_party/boringssl/src/include/openssl/pool.h"
19
20 namespace net {
21 namespace x509_util {
22
23 namespace {
24
CertBufferFromSecCertificate(SecCertificateRef sec_cert)25 bssl::UniquePtr<CRYPTO_BUFFER> CertBufferFromSecCertificate(
26 SecCertificateRef sec_cert) {
27 if (!sec_cert) {
28 return nullptr;
29 }
30 base::ScopedCFTypeRef<CFDataRef> der_data(SecCertificateCopyData(sec_cert));
31 if (!der_data) {
32 return nullptr;
33 }
34 return CreateCryptoBuffer(
35 base::make_span(CFDataGetBytePtr(der_data),
36 base::checked_cast<size_t>(CFDataGetLength(der_data))));
37 }
38
39 } // namespace
40
CreateSecCertificateFromBytes(const uint8_t * data,size_t length)41 base::ScopedCFTypeRef<SecCertificateRef> CreateSecCertificateFromBytes(
42 const uint8_t* data,
43 size_t length) {
44 base::ScopedCFTypeRef<CFDataRef> cert_data(
45 CFDataCreate(kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),
46 base::checked_cast<CFIndex>(length)));
47 if (!cert_data)
48 return base::ScopedCFTypeRef<SecCertificateRef>();
49
50 return base::ScopedCFTypeRef<SecCertificateRef>(
51 SecCertificateCreateWithData(nullptr, cert_data));
52 }
53
54 base::ScopedCFTypeRef<SecCertificateRef>
CreateSecCertificateFromX509Certificate(const X509Certificate * cert)55 CreateSecCertificateFromX509Certificate(const X509Certificate* cert) {
56 return CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(cert->cert_buffer()),
57 CRYPTO_BUFFER_len(cert->cert_buffer()));
58 }
59
60 base::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate * cert)61 CreateSecCertificateArrayForX509Certificate(X509Certificate* cert) {
62 return CreateSecCertificateArrayForX509Certificate(
63 cert, InvalidIntermediateBehavior::kFail);
64 }
65
66 base::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate * cert,InvalidIntermediateBehavior invalid_intermediate_behavior)67 CreateSecCertificateArrayForX509Certificate(
68 X509Certificate* cert,
69 InvalidIntermediateBehavior invalid_intermediate_behavior) {
70 base::ScopedCFTypeRef<CFMutableArrayRef> cert_list(
71 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
72 if (!cert_list)
73 return base::ScopedCFTypeRef<CFMutableArrayRef>();
74 std::string bytes;
75 base::ScopedCFTypeRef<SecCertificateRef> sec_cert(
76 CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(cert->cert_buffer()),
77 CRYPTO_BUFFER_len(cert->cert_buffer())));
78 if (!sec_cert)
79 return base::ScopedCFTypeRef<CFMutableArrayRef>();
80 CFArrayAppendValue(cert_list, sec_cert);
81 for (const auto& intermediate : cert->intermediate_buffers()) {
82 base::ScopedCFTypeRef<SecCertificateRef> intermediate_cert(
83 CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(intermediate.get()),
84 CRYPTO_BUFFER_len(intermediate.get())));
85 if (!intermediate_cert) {
86 if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail)
87 return base::ScopedCFTypeRef<CFMutableArrayRef>();
88 LOG(WARNING) << "error parsing intermediate";
89 continue;
90 }
91 CFArrayAppendValue(cert_list, intermediate_cert);
92 }
93 return cert_list;
94 }
95
CreateX509CertificateFromSecCertificate(base::ScopedCFTypeRef<SecCertificateRef> sec_cert,const std::vector<base::ScopedCFTypeRef<SecCertificateRef>> & sec_chain)96 scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
97 base::ScopedCFTypeRef<SecCertificateRef> sec_cert,
98 const std::vector<base::ScopedCFTypeRef<SecCertificateRef>>& sec_chain) {
99 return CreateX509CertificateFromSecCertificate(sec_cert, sec_chain, {});
100 }
101
CreateX509CertificateFromSecCertificate(base::ScopedCFTypeRef<SecCertificateRef> sec_cert,const std::vector<base::ScopedCFTypeRef<SecCertificateRef>> & sec_chain,X509Certificate::UnsafeCreateOptions options)102 scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
103 base::ScopedCFTypeRef<SecCertificateRef> sec_cert,
104 const std::vector<base::ScopedCFTypeRef<SecCertificateRef>>& sec_chain,
105 X509Certificate::UnsafeCreateOptions options) {
106 bssl::UniquePtr<CRYPTO_BUFFER> cert_handle =
107 CertBufferFromSecCertificate(sec_cert);
108 if (!cert_handle) {
109 return nullptr;
110 }
111 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
112 for (const auto& sec_intermediate : sec_chain) {
113 bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle =
114 CertBufferFromSecCertificate(sec_intermediate);
115 if (!intermediate_cert_handle) {
116 return nullptr;
117 }
118 intermediates.push_back(std::move(intermediate_cert_handle));
119 }
120 scoped_refptr<X509Certificate> result(
121 X509Certificate::CreateFromBufferUnsafeOptions(
122 std::move(cert_handle), std::move(intermediates), options));
123 return result;
124 }
125
CalculateFingerprint256(SecCertificateRef cert)126 SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
127 SHA256HashValue sha256;
128 memset(sha256.data, 0, sizeof(sha256.data));
129
130 base::ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
131 if (!cert_data) {
132 return sha256;
133 }
134
135 DCHECK(CFDataGetBytePtr(cert_data));
136 DCHECK_NE(CFDataGetLength(cert_data), 0);
137
138 CC_SHA256(CFDataGetBytePtr(cert_data), CFDataGetLength(cert_data),
139 sha256.data);
140
141 return sha256;
142 }
143
CertificateChainFromSecTrust(SecTrustRef trust)144 base::ScopedCFTypeRef<CFArrayRef> CertificateChainFromSecTrust(
145 SecTrustRef trust) {
146 if (__builtin_available(macOS 12.0, iOS 15.0, *)) {
147 return base::ScopedCFTypeRef<CFArrayRef>(
148 SecTrustCopyCertificateChain(trust));
149 }
150
151 // TODO(crbug.com/1426476): Remove code when it is no longer needed.
152 #if (BUILDFLAG(IS_MAC) && \
153 MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_VERSION_12_0) || \
154 (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < __IPHONE_15_0)
155 base::ScopedCFTypeRef<CFMutableArrayRef> chain(
156 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
157 const CFIndex chain_length = SecTrustGetCertificateCount(trust);
158 for (CFIndex i = 0; i < chain_length; ++i) {
159 CFArrayAppendValue(chain, SecTrustGetCertificateAtIndex(trust, i));
160 }
161 return base::ScopedCFTypeRef<CFArrayRef>(chain.release());
162
163 #else
164 // The other logic paths should be used, this is just to make the compiler
165 // happy.
166 NOTREACHED();
167 return base::ScopedCFTypeRef<CFArrayRef>(nullptr);
168 #endif // (BUILDFLAG(IS_MAC) && MAC_OS_X_VERSION_MIN_REQUIRED <
169 // MAC_OS_VERSION_12_0)
170 // || (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED <
171 // __IPHONE_15_0)
172 }
173
174 } // namespace x509_util
175 } // namespace net
176