1 // Copyright 2011 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_X509_UTIL_NSS_H_ 6 #define NET_CERT_X509_UTIL_NSS_H_ 7 8 #include <stddef.h> 9 10 #include <string> 11 #include <vector> 12 13 #include "net/base/net_export.h" 14 #include "net/cert/cert_type.h" 15 #include "net/cert/scoped_nss_types.h" 16 #include "net/cert/x509_certificate.h" 17 18 typedef struct CERTCertificateStr CERTCertificate; 19 typedef struct CERTNameStr CERTName; 20 typedef struct PK11SlotInfoStr PK11SlotInfo; 21 typedef struct SECItemStr SECItem; 22 23 namespace net::x509_util { 24 25 // Returns true if two certificate handles refer to identical certificates. 26 NET_EXPORT bool IsSameCertificate(CERTCertificate* a, CERTCertificate* b); 27 NET_EXPORT bool IsSameCertificate(CERTCertificate* a, const X509Certificate* b); 28 NET_EXPORT bool IsSameCertificate(const X509Certificate* a, CERTCertificate* b); 29 NET_EXPORT bool IsSameCertificate(CERTCertificate* a, const CRYPTO_BUFFER* b); 30 NET_EXPORT bool IsSameCertificate(const CRYPTO_BUFFER* a, CERTCertificate* b); 31 32 // Returns a CERTCertificate handle from the DER-encoded representation. The 33 // returned value may reference an already existing CERTCertificate object. 34 // Returns NULL on failure. 35 NET_EXPORT ScopedCERTCertificate 36 CreateCERTCertificateFromBytes(const uint8_t* data, size_t length); 37 38 // Returns a CERTCertificate handle from |cert|. The returned value may 39 // reference an already existing CERTCertificate object. Returns NULL on 40 // failure. 41 NET_EXPORT ScopedCERTCertificate 42 CreateCERTCertificateFromX509Certificate(const X509Certificate* cert); 43 44 // Returns a vector of CERTCertificates corresponding to |cert| and its 45 // intermediates (if any). Returns an empty vector on failure. 46 NET_EXPORT ScopedCERTCertificateList 47 CreateCERTCertificateListFromX509Certificate(const X509Certificate* cert); 48 49 // Specify behavior if an intermediate certificate fails CERTCertificate 50 // parsing. kFail means the function should return a failure result 51 // immediately. kIgnore means the invalid intermediate is not added to the 52 // output container. 53 enum class InvalidIntermediateBehavior { kFail, kIgnore }; 54 55 // Returns a vector of CERTCertificates corresponding to |cert| and its 56 // intermediates (if any). Returns an empty vector if the certificate could not 57 // be converted. |invalid_intermediate_behavior| specifies behavior if 58 // intermediates of |cert| could not be converted. 59 NET_EXPORT ScopedCERTCertificateList 60 CreateCERTCertificateListFromX509Certificate( 61 const X509Certificate* cert, 62 InvalidIntermediateBehavior invalid_intermediate_behavior); 63 64 // Parses all of the certificates possible from |data|. |format| is a 65 // bit-wise OR of X509Certificate::Format, indicating the possible formats the 66 // certificates may have been serialized as. If an error occurs, an empty 67 // collection will be returned. 68 NET_EXPORT ScopedCERTCertificateList 69 CreateCERTCertificateListFromBytes(const char* data, size_t length, int format); 70 71 // Increments the refcount of |cert| and returns a handle for that reference. 72 NET_EXPORT ScopedCERTCertificate DupCERTCertificate(CERTCertificate* cert); 73 74 // Increments the refcount of each element in |cerst| and returns a list of 75 // handles for them. 76 NET_EXPORT ScopedCERTCertificateList 77 DupCERTCertificateList(const ScopedCERTCertificateList& certs); 78 79 // Creates an X509Certificate from |cert|, with intermediates from |chain|. 80 // Returns NULL on failure. 81 NET_EXPORT scoped_refptr<X509Certificate> 82 CreateX509CertificateFromCERTCertificate( 83 CERTCertificate* cert, 84 const std::vector<CERTCertificate*>& chain); 85 86 // Creates an X509Certificate with non-standard parsing options. 87 // Do not use without consulting //net owners. 88 NET_EXPORT scoped_refptr<X509Certificate> 89 CreateX509CertificateFromCERTCertificate( 90 CERTCertificate* cert, 91 const std::vector<CERTCertificate*>& chain, 92 X509Certificate::UnsafeCreateOptions options); 93 94 // Creates an X509Certificate from |cert|, with no intermediates. 95 // Returns NULL on failure. 96 NET_EXPORT scoped_refptr<X509Certificate> 97 CreateX509CertificateFromCERTCertificate(CERTCertificate* cert); 98 99 // Creates an X509Certificate for each element in |certs|. 100 // Returns an empty list on failure. 101 NET_EXPORT CertificateList CreateX509CertificateListFromCERTCertificates( 102 const ScopedCERTCertificateList& certs); 103 104 // Obtains the DER encoded certificate data for |cert|. On success, returns 105 // true and writes the DER encoded certificate to |*der_encoded|. 106 NET_EXPORT bool GetDEREncoded(CERTCertificate* cert, std::string* der_encoded); 107 108 // Obtains the PEM encoded certificate data for |cert|. On success, returns 109 // true and writes the PEM encoded certificate to |*pem_encoded|. 110 NET_EXPORT bool GetPEMEncoded(CERTCertificate* cert, std::string* pem_encoded); 111 112 // Stores the values of all rfc822Name subjectAltNames from |cert_handle| 113 // into |names|. If no names are present, clears |names|. 114 // WARNING: This method does not validate that the rfc822Name is 115 // properly encoded; it MAY contain embedded NULs or other illegal 116 // characters; care should be taken to validate the well-formedness 117 // before using. 118 NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle, 119 std::vector<std::string>* names); 120 121 // Stores the values of all Microsoft UPN subjectAltNames from |cert_handle| 122 // into |names|. If no names are present, clears |names|. 123 // 124 // A "Microsoft UPN subjectAltName" is an OtherName value whose type-id 125 // is equal to 1.3.6.1.4.1.311.20.2.3 (known as either id-ms-san-sc-logon-upn, 126 // as described in RFC 4556, or as szOID_NT_PRINCIPAL_NAME, as 127 // documented in Microsoft KB287547). 128 // The value field is a UTF8String literal. 129 // For more information: 130 // https://www.ietf.org/mail-archive/web/pkix/current/msg03145.html 131 // https://www.ietf.org/proceedings/65/slides/pkix-4/sld1.htm 132 // https://tools.ietf.org/html/rfc4556 133 // 134 // WARNING: This method does not validate that the name is 135 // properly encoded; it MAY contain embedded NULs or other illegal 136 // characters; care should be taken to validate the well-formedness 137 // before using. 138 NET_EXPORT void GetUPNSubjectAltNames(CERTCertificate* cert_handle, 139 std::vector<std::string>* names); 140 141 // Generates a unique nickname for |nss_cert| based on the |type| and |slot|. 142 NET_EXPORT std::string GetDefaultUniqueNickname(CERTCertificate* nss_cert, 143 CertType type, 144 PK11SlotInfo* slot); 145 146 // Returns a name that can be used to represent the principal. It tries in 147 // this order: CN, O and OU and returns the first non-empty one found. 148 // This mirrors net::CertPrincipal::GetDisplayName. 149 NET_EXPORT std::string GetCERTNameDisplayName(CERTName* name); 150 151 // Stores the notBefore and notAfter times from |cert| into |*not_before| and 152 // |*not_after|, returning true if successful. |not_before| or |not_after| may 153 // be null. 154 NET_EXPORT bool GetValidityTimes(CERTCertificate* cert, 155 base::Time* not_before, 156 base::Time* not_after); 157 158 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty 159 // (all zero) fingerprint on failure. 160 NET_EXPORT SHA256HashValue CalculateFingerprint256(CERTCertificate* cert); 161 162 // Prefer using NSSCertDatabase::ImportUserCert. Temporary public for Kcer. 163 // Import a user certificate. The private key for the user certificate must 164 // already be installed, otherwise returns ERR_NO_PRIVATE_KEY_FOR_CERT. 165 // Returns OK or a network error code. 166 NET_EXPORT int ImportUserCert(CERTCertificate* cert); 167 168 } // namespace net::x509_util 169 170 #endif // NET_CERT_X509_UTIL_NSS_H_ 171