1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/x509_util_apple.h"
6
7 #include <CommonCrypto/CommonDigest.h>
8
9 #include <string>
10
11 #include "base/check_op.h"
12 #include "base/logging.h"
13 #include "base/notreached.h"
14 #include "base/numerics/safe_conversions.h"
15 #include "build/build_config.h"
16 #include "net/cert/x509_certificate.h"
17 #include "net/cert/x509_util.h"
18 #include "third_party/boringssl/src/include/openssl/pool.h"
19
20 namespace net {
21 namespace x509_util {
22
23 namespace {
24
CertBufferFromSecCertificate(SecCertificateRef sec_cert)25 bssl::UniquePtr<CRYPTO_BUFFER> CertBufferFromSecCertificate(
26 SecCertificateRef sec_cert) {
27 if (!sec_cert) {
28 return nullptr;
29 }
30 base::apple::ScopedCFTypeRef<CFDataRef> der_data(
31 SecCertificateCopyData(sec_cert));
32 if (!der_data) {
33 return nullptr;
34 }
35 return CreateCryptoBuffer(base::make_span(
36 CFDataGetBytePtr(der_data.get()),
37 base::checked_cast<size_t>(CFDataGetLength(der_data.get()))));
38 }
39
40 } // namespace
41
CreateSecCertificateFromBytes(const uint8_t * data,size_t length)42 base::apple::ScopedCFTypeRef<SecCertificateRef> CreateSecCertificateFromBytes(
43 const uint8_t* data,
44 size_t length) {
45 base::apple::ScopedCFTypeRef<CFDataRef> cert_data(
46 CFDataCreate(kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),
47 base::checked_cast<CFIndex>(length)));
48 if (!cert_data)
49 return base::apple::ScopedCFTypeRef<SecCertificateRef>();
50
51 return base::apple::ScopedCFTypeRef<SecCertificateRef>(
52 SecCertificateCreateWithData(nullptr, cert_data.get()));
53 }
54
55 base::apple::ScopedCFTypeRef<SecCertificateRef>
CreateSecCertificateFromX509Certificate(const X509Certificate * cert)56 CreateSecCertificateFromX509Certificate(const X509Certificate* cert) {
57 return CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(cert->cert_buffer()),
58 CRYPTO_BUFFER_len(cert->cert_buffer()));
59 }
60
61 base::apple::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate * cert)62 CreateSecCertificateArrayForX509Certificate(X509Certificate* cert) {
63 return CreateSecCertificateArrayForX509Certificate(
64 cert, InvalidIntermediateBehavior::kFail);
65 }
66
67 base::apple::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate * cert,InvalidIntermediateBehavior invalid_intermediate_behavior)68 CreateSecCertificateArrayForX509Certificate(
69 X509Certificate* cert,
70 InvalidIntermediateBehavior invalid_intermediate_behavior) {
71 base::apple::ScopedCFTypeRef<CFMutableArrayRef> cert_list(
72 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
73 if (!cert_list)
74 return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
75 std::string bytes;
76 base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert(
77 CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(cert->cert_buffer()),
78 CRYPTO_BUFFER_len(cert->cert_buffer())));
79 if (!sec_cert)
80 return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
81 CFArrayAppendValue(cert_list.get(), sec_cert.get());
82 for (const auto& intermediate : cert->intermediate_buffers()) {
83 base::apple::ScopedCFTypeRef<SecCertificateRef> intermediate_cert(
84 CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(intermediate.get()),
85 CRYPTO_BUFFER_len(intermediate.get())));
86 if (!intermediate_cert) {
87 if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail)
88 return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
89 LOG(WARNING) << "error parsing intermediate";
90 continue;
91 }
92 CFArrayAppendValue(cert_list.get(), intermediate_cert.get());
93 }
94 return cert_list;
95 }
96
CreateX509CertificateFromSecCertificate(base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>> & sec_chain)97 scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
98 base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,
99 const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>>&
100 sec_chain) {
101 return CreateX509CertificateFromSecCertificate(sec_cert, sec_chain, {});
102 }
103
CreateX509CertificateFromSecCertificate(base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>> & sec_chain,X509Certificate::UnsafeCreateOptions options)104 scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
105 base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,
106 const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>>&
107 sec_chain,
108 X509Certificate::UnsafeCreateOptions options) {
109 bssl::UniquePtr<CRYPTO_BUFFER> cert_handle =
110 CertBufferFromSecCertificate(sec_cert.get());
111 if (!cert_handle) {
112 return nullptr;
113 }
114 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
115 for (const auto& sec_intermediate : sec_chain) {
116 bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle =
117 CertBufferFromSecCertificate(sec_intermediate.get());
118 if (!intermediate_cert_handle) {
119 return nullptr;
120 }
121 intermediates.push_back(std::move(intermediate_cert_handle));
122 }
123 scoped_refptr<X509Certificate> result(
124 X509Certificate::CreateFromBufferUnsafeOptions(
125 std::move(cert_handle), std::move(intermediates), options));
126 return result;
127 }
128
CalculateFingerprint256(SecCertificateRef cert)129 SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
130 SHA256HashValue sha256;
131 memset(sha256.data, 0, sizeof(sha256.data));
132
133 base::apple::ScopedCFTypeRef<CFDataRef> cert_data(
134 SecCertificateCopyData(cert));
135 if (!cert_data) {
136 return sha256;
137 }
138
139 DCHECK(CFDataGetBytePtr(cert_data.get()));
140 DCHECK_NE(CFDataGetLength(cert_data.get()), 0);
141
142 CC_SHA256(CFDataGetBytePtr(cert_data.get()), CFDataGetLength(cert_data.get()),
143 sha256.data);
144
145 return sha256;
146 }
147
CertificateChainFromSecTrust(SecTrustRef trust)148 base::apple::ScopedCFTypeRef<CFArrayRef> CertificateChainFromSecTrust(
149 SecTrustRef trust) {
150 if (__builtin_available(macOS 12.0, iOS 15.0, *)) {
151 return base::apple::ScopedCFTypeRef<CFArrayRef>(
152 SecTrustCopyCertificateChain(trust));
153 }
154
155 // TODO(crbug.com/1426476): Remove code when it is no longer needed.
156 #if (BUILDFLAG(IS_MAC) && \
157 MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_VERSION_12_0) || \
158 (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < __IPHONE_15_0)
159 base::apple::ScopedCFTypeRef<CFMutableArrayRef> chain(
160 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
161 const CFIndex chain_length = SecTrustGetCertificateCount(trust);
162 for (CFIndex i = 0; i < chain_length; ++i) {
163 CFArrayAppendValue(chain.get(), SecTrustGetCertificateAtIndex(trust, i));
164 }
165 return chain;
166
167 #else
168 // The other logic paths should be used, this is just to make the compiler
169 // happy.
170 NOTREACHED();
171 return base::apple::ScopedCFTypeRef<CFArrayRef>(nullptr);
172 #endif // (BUILDFLAG(IS_MAC) && MAC_OS_X_VERSION_MIN_REQUIRED <
173 // MAC_OS_VERSION_12_0)
174 // || (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED <
175 // __IPHONE_15_0)
176 }
177
178 } // namespace x509_util
179 } // namespace net
180