1 // Copyright 2011 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_X509_UTIL_NSS_H_ 6 #define NET_CERT_X509_UTIL_NSS_H_ 7 8 #include <stddef.h> 9 10 #include <string> 11 #include <vector> 12 13 #include "crypto/scoped_nss_types.h" 14 #include "net/base/net_export.h" 15 #include "net/cert/cert_type.h" 16 #include "net/cert/scoped_nss_types.h" 17 #include "net/cert/x509_certificate.h" 18 19 typedef struct CERTCertificateStr CERTCertificate; 20 typedef struct CERTNameStr CERTName; 21 typedef struct PK11SlotInfoStr PK11SlotInfo; 22 typedef struct SECItemStr SECItem; 23 24 namespace net::x509_util { 25 26 // Returns a span containing the DER encoded certificate data for `nss_cert`. 27 NET_EXPORT base::span<const uint8_t> CERTCertificateAsSpan( 28 const CERTCertificate* nss_cert); 29 30 // Returns a span containing the data pointed to by SECItem `item`. 31 NET_EXPORT base::span<const uint8_t> SECItemAsSpan(const SECItem& item); 32 33 // Returns true if two certificate handles refer to identical certificates. 34 NET_EXPORT bool IsSameCertificate(CERTCertificate* a, CERTCertificate* b); 35 NET_EXPORT bool IsSameCertificate(CERTCertificate* a, const X509Certificate* b); 36 NET_EXPORT bool IsSameCertificate(const X509Certificate* a, CERTCertificate* b); 37 NET_EXPORT bool IsSameCertificate(CERTCertificate* a, const CRYPTO_BUFFER* b); 38 NET_EXPORT bool IsSameCertificate(const CRYPTO_BUFFER* a, CERTCertificate* b); 39 40 // Returns a CERTCertificate handle from the DER-encoded representation. The 41 // returned value may reference an already existing CERTCertificate object. 42 // Returns NULL on failure. 43 NET_EXPORT ScopedCERTCertificate 44 CreateCERTCertificateFromBytes(base::span<const uint8_t> data); 45 46 // Returns a CERTCertificate handle from |cert|. The returned value may 47 // reference an already existing CERTCertificate object. Returns NULL on 48 // failure. 49 NET_EXPORT ScopedCERTCertificate 50 CreateCERTCertificateFromX509Certificate(const X509Certificate* cert); 51 52 // Returns a vector of CERTCertificates corresponding to |cert| and its 53 // intermediates (if any). Returns an empty vector on failure. 54 NET_EXPORT ScopedCERTCertificateList 55 CreateCERTCertificateListFromX509Certificate(const X509Certificate* cert); 56 57 // Specify behavior if an intermediate certificate fails CERTCertificate 58 // parsing. kFail means the function should return a failure result 59 // immediately. kIgnore means the invalid intermediate is not added to the 60 // output container. 61 enum class InvalidIntermediateBehavior { kFail, kIgnore }; 62 63 // Returns a vector of CERTCertificates corresponding to |cert| and its 64 // intermediates (if any). Returns an empty vector if the certificate could not 65 // be converted. |invalid_intermediate_behavior| specifies behavior if 66 // intermediates of |cert| could not be converted. 67 NET_EXPORT ScopedCERTCertificateList 68 CreateCERTCertificateListFromX509Certificate( 69 const X509Certificate* cert, 70 InvalidIntermediateBehavior invalid_intermediate_behavior); 71 72 // Parses all of the certificates possible from |data|. |format| is a 73 // bit-wise OR of X509Certificate::Format, indicating the possible formats the 74 // certificates may have been serialized as. If an error occurs, an empty 75 // collection will be returned. 76 NET_EXPORT ScopedCERTCertificateList 77 CreateCERTCertificateListFromBytes(base::span<const uint8_t> data, int format); 78 79 // Increments the refcount of |cert| and returns a handle for that reference. 80 NET_EXPORT ScopedCERTCertificate DupCERTCertificate(CERTCertificate* cert); 81 82 // Increments the refcount of each element in |cerst| and returns a list of 83 // handles for them. 84 NET_EXPORT ScopedCERTCertificateList 85 DupCERTCertificateList(const ScopedCERTCertificateList& certs); 86 87 // Creates an X509Certificate from |cert|, with intermediates from |chain|. 88 // Returns NULL on failure. 89 NET_EXPORT scoped_refptr<X509Certificate> 90 CreateX509CertificateFromCERTCertificate( 91 CERTCertificate* cert, 92 const std::vector<CERTCertificate*>& chain); 93 94 // Creates an X509Certificate with non-standard parsing options. 95 // Do not use without consulting //net owners. 96 NET_EXPORT scoped_refptr<X509Certificate> 97 CreateX509CertificateFromCERTCertificate( 98 CERTCertificate* cert, 99 const std::vector<CERTCertificate*>& chain, 100 X509Certificate::UnsafeCreateOptions options); 101 102 // Creates an X509Certificate from |cert|, with no intermediates. 103 // Returns NULL on failure. 104 NET_EXPORT scoped_refptr<X509Certificate> 105 CreateX509CertificateFromCERTCertificate(CERTCertificate* cert); 106 107 // Creates an X509Certificate for each element in |certs|. 108 // Returns an empty list on failure. 109 NET_EXPORT CertificateList CreateX509CertificateListFromCERTCertificates( 110 const ScopedCERTCertificateList& certs); 111 112 // Obtains the DER encoded certificate data for |cert|. On success, returns 113 // true and writes the DER encoded certificate to |*der_encoded|. 114 NET_EXPORT bool GetDEREncoded(CERTCertificate* cert, std::string* der_encoded); 115 116 // Obtains the PEM encoded certificate data for |cert|. On success, returns 117 // true and writes the PEM encoded certificate to |*pem_encoded|. 118 NET_EXPORT bool GetPEMEncoded(CERTCertificate* cert, std::string* pem_encoded); 119 120 // Stores the values of all rfc822Name subjectAltNames from |cert_handle| 121 // into |names|. If no names are present, clears |names|. 122 // WARNING: This method does not validate that the rfc822Name is 123 // properly encoded; it MAY contain embedded NULs or other illegal 124 // characters; care should be taken to validate the well-formedness 125 // before using. 126 NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle, 127 std::vector<std::string>* names); 128 129 // Stores the values of all Microsoft UPN subjectAltNames from |cert_handle| 130 // into |names|. If no names are present, clears |names|. 131 // 132 // A "Microsoft UPN subjectAltName" is an OtherName value whose type-id 133 // is equal to 1.3.6.1.4.1.311.20.2.3 (known as either id-ms-san-sc-logon-upn, 134 // as described in RFC 4556, or as szOID_NT_PRINCIPAL_NAME, as 135 // documented in Microsoft KB287547). 136 // The value field is a UTF8String literal. 137 // For more information: 138 // https://www.ietf.org/mail-archive/web/pkix/current/msg03145.html 139 // https://www.ietf.org/proceedings/65/slides/pkix-4/sld1.htm 140 // https://tools.ietf.org/html/rfc4556 141 // 142 // WARNING: This method does not validate that the name is 143 // properly encoded; it MAY contain embedded NULs or other illegal 144 // characters; care should be taken to validate the well-formedness 145 // before using. 146 NET_EXPORT void GetUPNSubjectAltNames(CERTCertificate* cert_handle, 147 std::vector<std::string>* names); 148 149 // Generates a unique nickname for |nss_cert| based on the |type| and |slot|. 150 NET_EXPORT std::string GetDefaultUniqueNickname(CERTCertificate* nss_cert, 151 CertType type, 152 PK11SlotInfo* slot); 153 154 // Returns a name that can be used to represent the principal. It tries in 155 // this order: CN, O and OU and returns the first non-empty one found. 156 // This mirrors net::CertPrincipal::GetDisplayName. 157 NET_EXPORT std::string GetCERTNameDisplayName(CERTName* name); 158 159 // Stores the notBefore and notAfter times from |cert| into |*not_before| and 160 // |*not_after|, returning true if successful. |not_before| or |not_after| may 161 // be null. 162 NET_EXPORT bool GetValidityTimes(CERTCertificate* cert, 163 base::Time* not_before, 164 base::Time* not_after); 165 166 // Calculates the SHA-256 fingerprint of the certificate. Returns an empty 167 // (all zero) fingerprint on failure. 168 NET_EXPORT SHA256HashValue CalculateFingerprint256(CERTCertificate* cert); 169 170 // Prefer using NSSCertDatabase::ImportUserCert. Temporary public for Kcer. 171 // Import a user certificate. The private key for the user certificate must 172 // already be installed, the cert will be installed on the same slot, otherwise 173 // returns ERR_NO_PRIVATE_KEY_FOR_CERT. If the key exists on multiple slots, 174 // prioritizes the `preferred_slot`. Returns OK or a network error code. 175 NET_EXPORT int ImportUserCert(CERTCertificate* cert, 176 crypto::ScopedPK11Slot preferred_slot); 177 178 } // namespace net::x509_util 179 180 #endif // NET_CERT_X509_UTIL_NSS_H_ 181