// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4 
5 #include "net/base/x509_certificate.h"
6 
7 #include "base/lazy_instance.h"
8 #include "base/logging.h"
9 #include "base/pickle.h"
10 #include "base/sha1.h"
11 #include "base/string_tokenizer.h"
12 #include "base/string_util.h"
13 #include "base/utf_string_conversions.h"
14 #include "crypto/rsa_private_key.h"
15 #include "crypto/scoped_capi_types.h"
16 #include "net/base/asn1_util.h"
17 #include "net/base/cert_status_flags.h"
18 #include "net/base/cert_verify_result.h"
19 #include "net/base/ev_root_ca_metadata.h"
20 #include "net/base/net_errors.h"
21 #include "net/base/scoped_cert_chain_context.h"
22 #include "net/base/test_root_certs.h"
23 #include "net/base/x509_certificate_known_roots_win.h"
24 
25 #pragma comment(lib, "crypt32.lib")
26 
27 using base::Time;
28 
29 namespace net {
30 
31 namespace {
32 
// RAII owner for an HCERTSTORE.  The handle is released with
// CertCloseStore(handle, 0) when the scoped object is destroyed or reset.
typedef crypto::ScopedCAPIHandle<
    HCERTSTORE,
    crypto::CAPIDestroyerWithFlags<HCERTSTORE, CertCloseStore, 0> >
    ScopedHCERTSTORE;
37 
// Destroyer policy used by ScopedHCERTCHAINENGINE: releases a chain engine
// handle.  A NULL handle denotes the default engine (HCCE_CURRENT_USER, see
// X509Certificate::Verify) and is deliberately never freed.
struct FreeChainEngineFunctor {
  void operator()(HCERTCHAINENGINE engine) const {
    if (!engine)
      return;
    CertFreeCertificateChainEngine(engine);
  }
};
44 
// RAII owner for an HCERTCHAINENGINE; see FreeChainEngineFunctor for the
// release semantics (NULL, the default engine, is not freed).
typedef crypto::ScopedCAPIHandle<HCERTCHAINENGINE,
                                 FreeChainEngineFunctor> ScopedHCERTCHAINENGINE;
47 
48 //-----------------------------------------------------------------------------
49 
// TODO(wtc): This is a copy of the MapSecurityError function in
// ssl_client_socket_win.cc.  Another function that maps Windows error codes
// to our network error codes is WinInetUtil::OSErrorToNetError.  We should
// eliminate the code duplication.

// One row of the SECURITY_STATUS -> net error table below.
struct SecurityErrorMapping {
  SECURITY_STATUS security_status;
  int net_error;
};

// There are numerous security error codes, but these are the ones we thus
// far find interesting.  Any code not listed here maps to ERR_FAILED.
const SecurityErrorMapping kSecurityErrorMappings[] = {
  { SEC_E_WRONG_PRINCIPAL, ERR_CERT_COMMON_NAME_INVALID },  // Schannel
  { CERT_E_CN_NO_MATCH, ERR_CERT_COMMON_NAME_INVALID },  // CryptoAPI
  { SEC_E_UNTRUSTED_ROOT, ERR_CERT_AUTHORITY_INVALID },  // Schannel
  { CERT_E_UNTRUSTEDROOT, ERR_CERT_AUTHORITY_INVALID },  // CryptoAPI
  { SEC_E_CERT_EXPIRED, ERR_CERT_DATE_INVALID },  // Schannel
  { CERT_E_EXPIRED, ERR_CERT_DATE_INVALID },  // CryptoAPI
  { CRYPT_E_NO_REVOCATION_CHECK, ERR_CERT_NO_REVOCATION_MECHANISM },
  { CRYPT_E_REVOCATION_OFFLINE, ERR_CERT_UNABLE_TO_CHECK_REVOCATION },
  { CRYPT_E_REVOKED, ERR_CERT_REVOKED },  // Schannel and CryptoAPI
  { SEC_E_CERT_UNKNOWN, ERR_CERT_INVALID },
  { CERT_E_ROLE, ERR_CERT_INVALID },
  // TODO(wtc): Should we add ERR_CERT_WRONG_USAGE?
  { CERT_E_WRONG_USAGE, ERR_CERT_INVALID },
  // We received an unexpected_message or illegal_parameter alert message
  // from the server.
  { SEC_E_ILLEGAL_MESSAGE, ERR_SSL_PROTOCOL_ERROR },
  { SEC_E_ALGORITHM_MISMATCH, ERR_SSL_VERSION_OR_CIPHER_MISMATCH },
  { SEC_E_INVALID_HANDLE, ERR_UNEXPECTED },
  { SEC_E_OK, OK },
};

// Maps a Windows SECURITY_STATUS (Schannel or CryptoAPI error code) to the
// corresponding net:: error code.  Codes absent from
// kSecurityErrorMappings are logged and reported as ERR_FAILED.
int MapSecurityError(SECURITY_STATUS err) {
  for (size_t i = 0; i < arraysize(kSecurityErrorMappings); ++i) {
    if (kSecurityErrorMappings[i].security_status == err)
      return kSecurityErrorMappings[i].net_error;
  }
  LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
  return ERR_FAILED;
}
94 
// Map the errors in the chain_context->TrustStatus.dwErrorStatus returned by
// CertGetCertificateChain to our certificate status flags.  The result is a
// bitwise OR of CERT_STATUS_* values; 0 means no error bit was recognised.
int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
  // Each row contributes |cert_status| when any bit of |chain_error_mask| is
  // set in |error_status|.
  struct ChainErrorMapping {
    DWORD chain_error_mask;
    int cert_status;
  };
  static const ChainErrorMapping kMappings[] = {
    // We don't include CERT_TRUST_IS_NOT_TIME_NESTED because it's obsolete and
    // we wouldn't consider it an error anyway.
    { CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_CTL_IS_NOT_TIME_VALID,
      CERT_STATUS_DATE_INVALID },
    { CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_EXPLICIT_DISTRUST |
      CERT_TRUST_IS_PARTIAL_CHAIN,
      CERT_STATUS_AUTHORITY_INVALID },
    { CERT_TRUST_IS_OFFLINE_REVOCATION,
      CERT_STATUS_UNABLE_TO_CHECK_REVOCATION },
    { CERT_TRUST_IS_REVOKED, CERT_STATUS_REVOKED },
    // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?
    { CERT_TRUST_IS_NOT_VALID_FOR_USAGE | CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE,
      CERT_STATUS_INVALID },
    // The rest of the errors.
    { CERT_TRUST_IS_NOT_SIGNATURE_VALID |
      CERT_TRUST_IS_CYCLIC |
      CERT_TRUST_INVALID_EXTENSION |
      CERT_TRUST_INVALID_POLICY_CONSTRAINTS |
      CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
      CERT_TRUST_INVALID_NAME_CONSTRAINTS |
      CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID |
      CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT |
      CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
      CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
      CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT |
      CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY |
      CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT,
      CERT_STATUS_INVALID },
  };

  int cert_status = 0;
  for (size_t i = 0; i < arraysize(kMappings); ++i) {
    if (error_status & kMappings[i].chain_error_mask)
      cert_status |= kMappings[i].cert_status;
  }

  // "Revocation status unknown" is reported as "no revocation mechanism"
  // only when it was not caused by the revocation source being offline; the
  // offline case is already mapped to UNABLE_TO_CHECK_REVOCATION above.
  const bool revocation_unknown =
      (error_status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN) != 0;
  const bool revocation_offline =
      (error_status & CERT_TRUST_IS_OFFLINE_REVOCATION) != 0;
  if (revocation_unknown && !revocation_offline)
    cert_status |= CERT_STATUS_NO_REVOCATION_MECHANISM;

  return cert_status;
}
150 
// Copies the calendar fields of |exploded| into *system_time.  No time zone
// conversion is performed; callers in this file pass UTC-exploded times.
// The int fields are narrowed to WORD, as SYSTEMTIME requires.
void ExplodedTimeToSystemTime(const base::Time::Exploded& exploded,
                              SYSTEMTIME* system_time) {
  SYSTEMTIME converted;
  converted.wYear = static_cast<WORD>(exploded.year);
  converted.wMonth = static_cast<WORD>(exploded.month);
  converted.wDayOfWeek = static_cast<WORD>(exploded.day_of_week);
  converted.wDay = static_cast<WORD>(exploded.day_of_month);
  converted.wHour = static_cast<WORD>(exploded.hour);
  converted.wMinute = static_cast<WORD>(exploded.minute);
  converted.wSecond = static_cast<WORD>(exploded.second);
  converted.wMilliseconds = static_cast<WORD>(exploded.millisecond);
  *system_time = converted;
}
162 
163 //-----------------------------------------------------------------------------
164 
// Wrappers of malloc and free for CRYPT_DECODE_PARA, which requires the
// WINAPI calling convention.  Using the CRT allocator here is what lets the
// decoded structures be owned by scoped_ptr_malloc (which releases with
// free()).
void* WINAPI MyCryptAlloc(size_t size) {
  void* block = malloc(size);
  return block;
}
170 
// WINAPI-convention counterpart of MyCryptAlloc.  free(NULL) is a no-op, so
// the explicit check only documents that a NULL |p| is acceptable.
void WINAPI MyCryptFree(void* p) {
  if (p)
    free(p);
}
174 
// Decodes |cert|'s subjectAltName extension into a CERT_ALT_NAME_INFO and
// hands ownership of the malloc'ed structure to *output.  *output is left
// untouched when the extension is absent or fails to decode.
//
// CRYPT_DECODE_NOCOPY_FLAG is passed, so (per the CryptoAPI contract) the
// decoded structure may point into |cert|'s encoded extension data; |cert|
// must therefore outlive *output.
void GetCertSubjectAltName(PCCERT_CONTEXT cert,
                           scoped_ptr_malloc<CERT_ALT_NAME_INFO>* output) {
  const PCERT_EXTENSION extension =
      CertFindExtension(szOID_SUBJECT_ALT_NAME2,
                        cert->pCertInfo->cExtension,
                        cert->pCertInfo->rgExtension);
  if (extension == NULL)
    return;

  // Route CryptoAPI's allocations through malloc/free so that
  // scoped_ptr_malloc can own the result.
  CRYPT_DECODE_PARA decode_para = {
    sizeof(decode_para), MyCryptAlloc, MyCryptFree
  };
  CERT_ALT_NAME_INFO* decoded = NULL;
  DWORD decoded_size = 0;
  const BOOL decoded_ok = CryptDecodeObjectEx(
      X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
      szOID_SUBJECT_ALT_NAME2,
      extension->Value.pbData,
      extension->Value.cbData,
      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
      &decode_para,
      &decoded,
      &decoded_size);
  if (!decoded_ok)
    return;
  output->reset(decoded);
}
203 
// Returns true if the value of the RDN attribute |attr| (already known to be
// a commonName) contains a NUL character, scanning with the character width
// implied by dwValueType.  CERT_RDN_ENCODED_BLOB values are not inspected.
bool RdnAttrValueHasNull(const CERT_RDN_ATTR& attr) {
  const BYTE* bytes = attr.Value.pbData;
  const DWORD num_bytes = attr.Value.cbData;

  switch (attr.dwValueType) {
    // After the CryptoAPI ASN.1 security vulnerabilities described in
    // http://www.microsoft.com/technet/security/Bulletin/MS09-056.mspx
    // were patched, we get CERT_RDN_ENCODED_BLOB for a common name
    // that contains a NULL character.
    case CERT_RDN_ENCODED_BLOB:
      return false;

    // Array of 8-bit characters.
    case CERT_RDN_PRINTABLE_STRING:
    case CERT_RDN_TELETEX_STRING:
    case CERT_RDN_IA5_STRING:
    case CERT_RDN_VISIBLE_STRING:
      for (DWORD k = 0; k < num_bytes; ++k) {
        if (bytes[k] == '\0')
          return true;
      }
      return false;

    // Array of 16-bit characters.
    case CERT_RDN_BMP_STRING:
    case CERT_RDN_UTF8_STRING: {
      const wchar_t* chars = reinterpret_cast<const wchar_t*>(bytes);
      const DWORD num_chars = num_bytes / 2;
      for (DWORD k = 0; k < num_chars; ++k) {
        if (chars[k] == L'\0')
          return true;
      }
      return false;
    }

    // Array of ints (32-bit).
    case CERT_RDN_UNIVERSAL_STRING: {
      const int* chars = reinterpret_cast<const int*>(bytes);
      const DWORD num_chars = num_bytes / 4;
      for (DWORD k = 0; k < num_chars; ++k) {
        if (chars[k] == 0)
          return true;
      }
      return false;
    }

    default:
      NOTREACHED();
      return false;
  }
}

// Returns true if any common name in the certificate's Subject field contains
// a NULL character.  Returns false when the Subject cannot be decoded.
bool CertSubjectCommonNameHasNull(PCCERT_CONTEXT cert) {
  CRYPT_DECODE_PARA decode_para = {
    sizeof(decode_para), MyCryptAlloc, MyCryptFree
  };
  CERT_NAME_INFO* name_info = NULL;
  DWORD name_info_size = 0;
  const BOOL decoded_ok = CryptDecodeObjectEx(
      X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
      X509_NAME,
      cert->pCertInfo->Subject.pbData,
      cert->pCertInfo->Subject.cbData,
      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
      &decode_para,
      &name_info,
      &name_info_size);
  if (!decoded_ok)
    return false;
  scoped_ptr_malloc<CERT_NAME_INFO> owned_name_info(name_info);

  // The Subject field may have multiple common names.  According to the
  // "PKI Layer Cake" paper, CryptoAPI uses every common name in the
  // Subject field, so we inspect every common name.
  //
  // From RFC 5280:
  // X520CommonName ::= CHOICE {
  //       teletexString     TeletexString   (SIZE (1..ub-common-name)),
  //       printableString   PrintableString (SIZE (1..ub-common-name)),
  //       universalString   UniversalString (SIZE (1..ub-common-name)),
  //       utf8String        UTF8String      (SIZE (1..ub-common-name)),
  //       bmpString         BMPString       (SIZE (1..ub-common-name)) }
  //
  // We also check IA5String and VisibleString.
  for (DWORD i = 0; i < name_info->cRDN; ++i) {
    const CERT_RDN& rdn = name_info->rgRDN[i];
    for (DWORD j = 0; j < rdn.cRDNAttr; ++j) {
      const CERT_RDN_ATTR& attr = rdn.rgRDNAttr[j];
      if (strcmp(attr.pszObjId, szOID_COMMON_NAME) != 0)
        continue;
      if (RdnAttrValueHasNull(attr))
        return true;
    }
  }
  return false;
}
293 
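// Records signature-algorithm facts about the first simple chain of
// |chain_context| in *verify_result: has_md5/has_md2/has_md4 when any
// non-root certificate is signed with that digest, and has_md5_ca/has_md2_ca
// when such a certificate is an intermediate rather than the end entity.
// Only sets flags, never clears them; the caller MUST initialize
// *verify_result before calling this function.
void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
                      CertVerifyResult* verify_result) {
  // A context with no simple chains has nothing to inspect; guard before
  // indexing rgpChain (same check AppendPublicKeyHashes makes).
  if (chain_context->cChain == 0)
    return;
  const PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
  const DWORD num_elements = first_chain->cElement;
  PCERT_CHAIN_ELEMENT* const element = first_chain->rgpElement;

  // Each chain starts with the end entity certificate (i = 0) and ends with
  // the root CA certificate (i = num_elements - 1).  Do not inspect the
  // signature algorithm of the root CA certificate because the signature on
  // the trust anchor is not important.  The loop bound is written as
  // i + 1 < num_elements so an empty chain cannot underflow the DWORD.
  for (DWORD i = 0; i + 1 < num_elements; ++i) {
    const PCCERT_CONTEXT cert = element[i]->pCertContext;
    const char* algorithm = cert->pCertInfo->SignatureAlgorithm.pszObjId;
    if (strcmp(algorithm, szOID_RSA_MD5RSA) == 0) {
      // md5WithRSAEncryption: 1.2.840.113549.1.1.4
      verify_result->has_md5 = true;
      if (i != 0)
        verify_result->has_md5_ca = true;
    } else if (strcmp(algorithm, szOID_RSA_MD2RSA) == 0) {
      // md2WithRSAEncryption: 1.2.840.113549.1.1.2
      verify_result->has_md2 = true;
      if (i != 0)
        verify_result->has_md2_ca = true;
    } else if (strcmp(algorithm, szOID_RSA_MD4RSA) == 0) {
      // md4WithRSAEncryption: 1.2.840.113549.1.1.3
      verify_result->has_md4 = true;
    }
  }
}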
326 
// Decodes |cert|'s certificatePolicies extension into a CERT_POLICIES_INFO
// and hands ownership of the malloc'ed structure to *output.  *output is
// left untouched when the extension is absent or fails to decode.
//
// CRYPT_DECODE_NOCOPY_FLAG is passed, so (per the CryptoAPI contract) the
// decoded structure may point into |cert|'s encoded extension data; |cert|
// must therefore outlive *output.
void GetCertPoliciesInfo(PCCERT_CONTEXT cert,
                         scoped_ptr_malloc<CERT_POLICIES_INFO>* output) {
  const PCERT_EXTENSION extension =
      CertFindExtension(szOID_CERT_POLICIES,
                        cert->pCertInfo->cExtension,
                        cert->pCertInfo->rgExtension);
  if (extension == NULL)
    return;

  // Route CryptoAPI's allocations through malloc/free so that
  // scoped_ptr_malloc can own the result.
  CRYPT_DECODE_PARA decode_para = {
    sizeof(decode_para), MyCryptAlloc, MyCryptFree
  };
  CERT_POLICIES_INFO* decoded = NULL;
  DWORD decoded_size = 0;
  const BOOL decoded_ok = CryptDecodeObjectEx(
      X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
      szOID_CERT_POLICIES,
      extension->Value.pbData,
      extension->Value.cbData,
      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
      &decode_para,
      &decoded,
      &decoded_size);
  if (!decoded_ok)
    return;
  output->reset(decoded);
}
355 
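// Parses |description| -- the CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG
// rendering of a certificate Subject or Issuer, one "KEY=value" RDN per
// CR/LF-separated line -- into *principal.  Multi-valued attributes
// (STREET, O, OU, DC) are appended to the principal's vectors; for CN, L, S
// and C only the first occurrence is kept.  Enclosing double quotes around a
// value are stripped.  Lines with an unrecognised prefix are ignored.
//
// NOTE(review): the tokenizer splits on every CR/LF before the quotes are
// examined, so a quoted value that itself contained a line break would be
// split across entries.  Confirm whether CertNameToStr can emit such a value
// before relying on this for display or matching.
void ParsePrincipal(const std::string& description,
                    CertPrincipal* principal) {
  // The description of the principal is a string with each LDAP value on
  // a separate line.
  const std::string kDelimiters("\r\n");

  std::vector<std::string> common_names, locality_names, state_names,
      country_names;

  // TODO(jcampan): add business_category and serial_number.
  const std::string kPrefixes[] = { std::string("CN="),
                                    std::string("L="),
                                    std::string("S="),
                                    std::string("C="),
                                    std::string("STREET="),
                                    std::string("O="),
                                    std::string("OU="),
                                    std::string("DC=") };

  // values[i] receives every value whose line starts with kPrefixes[i].
  std::vector<std::string>* values[] = {
      &common_names, &locality_names,
      &state_names, &country_names,
      &(principal->street_addresses),
      &(principal->organization_names),
      &(principal->organization_unit_names),
      &(principal->domain_components) };
  DCHECK(arraysize(kPrefixes) == arraysize(values));

  StringTokenizer str_tok(description, kDelimiters);
  while (str_tok.GetNext()) {
    const std::string entry = str_tok.token();
    for (size_t i = 0; i < arraysize(kPrefixes); ++i) {
      const std::string& prefix = kPrefixes[i];
      if (entry.compare(0, prefix.length(), prefix) != 0)
        continue;
      std::string value = entry.substr(prefix.length());
      // Remove enclosing double-quotes if any.
      if (value.size() >= 2 &&
          value[0] == '"' && value[value.size() - 1] == '"')
        value = value.substr(1, value.size() - 2);
      values[i]->push_back(value);
      // The first matching prefix wins ("STREET=" cannot match "S=" because
      // the character after 'S' differs).
      break;
    }
  }

  // We don't expect to have more than one CN, L, S, and C. If there is more
  // than one entry for CN, L, S, and C, we will use the first entry. Although
  // RFC 2818 Section 3.1 says the "most specific" CN should be used, that term
  // has been removed in draft-saintandre-tls-server-id-check, which requires
  // that the Subject field contains only one CN. So it is fine for us to just
  // use the first CN.
  std::vector<std::string>* single_value_lists[4] = {
      &common_names, &locality_names, &state_names, &country_names };
  std::string* single_values[4] = {
      &principal->common_name, &principal->locality_name,
      &principal->state_or_province_name, &principal->country_name };
  for (size_t i = 0; i < arraysize(single_value_lists); ++i) {
    if (!single_value_lists[i]->empty())
      *(single_values[i]) = single_value_lists[i]->front();
  }
}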
419 
// Enumerates every certificate in |store| and prepends a detached handle for
// each to *results, so the resulting order is the reverse of the enumeration
// order.  Handles that cannot be detached are skipped.
void AddCertsFromStore(HCERTSTORE store,
                       X509Certificate::OSCertHandles* results) {
  for (PCCERT_CONTEXT cert = CertEnumCertificatesInStore(store, NULL);
       cert != NULL;
       cert = CertEnumCertificatesInStore(store, cert)) {
    PCCERT_CONTEXT detached = NULL;
    const BOOL added = CertAddCertificateContextToStore(
        NULL,  // The cert won't be persisted in any cert store. This breaks
               // any association the context currently has to |store|, which
               // allows us, the caller, to safely close |store| without
               // releasing the cert handles.
        cert,
        CERT_STORE_ADD_USE_EXISTING,
        &detached);
    if (!added || detached == NULL)
      continue;
    // When processing stores generated from PKCS#7/PKCS#12 files, it
    // appears that the order returned is the inverse of the order that it
    // appeared in the file.
    // TODO(rsleevi): Ensure this order is consistent across all Win
    // versions
    results->insert(results->begin(), detached);
  }
}
443 
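// Parses |length| bytes at |data| as a binary PKCS#7 message (signed,
// signed-with-embedded-content or unsigned) and returns detached handles for
// the certificates it carries, in the order AddCertsFromStore produces.
// Returns an empty list if the input cannot be parsed or is too large to
// describe with a CERT_BLOB.
X509Certificate::OSCertHandles ParsePKCS7(const char* data, size_t length) {
  X509Certificate::OSCertHandles results;

  // CERT_BLOB::cbData is a DWORD.  Refuse input that would be silently
  // truncated rather than hand CryptoAPI a prefix of the buffer.
  if (length != static_cast<size_t>(static_cast<DWORD>(length)))
    return results;

  CERT_BLOB data_blob;
  data_blob.cbData = static_cast<DWORD>(length);
  // CryptQueryObject takes a non-const blob; it does not modify the data.
  data_blob.pbData = reinterpret_cast<BYTE*>(const_cast<char*>(data));

  const DWORD expected_types = CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED |
                               CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED |
                               CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED;

  HCERTSTORE out_store = NULL;
  if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &data_blob, expected_types,
                        CERT_QUERY_FORMAT_FLAG_BINARY, 0, NULL, NULL, NULL,
                        &out_store, NULL, NULL) || out_store == NULL) {
    return results;
  }

  // Own the temporary store for the rest of the function so it is closed on
  // every return path.  (ScopedHCERTSTORE closes with flags 0; the
  // diagnostic CERT_CLOSE_STORE_CHECK_FLAG would only alter a return value
  // that is not consulted here.)  The handles added to |results| are
  // detached from the store by AddCertsFromStore, so closing it is safe.
  ScopedHCERTSTORE scoped_store(out_store);
  AddCertsFromStore(scoped_store, &results);

  return results;
}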
467 
// Appends to *hashes the SHA-1 hash of the subjectPublicKeyInfo of every
// certificate in the first simple chain of |chain|, leaf first.  Certificates
// whose SPKI cannot be extracted from the DER are skipped; a context with no
// simple chains contributes nothing.
void AppendPublicKeyHashes(PCCERT_CHAIN_CONTEXT chain,
                           std::vector<SHA1Fingerprint>* hashes) {
  if (chain->cChain == 0)
    return;

  const PCERT_SIMPLE_CHAIN first_chain = chain->rgpChain[0];
  for (DWORD i = 0; i < first_chain->cElement; ++i) {
    const PCCERT_CONTEXT cert = first_chain->rgpElement[i]->pCertContext;

    const base::StringPiece der_bytes(
        reinterpret_cast<const char*>(cert->pbCertEncoded),
        cert->cbCertEncoded);
    base::StringPiece spki_bytes;
    if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
      continue;

    SHA1Fingerprint hash;
    base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
                        spki_bytes.size(), hash.data);
    hashes->push_back(hash);
  }
}
493 
494 }  // namespace
495 
// Renders |name| (a Subject or Issuer blob) with CertNameToStr in X.500 form,
// one RDN per CR/LF-separated line, which is the layout ParsePrincipal
// expects.  |encoding_type| is the certificate's dwCertEncodingType.
static std::wstring CertNameBlobToString(DWORD encoding_type,
                                         CERT_NAME_BLOB* name) {
  const DWORD kFlags = CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG;
  std::wstring result;
  // First call sizes the buffer (count includes the terminating NUL); the
  // second call fills it.
  const DWORD size = CertNameToStr(encoding_type, name, kFlags, NULL, 0);
  CertNameToStr(encoding_type, name, kFlags, WriteInto(&result, size), size);
  return result;
}

// Populates the parsed view of cert_handle_: subject_, issuer_, the validity
// window, the SHA-1 fingerprint and the serial number.  Requires a non-NULL
// cert_handle_.
void X509Certificate::Initialize() {
  DCHECK(cert_handle_);
  CERT_INFO* const info = cert_handle_->pCertInfo;
  const DWORD encoding_type = cert_handle_->dwCertEncodingType;

  ParsePrincipal(
      WideToUTF8(CertNameBlobToString(encoding_type, &info->Subject)),
      &subject_);
  ParsePrincipal(
      WideToUTF8(CertNameBlobToString(encoding_type, &info->Issuer)),
      &issuer_);

  valid_start_ = Time::FromFileTime(info->NotBefore);
  valid_expiry_ = Time::FromFileTime(info->NotAfter);

  fingerprint_ = CalculateFingerprint(cert_handle_);

  // CryptoAPI stores the serial number little-endian; serial_number_ holds
  // the bytes most-significant first, as they appear in the DER.
  const CRYPT_INTEGER_BLOB& serial = info->SerialNumber;
  serial_number_.resize(serial.cbData);
  for (DWORD i = 0; i < serial.cbData; ++i)
    serial_number_[i] = static_cast<char>(serial.pbData[serial.cbData - 1 - i]);

  // Remove leading zeros, but always keep at least one byte.
  size_t leading_zeros = 0;
  while (leading_zeros + 1 < serial_number_.size() &&
         serial_number_[leading_zeros] == 0) {
    ++leading_zeros;
  }
  serial_number_.erase(0, leading_zeros);
}
535 
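// IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
// which we recognise as a standard root.  "Root" means the last element of
// the first simple chain, whose SHA-1 fingerprint is looked up in
// kKnownRootCertSHA1Hashes.  This does not consult
// chain_context->TrustStatus; the caller is responsible for establishing
// that the chain is actually trusted.
// static
bool X509Certificate::IsIssuedByKnownRoot(PCCERT_CHAIN_CONTEXT chain_context) {
  // Guard both indexing steps: a context with no simple chains (mirrors
  // AppendPublicKeyHashes) and a simple chain with no elements.
  if (chain_context->cChain == 0)
    return false;
  const PCERT_SIMPLE_CHAIN first_chain = chain_context->rgpChain[0];
  const DWORD num_elements = first_chain->cElement;
  if (num_elements == 0)
    return false;
  const PCCERT_CONTEXT root =
      first_chain->rgpElement[num_elements - 1]->pCertContext;

  const SHA1Fingerprint hash = CalculateFingerprint(root);
  return IsSHA1HashInSortedArray(
      hash, &kKnownRootCertSHA1Hashes[0][0], sizeof(kKnownRootCertSHA1Hashes));
}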
551 
// Converts |time| to a UTC SYSTEMTIME, the representation
// CertCreateSelfSignCertificate expects for the validity bounds.
static void TimeToUTCSystemTime(const base::Time& time,
                                SYSTEMTIME* system_time) {
  base::Time::Exploded exploded;
  time.UTCExplode(&exploded);
  ExplodedTimeToSystemTime(exploded, system_time);
}

// Creates a self-signed certificate for |subject| (an X.500 name string such
// as "CN=example") signed with |key|, valid from now for |valid_duration|.
// Returns NULL if the subject cannot be encoded or the certificate cannot be
// created.  |serial_number| is not used by this implementation.
//
// NOTE(review): the signature algorithm is sha1WithRSAEncryption
// (szOID_RSA_SHA1RSA).  SHA-1 signatures are deprecated for new
// certificates; consider szOID_RSA_SHA256RSA where consumers support it.
// static
X509Certificate* X509Certificate::CreateSelfSigned(
    crypto::RSAPrivateKey* key,
    const std::string& subject,
    uint32 serial_number,
    base::TimeDelta valid_duration) {
  // Get the ASN.1 encoding of the certificate subject: size first, then
  // fill.
  const std::wstring wide_subject = ASCIIToWide(subject);
  DWORD encoded_length = 0;
  if (!CertStrToName(X509_ASN_ENCODING,
                     wide_subject.c_str(),
                     CERT_X500_NAME_STR, NULL, NULL, &encoded_length, NULL)) {
    return NULL;
  }

  scoped_array<BYTE> encoded_subject(new BYTE[encoded_length]);
  if (!CertStrToName(X509_ASN_ENCODING,
                     wide_subject.c_str(),
                     CERT_X500_NAME_STR, NULL,
                     encoded_subject.get(),
                     &encoded_length, NULL)) {
    return NULL;
  }

  CERT_NAME_BLOB subject_name = { encoded_length, encoded_subject.get() };

  CRYPT_ALGORITHM_IDENTIFIER sign_algo;
  memset(&sign_algo, 0, sizeof(sign_algo));
  sign_algo.pszObjId = szOID_RSA_SHA1RSA;

  // Validity window, expressed as SYSTEMTIMEs.
  const base::Time not_before = base::Time::Now();
  const base::Time not_after = not_before + valid_duration;
  SYSTEMTIME start_time;
  TimeToUTCSystemTime(not_before, &start_time);
  SYSTEMTIME end_time;
  TimeToUTCSystemTime(not_after, &end_time);

  const PCCERT_CONTEXT cert_handle =
      CertCreateSelfSignCertificate(key->provider(), &subject_name,
                                    CERT_CREATE_SELFSIGN_NO_KEY_INFO, NULL,
                                    &sign_algo, &start_time, &end_time, NULL);
  DCHECK(cert_handle) << "Failed to create self-signed certificate: "
                      << GetLastError();
  if (cert_handle == NULL)
    return NULL;

  // CreateFromHandle takes its own reference, so the handle obtained above
  // is released here.
  X509Certificate* result = CreateFromHandle(cert_handle,
                                             SOURCE_LONE_CERT_IMPORT,
                                             OSCertHandles());
  FreeOSCertHandle(cert_handle);
  return result;
}
614 
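// Fills *dns_names with the dNSName entries of the subjectAltName extension.
// If none are found -- including when the certificate has a subjectAltName
// with only other name types, or no handle at all -- the Subject common name
// is used instead.  Any previous contents of *dns_names are discarded.
void X509Certificate::GetDNSNames(std::vector<std::string>* dns_names) const {
  dns_names->clear();
  if (cert_handle_) {
    scoped_ptr_malloc<CERT_ALT_NAME_INFO> alt_name_info;
    GetCertSubjectAltName(cert_handle_, &alt_name_info);
    const CERT_ALT_NAME_INFO* alt_name = alt_name_info.get();
    if (alt_name) {
      // cAltEntry is a DWORD; iterate with the matching unsigned type rather
      // than narrowing it to int.
      for (DWORD i = 0; i < alt_name->cAltEntry; ++i) {
        const CERT_ALT_NAME_ENTRY& entry = alt_name->rgAltEntry[i];
        if (entry.dwAltNameChoice != CERT_ALT_NAME_DNS_NAME)
          continue;
        // dNSName is an ASN.1 IA5String representing a string of ASCII
        // characters, so we can use WideToASCII here.
        // NOTE(review): confirm how WideToASCII treats non-ASCII code units
        // should a malformed certificate carry them in a dNSName.
        dns_names->push_back(WideToASCII(entry.pwszDNSName));
      }
    }
  }
  if (dns_names->empty())
    dns_names->push_back(subject_.common_name);
}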
635 
// Process-wide in-memory certificate store.  Constructed lazily through
// base::LazyInstance (see g_cert_store); the store lives until the instance
// is destroyed.
class GlobalCertStore {
 public:
  // Returns the memory store handle.  Ownership stays with this object.
  HCERTSTORE cert_store() { return cert_store_; }

 private:
  friend struct base::DefaultLazyInstanceTraits<GlobalCertStore>;

  // Opens an empty in-memory store.
  // NOTE(review): a NULL result from CertOpenStore is not checked here, so
  // cert_store() would hand out NULL in that case.
  GlobalCertStore()
      : cert_store_(CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL)) {}

  ~GlobalCertStore() { CertCloseStore(cert_store_, 0 /* flags */); }

  const HCERTSTORE cert_store_;

  DISALLOW_COPY_AND_ASSIGN(GlobalCertStore);
};
657 
// Lazily-constructed process-wide memory store; see GlobalCertStore and
// X509Certificate::cert_store().
static base::LazyInstance<GlobalCertStore>
    g_cert_store(base::LINKER_INITIALIZED);
660 
// Returns the handle of the process-wide in-memory certificate store,
// creating it on first use.  The handle is owned by g_cert_store and must
// not be closed by the caller.
// static
HCERTSTORE X509Certificate::cert_store() {
  GlobalCertStore& global_store = g_cert_store.Get();
  return global_store.cert_store();
}
665 
Verify(const std::string & hostname,int flags,CertVerifyResult * verify_result) const666 int X509Certificate::Verify(const std::string& hostname,
667                             int flags,
668                             CertVerifyResult* verify_result) const {
669   verify_result->Reset();
670   if (!cert_handle_)
671     return ERR_UNEXPECTED;
672 
673   if (IsBlacklisted()) {
674     verify_result->cert_status |= CERT_STATUS_REVOKED;
675     return ERR_CERT_REVOKED;
676   }
677 
678   // Build and validate certificate chain.
679 
680   CERT_CHAIN_PARA chain_para;
681   memset(&chain_para, 0, sizeof(chain_para));
682   chain_para.cbSize = sizeof(chain_para);
683   // ExtendedKeyUsage.
684   // We still need to request szOID_SERVER_GATED_CRYPTO and szOID_SGC_NETSCAPE
685   // today because some certificate chains need them.  IE also requests these
686   // two usages.
687   static const LPSTR usage[] = {
688     szOID_PKIX_KP_SERVER_AUTH,
689     szOID_SERVER_GATED_CRYPTO,
690     szOID_SGC_NETSCAPE
691   };
692   chain_para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
693   chain_para.RequestedUsage.Usage.cUsageIdentifier = arraysize(usage);
694   chain_para.RequestedUsage.Usage.rgpszUsageIdentifier =
695       const_cast<LPSTR*>(usage);
696   // We can set CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS to get more chains.
697   DWORD chain_flags = CERT_CHAIN_CACHE_END_CERT;
698   if (flags & VERIFY_REV_CHECKING_ENABLED) {
699     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
700     chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
701   } else {
702     chain_flags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
703     // EV requires revocation checking.
704     flags &= ~VERIFY_EV_CERT;
705   }
706 
707   // Get the certificatePolicies extension of the certificate.
708   scoped_ptr_malloc<CERT_POLICIES_INFO> policies_info;
709   LPSTR ev_policy_oid = NULL;
710   if (flags & VERIFY_EV_CERT) {
711     GetCertPoliciesInfo(cert_handle_, &policies_info);
712     if (policies_info.get()) {
713       EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
714       for (DWORD i = 0; i < policies_info->cPolicyInfo; ++i) {
715         LPSTR policy_oid = policies_info->rgPolicyInfo[i].pszPolicyIdentifier;
716         if (metadata->IsEVPolicyOID(policy_oid)) {
717           ev_policy_oid = policy_oid;
718           chain_para.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND;
719           chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 1;
720           chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier =
721               &ev_policy_oid;
722           break;
723         }
724       }
725     }
726   }
727 
728   // For non-test scenarios, use the default HCERTCHAINENGINE, NULL, which
729   // corresponds to HCCE_CURRENT_USER and is is initialized as needed by
730   // crypt32. However, when testing, it is necessary to create a new
731   // HCERTCHAINENGINE and use that instead. This is because each
732   // HCERTCHAINENGINE maintains a cache of information about certificates
733   // encountered, and each test run may modify the trust status of a
734   // certificate.
735   ScopedHCERTCHAINENGINE chain_engine(NULL);
736   if (TestRootCerts::HasInstance())
737     chain_engine.reset(TestRootCerts::GetInstance()->GetChainEngine());
738 
739   PCCERT_CHAIN_CONTEXT chain_context;
740   // IE passes a non-NULL pTime argument that specifies the current system
741   // time.  IE passes CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT as the
742   // chain_flags argument.
743   if (!CertGetCertificateChain(
744            chain_engine,
745            cert_handle_,
746            NULL,  // current system time
747            cert_handle_->hCertStore,
748            &chain_para,
749            chain_flags,
750            NULL,  // reserved
751            &chain_context)) {
752     return MapSecurityError(GetLastError());
753   }
754   if (chain_context->TrustStatus.dwErrorStatus &
755       CERT_TRUST_IS_NOT_VALID_FOR_USAGE) {
756     ev_policy_oid = NULL;
757     chain_para.RequestedIssuancePolicy.Usage.cUsageIdentifier = 0;
758     chain_para.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = NULL;
759     CertFreeCertificateChain(chain_context);
760     if (!CertGetCertificateChain(
761              chain_engine,
762              cert_handle_,
763              NULL,  // current system time
764              cert_handle_->hCertStore,
765              &chain_para,
766              chain_flags,
767              NULL,  // reserved
768              &chain_context)) {
769       return MapSecurityError(GetLastError());
770     }
771   }
772   ScopedCertChainContext scoped_chain_context(chain_context);
773 
774   GetCertChainInfo(chain_context, verify_result);
775   verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
776       chain_context->TrustStatus.dwErrorStatus);
777 
778   // Treat certificates signed using broken signature algorithms as invalid.
779   if (verify_result->has_md4)
780     verify_result->cert_status |= CERT_STATUS_INVALID;
781 
782   // Flag certificates signed using weak signature algorithms.
783   if (verify_result->has_md2)
784     verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
785 
786   // Flag certificates that have a Subject common name with a NULL character.
787   if (CertSubjectCommonNameHasNull(cert_handle_))
788     verify_result->cert_status |= CERT_STATUS_INVALID;
789 
790   std::wstring wstr_hostname = ASCIIToWide(hostname);
791 
792   SSL_EXTRA_CERT_CHAIN_POLICY_PARA extra_policy_para;
793   memset(&extra_policy_para, 0, sizeof(extra_policy_para));
794   extra_policy_para.cbSize = sizeof(extra_policy_para);
795   extra_policy_para.dwAuthType = AUTHTYPE_SERVER;
796   extra_policy_para.fdwChecks = 0;
797   extra_policy_para.pwszServerName =
798       const_cast<wchar_t*>(wstr_hostname.c_str());
799 
800   CERT_CHAIN_POLICY_PARA policy_para;
801   memset(&policy_para, 0, sizeof(policy_para));
802   policy_para.cbSize = sizeof(policy_para);
803   policy_para.dwFlags = 0;
804   policy_para.pvExtraPolicyPara = &extra_policy_para;
805 
806   CERT_CHAIN_POLICY_STATUS policy_status;
807   memset(&policy_status, 0, sizeof(policy_status));
808   policy_status.cbSize = sizeof(policy_status);
809 
810   if (!CertVerifyCertificateChainPolicy(
811            CERT_CHAIN_POLICY_SSL,
812            chain_context,
813            &policy_para,
814            &policy_status)) {
815     return MapSecurityError(GetLastError());
816   }
817 
818   if (policy_status.dwError) {
819     verify_result->cert_status |= MapNetErrorToCertStatus(
820         MapSecurityError(policy_status.dwError));
821 
822     // CertVerifyCertificateChainPolicy reports only one error (in
823     // policy_status.dwError) if the certificate has multiple errors.
824     // CertGetCertificateChain doesn't report certificate name mismatch, so
825     // CertVerifyCertificateChainPolicy is the only function that can report
826     // certificate name mismatch.
827     //
828     // To prevent a potential certificate name mismatch from being hidden by
829     // some other certificate error, if we get any other certificate error,
830     // we call CertVerifyCertificateChainPolicy again, ignoring all other
831     // certificate errors.  Both extra_policy_para.fdwChecks and
832     // policy_para.dwFlags allow us to ignore certificate errors, so we set
833     // them both.
834     if (policy_status.dwError != CERT_E_CN_NO_MATCH) {
835       const DWORD extra_ignore_flags =
836           0x00000080 |  // SECURITY_FLAG_IGNORE_REVOCATION
837           0x00000100 |  // SECURITY_FLAG_IGNORE_UNKNOWN_CA
838           0x00002000 |  // SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
839           0x00000200;   // SECURITY_FLAG_IGNORE_WRONG_USAGE
840       extra_policy_para.fdwChecks = extra_ignore_flags;
841       const DWORD ignore_flags =
842           CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS |
843           CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG |
844           CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
845           CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG |
846           CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG |
847           CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG |
848           CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS |
849           CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG |
850           CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG |
851           CERT_CHAIN_POLICY_IGNORE_NOT_SUPPORTED_CRITICAL_EXT_FLAG |
852           CERT_CHAIN_POLICY_IGNORE_PEER_TRUST_FLAG;
853       policy_para.dwFlags = ignore_flags;
854       if (!CertVerifyCertificateChainPolicy(
855                CERT_CHAIN_POLICY_SSL,
856                chain_context,
857                &policy_para,
858                &policy_status)) {
859         return MapSecurityError(GetLastError());
860       }
861       if (policy_status.dwError) {
862         verify_result->cert_status |= MapNetErrorToCertStatus(
863             MapSecurityError(policy_status.dwError));
864       }
865     }
866   }
867 
868   // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
869   // compatible with WinHTTP, which doesn't report this error (bug 3004).
870   verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
871 
872   if (IsCertStatusError(verify_result->cert_status))
873     return MapCertStatusToNetError(verify_result->cert_status);
874 
875   AppendPublicKeyHashes(chain_context, &verify_result->public_key_hashes);
876   verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(chain_context);
877 
878   if (ev_policy_oid && CheckEV(chain_context, ev_policy_oid))
879     verify_result->cert_status |= CERT_STATUS_IS_EV;
880 
881   if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
882     verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
883     return MapCertStatusToNetError(verify_result->cert_status);
884   }
885 
886   return OK;
887 }
888 
bool X509Certificate::GetDEREncoded(std::string* encoded) {
  // Copies the DER bytes held by |cert_handle_| into |encoded|.  Returns
  // false (leaving |encoded| untouched) when the handle carries no encoded
  // data.
  const BYTE* der_bytes = cert_handle_->pbCertEncoded;
  const DWORD der_length = cert_handle_->cbCertEncoded;
  if (der_bytes == NULL || der_length == 0)
    return false;
  encoded->assign(reinterpret_cast<const char*>(der_bytes), der_length);
  return true;
}
897 
898 // Returns true if the certificate is an extended-validation certificate.
899 //
900 // This function checks the certificatePolicies extensions of the
901 // certificates in the certificate chain according to Section 7 (pp. 11-12)
902 // of the EV Certificate Guidelines Version 1.0 at
903 // http://cabforum.org/EV_Certificate_Guidelines.pdf.
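bool X509Certificate::CheckEV(PCCERT_CHAIN_CONTEXT chain_context,
                              const char* policy_oid) const {
  // |chain_context| is the chain Verify() built with |policy_oid| as the
  // requested issuance policy; it must contain at least one simple chain.
  DCHECK(chain_context->cChain != 0);
  // If the cert doesn't match any of the policies, the
  // CERT_TRUST_IS_NOT_VALID_FOR_USAGE bit (0x10) in
  // chain_context->TrustStatus.dwErrorStatus is set.  Any error status at
  // all (a partial chain, an untrusted root, ...) disqualifies the
  // certificate from EV.
  DWORD error_status = chain_context->TrustStatus.dwErrorStatus;
  if (!chain_context->cChain || error_status != CERT_TRUST_NO_ERROR)
    return false;

  // Check the end certificate simple chain (chain_context->rgpChain[0]).
  // If the end certificate's certificatePolicies extension contains the
  // EV policy OID of the root CA, return true.
  PCERT_CHAIN_ELEMENT* element = chain_context->rgpChain[0]->rgpElement;
  // cElement is a DWORD; keep it unsigned rather than narrowing to int.
  DWORD num_elements = chain_context->rgpChain[0]->cElement;
  // A chain consisting of the end certificate alone has no separate root
  // whose EV policy could be looked up.
  if (num_elements < 2)
    return false;

  // Look up the EV policy OID of the root CA, which is the last element of
  // the simple chain, by its SHA-1 fingerprint.
  PCCERT_CONTEXT root_cert = element[num_elements - 1]->pCertContext;
  SHA1Fingerprint fingerprint = CalculateFingerprint(root_cert);
  EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
  return metadata->HasEVPolicyOID(fingerprint, policy_oid);
}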
929 
bool X509Certificate::VerifyEV() const {
  // Declared in x509_certificate.h, so it must exist, but the Windows
  // implementation never calls it: EV checking happens inside Verify()
  // through CheckEV().  Reaching this is a programming error.
  NOTREACHED();
  return false;
}
937 
938 // static
bool X509Certificate::IsSameOSCert(X509Certificate::OSCertHandle a,
                                   X509Certificate::OSCertHandle b) {
  // Two handles denote the same certificate when they are the same context
  // or when their DER encodings are byte-for-byte identical.  Both handles
  // must be non-NULL.
  DCHECK(a && b);
  if (a == b)
    return true;
  if (a->cbCertEncoded != b->cbCertEncoded)
    return false;
  return memcmp(a->pbCertEncoded, b->pbCertEncoded, a->cbCertEncoded) == 0;
}
947 
948 // static
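X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
    const char* data, int length) {
  // Decodes a single DER certificate from |data| into a CryptoAPI context
  // that belongs to no store.  Returns NULL on any failure; the caller owns
  // the returned handle and releases it with FreeOSCertHandle().
  //
  // |length| is an int but CryptoAPI takes a DWORD: a negative value would
  // silently widen to a huge byte count and let the decoder read far past
  // the end of |data|, so reject it (and a NULL buffer) up front.
  if (!data || length < 0)
    return NULL;

  OSCertHandle cert_handle = NULL;
  if (!CertAddEncodedCertificateToStore(
      NULL,  // the cert won't be persisted in any cert store
      X509_ASN_ENCODING,
      reinterpret_cast<const BYTE*>(data), length,
      CERT_STORE_ADD_USE_EXISTING,
      &cert_handle))
    return NULL;

  return cert_handle;
}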
962 
X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
    const char* data, int length, Format format) {
  // Decodes |data| according to |format|: a lone DER certificate yields at
  // most one handle, a PKCS#7 blob yields whatever ParsePKCS7() extracts,
  // and any other format is a programming error that yields nothing.
  OSCertHandles handles;
  if (format == FORMAT_SINGLE_CERTIFICATE) {
    OSCertHandle single = CreateOSCertHandleFromBytes(data, length);
    if (single != NULL)
      handles.push_back(single);
  } else if (format == FORMAT_PKCS7) {
    handles = ParsePKCS7(data, length);
  } else {
    NOTREACHED() << "Certificate format " << format << " unimplemented";
  }
  return handles;
}
983 
984 
985 // static
X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
    OSCertHandle cert_handle) {
  // Adds a reference to the CryptoAPI context; the copy is released with
  // FreeOSCertHandle(), independently of |cert_handle|.
  return CertDuplicateCertificateContext(cert_handle);
}
990 
991 // static
void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
  // Drops one reference on the CryptoAPI context obtained from
  // CreateOSCertHandleFromBytes(), ReadCertHandleFromPickle() or
  // DupOSCertHandle().
  CertFreeCertificateContext(cert_handle);
}
995 
996 // static
SHA1Fingerprint X509Certificate::CalculateFingerprint(
    OSCertHandle cert) {
  // SHA-1 over the certificate's DER encoding.  Hashing is expected to
  // succeed; if CryptoAPI nevertheless fails, an all-zero fingerprint is
  // returned so callers never see uninitialized bytes.
  DCHECK(NULL != cert->pbCertEncoded);
  DCHECK(0 != cert->cbCertEncoded);

  SHA1Fingerprint fingerprint;
  DWORD digest_size = sizeof(fingerprint.data);
  const BOOL hashed = CryptHashCertificate(NULL, CALG_SHA1, 0,
                                          cert->pbCertEncoded,
                                          cert->cbCertEncoded,
                                          fingerprint.data, &digest_size);
  DCHECK(hashed && digest_size == sizeof(fingerprint.data));
  if (!hashed)
    memset(fingerprint.data, 0, sizeof(fingerprint.data));
  return fingerprint;
}
1012 
1013 // static
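X509Certificate::OSCertHandle
X509Certificate::ReadCertHandleFromPickle(const Pickle& pickle,
                                          void** pickle_iter) {
  // Reads one serialized certificate store element from |pickle| at
  // |*pickle_iter| and recreates a CryptoAPI context for it (not attached
  // to any store).  Returns NULL if the pickle is exhausted, malformed, or
  // CryptoAPI rejects the element; the caller owns the returned handle.
  const char* data;
  int length;
  if (!pickle.ReadData(pickle_iter, &data, &length))
    return NULL;
  // |length| comes from the pickle payload and is widened to a DWORD below;
  // a negative value would become a huge byte count and read past |data|.
  // A zero-length or NULL element cannot hold a certificate either.
  if (!data || length <= 0)
    return NULL;

  OSCertHandle cert_handle = NULL;
  if (!CertAddSerializedElementToStore(
          NULL,  // the cert won't be persisted in any cert store
          reinterpret_cast<const BYTE*>(data), length,
          CERT_STORE_ADD_USE_EXISTING, 0, CERT_STORE_CERTIFICATE_CONTEXT_FLAG,
          NULL, reinterpret_cast<const void **>(&cert_handle))) {
    return NULL;
  }

  return cert_handle;
}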
1033 
1034 // static
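bool X509Certificate::WriteCertHandleToPickle(OSCertHandle cert_handle,
                                              Pickle* pickle) {
  // Appends |cert_handle| to |pickle| as a serialized certificate store
  // element, the inverse of ReadCertHandleFromPickle().  Returns false if
  // CryptoAPI cannot serialize the handle or pickling fails.
  //
  // First call measures the element; second call fills the buffer.
  DWORD length = 0;
  if (!CertSerializeCertificateStoreElement(cert_handle, 0, NULL, &length))
    return false;
  // Guard the &buffer[0] accesses below: indexing an empty vector is
  // undefined behaviour, and an empty element is not a usable certificate.
  if (length == 0)
    return false;

  std::vector<BYTE> buffer(length);
  // Serialize |cert_handle| in a way that will preserve any extended
  // attributes set on the handle, such as the location to the certificate's
  // private key.
  if (!CertSerializeCertificateStoreElement(cert_handle, 0, &buffer[0],
                                            &length)) {
    return false;
  }

  return pickle->WriteData(reinterpret_cast<const char*>(&buffer[0]),
                           length);
}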
1053 
1054 }  // namespace net
1055