xref: /aosp_15_r20/external/cronet/net/cert/x509_util_win.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/x509_util_win.h"
6 
7 #include <string_view>
8 
9 #include "base/logging.h"
10 #include "crypto/scoped_capi_types.h"
11 #include "crypto/sha2.h"
12 #include "net/cert/x509_certificate.h"
13 #include "net/cert/x509_util.h"
14 #include "net/net_buildflags.h"
15 #include "third_party/boringssl/src/include/openssl/pool.h"
16 
17 namespace net {
18 
19 namespace x509_util {
20 
CreateX509CertificateFromCertContexts(PCCERT_CONTEXT os_cert,const std::vector<PCCERT_CONTEXT> & os_chain)21 scoped_refptr<X509Certificate> CreateX509CertificateFromCertContexts(
22     PCCERT_CONTEXT os_cert,
23     const std::vector<PCCERT_CONTEXT>& os_chain) {
24   return CreateX509CertificateFromCertContexts(os_cert, os_chain, {});
25 }
26 
CreateX509CertificateFromCertContexts(PCCERT_CONTEXT os_cert,const std::vector<PCCERT_CONTEXT> & os_chain,X509Certificate::UnsafeCreateOptions options)27 scoped_refptr<X509Certificate> CreateX509CertificateFromCertContexts(
28     PCCERT_CONTEXT os_cert,
29     const std::vector<PCCERT_CONTEXT>& os_chain,
30     X509Certificate::UnsafeCreateOptions options) {
31   if (!os_cert || !os_cert->pbCertEncoded || !os_cert->cbCertEncoded)
32     return nullptr;
33   bssl::UniquePtr<CRYPTO_BUFFER> cert_handle(x509_util::CreateCryptoBuffer(
34       base::make_span(os_cert->pbCertEncoded, os_cert->cbCertEncoded)));
35 
36   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
37   for (PCCERT_CONTEXT os_intermediate : os_chain) {
38     if (!os_intermediate || !os_intermediate->pbCertEncoded ||
39         !os_intermediate->cbCertEncoded)
40       return nullptr;
41     intermediates.push_back(x509_util::CreateCryptoBuffer(base::make_span(
42         os_intermediate->pbCertEncoded, os_intermediate->cbCertEncoded)));
43   }
44 
45   return X509Certificate::CreateFromBufferUnsafeOptions(
46       std::move(cert_handle), std::move(intermediates), options);
47 }
48 
CreateCertContextWithChain(const X509Certificate * cert)49 crypto::ScopedPCCERT_CONTEXT CreateCertContextWithChain(
50     const X509Certificate* cert) {
51   return CreateCertContextWithChain(cert, InvalidIntermediateBehavior::kFail);
52 }
53 
CreateCertContextWithChain(const X509Certificate * cert,InvalidIntermediateBehavior invalid_intermediate_behavior)54 crypto::ScopedPCCERT_CONTEXT CreateCertContextWithChain(
55     const X509Certificate* cert,
56     InvalidIntermediateBehavior invalid_intermediate_behavior) {
57   // Create an in-memory certificate store to hold the certificate and its
58   // intermediate certificates. The store will be referenced in the returned
59   // PCCERT_CONTEXT, and will not be freed until the PCCERT_CONTEXT is freed.
60   crypto::ScopedHCERTSTORE store(
61       CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL,
62                     CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, nullptr));
63   if (!store.is_valid())
64     return nullptr;
65 
66   PCCERT_CONTEXT primary_cert = nullptr;
67 
68   BOOL ok = CertAddEncodedCertificateToStore(
69       store.get(), X509_ASN_ENCODING, CRYPTO_BUFFER_data(cert->cert_buffer()),
70       base::checked_cast<DWORD>(CRYPTO_BUFFER_len(cert->cert_buffer())),
71       CERT_STORE_ADD_ALWAYS, &primary_cert);
72   if (!ok || !primary_cert)
73     return nullptr;
74   crypto::ScopedPCCERT_CONTEXT scoped_primary_cert(primary_cert);
75 
76   for (const auto& intermediate : cert->intermediate_buffers()) {
77     ok = CertAddEncodedCertificateToStore(
78         store.get(), X509_ASN_ENCODING, CRYPTO_BUFFER_data(intermediate.get()),
79         base::checked_cast<DWORD>(CRYPTO_BUFFER_len(intermediate.get())),
80         CERT_STORE_ADD_ALWAYS, nullptr);
81     if (!ok) {
82       if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail)
83         return nullptr;
84       LOG(WARNING) << "error parsing intermediate";
85     }
86   }
87 
88   // Note: |primary_cert| retains a reference to |store|, so the store will
89   // actually be freed when |primary_cert| is freed.
90   return scoped_primary_cert;
91 }
92 
CalculateFingerprint256(PCCERT_CONTEXT cert)93 SHA256HashValue CalculateFingerprint256(PCCERT_CONTEXT cert) {
94   DCHECK(nullptr != cert->pbCertEncoded);
95   DCHECK_NE(0u, cert->cbCertEncoded);
96 
97   SHA256HashValue sha256;
98 
99   // Use crypto::SHA256HashString for two reasons:
100   // * < Windows Vista does not have universal SHA-256 support.
101   // * More efficient on Windows > Vista (less overhead since non-default CSP
102   // is not needed).
103   std::string_view der_cert(reinterpret_cast<const char*>(cert->pbCertEncoded),
104                             cert->cbCertEncoded);
105   crypto::SHA256HashString(der_cert, sha256.data, sizeof(sha256.data));
106   return sha256;
107 }
108 
IsSelfSigned(PCCERT_CONTEXT cert_handle)109 bool IsSelfSigned(PCCERT_CONTEXT cert_handle) {
110   bool valid_signature = !!CryptVerifyCertificateSignatureEx(
111       NULL, X509_ASN_ENCODING, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
112       reinterpret_cast<void*>(const_cast<PCERT_CONTEXT>(cert_handle)),
113       CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
114       reinterpret_cast<void*>(const_cast<PCERT_CONTEXT>(cert_handle)), 0,
115       nullptr);
116   if (!valid_signature)
117     return false;
118   return !!CertCompareCertificateName(X509_ASN_ENCODING,
119                                       &cert_handle->pCertInfo->Subject,
120                                       &cert_handle->pCertInfo->Issuer);
121 }
122 
123 }  // namespace x509_util
124 
125 }  // namespace net
126