xref: /aosp_15_r20/external/cronet/net/cert/x509_util_apple.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/x509_util_apple.h"
6 
7 #include <CommonCrypto/CommonDigest.h>
8 
9 #include <string>
10 
11 #include "base/check_op.h"
12 #include "base/logging.h"
13 #include "base/notreached.h"
14 #include "base/numerics/safe_conversions.h"
15 #include "build/build_config.h"
16 #include "net/cert/x509_certificate.h"
17 #include "net/cert/x509_util.h"
18 #include "third_party/boringssl/src/include/openssl/pool.h"
19 
20 namespace net {
21 namespace x509_util {
22 
23 namespace {
24 
CertBufferFromSecCertificate(SecCertificateRef sec_cert)25 bssl::UniquePtr<CRYPTO_BUFFER> CertBufferFromSecCertificate(
26     SecCertificateRef sec_cert) {
27   if (!sec_cert) {
28     return nullptr;
29   }
30   base::apple::ScopedCFTypeRef<CFDataRef> der_data(
31       SecCertificateCopyData(sec_cert));
32   if (!der_data) {
33     return nullptr;
34   }
35   return CreateCryptoBuffer(base::make_span(
36       CFDataGetBytePtr(der_data.get()),
37       base::checked_cast<size_t>(CFDataGetLength(der_data.get()))));
38 }
39 
40 }  // namespace
41 
CreateSecCertificateFromBytes(base::span<const uint8_t> data)42 base::apple::ScopedCFTypeRef<SecCertificateRef> CreateSecCertificateFromBytes(
43     base::span<const uint8_t> data) {
44   base::apple::ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreate(
45       kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data.data()),
46       base::checked_cast<CFIndex>(data.size())));
47   if (!cert_data) {
48     return base::apple::ScopedCFTypeRef<SecCertificateRef>();
49   }
50 
51   return base::apple::ScopedCFTypeRef<SecCertificateRef>(
52       SecCertificateCreateWithData(nullptr, cert_data.get()));
53 }
54 
55 base::apple::ScopedCFTypeRef<SecCertificateRef>
CreateSecCertificateFromX509Certificate(const X509Certificate * cert)56 CreateSecCertificateFromX509Certificate(const X509Certificate* cert) {
57   return CreateSecCertificateFromBytes(CryptoBufferAsSpan(cert->cert_buffer()));
58 }
59 
60 base::apple::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate * cert)61 CreateSecCertificateArrayForX509Certificate(X509Certificate* cert) {
62   return CreateSecCertificateArrayForX509Certificate(
63       cert, InvalidIntermediateBehavior::kFail);
64 }
65 
66 base::apple::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate * cert,InvalidIntermediateBehavior invalid_intermediate_behavior)67 CreateSecCertificateArrayForX509Certificate(
68     X509Certificate* cert,
69     InvalidIntermediateBehavior invalid_intermediate_behavior) {
70   base::apple::ScopedCFTypeRef<CFMutableArrayRef> cert_list(
71       CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
72   if (!cert_list)
73     return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
74   std::string bytes;
75   base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert(
76       CreateSecCertificateFromBytes(CryptoBufferAsSpan(cert->cert_buffer())));
77   if (!sec_cert) {
78     return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
79   }
80   CFArrayAppendValue(cert_list.get(), sec_cert.get());
81   for (const auto& intermediate : cert->intermediate_buffers()) {
82     base::apple::ScopedCFTypeRef<SecCertificateRef> intermediate_cert(
83         CreateSecCertificateFromBytes(CryptoBufferAsSpan(intermediate.get())));
84     if (!intermediate_cert) {
85       if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail)
86         return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
87       LOG(WARNING) << "error parsing intermediate";
88       continue;
89     }
90     CFArrayAppendValue(cert_list.get(), intermediate_cert.get());
91   }
92   return cert_list;
93 }
94 
CreateX509CertificateFromSecCertificate(base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>> & sec_chain)95 scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
96     base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,
97     const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>>&
98         sec_chain) {
99   return CreateX509CertificateFromSecCertificate(sec_cert, sec_chain, {});
100 }
101 
CreateX509CertificateFromSecCertificate(base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>> & sec_chain,X509Certificate::UnsafeCreateOptions options)102 scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
103     base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,
104     const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>>&
105         sec_chain,
106     X509Certificate::UnsafeCreateOptions options) {
107   bssl::UniquePtr<CRYPTO_BUFFER> cert_handle =
108       CertBufferFromSecCertificate(sec_cert.get());
109   if (!cert_handle) {
110     return nullptr;
111   }
112   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
113   for (const auto& sec_intermediate : sec_chain) {
114     bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle =
115         CertBufferFromSecCertificate(sec_intermediate.get());
116     if (!intermediate_cert_handle) {
117       return nullptr;
118     }
119     intermediates.push_back(std::move(intermediate_cert_handle));
120   }
121   scoped_refptr<X509Certificate> result(
122       X509Certificate::CreateFromBufferUnsafeOptions(
123           std::move(cert_handle), std::move(intermediates), options));
124   return result;
125 }
126 
CalculateFingerprint256(SecCertificateRef cert)127 SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
128   SHA256HashValue sha256;
129   memset(sha256.data, 0, sizeof(sha256.data));
130 
131   base::apple::ScopedCFTypeRef<CFDataRef> cert_data(
132       SecCertificateCopyData(cert));
133   if (!cert_data) {
134     return sha256;
135   }
136 
137   DCHECK(CFDataGetBytePtr(cert_data.get()));
138   DCHECK_NE(CFDataGetLength(cert_data.get()), 0);
139 
140   CC_SHA256(CFDataGetBytePtr(cert_data.get()), CFDataGetLength(cert_data.get()),
141             sha256.data);
142 
143   return sha256;
144 }
145 
CertificateChainFromSecTrust(SecTrustRef trust)146 base::apple::ScopedCFTypeRef<CFArrayRef> CertificateChainFromSecTrust(
147     SecTrustRef trust) {
148   if (__builtin_available(macOS 12.0, iOS 15.0, *)) {
149     return base::apple::ScopedCFTypeRef<CFArrayRef>(
150         SecTrustCopyCertificateChain(trust));
151   }
152 
153 // TODO(crbug.com/1426476): Remove code when it is no longer needed.
154 #if (BUILDFLAG(IS_MAC) &&                                    \
155      MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_VERSION_12_0) || \
156     (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < __IPHONE_15_0)
157   base::apple::ScopedCFTypeRef<CFMutableArrayRef> chain(
158       CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
159   const CFIndex chain_length = SecTrustGetCertificateCount(trust);
160   for (CFIndex i = 0; i < chain_length; ++i) {
161     CFArrayAppendValue(chain.get(), SecTrustGetCertificateAtIndex(trust, i));
162   }
163   return chain;
164 
165 #else
166   // The other logic paths should be used, this is just to make the compiler
167   // happy.
168   NOTREACHED();
169   return base::apple::ScopedCFTypeRef<CFArrayRef>(nullptr);
170 #endif  // (BUILDFLAG(IS_MAC) && MAC_OS_X_VERSION_MIN_REQUIRED <
171         // MAC_OS_VERSION_12_0)
172         // || (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED <
173         // __IPHONE_15_0)
174 }
175 
176 }  // namespace x509_util
177 }  // namespace net
178