1*6777b538SAndroid Build Coastguard Worker // Copyright 2011 The Chromium Authors 2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be 3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file. 4*6777b538SAndroid Build Coastguard Worker 5*6777b538SAndroid Build Coastguard Worker #ifndef NET_CERT_X509_UTIL_NSS_H_ 6*6777b538SAndroid Build Coastguard Worker #define NET_CERT_X509_UTIL_NSS_H_ 7*6777b538SAndroid Build Coastguard Worker 8*6777b538SAndroid Build Coastguard Worker #include <stddef.h> 9*6777b538SAndroid Build Coastguard Worker 10*6777b538SAndroid Build Coastguard Worker #include <string> 11*6777b538SAndroid Build Coastguard Worker #include <vector> 12*6777b538SAndroid Build Coastguard Worker 13*6777b538SAndroid Build Coastguard Worker #include "crypto/scoped_nss_types.h" 14*6777b538SAndroid Build Coastguard Worker #include "net/base/net_export.h" 15*6777b538SAndroid Build Coastguard Worker #include "net/cert/cert_type.h" 16*6777b538SAndroid Build Coastguard Worker #include "net/cert/scoped_nss_types.h" 17*6777b538SAndroid Build Coastguard Worker #include "net/cert/x509_certificate.h" 18*6777b538SAndroid Build Coastguard Worker 19*6777b538SAndroid Build Coastguard Worker typedef struct CERTCertificateStr CERTCertificate; 20*6777b538SAndroid Build Coastguard Worker typedef struct CERTNameStr CERTName; 21*6777b538SAndroid Build Coastguard Worker typedef struct PK11SlotInfoStr PK11SlotInfo; 22*6777b538SAndroid Build Coastguard Worker typedef struct SECItemStr SECItem; 23*6777b538SAndroid Build Coastguard Worker 24*6777b538SAndroid Build Coastguard Worker namespace net::x509_util { 25*6777b538SAndroid Build Coastguard Worker 26*6777b538SAndroid Build Coastguard Worker // Returns true if two certificate handles refer to identical certificates. 27*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool IsSameCertificate(CERTCertificate* a, CERTCertificate* b); 28*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool IsSameCertificate(CERTCertificate* a, const X509Certificate* b); 29*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool IsSameCertificate(const X509Certificate* a, CERTCertificate* b); 30*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool IsSameCertificate(CERTCertificate* a, const CRYPTO_BUFFER* b); 31*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool IsSameCertificate(const CRYPTO_BUFFER* a, CERTCertificate* b); 32*6777b538SAndroid Build Coastguard Worker 33*6777b538SAndroid Build Coastguard Worker // Returns a CERTCertificate handle from the DER-encoded representation. The 34*6777b538SAndroid Build Coastguard Worker // returned value may reference an already existing CERTCertificate object. 35*6777b538SAndroid Build Coastguard Worker // Returns NULL on failure. 36*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificate 37*6777b538SAndroid Build Coastguard Worker CreateCERTCertificateFromBytes(base::span<const uint8_t> data); 38*6777b538SAndroid Build Coastguard Worker 39*6777b538SAndroid Build Coastguard Worker // Returns a CERTCertificate handle from |cert|. The returned value may 40*6777b538SAndroid Build Coastguard Worker // reference an already existing CERTCertificate object. Returns NULL on 41*6777b538SAndroid Build Coastguard Worker // failure. 42*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificate 43*6777b538SAndroid Build Coastguard Worker CreateCERTCertificateFromX509Certificate(const X509Certificate* cert); 44*6777b538SAndroid Build Coastguard Worker 45*6777b538SAndroid Build Coastguard Worker // Returns a vector of CERTCertificates corresponding to |cert| and its 46*6777b538SAndroid Build Coastguard Worker // intermediates (if any). Returns an empty vector on failure. 47*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificateList 48*6777b538SAndroid Build Coastguard Worker CreateCERTCertificateListFromX509Certificate(const X509Certificate* cert); 49*6777b538SAndroid Build Coastguard Worker 50*6777b538SAndroid Build Coastguard Worker // Specify behavior if an intermediate certificate fails CERTCertificate 51*6777b538SAndroid Build Coastguard Worker // parsing. kFail means the function should return a failure result 52*6777b538SAndroid Build Coastguard Worker // immediately. kIgnore means the invalid intermediate is not added to the 53*6777b538SAndroid Build Coastguard Worker // output container. 54*6777b538SAndroid Build Coastguard Worker enum class InvalidIntermediateBehavior { kFail, kIgnore }; 55*6777b538SAndroid Build Coastguard Worker 56*6777b538SAndroid Build Coastguard Worker // Returns a vector of CERTCertificates corresponding to |cert| and its 57*6777b538SAndroid Build Coastguard Worker // intermediates (if any). Returns an empty vector if the certificate could not 58*6777b538SAndroid Build Coastguard Worker // be converted. |invalid_intermediate_behavior| specifies behavior if 59*6777b538SAndroid Build Coastguard Worker // intermediates of |cert| could not be converted. 60*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificateList 61*6777b538SAndroid Build Coastguard Worker CreateCERTCertificateListFromX509Certificate( 62*6777b538SAndroid Build Coastguard Worker const X509Certificate* cert, 63*6777b538SAndroid Build Coastguard Worker InvalidIntermediateBehavior invalid_intermediate_behavior); 64*6777b538SAndroid Build Coastguard Worker 65*6777b538SAndroid Build Coastguard Worker // Parses all of the certificates possible from |data|. |format| is a 66*6777b538SAndroid Build Coastguard Worker // bit-wise OR of X509Certificate::Format, indicating the possible formats the 67*6777b538SAndroid Build Coastguard Worker // certificates may have been serialized as. If an error occurs, an empty 68*6777b538SAndroid Build Coastguard Worker // collection will be returned. 69*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificateList 70*6777b538SAndroid Build Coastguard Worker CreateCERTCertificateListFromBytes(const char* data, size_t length, int format); 71*6777b538SAndroid Build Coastguard Worker 72*6777b538SAndroid Build Coastguard Worker // Increments the refcount of |cert| and returns a handle for that reference. 73*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificate DupCERTCertificate(CERTCertificate* cert); 74*6777b538SAndroid Build Coastguard Worker 75*6777b538SAndroid Build Coastguard Worker // Increments the refcount of each element in |cerst| and returns a list of 76*6777b538SAndroid Build Coastguard Worker // handles for them. 77*6777b538SAndroid Build Coastguard Worker NET_EXPORT ScopedCERTCertificateList 78*6777b538SAndroid Build Coastguard Worker DupCERTCertificateList(const ScopedCERTCertificateList& certs); 79*6777b538SAndroid Build Coastguard Worker 80*6777b538SAndroid Build Coastguard Worker // Creates an X509Certificate from |cert|, with intermediates from |chain|. 81*6777b538SAndroid Build Coastguard Worker // Returns NULL on failure. 82*6777b538SAndroid Build Coastguard Worker NET_EXPORT scoped_refptr<X509Certificate> 83*6777b538SAndroid Build Coastguard Worker CreateX509CertificateFromCERTCertificate( 84*6777b538SAndroid Build Coastguard Worker CERTCertificate* cert, 85*6777b538SAndroid Build Coastguard Worker const std::vector<CERTCertificate*>& chain); 86*6777b538SAndroid Build Coastguard Worker 87*6777b538SAndroid Build Coastguard Worker // Creates an X509Certificate with non-standard parsing options. 88*6777b538SAndroid Build Coastguard Worker // Do not use without consulting //net owners. 89*6777b538SAndroid Build Coastguard Worker NET_EXPORT scoped_refptr<X509Certificate> 90*6777b538SAndroid Build Coastguard Worker CreateX509CertificateFromCERTCertificate( 91*6777b538SAndroid Build Coastguard Worker CERTCertificate* cert, 92*6777b538SAndroid Build Coastguard Worker const std::vector<CERTCertificate*>& chain, 93*6777b538SAndroid Build Coastguard Worker X509Certificate::UnsafeCreateOptions options); 94*6777b538SAndroid Build Coastguard Worker 95*6777b538SAndroid Build Coastguard Worker // Creates an X509Certificate from |cert|, with no intermediates. 96*6777b538SAndroid Build Coastguard Worker // Returns NULL on failure. 97*6777b538SAndroid Build Coastguard Worker NET_EXPORT scoped_refptr<X509Certificate> 98*6777b538SAndroid Build Coastguard Worker CreateX509CertificateFromCERTCertificate(CERTCertificate* cert); 99*6777b538SAndroid Build Coastguard Worker 100*6777b538SAndroid Build Coastguard Worker // Creates an X509Certificate for each element in |certs|. 101*6777b538SAndroid Build Coastguard Worker // Returns an empty list on failure. 102*6777b538SAndroid Build Coastguard Worker NET_EXPORT CertificateList CreateX509CertificateListFromCERTCertificates( 103*6777b538SAndroid Build Coastguard Worker const ScopedCERTCertificateList& certs); 104*6777b538SAndroid Build Coastguard Worker 105*6777b538SAndroid Build Coastguard Worker // Obtains the DER encoded certificate data for |cert|. On success, returns 106*6777b538SAndroid Build Coastguard Worker // true and writes the DER encoded certificate to |*der_encoded|. 107*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool GetDEREncoded(CERTCertificate* cert, std::string* der_encoded); 108*6777b538SAndroid Build Coastguard Worker 109*6777b538SAndroid Build Coastguard Worker // Obtains the PEM encoded certificate data for |cert|. On success, returns 110*6777b538SAndroid Build Coastguard Worker // true and writes the PEM encoded certificate to |*pem_encoded|. 111*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool GetPEMEncoded(CERTCertificate* cert, std::string* pem_encoded); 112*6777b538SAndroid Build Coastguard Worker 113*6777b538SAndroid Build Coastguard Worker // Stores the values of all rfc822Name subjectAltNames from |cert_handle| 114*6777b538SAndroid Build Coastguard Worker // into |names|. If no names are present, clears |names|. 115*6777b538SAndroid Build Coastguard Worker // WARNING: This method does not validate that the rfc822Name is 116*6777b538SAndroid Build Coastguard Worker // properly encoded; it MAY contain embedded NULs or other illegal 117*6777b538SAndroid Build Coastguard Worker // characters; care should be taken to validate the well-formedness 118*6777b538SAndroid Build Coastguard Worker // before using. 119*6777b538SAndroid Build Coastguard Worker NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle, 120*6777b538SAndroid Build Coastguard Worker std::vector<std::string>* names); 121*6777b538SAndroid Build Coastguard Worker 122*6777b538SAndroid Build Coastguard Worker // Stores the values of all Microsoft UPN subjectAltNames from |cert_handle| 123*6777b538SAndroid Build Coastguard Worker // into |names|. If no names are present, clears |names|. 124*6777b538SAndroid Build Coastguard Worker // 125*6777b538SAndroid Build Coastguard Worker // A "Microsoft UPN subjectAltName" is an OtherName value whose type-id 126*6777b538SAndroid Build Coastguard Worker // is equal to 1.3.6.1.4.1.311.20.2.3 (known as either id-ms-san-sc-logon-upn, 127*6777b538SAndroid Build Coastguard Worker // as described in RFC 4556, or as szOID_NT_PRINCIPAL_NAME, as 128*6777b538SAndroid Build Coastguard Worker // documented in Microsoft KB287547). 129*6777b538SAndroid Build Coastguard Worker // The value field is a UTF8String literal. 130*6777b538SAndroid Build Coastguard Worker // For more information: 131*6777b538SAndroid Build Coastguard Worker // https://www.ietf.org/mail-archive/web/pkix/current/msg03145.html 132*6777b538SAndroid Build Coastguard Worker // https://www.ietf.org/proceedings/65/slides/pkix-4/sld1.htm 133*6777b538SAndroid Build Coastguard Worker // https://tools.ietf.org/html/rfc4556 134*6777b538SAndroid Build Coastguard Worker // 135*6777b538SAndroid Build Coastguard Worker // WARNING: This method does not validate that the name is 136*6777b538SAndroid Build Coastguard Worker // properly encoded; it MAY contain embedded NULs or other illegal 137*6777b538SAndroid Build Coastguard Worker // characters; care should be taken to validate the well-formedness 138*6777b538SAndroid Build Coastguard Worker // before using. 139*6777b538SAndroid Build Coastguard Worker NET_EXPORT void GetUPNSubjectAltNames(CERTCertificate* cert_handle, 140*6777b538SAndroid Build Coastguard Worker std::vector<std::string>* names); 141*6777b538SAndroid Build Coastguard Worker 142*6777b538SAndroid Build Coastguard Worker // Generates a unique nickname for |nss_cert| based on the |type| and |slot|. 143*6777b538SAndroid Build Coastguard Worker NET_EXPORT std::string GetDefaultUniqueNickname(CERTCertificate* nss_cert, 144*6777b538SAndroid Build Coastguard Worker CertType type, 145*6777b538SAndroid Build Coastguard Worker PK11SlotInfo* slot); 146*6777b538SAndroid Build Coastguard Worker 147*6777b538SAndroid Build Coastguard Worker // Returns a name that can be used to represent the principal. It tries in 148*6777b538SAndroid Build Coastguard Worker // this order: CN, O and OU and returns the first non-empty one found. 149*6777b538SAndroid Build Coastguard Worker // This mirrors net::CertPrincipal::GetDisplayName. 150*6777b538SAndroid Build Coastguard Worker NET_EXPORT std::string GetCERTNameDisplayName(CERTName* name); 151*6777b538SAndroid Build Coastguard Worker 152*6777b538SAndroid Build Coastguard Worker // Stores the notBefore and notAfter times from |cert| into |*not_before| and 153*6777b538SAndroid Build Coastguard Worker // |*not_after|, returning true if successful. |not_before| or |not_after| may 154*6777b538SAndroid Build Coastguard Worker // be null. 155*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool GetValidityTimes(CERTCertificate* cert, 156*6777b538SAndroid Build Coastguard Worker base::Time* not_before, 157*6777b538SAndroid Build Coastguard Worker base::Time* not_after); 158*6777b538SAndroid Build Coastguard Worker 159*6777b538SAndroid Build Coastguard Worker // Calculates the SHA-256 fingerprint of the certificate. Returns an empty 160*6777b538SAndroid Build Coastguard Worker // (all zero) fingerprint on failure. 161*6777b538SAndroid Build Coastguard Worker NET_EXPORT SHA256HashValue CalculateFingerprint256(CERTCertificate* cert); 162*6777b538SAndroid Build Coastguard Worker 163*6777b538SAndroid Build Coastguard Worker // Prefer using NSSCertDatabase::ImportUserCert. Temporary public for Kcer. 164*6777b538SAndroid Build Coastguard Worker // Import a user certificate. The private key for the user certificate must 165*6777b538SAndroid Build Coastguard Worker // already be installed, the cert will be installed on the same slot, otherwise 166*6777b538SAndroid Build Coastguard Worker // returns ERR_NO_PRIVATE_KEY_FOR_CERT. If the key exists on multiple slots, 167*6777b538SAndroid Build Coastguard Worker // prioritizes the `preferred_slot`. Returns OK or a network error code. 168*6777b538SAndroid Build Coastguard Worker NET_EXPORT int ImportUserCert(CERTCertificate* cert, 169*6777b538SAndroid Build Coastguard Worker crypto::ScopedPK11Slot preferred_slot); 170*6777b538SAndroid Build Coastguard Worker 171*6777b538SAndroid Build Coastguard Worker } // namespace net::x509_util 172*6777b538SAndroid Build Coastguard Worker 173*6777b538SAndroid Build Coastguard Worker #endif // NET_CERT_X509_UTIL_NSS_H_ 174