x509_certificate.cc | Explore in Territory

// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/x509_certificate.h"

#include <limits.h>
#include <stdlib.h>

#include <memory>
#include <string>
#include <string_view>
#include <vector>

#include "base/containers/contains.h"
#include "base/containers/span.h"
#include "base/logging.h"
#include "base/notreached.h"
#include "base/numerics/safe_conversions.h"
#include "base/pickle.h"
#include "base/strings/strcat.h"
#include "base/strings/string_util.h"
#include "base/time/time.h"
#include "crypto/openssl_util.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "net/base/tracing.h"
#include "net/base/url_util.h"
#include "net/cert/asn1_util.h"
#include "net/cert/time_conversions.h"
#include "net/cert/x509_util.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
#include "third_party/boringssl/src/include/openssl/pool.h"
#include "third_party/boringssl/src/include/openssl/sha.h"
#include "third_party/boringssl/src/pki/cert_errors.h"
#include "third_party/boringssl/src/pki/name_constraints.h"
#include "third_party/boringssl/src/pki/parsed_certificate.h"
#include "third_party/boringssl/src/pki/parser.h"
#include "third_party/boringssl/src/pki/pem.h"
#include "third_party/boringssl/src/pki/signature_algorithm.h"
#include "third_party/boringssl/src/pki/verify_certificate_chain.h"
#include "third_party/boringssl/src/pki/verify_name_match.h"
#include "third_party/boringssl/src/pki/verify_signed_data.h"
#include "url/url_canon.h"

namespace net {

namespace {

// Indicates the order to use when trying to decode binary data, which is
// based on (speculation) as to what will be most common -> least common
constexpr auto kFormatDecodePriority = …;

// The PEM block header used for DER certificates
const char kCertificateHeader[] = …;
// The PEM block header used for PKCS#7 data
const char kPKCS7Header[] = …;

// Utility to split |src| on the first occurrence of |c|, if any. |right| will
// either be empty if |c| was not found, or will contain the remainder of the
// string including the split character itself.
void SplitOnChar(std::string_view src,
                 char c,
                 std::string_view* left,
                 std::string_view* right) { … }

// Sets |value| to the Value from a DER Sequence Tag-Length-Value and return
// true, or return false if the TLV was not a valid DER Sequence.
[[nodiscard]] bool ParseSequenceValue(const bssl::der::Input& tlv,
                                      bssl::der::Input* value) { … }

// Normalize |cert|'s Issuer and store it in |out_normalized_issuer|, returning
// true on success or false if there was a parsing error.
bool GetNormalizedCertIssuer(CRYPTO_BUFFER* cert,
                             std::string* out_normalized_issuer) { … }

bssl::UniquePtr<CRYPTO_BUFFER> CreateCertBufferFromBytesWithSanityCheck(
    base::span<const uint8_t> data) { … }

}  // namespace

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromBuffer(
    bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates) { … }

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromBufferUnsafeOptions(
    bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates,
    UnsafeCreateOptions options) { … }

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromDERCertChain(
    const std::vector<std::string_view>& der_certs) { … }

// static
scoped_refptr<X509Certificate>
X509Certificate::CreateFromDERCertChainUnsafeOptions(
    const std::vector<std::string_view>& der_certs,
    UnsafeCreateOptions options) { … }

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromBytes(
    base::span<const uint8_t> data) { … }

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromBytesUnsafeOptions(
    base::span<const uint8_t> data,
    UnsafeCreateOptions options) { … }

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromPickle(
    base::PickleIterator* pickle_iter) { … }

// static
scoped_refptr<X509Certificate> X509Certificate::CreateFromPickleUnsafeOptions(
    base::PickleIterator* pickle_iter,
    UnsafeCreateOptions options) { … }

// static
CertificateList X509Certificate::CreateCertificateListFromBytes(
    base::span<const uint8_t> data,
    int format) { … }

scoped_refptr<X509Certificate> X509Certificate::CloneWithDifferentIntermediates(
    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates) { … }

void X509Certificate::Persist(base::Pickle* pickle) const { … }

bool X509Certificate::GetSubjectAltName(
    std::vector<std::string>* dns_names,
    std::vector<std::string>* ip_addrs) const { … }

bool X509Certificate::HasExpired() const { … }

bool X509Certificate::EqualsExcludingChain(const X509Certificate* other) const { … }

bool X509Certificate::EqualsIncludingChain(const X509Certificate* other) const { … }

bool X509Certificate::IsIssuedByEncoded(
    const std::vector<std::string>& valid_issuers) const { … }

// static
bool X509Certificate::VerifyHostname(
    std::string_view hostname,
    const std::vector<std::string>& cert_san_dns_names,
    const std::vector<std::string>& cert_san_ip_addrs) { … }

bool X509Certificate::VerifyNameMatch(std::string_view hostname) const { … }

// static
bool X509Certificate::GetPEMEncodedFromDER(std::string_view der_encoded,
                                           std::string* pem_encoded) { … }

// static
bool X509Certificate::GetPEMEncoded(const CRYPTO_BUFFER* cert_buffer,
                                    std::string* pem_encoded) { … }

bool X509Certificate::GetPEMEncodedChain(
    std::vector<std::string>* pem_encoded) const { … }

// static
void X509Certificate::GetPublicKeyInfo(const CRYPTO_BUFFER* cert_buffer,
                                       size_t* size_bits,
                                       PublicKeyType* type) { … }

// static
std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>
X509Certificate::CreateCertBuffersFromBytes(base::span<const uint8_t> data,
                                            Format format) { … }

// static
SHA256HashValue X509Certificate::CalculateFingerprint256(
    const CRYPTO_BUFFER* cert) { … }

SHA256HashValue X509Certificate::CalculateChainFingerprint256() const { … }

// static
bool X509Certificate::IsSelfSigned(CRYPTO_BUFFER* cert_buffer) { … }

X509Certificate::X509Certificate(
    ParsedFields parsed,
    bssl::UniquePtr<CRYPTO_BUFFER> cert_buffer,
    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates)
    : … { … }

X509Certificate::X509Certificate(
    const X509Certificate& other,
    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates)
    : … { … }

X509Certificate::~X509Certificate() = default;

base::span<const uint8_t> X509Certificate::cert_span() const { … }

X509Certificate::ParsedFields::ParsedFields() = default;
X509Certificate::ParsedFields::ParsedFields(const ParsedFields&) = default;
X509Certificate::ParsedFields::ParsedFields(ParsedFields&&) = default;
X509Certificate::ParsedFields::~ParsedFields() = default;

bool X509Certificate::ParsedFields::Initialize(
    const CRYPTO_BUFFER* cert_buffer,
    X509Certificate::UnsafeCreateOptions options) { … }

}  // namespace net
chromium/net/cert/x509_certificate.cc
