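// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/x509_util_apple.h"

#include <CommonCrypto/CommonDigest.h>
#include <Security/Security.h>

#include "base/check_op.h"
#include "base/logging.h"
#include "base/notreached.h"
#include "base/numerics/safe_conversions.h"
#include "build/build_config.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "third_party/boringssl/src/include/openssl/pool.h"

namespace net {
namespace x509_util {

namespace {

// Copies the DER encoding held by |sec_cert| into a BoringSSL CRYPTO_BUFFER.
// Returns nullptr when |sec_cert| is null or when the Security framework does
// not hand back the certificate's bytes.
bssl::UniquePtr<CRYPTO_BUFFER> CertBufferFromSecCertificate(
    SecCertificateRef sec_cert) {
  if (!sec_cert) {
    return nullptr;
  }
  base::apple::ScopedCFTypeRef<CFDataRef> der_data(
      SecCertificateCopyData(sec_cert));
  if (!der_data) {
    return nullptr;
  }
  // checked_cast: CFIndex is signed; a negative or oversized length must not
  // silently become a huge size_t.
  return CreateCryptoBuffer(base::make_span(
      CFDataGetBytePtr(der_data.get()),
      base::checked_cast<size_t>(CFDataGetLength(der_data.get()))));
}

}  // namespace

// Builds a SecCertificateRef from raw DER bytes. Returns a null
// ScopedCFTypeRef when the CFData wrapper cannot be created; the result may
// also be null if SecCertificateCreateWithData rejects the bytes, so callers
// must check it.
base::apple::ScopedCFTypeRef<SecCertificateRef> CreateSecCertificateFromBytes(
    base::span<const uint8_t> data) {
  base::apple::ScopedCFTypeRef<CFDataRef> cert_data(CFDataCreate(
      kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data.data()),
      base::checked_cast<CFIndex>(data.size())));
  if (!cert_data) {
    return base::apple::ScopedCFTypeRef<SecCertificateRef>();
  }

  return base::apple::ScopedCFTypeRef<SecCertificateRef>(
      SecCertificateCreateWithData(nullptr, cert_data.get()));
}

// Converts the leaf certificate of |cert| (intermediates are ignored).
base::apple::ScopedCFTypeRef<SecCertificateRef>
CreateSecCertificateFromX509Certificate(const X509Certificate* cert) {
  return CreateSecCertificateFromBytes(CryptoBufferAsSpan(cert->cert_buffer()));
}

// Convenience overload: an intermediate that cannot be converted makes the
// whole call fail (InvalidIntermediateBehavior::kFail).
base::apple::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(X509Certificate* cert) {
  return CreateSecCertificateArrayForX509Certificate(
      cert, InvalidIntermediateBehavior::kFail);
}

// Builds a CFArray of SecCertificateRefs holding the leaf of |cert| first,
// followed by its intermediates in order. Returns a null ScopedCFTypeRef when
// the array cannot be allocated or the leaf cannot be converted. An
// intermediate that cannot be converted either fails the call (kFail) or is
// logged and skipped, in which case the returned chain is shorter than
// cert->intermediate_buffers().
base::apple::ScopedCFTypeRef<CFMutableArrayRef>
CreateSecCertificateArrayForX509Certificate(
    X509Certificate* cert,
    InvalidIntermediateBehavior invalid_intermediate_behavior) {
  base::apple::ScopedCFTypeRef<CFMutableArrayRef> cert_list(
      CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
  if (!cert_list)
    return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
  base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert(
      CreateSecCertificateFromBytes(CryptoBufferAsSpan(cert->cert_buffer())));
  if (!sec_cert) {
    return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
  }
  CFArrayAppendValue(cert_list.get(), sec_cert.get());
  for (const auto& intermediate : cert->intermediate_buffers()) {
    base::apple::ScopedCFTypeRef<SecCertificateRef> intermediate_cert(
        CreateSecCertificateFromBytes(CryptoBufferAsSpan(intermediate.get())));
    if (!intermediate_cert) {
      if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail)
        return base::apple::ScopedCFTypeRef<CFMutableArrayRef>();
      LOG(WARNING) << "error parsing intermediate";
      continue;
    }
    CFArrayAppendValue(cert_list.get(), intermediate_cert.get());
  }
  return cert_list;
}

// Convenience overload using default (empty) UnsafeCreateOptions.
scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
    base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,
    const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>>&
        sec_chain) {
  return CreateX509CertificateFromSecCertificate(sec_cert, sec_chain, {});
}

// Converts a SecCertificateRef plus its chain into an X509Certificate. Unlike
// CreateSecCertificateArrayForX509Certificate, there is no skip mode here: if
// any element of |sec_chain| cannot be converted the whole call returns
// nullptr. |options| are forwarded to CreateFromBufferUnsafeOptions; their
// "unsafe" relaxations are defined on X509Certificate::UnsafeCreateOptions,
// so callers should pass non-default options deliberately.
scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
    base::apple::ScopedCFTypeRef<SecCertificateRef> sec_cert,
    const std::vector<base::apple::ScopedCFTypeRef<SecCertificateRef>>&
        sec_chain,
    X509Certificate::UnsafeCreateOptions options) {
  bssl::UniquePtr<CRYPTO_BUFFER> cert_handle =
      CertBufferFromSecCertificate(sec_cert.get());
  if (!cert_handle) {
    return nullptr;
  }
  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
  for (const auto& sec_intermediate : sec_chain) {
    bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle =
        CertBufferFromSecCertificate(sec_intermediate.get());
    if (!intermediate_cert_handle) {
      return nullptr;
    }
    intermediates.push_back(std::move(intermediate_cert_handle));
  }
  scoped_refptr<X509Certificate> result(
      X509Certificate::CreateFromBufferUnsafeOptions(
          std::move(cert_handle), std::move(intermediates), options));
  return result;
}

// Computes SHA-256 over the DER encoding of |cert|. If the certificate's
// bytes cannot be retrieved the returned value is all zeros; callers that
// compare fingerprints must treat an all-zero digest as "unknown", not as a
// real hash.
SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
  SHA256HashValue sha256;
  memset(sha256.data, 0, sizeof(sha256.data));

  base::apple::ScopedCFTypeRef<CFDataRef> cert_data(
      SecCertificateCopyData(cert));
  if (!cert_data) {
    return sha256;
  }
  DCHECK(CFDataGetBytePtr(cert_data.get()));
  DCHECK_NE(CFDataGetLength(cert_data.get()), 0);

  // CC_SHA256 takes a 32-bit CC_LONG while CFDataGetLength returns a signed
  // CFIndex; checked_cast makes any truncation fail loudly instead of hashing
  // a prefix of the data.
  CC_SHA256(CFDataGetBytePtr(cert_data.get()),
            base::checked_cast<CC_LONG>(CFDataGetLength(cert_data.get())),
            sha256.data);

  return sha256;
}

// Returns the certificate chain that |trust| evaluated, leaf first as the
// Security framework orders it. On macOS 12 / iOS 15 and later this is a
// single SecTrustCopyCertificateChain call; older deployment targets rebuild
// the array from SecTrustGetCertificateAtIndex.
base::apple::ScopedCFTypeRef<CFArrayRef> CertificateChainFromSecTrust(
    SecTrustRef trust) {
  if (__builtin_available(macOS 12.0, iOS 15.0, *)) {
    return base::apple::ScopedCFTypeRef<CFArrayRef>(
        SecTrustCopyCertificateChain(trust));
  }

  // TODO(crbug.com/1426476): Remove code when it is no longer needed.
#if (BUILDFLAG(IS_MAC) && \
     MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_VERSION_12_0) || \
    (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < __IPHONE_15_0)
  base::apple::ScopedCFTypeRef<CFMutableArrayRef> chain(
      CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
  const CFIndex chain_length = SecTrustGetCertificateCount(trust);
  for (CFIndex i = 0; i < chain_length; ++i) {
    CFArrayAppendValue(chain.get(), SecTrustGetCertificateAtIndex(trust, i));
  }
  return chain;
#else
  // The other logic paths should be used, this is just to make the compiler
  // happy.
  NOTREACHED();
  return base::apple::ScopedCFTypeRef<CFArrayRef>(nullptr);
#endif  // (BUILDFLAG(IS_MAC) && MAC_OS_X_VERSION_MIN_REQUIRED <
        // MAC_OS_VERSION_12_0)
        // || (BUILDFLAG(IS_IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED <
        // __IPHONE_15_0)
}

}  // namespace x509_util
}  // namespace net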