1*6777b538SAndroid Build Coastguard Worker // Copyright 2012 The Chromium Authors 2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be 3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file. 4*6777b538SAndroid Build Coastguard Worker 5*6777b538SAndroid Build Coastguard Worker #ifndef NET_CERT_X509_UTIL_H_ 6*6777b538SAndroid Build Coastguard Worker #define NET_CERT_X509_UTIL_H_ 7*6777b538SAndroid Build Coastguard Worker 8*6777b538SAndroid Build Coastguard Worker #include <stdint.h> 9*6777b538SAndroid Build Coastguard Worker 10*6777b538SAndroid Build Coastguard Worker #include <memory> 11*6777b538SAndroid Build Coastguard Worker #include <string> 12*6777b538SAndroid Build Coastguard Worker #include <string_view> 13*6777b538SAndroid Build Coastguard Worker #include <vector> 14*6777b538SAndroid Build Coastguard Worker 15*6777b538SAndroid Build Coastguard Worker #include "base/containers/span.h" 16*6777b538SAndroid Build Coastguard Worker #include "base/memory/scoped_refptr.h" 17*6777b538SAndroid Build Coastguard Worker #include "base/time/time.h" 18*6777b538SAndroid Build Coastguard Worker #include "crypto/signature_verifier.h" 19*6777b538SAndroid Build Coastguard Worker #include "net/base/hash_value.h" 20*6777b538SAndroid Build Coastguard Worker #include "net/base/net_export.h" 21*6777b538SAndroid Build Coastguard Worker #include "net/cert/x509_certificate.h" 22*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/base.h" 23*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/pool.h" 24*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/pki/parsed_certificate.h" 25*6777b538SAndroid Build Coastguard Worker 26*6777b538SAndroid Build Coastguard Worker namespace crypto { 27*6777b538SAndroid Build Coastguard Worker class RSAPrivateKey; 28*6777b538SAndroid Build Coastguard Worker } 
29*6777b538SAndroid Build Coastguard Worker 30*6777b538SAndroid Build Coastguard Worker namespace net { 31*6777b538SAndroid Build Coastguard Worker 32*6777b538SAndroid Build Coastguard Worker namespace x509_util { 33*6777b538SAndroid Build Coastguard Worker 34*6777b538SAndroid Build Coastguard Worker // Converts each byte vector in |certs_bytes| into an X509Certificate object. 35*6777b538SAndroid Build Coastguard Worker // This will silently drop all input that does not parse, so be careful using 36*6777b538SAndroid Build Coastguard Worker // this. 37*6777b538SAndroid Build Coastguard Worker NET_EXPORT net::CertificateList ConvertToX509CertificatesIgnoreErrors( 38*6777b538SAndroid Build Coastguard Worker const std::vector<std::vector<uint8_t>>& certs_bytes); 39*6777b538SAndroid Build Coastguard Worker 40*6777b538SAndroid Build Coastguard Worker // Parses all certificates with default parsing options. Returns those that 41*6777b538SAndroid Build Coastguard Worker // parse. 42*6777b538SAndroid Build Coastguard Worker // This will silently drop all certs with parsing errors, so be careful using 43*6777b538SAndroid Build Coastguard Worker // this. 44*6777b538SAndroid Build Coastguard Worker NET_EXPORT bssl::ParsedCertificateList ParseAllValidCerts( 45*6777b538SAndroid Build Coastguard Worker const CertificateList& x509_certs); 46*6777b538SAndroid Build Coastguard Worker 47*6777b538SAndroid Build Coastguard Worker // Supported digest algorithms for signing certificates. 48*6777b538SAndroid Build Coastguard Worker enum DigestAlgorithm { DIGEST_SHA256 }; 49*6777b538SAndroid Build Coastguard Worker 50*6777b538SAndroid Build Coastguard Worker // Adds an RFC 5280 Time value to the given CBB. 51*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool CBBAddTime(CBB* cbb, base::Time time); 52*6777b538SAndroid Build Coastguard Worker 53*6777b538SAndroid Build Coastguard Worker // Adds an X.509 name to |cbb|. 
The name is determined by parsing |name| as 54*6777b538SAndroid Build Coastguard Worker // a comma-separated list of type=value pairs, such as "O=Organization, 55*6777b538SAndroid Build Coastguard Worker // CN=Common Name". 56*6777b538SAndroid Build Coastguard Worker // 57*6777b538SAndroid Build Coastguard Worker // WARNING: This function does not implement the full RFC 4514 syntax for 58*6777b538SAndroid Build Coastguard Worker // distinguished names. It should only be used if |name| is a constant 59*6777b538SAndroid Build Coastguard Worker // value, rather than programmatically constructed. If programmatic support 60*6777b538SAndroid Build Coastguard Worker // is needed, this input should be replaced with a richer type. 61*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool AddName(CBB* cbb, std::string_view name); 62*6777b538SAndroid Build Coastguard Worker 63*6777b538SAndroid Build Coastguard Worker // Generate a 'tls-server-end-point' channel binding based on the specified 64*6777b538SAndroid Build Coastguard Worker // certificate. Channel bindings are based on RFC 5929. 65*6777b538SAndroid Build Coastguard Worker NET_EXPORT_PRIVATE bool GetTLSServerEndPointChannelBinding( 66*6777b538SAndroid Build Coastguard Worker const X509Certificate& certificate, 67*6777b538SAndroid Build Coastguard Worker std::string* token); 68*6777b538SAndroid Build Coastguard Worker 69*6777b538SAndroid Build Coastguard Worker // Creates a public-private keypair and a self-signed certificate. 70*6777b538SAndroid Build Coastguard Worker // Subject, serial number and validity period are given as parameters. 71*6777b538SAndroid Build Coastguard Worker // The certificate is signed by the private key in |key|. The key length and 72*6777b538SAndroid Build Coastguard Worker // signature algorithm may be updated periodically to match best practices. 
73*6777b538SAndroid Build Coastguard Worker // 74*6777b538SAndroid Build Coastguard Worker // |subject| specifies the subject and issuer names as in AddName() 75*6777b538SAndroid Build Coastguard Worker // 76*6777b538SAndroid Build Coastguard Worker // SECURITY WARNING 77*6777b538SAndroid Build Coastguard Worker // 78*6777b538SAndroid Build Coastguard Worker // Using self-signed certificates has the following security risks: 79*6777b538SAndroid Build Coastguard Worker // 1. Encryption without authentication and thus vulnerable to 80*6777b538SAndroid Build Coastguard Worker // man-in-the-middle attacks. 81*6777b538SAndroid Build Coastguard Worker // 2. Self-signed certificates cannot be revoked. 82*6777b538SAndroid Build Coastguard Worker // 83*6777b538SAndroid Build Coastguard Worker // Use this certificate only after the above risks are acknowledged. 84*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool CreateKeyAndSelfSignedCert( 85*6777b538SAndroid Build Coastguard Worker std::string_view subject, 86*6777b538SAndroid Build Coastguard Worker uint32_t serial_number, 87*6777b538SAndroid Build Coastguard Worker base::Time not_valid_before, 88*6777b538SAndroid Build Coastguard Worker base::Time not_valid_after, 89*6777b538SAndroid Build Coastguard Worker std::unique_ptr<crypto::RSAPrivateKey>* key, 90*6777b538SAndroid Build Coastguard Worker std::string* der_cert); 91*6777b538SAndroid Build Coastguard Worker 92*6777b538SAndroid Build Coastguard Worker struct NET_EXPORT Extension { 93*6777b538SAndroid Build Coastguard Worker Extension(base::span<const uint8_t> oid, 94*6777b538SAndroid Build Coastguard Worker bool critical, 95*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> contents); 96*6777b538SAndroid Build Coastguard Worker ~Extension(); 97*6777b538SAndroid Build Coastguard Worker Extension(const Extension&); 98*6777b538SAndroid Build Coastguard Worker 99*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> oid; 
100*6777b538SAndroid Build Coastguard Worker bool critical; 101*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> contents; 102*6777b538SAndroid Build Coastguard Worker }; 103*6777b538SAndroid Build Coastguard Worker 104*6777b538SAndroid Build Coastguard Worker // Create a certificate signed by |issuer_key| and write it to |der_encoded|. 105*6777b538SAndroid Build Coastguard Worker // 106*6777b538SAndroid Build Coastguard Worker // |subject| and |issuer| specify names as in AddName(). If you want to create 107*6777b538SAndroid Build Coastguard Worker // a self-signed certificate, see |CreateSelfSignedCert|. 108*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool CreateCert(EVP_PKEY* subject_key, 109*6777b538SAndroid Build Coastguard Worker DigestAlgorithm digest_alg, 110*6777b538SAndroid Build Coastguard Worker std::string_view subject, 111*6777b538SAndroid Build Coastguard Worker uint32_t serial_number, 112*6777b538SAndroid Build Coastguard Worker base::Time not_valid_before, 113*6777b538SAndroid Build Coastguard Worker base::Time not_valid_after, 114*6777b538SAndroid Build Coastguard Worker const std::vector<Extension>& extension_specs, 115*6777b538SAndroid Build Coastguard Worker std::string_view issuer, 116*6777b538SAndroid Build Coastguard Worker EVP_PKEY* issuer_key, 117*6777b538SAndroid Build Coastguard Worker std::string* der_encoded); 118*6777b538SAndroid Build Coastguard Worker 119*6777b538SAndroid Build Coastguard Worker // Creates a self-signed certificate from a provided key, using the specified 120*6777b538SAndroid Build Coastguard Worker // hash algorithm. 121*6777b538SAndroid Build Coastguard Worker // 122*6777b538SAndroid Build Coastguard Worker // |subject| specifies the subject and issuer names as in AddName(). 
123*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool CreateSelfSignedCert( 124*6777b538SAndroid Build Coastguard Worker EVP_PKEY* key, 125*6777b538SAndroid Build Coastguard Worker DigestAlgorithm alg, 126*6777b538SAndroid Build Coastguard Worker std::string_view subject, 127*6777b538SAndroid Build Coastguard Worker uint32_t serial_number, 128*6777b538SAndroid Build Coastguard Worker base::Time not_valid_before, 129*6777b538SAndroid Build Coastguard Worker base::Time not_valid_after, 130*6777b538SAndroid Build Coastguard Worker const std::vector<Extension>& extension_specs, 131*6777b538SAndroid Build Coastguard Worker std::string* der_cert); 132*6777b538SAndroid Build Coastguard Worker 133*6777b538SAndroid Build Coastguard Worker // Returns a CRYPTO_BUFFER_POOL for deduplicating certificates. 134*6777b538SAndroid Build Coastguard Worker NET_EXPORT CRYPTO_BUFFER_POOL* GetBufferPool(); 135*6777b538SAndroid Build Coastguard Worker 136*6777b538SAndroid Build Coastguard Worker // Creates a CRYPTO_BUFFER in the same pool returned by GetBufferPool. 137*6777b538SAndroid Build Coastguard Worker NET_EXPORT bssl::UniquePtr<CRYPTO_BUFFER> CreateCryptoBuffer( 138*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> data); 139*6777b538SAndroid Build Coastguard Worker 140*6777b538SAndroid Build Coastguard Worker // Creates a CRYPTO_BUFFER in the same pool returned by GetBufferPool. 141*6777b538SAndroid Build Coastguard Worker NET_EXPORT bssl::UniquePtr<CRYPTO_BUFFER> CreateCryptoBuffer( 142*6777b538SAndroid Build Coastguard Worker std::string_view data); 143*6777b538SAndroid Build Coastguard Worker 144*6777b538SAndroid Build Coastguard Worker // Overload with no definition, to disallow creating a CRYPTO_BUFFER from a 145*6777b538SAndroid Build Coastguard Worker // char*, which would otherwise convert silently through the implicit std::string_view (formerly StringPiece) ctor; because this overload is never defined, such a call fails at link time instead. 
146*6777b538SAndroid Build Coastguard Worker NET_EXPORT bssl::UniquePtr<CRYPTO_BUFFER> CreateCryptoBuffer( 147*6777b538SAndroid Build Coastguard Worker const char* invalid_data); 148*6777b538SAndroid Build Coastguard Worker 149*6777b538SAndroid Build Coastguard Worker // Creates a CRYPTO_BUFFER in the same pool returned by GetBufferPool backed by 150*6777b538SAndroid Build Coastguard Worker // |data| without copying. |data| must be immutable and last for the lifetime 151*6777b538SAndroid Build Coastguard Worker // of the address space. 152*6777b538SAndroid Build Coastguard Worker NET_EXPORT bssl::UniquePtr<CRYPTO_BUFFER> 153*6777b538SAndroid Build Coastguard Worker CreateCryptoBufferFromStaticDataUnsafe(base::span<const uint8_t> data); 154*6777b538SAndroid Build Coastguard Worker 155*6777b538SAndroid Build Coastguard Worker // Compares two CRYPTO_BUFFERs and returns true if they have the same contents. 156*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool CryptoBufferEqual(const CRYPTO_BUFFER* a, 157*6777b538SAndroid Build Coastguard Worker const CRYPTO_BUFFER* b); 158*6777b538SAndroid Build Coastguard Worker 159*6777b538SAndroid Build Coastguard Worker // Returns a std::string_view (formerly a StringPiece) pointing to the data in |buffer|. The view does not own the data and is only valid while |buffer| is alive. 160*6777b538SAndroid Build Coastguard Worker NET_EXPORT std::string_view CryptoBufferAsStringPiece( 161*6777b538SAndroid Build Coastguard Worker const CRYPTO_BUFFER* buffer); 162*6777b538SAndroid Build Coastguard Worker 163*6777b538SAndroid Build Coastguard Worker // Returns a span pointing to the data in |buffer|. 164*6777b538SAndroid Build Coastguard Worker NET_EXPORT base::span<const uint8_t> CryptoBufferAsSpan( 165*6777b538SAndroid Build Coastguard Worker const CRYPTO_BUFFER* buffer); 166*6777b538SAndroid Build Coastguard Worker 167*6777b538SAndroid Build Coastguard Worker // Creates a new X509Certificate from the chain in |buffers|, which must have at 168*6777b538SAndroid Build Coastguard Worker // least one element. 
169*6777b538SAndroid Build Coastguard Worker NET_EXPORT scoped_refptr<X509Certificate> CreateX509CertificateFromBuffers( 170*6777b538SAndroid Build Coastguard Worker const STACK_OF(CRYPTO_BUFFER) * buffers); 171*6777b538SAndroid Build Coastguard Worker 172*6777b538SAndroid Build Coastguard Worker // Parses certificates from a PKCS#7 SignedData structure, appending them to 173*6777b538SAndroid Build Coastguard Worker // |handles|. Returns true on success (in which case zero or more elements were 174*6777b538SAndroid Build Coastguard Worker // added to |handles|) and false on error (in which case |handles| is 175*6777b538SAndroid Build Coastguard Worker // unmodified). 176*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool CreateCertBuffersFromPKCS7Bytes( 177*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> data, 178*6777b538SAndroid Build Coastguard Worker std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>* handles); 179*6777b538SAndroid Build Coastguard Worker 180*6777b538SAndroid Build Coastguard Worker // Returns the default ParseCertificateOptions for the net stack. 181*6777b538SAndroid Build Coastguard Worker NET_EXPORT bssl::ParseCertificateOptions DefaultParseCertificateOptions(); 182*6777b538SAndroid Build Coastguard Worker 183*6777b538SAndroid Build Coastguard Worker // On success, returns true and updates |hash| to be the SHA-256 hash of the 184*6777b538SAndroid Build Coastguard Worker // subjectPublicKeyInfo of the certificate in |buffer|. If |buffer| is not a 185*6777b538SAndroid Build Coastguard Worker // valid certificate, returns false and |hash| is in an undefined state. 
186*6777b538SAndroid Build Coastguard Worker [[nodiscard]] NET_EXPORT bool CalculateSha256SpkiHash( 187*6777b538SAndroid Build Coastguard Worker const CRYPTO_BUFFER* buffer, 188*6777b538SAndroid Build Coastguard Worker HashValue* hash); 189*6777b538SAndroid Build Coastguard Worker 190*6777b538SAndroid Build Coastguard Worker // Calls |verifier->VerifyInit|, using the public key from |certificate|, 191*6777b538SAndroid Build Coastguard Worker // checking if the digitalSignature key usage bit is present, and returns true 192*6777b538SAndroid Build Coastguard Worker // on success or false on error. 193*6777b538SAndroid Build Coastguard Worker NET_EXPORT bool SignatureVerifierInitWithCertificate( 194*6777b538SAndroid Build Coastguard Worker crypto::SignatureVerifier* verifier, 195*6777b538SAndroid Build Coastguard Worker crypto::SignatureVerifier::SignatureAlgorithm signature_algorithm, 196*6777b538SAndroid Build Coastguard Worker base::span<const uint8_t> signature, 197*6777b538SAndroid Build Coastguard Worker const CRYPTO_BUFFER* certificate); 198*6777b538SAndroid Build Coastguard Worker 199*6777b538SAndroid Build Coastguard Worker // Returns true if the signature on the certificate is RSASSA-PKCS1-v1_5 with 200*6777b538SAndroid Build Coastguard Worker // SHA-1. 201*6777b538SAndroid Build Coastguard Worker NET_EXPORT_PRIVATE bool HasRsaPkcs1Sha1Signature( 202*6777b538SAndroid Build Coastguard Worker const CRYPTO_BUFFER* cert_buffer); 203*6777b538SAndroid Build Coastguard Worker 204*6777b538SAndroid Build Coastguard Worker } // namespace x509_util 205*6777b538SAndroid Build Coastguard Worker 206*6777b538SAndroid Build Coastguard Worker } // namespace net 207*6777b538SAndroid Build Coastguard Worker 208*6777b538SAndroid Build Coastguard Worker #endif // NET_CERT_X509_UTIL_H_ 209