pki/certificate.cc - boringssl - Git at Google

 /* Copyright (c) 2023, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

 #include <optional>
 #include <string_view>

 #include <openssl/pki/certificate.h>
 #include <openssl/pool.h>

 #include "cert_errors.h"
 #include "encode_values.h"
 #include "parsed_certificate.h"
 #include "pem.h"
 #include "parse_values.h"

 BSSL_NAMESPACE_BEGIN

 namespace {

 std::shared_ptr<const bssl::ParsedCertificate> ParseCertificateFromDer(
     bssl::Span<const uint8_t>cert, std::string *out_diagnostic) {
   bssl::ParseCertificateOptions default_options{};
   // We follow Chromium in setting |allow_invalid_serial_numbers| in order to
   // not choke on 21-byte serial numbers, which are common.  davidben explains
   // why:
   //
   // The reason for the discrepancy is that unsigned numbers with the high bit
   // otherwise set get an extra 0 byte in front to keep them positive. So if you
   // do:
   //    var num [20]byte
   //    fillWithRandom(num[:])
   //    serialNumber := new(big.Int).SetBytes(num[:])
   //    encodeASN1Integer(serialNumber)
   //
   // Then half of your serial numbers will be encoded with 21 bytes. (And
   // 1/512th will have 19 bytes instead of 20.)
   default_options.allow_invalid_serial_numbers = true;

   bssl::UniquePtr<CRYPTO_BUFFER> buffer(
       CRYPTO_BUFFER_new(cert.data(), cert.size(), nullptr));
   bssl::CertErrors errors;
   std::shared_ptr<const bssl::ParsedCertificate> parsed_cert(
       bssl::ParsedCertificate::Create(std::move(buffer), default_options, &errors));
   if (!parsed_cert) {
     *out_diagnostic = errors.ToDebugString();
     return nullptr;
   }
   return parsed_cert;
 }

 } // namespace

 struct CertificateInternals {
   std::shared_ptr<const bssl::ParsedCertificate> cert;
 };

 Certificate::Certificate(std::unique_ptr<CertificateInternals> internals)
     : internals_(std::move(internals)) {}
 Certificate::~Certificate() = default;
 Certificate::Certificate(Certificate&& other) = default;

 std::unique_ptr<Certificate> Certificate::FromDER(bssl::Span<const uint8_t> der,
                                                   std::string *out_diagnostic) {
   std::shared_ptr<const bssl::ParsedCertificate> result =
       ParseCertificateFromDer(der, out_diagnostic);
   if (result == nullptr) {
     return nullptr;
   }

   auto internals = std::make_unique<CertificateInternals>();
   internals->cert = std::move(result);
   std::unique_ptr<Certificate> ret(new Certificate(std::move(internals)));
   return ret;
 }

 std::unique_ptr<Certificate> Certificate::FromPEM(std::string_view pem,
                                                   std::string *out_diagnostic) {
   bssl::PEMTokenizer tokenizer(pem, {"CERTIFICATE"});
   if (!tokenizer.GetNext()) {
     return nullptr;
   }
   return FromDER(StringAsBytes(tokenizer.data()), out_diagnostic);
 }

 bool Certificate::IsSelfIssued() const {
   return internals_->cert->normalized_subject() ==
          internals_->cert->normalized_issuer();
 }

 Certificate::Validity Certificate::GetValidity() const {
   Certificate::Validity validity;

   // As this is a previously parsed certificate, we know the not_before
   // and not after are valid, so these conversions can not fail.
   (void) GeneralizedTimeToPosixTime(
       internals_->cert->tbs().validity_not_before, &validity.not_before);
   (void) GeneralizedTimeToPosixTime(
       internals_->cert->tbs().validity_not_after, &validity.not_after);
   return validity;
 }

 bssl::Span<const uint8_t> Certificate::GetSerialNumber() const {
   return internals_->cert->tbs().serial_number;
 }

 BSSL_NAMESPACE_END
	/* Copyright (c) 2023, Google Inc.
	*
	* Permission to use, copy, modify, and/or distribute this software for any
	* purpose with or without fee is hereby granted, provided that the above
	* copyright notice and this permission notice appear in all copies.
	*
	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

	#include <optional>
	#include <string_view>

	#include <openssl/pki/certificate.h>
	#include <openssl/pool.h>

	#include "cert_errors.h"
	#include "encode_values.h"
	#include "parsed_certificate.h"
	#include "pem.h"
	#include "parse_values.h"

	BSSL_NAMESPACE_BEGIN

	namespace {

	std::shared_ptr<const bssl::ParsedCertificate> ParseCertificateFromDer(
	bssl::Span<const uint8_t>cert, std::string *out_diagnostic) {
	bssl::ParseCertificateOptions default_options{};
	// We follow Chromium in setting \|allow_invalid_serial_numbers\| in order to
	// not choke on 21-byte serial numbers, which are common. davidben explains
	// why:
	//
	// The reason for the discrepancy is that unsigned numbers with the high bit
	// otherwise set get an extra 0 byte in front to keep them positive. So if you
	// do:
	// var num [20]byte
	// fillWithRandom(num[:])
	// serialNumber := new(big.Int).SetBytes(num[:])
	// encodeASN1Integer(serialNumber)
	//
	// Then half of your serial numbers will be encoded with 21 bytes. (And
	// 1/512th will have 19 bytes instead of 20.)
	default_options.allow_invalid_serial_numbers = true;

	bssl::UniquePtr<CRYPTO_BUFFER> buffer(
	CRYPTO_BUFFER_new(cert.data(), cert.size(), nullptr));
	bssl::CertErrors errors;
	std::shared_ptr<const bssl::ParsedCertificate> parsed_cert(
	bssl::ParsedCertificate::Create(std::move(buffer), default_options, &errors));
	if (!parsed_cert) {
	*out_diagnostic = errors.ToDebugString();
	return nullptr;
	}
	return parsed_cert;
	}

	} // namespace

	struct CertificateInternals {
	std::shared_ptr<const bssl::ParsedCertificate> cert;
	};

	Certificate::Certificate(std::unique_ptr<CertificateInternals> internals)
	: internals_(std::move(internals)) {}
	Certificate::~Certificate() = default;
	Certificate::Certificate(Certificate&& other) = default;

	std::unique_ptr<Certificate> Certificate::FromDER(bssl::Span<const uint8_t> der,
	std::string *out_diagnostic) {
	std::shared_ptr<const bssl::ParsedCertificate> result =
	ParseCertificateFromDer(der, out_diagnostic);
	if (result == nullptr) {
	return nullptr;
	}

	auto internals = std::make_unique<CertificateInternals>();
	internals->cert = std::move(result);
	std::unique_ptr<Certificate> ret(new Certificate(std::move(internals)));
	return ret;
	}

	std::unique_ptr<Certificate> Certificate::FromPEM(std::string_view pem,
	std::string *out_diagnostic) {
	bssl::PEMTokenizer tokenizer(pem, {"CERTIFICATE"});
	if (!tokenizer.GetNext()) {
	return nullptr;
	}
	return FromDER(StringAsBytes(tokenizer.data()), out_diagnostic);
	}

	bool Certificate::IsSelfIssued() const {
	return internals_->cert->normalized_subject() ==
	internals_->cert->normalized_issuer();
	}

	Certificate::Validity Certificate::GetValidity() const {
	Certificate::Validity validity;

	// As this is a previously parsed certificate, we know the not_before
	// and not after are valid, so these conversions can not fail.
	(void) GeneralizedTimeToPosixTime(
	internals_->cert->tbs().validity_not_before, &validity.not_before);
	(void) GeneralizedTimeToPosixTime(
	internals_->cert->tbs().validity_not_after, &validity.not_after);
	return validity;
	}

	bssl::Span<const uint8_t> Certificate::GetSerialNumber() const {
	return internals_->cert->tbs().serial_number;
	}

	BSSL_NAMESPACE_END