blob: 5cb746c3e518c8cb4a219090263011859da2de8f [file] [log] [blame]
/* Copyright (c) 2023, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <optional>
#include <string_view>
#include <openssl/pki/certificate.h>
#include <openssl/pool.h>
#include "cert_errors.h"
#include "encode_values.h"
#include "parsed_certificate.h"
#include "pem.h"
#include "parse_values.h"
BSSL_NAMESPACE_BEGIN
namespace {
std::shared_ptr<const bssl::ParsedCertificate> ParseCertificateFromDer(
bssl::Span<const uint8_t>cert, std::string *out_diagnostic) {
bssl::ParseCertificateOptions default_options{};
// We follow Chromium in setting |allow_invalid_serial_numbers| in order to
// not choke on 21-byte serial numbers, which are common. davidben explains
// why:
//
// The reason for the discrepancy is that unsigned numbers with the high bit
// otherwise set get an extra 0 byte in front to keep them positive. So if you
// do:
// var num [20]byte
// fillWithRandom(num[:])
// serialNumber := new(big.Int).SetBytes(num[:])
// encodeASN1Integer(serialNumber)
//
// Then half of your serial numbers will be encoded with 21 bytes. (And
// 1/512th will have 19 bytes instead of 20.)
default_options.allow_invalid_serial_numbers = true;
bssl::UniquePtr<CRYPTO_BUFFER> buffer(
CRYPTO_BUFFER_new(cert.data(), cert.size(), nullptr));
bssl::CertErrors errors;
std::shared_ptr<const bssl::ParsedCertificate> parsed_cert(
bssl::ParsedCertificate::Create(std::move(buffer), default_options, &errors));
if (!parsed_cert) {
*out_diagnostic = errors.ToDebugString();
return nullptr;
}
return parsed_cert;
}
} // namespace
struct CertificateInternals {
std::shared_ptr<const bssl::ParsedCertificate> cert;
};
Certificate::Certificate(std::unique_ptr<CertificateInternals> internals)
: internals_(std::move(internals)) {}
Certificate::~Certificate() = default;
Certificate::Certificate(Certificate&& other) = default;
std::unique_ptr<Certificate> Certificate::FromDER(bssl::Span<const uint8_t> der,
std::string *out_diagnostic) {
std::shared_ptr<const bssl::ParsedCertificate> result =
ParseCertificateFromDer(der, out_diagnostic);
if (result == nullptr) {
return nullptr;
}
auto internals = std::make_unique<CertificateInternals>();
internals->cert = std::move(result);
std::unique_ptr<Certificate> ret(new Certificate(std::move(internals)));
return ret;
}
std::unique_ptr<Certificate> Certificate::FromPEM(std::string_view pem,
std::string *out_diagnostic) {
bssl::PEMTokenizer tokenizer(pem, {"CERTIFICATE"});
if (!tokenizer.GetNext()) {
return nullptr;
}
return FromDER(StringAsBytes(tokenizer.data()), out_diagnostic);
}
bool Certificate::IsSelfIssued() const {
return internals_->cert->normalized_subject() ==
internals_->cert->normalized_issuer();
}
Certificate::Validity Certificate::GetValidity() const {
Certificate::Validity validity;
// As this is a previously parsed certificate, we know the not_before
// and not after are valid, so these conversions can not fail.
(void) GeneralizedTimeToPosixTime(
internals_->cert->tbs().validity_not_before, &validity.not_before);
(void) GeneralizedTimeToPosixTime(
internals_->cert->tbs().validity_not_after, &validity.not_after);
return validity;
}
bssl::Span<const uint8_t> Certificate::GetSerialNumber() const {
return internals_->cert->tbs().serial_number;
}
BSSL_NAMESPACE_END