blob: e34a326a733415daff5db4b780908efea37fbf73 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/x509_util_mac.h"
#include <CommonCrypto/CommonDigest.h>
#include "base/check_op.h"
#include "base/strings/sys_string_conversions.h"
#include "net/cert/x509_certificate.h"
#include "third_party/apple_apsl/cssmapplePriv.h"
#include "third_party/boringssl/src/include/openssl/pool.h"
namespace net {
// CSSM functions are deprecated as of OSX 10.7, but have no replacement.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
namespace x509_util {
namespace {
// Creates a SecPolicyRef for the given OID, with optional value.
OSStatus CreatePolicy(const CSSM_OID* policy_oid,
void* option_data,
size_t option_length,
SecPolicyRef* policy) {
SecPolicySearchRef search;
OSStatus err = SecPolicySearchCreate(CSSM_CERT_X_509v3, policy_oid, NULL,
if (err)
return err;
err = SecPolicySearchCopyNext(search, policy);
if (err)
return err;
if (option_data) {
CSSM_DATA options_data = {
err = SecPolicySetValue(*policy, &options_data);
if (err) {
return err;
return noErr;
} // namespace
bool IsValidSecCertificate(SecCertificateRef cert_handle) {
const CSSM_X509_NAME* sanity_check = NULL;
OSStatus status = SecCertificateGetSubject(cert_handle, &sanity_check);
return status == noErr && sanity_check;
base::ScopedCFTypeRef<SecCertificateRef> CreateSecCertificateFromBytes(
const uint8_t* data,
size_t length) {
CSSM_DATA cert_data;
cert_data.Data = const_cast<uint8_t*>(data);
cert_data.Length = length;
base::ScopedCFTypeRef<SecCertificateRef> cert_handle;
OSStatus status = SecCertificateCreateFromData(&cert_data, CSSM_CERT_X_509v3,
if (status != noErr)
return base::ScopedCFTypeRef<SecCertificateRef>();
if (!IsValidSecCertificate(cert_handle.get()))
return base::ScopedCFTypeRef<SecCertificateRef>();
return cert_handle;
CreateSecCertificateFromX509Certificate(const X509Certificate* cert) {
return CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(cert->cert_buffer()),
scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
SecCertificateRef sec_cert,
const std::vector<SecCertificateRef>& sec_chain) {
return CreateX509CertificateFromSecCertificate(sec_cert, sec_chain, {});
scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
SecCertificateRef sec_cert,
const std::vector<SecCertificateRef>& sec_chain,
X509Certificate::UnsafeCreateOptions options) {
CSSM_DATA der_data;
if (!sec_cert || SecCertificateGetData(sec_cert, &der_data) != noErr)
return nullptr;
bssl::UniquePtr<CRYPTO_BUFFER> cert_handle(
reinterpret_cast<const char*>(der_data.Data), der_data.Length));
if (!cert_handle)
return nullptr;
std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
for (const SecCertificateRef& sec_intermediate : sec_chain) {
if (!sec_intermediate ||
SecCertificateGetData(sec_intermediate, &der_data) != noErr) {
return nullptr;
bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle(
reinterpret_cast<const char*>(der_data.Data), der_data.Length));
if (!intermediate_cert_handle)
return nullptr;
scoped_refptr<X509Certificate> result(
std::move(cert_handle), std::move(intermediates), options));
return result;
SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
SHA256HashValue sha256;
memset(, 0, sizeof(;
CSSM_DATA cert_data;
OSStatus status = SecCertificateGetData(cert, &cert_data);
if (status)
return sha256;
DCHECK_NE(cert_data.Length, 0U);
CC_SHA256(cert_data.Data, cert_data.Length,;
return sha256;
OSStatus CreateSSLClientPolicy(SecPolicyRef* policy) {
*policy = SecPolicyCreateSSL(false /* server */, nullptr);
return *policy ? noErr : errSecNoPolicyModule;
OSStatus CreateSSLServerPolicy(const std::string& hostname,
SecPolicyRef* policy) {
base::ScopedCFTypeRef<CFStringRef> hostname_cfstring;
if (!hostname.empty()) {
if (!hostname_cfstring)
return errSecNoPolicyModule;
*policy = SecPolicyCreateSSL(true /* server */, hostname_cfstring.get());
return *policy ? noErr : errSecNoPolicyModule;
OSStatus CreateBasicX509Policy(SecPolicyRef* policy) {
*policy = SecPolicyCreateBasicX509();
return *policy ? noErr : errSecNoPolicyModule;
OSStatus CreateRevocationPolicies(bool enable_revocation_checking,
CFMutableArrayRef policies) {
if (__builtin_available(macos 10.12, *)) {
// On Sierra, it's not possible to disable network revocation checking
// without also breaking AIA. If revocation checking isn't explicitly
// enabled, just don't add a revocation policy.
if (!enable_revocation_checking)
return noErr;
// If revocation checking is requested, enable checking and require positive
// results. Note that this will fail if there are certs with no
// CRLDistributionPoints or OCSP AIA urls, which differs from the behavior
// of |enable_revocation_checking| on pre-10.12. There does not appear to be
// a way around this, but it shouldn't matter much in practice since
// revocation checking is generally used with EV certs, where it is expected
// that all certs include revocation mechanisms.
SecPolicyRef revocation_policy =
SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod |
if (!revocation_policy)
return errSecNoPolicyModule;
CFArrayAppendValue(policies, revocation_policy);
return noErr;
OSStatus status = noErr;
// In order to bypass the system revocation checking settings, the
// SecTrustRef must have at least one revocation policy associated with it.
// Since it is not known prior to verification whether the Apple TP will
// consider a certificate as an EV candidate, the default policy used is a
// CRL policy, since it does not communicate over the network.
// If the TP believes the leaf is an EV cert, it will explicitly add an
// OCSP policy to perform the online checking, and if it doesn't believe
// that the leaf is EV, then the default CRL policy will effectively no-op.
// This behaviour is used to implement EV-only revocation checking.
if (enable_revocation_checking) {
memset(&tp_crl_options, 0, sizeof(tp_crl_options));
tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
// Only allow network CRL fetches if the caller explicitly requests
// online revocation checking. Note that, as of OS X 10.7.2, the system
// will set force this flag on according to system policies, so
// online revocation checks cannot be completely disabled.
// Starting with OS X 10.12, if a CRL policy is added without the
// FETCH_CRL_FROM_NET flag, AIA fetching is disabled.
tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
SecPolicyRef crl_policy;
status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options,
sizeof(tp_crl_options), &crl_policy);
if (status)
return status;
CFArrayAppendValue(policies, crl_policy);
// If revocation checking is explicitly enabled, then add an OCSP policy
// and allow network access. If both revocation checking is
// disabled, then the added OCSP policy will be prevented from
// accessing the network. This is done because the TP will force an OCSP
// policy to be present when it believes the certificate is EV.
memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options));
tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
if (enable_revocation_checking) {
// The default for the OCSP policy is to fetch responses via the network,
// unlike the CRL policy default. The policy is further modified to
// prefer OCSP over CRLs, if both are specified on the certificate. This
// is because an OCSP response is both sufficient and typically
// significantly smaller than the CRL counterpart.
tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
} else {
// Effectively disable OCSP checking by making it impossible to get an
// OCSP response. Even if the Apple TP forces OCSP, no checking will
// be able to succeed. If this happens, the Apple TP will report an error
// that OCSP was unavailable, but this will be handled and suppressed in
// X509Certificate::Verify().
tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET |
SecPolicyRef ocsp_policy;
status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, &tp_ocsp_options,
sizeof(tp_ocsp_options), &ocsp_policy);
if (status)
return status;
CFArrayAppendValue(policies, ocsp_policy);
return status;
: cl_handle_(CSSM_INVALID_HANDLE),
field_(NULL) {
CSSMFieldValue::CSSMFieldValue(CSSM_CL_HANDLE cl_handle,
const CSSM_OID* oid,
: cl_handle_(cl_handle),
field_(field) {
CSSMFieldValue::~CSSMFieldValue() {
void CSSMFieldValue::Reset(CSSM_CL_HANDLE cl_handle,
CSSM_DATA_PTR field) {
if (cl_handle_ && oid_ && field_)
CSSM_CL_FreeFieldValue(cl_handle_, oid_, field_);
cl_handle_ = cl_handle;
oid_ = oid;
field_ = field;
: cl_handle_(CSSM_INVALID_HANDLE),
cached_cert_handle_(CSSM_INVALID_HANDLE) {
CSSMCachedCertificate::~CSSMCachedCertificate() {
if (cl_handle_ && cached_cert_handle_)
CSSM_CL_CertAbortCache(cl_handle_, cached_cert_handle_);
OSStatus CSSMCachedCertificate::Init(SecCertificateRef os_cert_handle) {
DCHECK(!cl_handle_ && !cached_cert_handle_);
CSSM_DATA cert_data;
OSStatus status = SecCertificateGetData(os_cert_handle, &cert_data);
if (status)
return status;
status = SecCertificateGetCLHandle(os_cert_handle, &cl_handle_);
if (status) {
return status;
status = CSSM_CL_CertCache(cl_handle_, &cert_data, &cached_cert_handle_);
if (status)
return status;
OSStatus CSSMCachedCertificate::GetField(const CSSM_OID* field_oid,
CSSMFieldValue* field) const {
CSSM_OID_PTR oid = const_cast<CSSM_OID_PTR>(field_oid);
CSSM_DATA_PTR field_ptr = NULL;
uint32_t field_value_count = 0;
CSSM_RETURN status = CSSM_CL_CertGetFirstCachedFieldValue(
cl_handle_, cached_cert_handle_, oid, &results_handle,
&field_value_count, &field_ptr);
if (status)
return status;
// Note: |field_value_count| may be > 1, indicating that more than one
// value is present. This may happen with extensions, but for current
// usages, only the first value is returned.
CSSM_CL_CertAbortQuery(cl_handle_, results_handle);
field->Reset(cl_handle_, oid, field_ptr);
return CSSM_OK;
} // namespace x509_util
#pragma clang diagnostic pop // "-Wdeprecated-declarations"
} // namespace net