File: certificate_helpers.cc

package info (click to toggle)
chromium 138.0.7204.183-1
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 6,071,908 kB
  • sloc: cpp: 34,937,088; ansic: 7,176,967; javascript: 4,110,704; python: 1,419,953; asm: 946,768; xml: 739,971; pascal: 187,324; sh: 89,623; perl: 88,663; objc: 79,944; sql: 50,304; cs: 41,786; fortran: 24,137; makefile: 21,806; php: 13,980; tcl: 13,166; yacc: 8,925; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (131 lines) | stat: -rw-r--r-- 4,310 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "remoting/base/certificate_helpers.h"

#include <string>

#include "base/logging.h"
#include "build/build_config.h"
#include "crypto/crypto_buildflags.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/client_cert_store.h"

#if BUILDFLAG(USE_NSS_CERTS)
#include "net/ssl/client_cert_store_nss.h"
#elif BUILDFLAG(IS_WIN)
#include "net/ssl/client_cert_store_win.h"
#elif BUILDFLAG(IS_APPLE) && !BUILDFLAG(IS_IOS)
#include "net/ssl/client_cert_store_mac.h"
#endif

namespace remoting {

namespace {

constexpr char kCertIssuerWildCard[] = "*";

// Returns true if certificate |c1| is a worse match than |c2|.
//
// Criteria:
// 1. An invalid certificate is always worse than a valid certificate.
// 2. Invalid certificates are equally bad, in which case false will be
//    returned.
// 3. A certificate with earlier |valid_start| time is worse.
// 4. When |valid_start| are the same, the certificate with earlier
//    |valid_expiry| is worse.
bool WorseThan(const std::string& issuer,
               const base::Time& now,
               const net::X509Certificate& c1,
               const net::X509Certificate& c2) {
  if (!IsCertificateValid(issuer, now, c2)) {
    return false;
  }

  if (!IsCertificateValid(issuer, now, c1)) {
    return true;
  }

  if (c1.valid_start() != c2.valid_start()) {
    return c1.valid_start() < c2.valid_start();
  }

  return c1.valid_expiry() < c2.valid_expiry();
}

#if BUILDFLAG(IS_WIN)
crypto::ScopedHCERTSTORE OpenLocalMachineCertStore() {
  return crypto::ScopedHCERTSTORE(::CertOpenStore(
      CERT_STORE_PROV_SYSTEM, 0, NULL,
      CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG, L"MY"));
}
#endif

}  // namespace

std::string GetPreferredIssuerFieldValue(const net::X509Certificate& cert) {
  if (!cert.issuer().common_name.empty()) {
    return cert.issuer().common_name;
  }
  if (!cert.issuer().organization_names.empty() &&
      !cert.issuer().organization_names[0].empty()) {
    return cert.issuer().organization_names[0];
  }
  if (!cert.issuer().organization_unit_names.empty() &&
      !cert.issuer().organization_unit_names[0].empty()) {
    return cert.issuer().organization_unit_names[0];
  }

  return std::string();
}

bool IsCertificateValid(const std::string& issuer,
                        const base::Time& now,
                        const net::X509Certificate& cert) {
  return (issuer == kCertIssuerWildCard ||
          issuer == GetPreferredIssuerFieldValue(cert)) &&
         cert.valid_start() <= now && cert.valid_expiry() > now;
}

std::unique_ptr<net::ClientCertIdentity> GetBestMatchFromCertificateList(
    const std::string& issuer,
    const base::Time& now,
    net::ClientCertIdentityList& client_certs) {
  auto best_match_position = std::max_element(
      client_certs.begin(), client_certs.end(),
      [&issuer, now](std::unique_ptr<net::ClientCertIdentity>& i1,
                     std::unique_ptr<net::ClientCertIdentity>& i2) {
        return WorseThan(issuer, now, *i1->certificate(), *i2->certificate());
      });

  if (best_match_position == client_certs.end()) {
    LOG(ERROR) << "Failed to find a certificate from the list of candidates ("
               << client_certs.size() << ").";
    return nullptr;
  }

  return std::move(*best_match_position);
}

std::unique_ptr<net::ClientCertStore> CreateClientCertStoreInstance() {
#if BUILDFLAG(USE_NSS_CERTS)
  return std::make_unique<net::ClientCertStoreNSS>(
      net::ClientCertStoreNSS::PasswordDelegateFactory());
#elif BUILDFLAG(IS_WIN)
  // The network process is running as "Local Service" whose "Current User"
  // cert store doesn't contain any certificates. Use the "Local Machine"
  // store instead.
  // The ACL on the private key of the machine certificate in the "Local
  // Machine" cert store needs to allow access by "Local Service".
  return std::make_unique<net::ClientCertStoreWin>(
      base::BindRepeating(&OpenLocalMachineCertStore));
#elif BUILDFLAG(IS_APPLE) && !BUILDFLAG(IS_IOS)
  return std::make_unique<net::ClientCertStoreMac>();
#else
  // OpenSSL does not use the ClientCertStore infrastructure.
  return nullptr;
#endif
}

}  // namespace remoting