Rollback

Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=224206719
2018-12-05 13:02:27 -08:00
parent df7566c0c1
commit 7f649cf826
49 changed files with 2697 additions and 2130 deletions
--- a/common/x509_cert.cc
+++ b/common/x509_cert.cc
@@ -255,6 +255,41 @@ util::Status X509CertChain::LoadPkcs7(const std::string& pk7_cert_chain) {
  return util::OkStatus();
 }

+std::string X509CertChain::GetPkcs7() {
+  std::string pkcs7_cert;
+  ScopedX509Stack cert_stack(sk_X509_new_null());
+  for (X509Cert* cert : cert_chain_) {
+    // X509 stack takes ownership of certificates. Copy certificates to retain
+    // |cert_chain_|.
+    X509Cert cert_copy;
+    if (!cert_copy.LoadPem(cert->GetPem()).ok()) {
+      LOG(WARNING) << "Certificate chain serialization failed";
+      return "";
+    }
+    X509* openssl_cert_copy = const_cast<X509*>(cert_copy.openssl_cert());
+    cert_copy.openssl_cert_ = nullptr;
+    sk_X509_push(cert_stack.get(), openssl_cert_copy);
+  }
+  ScopedPKCS7 pkcs7(
+      PKCS7_sign(nullptr, nullptr, cert_stack.get(), nullptr, PKCS7_DETACHED));
+  if (!pkcs7) {
+    LOG(WARNING) << "Could not convert certificate chain to PKCS7";
+    return "";
+  }
+  ScopedBIO bio(BIO_new(BIO_s_mem()));
+  if (bio.get() == nullptr || !i2d_PKCS7_bio(bio.get(), pkcs7.get())) {
+    LOG(WARNING) << "Failed writing PKCS7 to bio";
+    return "";
+  }
+  int cert_size = BIO_pending(bio.get());
+  pkcs7_cert.resize(cert_size);
+  if (BIO_read(bio.get(), &pkcs7_cert[0], cert_size) != cert_size) {
+    LOG(WARNING) << "BIO_read failure";
+    return "";
+  }
+  return pkcs7_cert;
+}
+
 X509Cert* X509CertChain::GetCert(size_t cert_index) const {
  if (cert_index >= cert_chain_.size()) {
    return NULL;
@@ -326,6 +361,25 @@ util::Status X509CA::VerifyCertChain(const X509CertChain& cert_chain) {
  return OpenSslX509Verify(leaf_cert->openssl_cert(), intermediates.get());
 }

+util::Status X509CA::VerifyCertWithChain(const X509Cert& cert,
+                                         const X509CertChain& cert_chain) {
+  ScopedX509StackOnly intermediates(sk_X509_new_null());
+  if (!intermediates) {
+    // MakeStatus is now preferred. But we don't support it in the exported
+    // version, yet. So, ignore lint here.
+    // NOLINTNEXTLINE
+    return util::Status(
+        util::Status::canonical_space(), util::error::INTERNAL,
+        "Failed to allocate X.509 intermediate certificate stack");
+  }
+  for (size_t idx = 0; idx < cert_chain.GetNumCerts(); ++idx) {
+    sk_X509_push(intermediates.get(),
+                 const_cast<X509*>(cert_chain.GetCert(idx)->openssl_cert()));
+  }
+
+  return OpenSslX509Verify(cert.openssl_cert(), intermediates.get());
+}
+
 util::Status X509CA::OpenSslX509Verify(const X509* cert,
                                       STACK_OF(X509) * intermediates) {
  DCHECK(cert);