diff options
-rw-r--r--net/data/ssl/certificates/google.binary.p7bbin1661 -> 0 bytes
-rw-r--r--net/data/ssl/certificates/google.single.derbin805 -> 0 bytes
17 files changed, 19 insertions, 986 deletions
diff --git a/net/base/ b/net/base/
deleted file mode 100644
index 0abe5db..0000000
--- a/net/base/
+++ /dev/null
@@ -1,95 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-#include "net/base/pem_tokenizer.h"
-#include "base/base64.h"
-#include "base/string_util.h"
-namespace {
-const char kPEMSearchBlock[] = "-----BEGIN ";
-const char kPEMBeginBlock[] = "-----BEGIN %s-----";
-const char kPEMEndBlock[] = "-----END %s-----";
-} // namespace
-namespace net {
-using base::StringPiece;
- const StringPiece& str,
- const std::vector<std::string>& allowed_block_types) {
- Init(str, allowed_block_types);
-bool PEMTokenizer::GetNext() {
- while (pos_ != StringPiece::npos) {
- // Scan for the beginning of the next PEM encoded block.
- pos_ = str_.find(kPEMSearchBlock, pos_);
- if (pos_ == StringPiece::npos)
- return false; // No more PEM blocks
- std::vector<PEMType>::const_iterator it;
- // Check to see if it is of an acceptable block type.
- for (it = block_types_.begin(); it != block_types_.end(); ++it) {
- if (!str_.substr(pos_).starts_with(it->header))
- continue;
- // Look for a footer matching the header. If none is found, then all
- // data following this point is invalid and should not be parsed.
- StringPiece::size_type footer_pos = str_.find(it->footer, pos_);
- if (footer_pos == StringPiece::npos) {
- pos_ = StringPiece::npos;
- return false;
- }
- // Chop off the header and footer and parse the data in between.
- StringPiece::size_type data_begin = pos_ + it->header.size();
- pos_ = footer_pos + it->footer.size();
- block_type_ = it->type;
- StringPiece encoded = str_.substr(data_begin,
- footer_pos - data_begin);
- if (!base::Base64Decode(CollapseWhitespaceASCII(encoded.as_string(),
- true), &data_)) {
- // The most likely cause for a decode failure is a datatype that
- // includes PEM headers, which are not supported.
- break;
- }
- return true;
- }
- // If the block did not match any acceptable type, move past it and
- // continue the search. Otherwise, |pos_| has been updated to the most
- // appropriate search position to continue searching from and should not
- // be adjusted.
- if (it == block_types_.end())
- pos_ += sizeof(kPEMSearchBlock);
- }
- return false;
-void PEMTokenizer::Init(
- const StringPiece& str,
- const std::vector<std::string>& allowed_block_types) {
- str_ = str;
- pos_ = 0;
- // Construct PEM header/footer strings for all the accepted types, to
- // reduce parsing later.
- for (std::vector<std::string>::const_iterator it =
- allowed_block_types.begin(); it != allowed_block_types.end(); ++it) {
- PEMType allowed_type;
- allowed_type.type = *it;
- allowed_type.header = StringPrintf(kPEMBeginBlock, it->c_str());
- allowed_type.footer = StringPrintf(kPEMEndBlock, it->c_str());
- block_types_.push_back(allowed_type);
- }
-} // namespace net
diff --git a/net/base/pem_tokenizer.h b/net/base/pem_tokenizer.h
deleted file mode 100644
index eebba2d..0000000
--- a/net/base/pem_tokenizer.h
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-#include <string>
-#include <vector>
-#include "base/string_piece.h"
-namespace net {
-// PEMTokenizer is a utility class for the parsing of data encapsulated
-// using RFC 1421, Privacy Enhancement for Internet Electronic Mail. It
-// does not implement the full specification, most notably it does not
-// support the Encapsulated Header Portion described in Section 4.4.
-class PEMTokenizer {
- public:
- // Create a new PEMTokenizer that iterates through |str| searching for
- // instances of PEM encoded blocks that are of the |allowed_block_types|.
- // |str| must remain valid for the duration of the PEMTokenizer.
- PEMTokenizer(const base::StringPiece& str,
- const std::vector<std::string>& allowed_block_types);
- // Attempts to decode the next PEM block in the string. Returns false if no
- // PEM blocks can be decoded. The decoded PEM block will be available via
- // data().
- bool GetNext();
- // Returns the PEM block type (eg: CERTIFICATE) of the last successfully
- // decoded PEM block.
- // GetNext() must have returned true before calling this method.
- const std::string& block_type() const { return block_type_; }
- // Returns the raw, Base64-decoded data of the last successfully decoded
- // PEM block.
- // GetNext() must have returned true before calling this method.
- const std::string& data() const { return data_; }
- private:
- void Init(const base::StringPiece& str,
- const std::vector<std::string>& allowed_block_types);
- // A simple cache of the allowed PEM header and footer for a given PEM
- // block type, so that it is only computed once.
- struct PEMType {
- std::string type;
- std::string header;
- std::string footer;
- };
- // The string to search, which must remain valid for as long as this class
- // is around.
- base::StringPiece str_;
- // The current position within |str_| that searching should begin from,
- // or StringPiece::npos if iteration is complete
- base::StringPiece::size_type pos_;
- // The type of data that was encoded, as indicated in the PEM
- // Pre-Encapsulation Boundary (eg: CERTIFICATE, PKCS7, or
- std::string block_type_;
- // The types of PEM blocks that are allowed. PEM blocks that are not of
- // one of these types will be skipped.
- std::vector<PEMType> block_types_;
- // The raw (Base64-decoded) data of the last successfully decoded block.
- std::string data_;
-} // namespace net
diff --git a/net/base/ b/net/base/
deleted file mode 100644
index af2446c..0000000
--- a/net/base/
+++ /dev/null
@@ -1,169 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-#include "net/base/pem_tokenizer.h"
-#include "testing/gtest/include/gtest/gtest.h"
-namespace net {
-TEST(PEMTokenizerTest, BasicParsing) {
- const char data[] =
- "-----BEGIN EXPECTED-BLOCK-----\n"
- "TWF0Y2hlc0FjY2VwdGVkQmxvY2tUeXBl\n"
- "-----END EXPECTED-BLOCK-----\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("EXPECTED-BLOCK");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("EXPECTED-BLOCK", tokenizer.block_type());
- EXPECT_EQ("MatchesAcceptedBlockType",;
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, CarriageReturnLineFeeds) {
- const char data[] =
- "-----BEGIN EXPECTED-BLOCK-----\r\n"
- "TWF0Y2hlc0FjY2VwdGVkQmxvY2tUeXBl\r\n"
- "-----END EXPECTED-BLOCK-----\r\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("EXPECTED-BLOCK");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("EXPECTED-BLOCK", tokenizer.block_type());
- EXPECT_EQ("MatchesAcceptedBlockType",;
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, NoAcceptedBlockTypes) {
- const char data[] =
- "SWdub3Jlc1JlamVjdGVkQmxvY2tUeXBl\n"
- "-----END UNEXPECTED-BLOCK-----\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("EXPECTED-BLOCK");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, MultipleAcceptedBlockTypes) {
- const char data[] =
- "-----BEGIN BLOCK-ONE-----\n"
- "RW5jb2RlZERhdGFPbmU=\n"
- "-----END BLOCK-ONE-----\n"
- "-----BEGIN BLOCK-TWO-----\n"
- "RW5jb2RlZERhdGFUd28=\n"
- "-----END BLOCK-TWO-----\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("BLOCK-ONE");
- accepted_types.push_back("BLOCK-TWO");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("BLOCK-ONE", tokenizer.block_type());
- EXPECT_EQ("EncodedDataOne",;
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("BLOCK-TWO", tokenizer.block_type());
- EXPECT_EQ("EncodedDataTwo",;
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, MissingFooter) {
- const char data[] =
- "-----BEGIN MISSING-FOOTER-----\n"
- "RW5jb2RlZERhdGFPbmU=\n"
- "-----END MISSING-FOOTER-----\n"
- "-----BEGIN MISSING-FOOTER-----\n"
- "RW5jb2RlZERhdGFUd28=\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("MISSING-FOOTER");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("MISSING-FOOTER", tokenizer.block_type());
- EXPECT_EQ("EncodedDataOne",;
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, NestedEncoding) {
- const char data[] =
- "-----BEGIN BLOCK-ONE-----\n"
- "RW5jb2RlZERhdGFPbmU=\n"
- "-----BEGIN BLOCK-TWO-----\n"
- "RW5jb2RlZERhdGFUd28=\n"
- "-----END BLOCK-TWO-----\n"
- "-----END BLOCK-ONE-----\n"
- "-----BEGIN BLOCK-ONE-----\n"
- "RW5jb2RlZERhdGFUaHJlZQ==\n"
- "-----END BLOCK-ONE-----\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("BLOCK-ONE");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("BLOCK-ONE", tokenizer.block_type());
- EXPECT_EQ("EncodedDataThree",;
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, EmptyAcceptedTypes) {
- const char data[] =
- "-----BEGIN BLOCK-ONE-----\n"
- "RW5jb2RlZERhdGFPbmU=\n"
- "-----END BLOCK-ONE-----\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_FALSE(tokenizer.GetNext());
-TEST(PEMTokenizerTest, BlockWithHeader) {
- const char data[] =
- "-----BEGIN BLOCK-ONE-----\n"
- "Header-One: Data data data\n"
- "Header-Two: \n"
- " continuation\n"
- "Header-Three: Mix-And,Match\n"
- "\n"
- "RW5jb2RlZERhdGFPbmU=\n"
- "-----END BLOCK-ONE-----\n"
- "-----BEGIN BLOCK-ONE-----\n"
- "RW5jb2RlZERhdGFUd28=\n"
- "-----END BLOCK-ONE-----\n";
- base::StringPiece string_piece(data);
- std::vector<std::string> accepted_types;
- accepted_types.push_back("BLOCK-ONE");
- PEMTokenizer tokenizer(string_piece, accepted_types);
- EXPECT_TRUE(tokenizer.GetNext());
- EXPECT_EQ("BLOCK-ONE", tokenizer.block_type());
- EXPECT_EQ("EncodedDataTwo",;
- EXPECT_FALSE(tokenizer.GetNext());
-} // namespace net
diff --git a/net/base/ b/net/base/
index 1230f27..f5b28a6 100644
--- a/net/base/
+++ b/net/base/
@@ -15,9 +15,7 @@
#include "base/histogram.h"
#include "base/logging.h"
#include "base/singleton.h"
-#include "base/string_piece.h"
#include "base/time.h"
-#include "net/base/pem_tokenizer.h"
namespace net {
@@ -33,18 +31,6 @@ bool IsNullFingerprint(const SHA1Fingerprint& fingerprint) {
return true;
-// Indicates the order to use when trying to decode binary data, which is
-// based on (speculation) as to what will be most common -> least common
-const X509Certificate::Format kFormatDecodePriority[] = {
- X509Certificate::FORMAT_DER,
- X509Certificate::FORMAT_PKCS7
-// The PEM block header used for DER certificates
-const char kCertificateHeader[] = "CERTIFICATE";
-// The PEM block header used for PKCS#7 data
-const char kPKCS7Header[] = "PKCS7";
} // namespace
// static
@@ -200,81 +186,6 @@ X509Certificate* X509Certificate::CreateFromBytes(const char* data,
return cert;
-CertificateList X509Certificate::CreateCertificateListFromBytes(
- const char* data, int length, int format) {
- OSCertHandles certificates;
- // Try each of the formats, in order of parse preference, to see if |data|
- // contains the binary representation of a Format.
- for (size_t i = 0; certificates.empty() &&
- i < arraysize(kFormatDecodePriority); ++i) {
- if (format & kFormatDecodePriority[i])
- certificates = CreateOSCertHandlesFromBytes(data, length,
- kFormatDecodePriority[i]);
- }
- // No certs were read. Check to see if it is in a PEM-encoded form.
- if (certificates.empty()) {
- base::StringPiece data_string(data, length);
- std::vector<std::string> pem_headers;
- // To maintain compatibility with NSS/Firefox, CERTIFICATE is a universally
- // valid PEM block header for any format.
- pem_headers.push_back(kCertificateHeader);
- if (format & FORMAT_PKCS7)
- pem_headers.push_back(kPKCS7Header);
- PEMTokenizer pem_tok(data_string, pem_headers);
- while (pem_tok.GetNext()) {
- std::string decoded(;
- OSCertHandle handle = NULL;
- if (format & FORMAT_PEM)
- handle = CreateOSCertHandleFromBytes(decoded.c_str(), decoded.size());
- if (handle != NULL) {
- // Parsed a DER encoded certificate. All PEM blocks that follow must
- // also be DER encoded certificates wrapped inside of PEM blocks.
- format = FORMAT_PEM;
- certificates.push_back(handle);
- continue;
- }
- // If the first block failed to parse as a DER certificate, and
- // formats other than PEM are acceptable, check to see if the decoded
- // data is one of the accepted formats.
- if (format & ~FORMAT_PEM) {
- for (size_t i = 0; certificates.empty() &&
- i < arraysize(kFormatDecodePriority); ++i) {
- if (format & kFormatDecodePriority[i]) {
- certificates = CreateOSCertHandlesFromBytes(decoded.c_str(),
- decoded.size(), kFormatDecodePriority[i]);
- }
- }
- }
- // Stop parsing after the first block for any format but a sequence of
- // PEM-encoded DER certificates. The case of FORMAT_PEM is handled
- // above, and continues processing until a certificate fails to parse.
- break;
- }
- }
- CertificateList results;
- // No certificates parsed.
- if (certificates.empty())
- return results;
- for (OSCertHandles::iterator it = certificates.begin();
- it != certificates.end(); ++it) {
- X509Certificate* result = CreateFromHandle(*it, SOURCE_LONE_CERT_IMPORT,
- OSCertHandles());
- results.push_back(scoped_refptr<X509Certificate>(result));
- FreeOSCertHandle(*it);
- }
- return results;
X509Certificate::X509Certificate(OSCertHandle cert_handle,
Source source,
const OSCertHandles& intermediates)
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 284d2fb..d6b3447 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -32,8 +32,6 @@ namespace net {
class CertVerifyResult;
-typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
// X509Certificate represents an X.509 certificate used by SSL.
class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
@@ -74,27 +72,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
VERIFY_EV_CERT = 1 << 1,
- enum Format {
- // The data contains a single DER-encoded certificate, or a PEM-encoded
- // DER certificate with the PEM encoding block name of "CERTIFICATE".
- // Any subsequent blocks will be ignored.
- FORMAT_DER = 1 << 0,
- // The data contains a sequence of one or more PEM-encoded, DER
- // certificates, with the PEM encoding block name of "CERTIFICATE".
- // All PEM blocks will be parsed, until the first error is encountered.
- FORMAT_PEM = 1 << 1,
- // The data contains a PKCS#7 SignedData structure, whose certificates
- // member is to be used to initialize the certificate and intermediates.
- // The data my further be encoding using PEM, specifying block names of
- // either "PKCS7" or "CERTIFICATE".
- FORMAT_PKCS7 = 1 << 2,
- // Automatically detect the format.
- };
// Create an X509Certificate from a handle to the certificate object in the
// underlying crypto library. |source| specifies where |cert_handle| comes
// from. Given two certificate handles for the same certificate, our
@@ -107,7 +84,7 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
Source source,
const OSCertHandles& intermediates);
- // Create an X509Certificate from the DER-encoded representation.
+ // Create an X509Certificate from the BER-encoded representation.
// Returns NULL on failure.
// The returned pointer must be stored in a scoped_refptr<X509Certificate>.
@@ -122,14 +99,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
static X509Certificate* CreateFromPickle(const Pickle& pickle,
void** pickle_iter);
- // Parses all of the certificates possible from |data|. |format| is a
- // bit-wise OR of Format, indicating the possible formats the
- // certificates may have been serialized as. If an error occurs, an empty
- // collection will be returned.
- static CertificateList CreateCertificateListFromBytes(const char* data,
- int length,
- int format);
// Creates a X509Certificate from the ground up. Used by tests that simulate
// SSL connections.
X509Certificate(const std::string& subject, const std::string& issuer,
@@ -234,11 +203,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> {
static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
int length);
- // Creates all possible OS certificate handles from |data| encoded in a
- // specific |format|. Returns an empty collection on failure.
- static OSCertHandles CreateOSCertHandlesFromBytes(
- const char* data, int length, Format format);
// Duplicates (or adds a reference to) an OS certificate handle.
static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
diff --git a/net/base/ b/net/base/
index 727fde9..ed46adc 100644
--- a/net/base/
+++ b/net/base/
@@ -8,9 +8,9 @@
#include <Security/Security.h>
#include <time.h>
+#include "base/scoped_cftyperef.h"
#include "base/logging.h"
#include "base/pickle.h"
-#include "base/scoped_cftyperef.h"
#include "base/sys_string_conversions.h"
#include "net/base/cert_status_flags.h"
#include "net/base/cert_verify_result.h"
@@ -372,44 +372,6 @@ bool ExtendedKeyUsageAllows(const CE_ExtendedKeyUsage* usage,
return false;
-// Parses |data| of length |length|, attempting to decode it as the specified
-// |format|. If |data| is in the specified format, any certificates contained
-// within are stored into |output|.
-void AddCertificatesFromBytes(const char* data, size_t length,
- SecExternalFormat format,
- X509Certificate::OSCertHandles* output) {
- SecExternalFormat input_format = format;
- scoped_cftyperef<CFDataRef> local_data(CFDataCreateWithBytesNoCopy(
- kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data),
- length, kCFAllocatorNull));
- CFArrayRef items = NULL;
- OSStatus status = SecKeychainItemImport(local_data, NULL, &input_format,
- NULL, 0, NULL, NULL, &items);
- if (status) {
- DLOG(WARNING) << status << " Unable to import items from data of length "
- << length;
- return;
- }
- scoped_cftyperef<CFArrayRef> scoped_items(items);
- CFTypeID cert_type_id = SecCertificateGetTypeID();
- for (CFIndex i = 0; i < CFArrayGetCount(items); ++i) {
- SecKeychainItemRef item = reinterpret_cast<SecKeychainItemRef>(
- const_cast<void*>(CFArrayGetValueAtIndex(items, i)));
- // While inputFormat implies only certificates will be imported, if/when
- // other formats (eg: PKCS#12) are supported, this may also include
- // private keys or other items types, so filter appropriately.
- if (CFGetTypeID(item) == cert_type_id) {
- SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(item);
- CFRetain(cert);
- output->push_back(cert);
- }
- }
} // namespace
void X509Certificate::Initialize() {
@@ -707,53 +669,15 @@ X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
OSCertHandle cert_handle = NULL;
OSStatus status = SecCertificateCreateFromData(&cert_data,
if (status)
return NULL;
- // SecCertificateCreateFromData() unfortunately will not return any
- // errors, as long as simply all pointers are present. The actual decoding
- // of the certificate does not happen until an API that requires a CDSA
- // handle is called. While SecCertificateGetCLHandle is the most likely
- // candidate, as it initializes the parsing, it does not check whether the
- // parsing was successful. Instead, SecCertificateGetSubject is used
- // (supported since 10.3), as a means to double-check that the parsed
- // parsed certificate is valid.
- const CSSM_X509_NAME* sanity_check = NULL;
- status = SecCertificateGetSubject(cert_handle, &sanity_check);
- if (status || !sanity_check) {
- CFRelease(cert_handle);
- return NULL;
- }
return cert_handle;
// static
-X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
- const char* data, int length, Format format) {
- OSCertHandles results;
- switch (format) {
- case FORMAT_DER: {
- OSCertHandle handle = CreateOSCertHandleFromBytes(data, length);
- if (handle)
- results.push_back(handle);
- break;
- }
- case FORMAT_PKCS7:
- AddCertificatesFromBytes(data, length, kSecFormatPKCS7, &results);
- break;
- default:
- NOTREACHED() << "Certificate format " << format << " unimplemented";
- break;
- }
- return results;
-// static
X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
OSCertHandle handle) {
if (!handle)
diff --git a/net/base/ b/net/base/
index dbc4d18..8eb337f 100644
--- a/net/base/
+++ b/net/base/
@@ -16,7 +16,6 @@
#include "base/logging.h"
#include "base/pickle.h"
-#include "base/scoped_ptr.h"
#include "base/time.h"
#include "base/nss_util.h"
#include "net/base/cert_status_flags.h"
@@ -572,22 +571,6 @@ bool CheckCertPolicies(X509Certificate::OSCertHandle cert_handle,
return false;
-CollectCertsCallback(void* arg, SECItem** certs, int num_certs) {
- X509Certificate::OSCertHandles* results =
- reinterpret_cast<X509Certificate::OSCertHandles*>(arg);
- for (int i = 0; i < num_certs; ++i) {
- X509Certificate::OSCertHandle handle =
- X509Certificate::CreateOSCertHandleFromBytes(
- reinterpret_cast<char*>(certs[i]->data), certs[i]->len);
- if (handle)
- results->push_back(handle);
- }
- return SECSuccess;
} // namespace
void X509Certificate::Initialize() {
@@ -738,59 +721,21 @@ bool X509Certificate::VerifyEV() const {
// static
X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
const char* data, int length) {
- if (length < 0)
- return NULL;
if (!NSS_IsInitialized())
return NULL;
- SECItem der_cert;
- = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
- der_cert.len = length;
- der_cert.type = siDERCertBuffer;
+ // Make a copy of |data| since CERT_DecodeCertPackage might modify it.
+ char* data_copy = new char[length];
+ memcpy(data_copy, data, length);
// Parse into a certificate structure.
- return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL,
-// static
-X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
- const char* data, int length, Format format) {
- OSCertHandles results;
- if (length < 0)
- return results;
- base::EnsureNSSInit();
- if (!NSS_IsInitialized())
- return results;
- switch (format) {
- case FORMAT_DER: {
- OSCertHandle handle = CreateOSCertHandleFromBytes(data, length);
- if (handle)
- results.push_back(handle);
- break;
- }
- case FORMAT_PKCS7: {
- // Make a copy since CERT_DecodeCertPackage may modify it
- std::vector<char> data_copy(data, data + length);
- SECStatus result = CERT_DecodeCertPackage(&data_copy[0],
- length, CollectCertsCallback, &results);
- if (result != SECSuccess)
- results.clear();
- break;
- }
- default:
- NOTREACHED() << "Certificate format " << format << " unimplemented";
- break;
- }
- return results;
+ CERTCertificate* cert = CERT_DecodeCertFromPackage(data_copy, length);
+ delete [] data_copy;
+ if (!cert)
+ LOG(ERROR) << "Couldn't parse a certificate from " << length << " bytes";
+ return cert;
// static
diff --git a/net/base/ b/net/base/
index 6becea0..63eec15 100644
--- a/net/base/
+++ b/net/base/
@@ -76,93 +76,6 @@ unsigned char unosoft_hu_fingerprint[] = {
0x25, 0x66, 0xf2, 0xec, 0x8b, 0x0f, 0xbf, 0xd8
-// The fingerprint of the Google certificate used in the parsing tests,
-// which is newer than the one included in the x509_certificate_data.h
-unsigned char google_parse_fingerprint[] = {
- 0x40, 0x50, 0x62, 0xe5, 0xbe, 0xfd, 0xe4, 0xaf, 0x97, 0xe9, 0x38, 0x2a,
- 0xf1, 0x6c, 0xc8, 0x7c, 0x8f, 0xb7, 0xc4, 0xe2
-// The fingerprint for the Thawte SGC certificate
-unsigned char thawte_parse_fingerprint[] = {
- 0xec, 0x07, 0x10, 0x03, 0xd8, 0xf5, 0xa3, 0x7f, 0x42, 0xc4, 0x55, 0x7f,
- 0x65, 0x6a, 0xae, 0x86, 0x65, 0xfa, 0x4b, 0x02
-// Dec 18 00:00:00 2009 GMT
-const double kGoogleParseValidFrom = 1261094400;
-// Dec 18 23:59:59 2011 GMT
-const double kGoogleParseValidTo = 1324252799;
-struct CertificateFormatTestData {
- const char* file_name;
- X509Certificate::Format format;
- unsigned char* chain_fingerprints[3];
-const CertificateFormatTestData FormatTestData[] = {
- // DER Parsing - single certificate, DER encoded
- { "google.single.der", X509Certificate::FORMAT_DER,
- { google_parse_fingerprint,
- NULL, } },
- // DER parsing - single certificate, PEM encoded
- { "google.single.pem", X509Certificate::FORMAT_DER,
- { google_parse_fingerprint,
- NULL, } },
- // PEM parsing - single certificate, PEM encoded with a PEB of
- { "google.single.pem", X509Certificate::FORMAT_PEM,
- { google_parse_fingerprint,
- NULL, } },
- // PEM parsing - sequence of certificates, PEM encoded with a PEB of
- { "google.chain.pem", X509Certificate::FORMAT_PEM,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- // PKCS#7 parsing - "degenerate" SignedData collection of certificates, DER
- // encoding
- { "google.binary.p7b", X509Certificate::FORMAT_PKCS7,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM
- // encoded with a PEM PEB of "CERTIFICATE"
- { "google.pem_cert.p7b", X509Certificate::FORMAT_PKCS7,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- // PKCS#7 parsing - "degenerate" SignedData collection of certificates, PEM
- // encoded with a PEM PEB of "PKCS7"
- { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_PKCS7,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- // All of the above, this time using auto-detection
- { "google.single.der", X509Certificate::FORMAT_AUTO,
- { google_parse_fingerprint,
- NULL, } },
- { "google.single.pem", X509Certificate::FORMAT_AUTO,
- { google_parse_fingerprint,
- NULL, } },
- { "google.chain.pem", X509Certificate::FORMAT_AUTO,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- { "google.binary.p7b", X509Certificate::FORMAT_AUTO,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- { "google.pem_cert.p7b", X509Certificate::FORMAT_AUTO,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
- { "google.pem_pkcs7.p7b", X509Certificate::FORMAT_AUTO,
- { google_parse_fingerprint,
- thawte_parse_fingerprint,
- NULL, } },
// Returns a FilePath object representing the src/net/data/ssl/certificates
// directory in the source tree.
FilePath GetTestCertsDirectory() {
@@ -187,22 +100,12 @@ X509Certificate* ImportCertFromFile(const FilePath& certs_dir,
return X509Certificate::CreateFromBytes(, cert_data.size());
-CertificateList CreateCertificateListFromFile(
- const FilePath& certs_dir,
- const std::string& cert_file,
- int format) {
- FilePath cert_path = certs_dir.AppendASCII(cert_file);
- std::string cert_data;
- if (!file_util::ReadFileToString(cert_path, &cert_data))
- return CertificateList();
- return X509Certificate::CreateCertificateListFromBytes(,
- cert_data.size(),
- format);
+} // namespace
+TEST(X509CertificateTest, GoogleCertParsing) {
+ scoped_refptr<X509Certificate> google_cert = X509Certificate::CreateFromBytes(
+ reinterpret_cast<const char*>(google_der), sizeof(google_der));
-void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert,
- unsigned char* expected_fingerprint,
- double valid_from, double valid_to) {
ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
const CertPrincipal& subject = google_cert->subject();
@@ -229,14 +132,14 @@ void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert,
// Use DoubleT because its epoch is the same on all platforms
const Time& valid_start = google_cert->valid_start();
- EXPECT_EQ(valid_from, valid_start.ToDoubleT());
+ EXPECT_EQ(1238192407, valid_start.ToDoubleT()); // Mar 27 22:20:07 2009 GMT
const Time& valid_expiry = google_cert->valid_expiry();
- EXPECT_EQ(valid_to, valid_expiry.ToDoubleT());
+ EXPECT_EQ(1269728407, valid_expiry.ToDoubleT()); // Mar 27 22:20:07 2010 GMT
const SHA1Fingerprint& fingerprint = google_cert->fingerprint();
for (size_t i = 0; i < 20; ++i)
- EXPECT_EQ(expected_fingerprint[i],[i]);
+ EXPECT_EQ(google_fingerprint[i],[i]);
std::vector<std::string> dns_names;
@@ -253,18 +156,6 @@ void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert,
-} // namespace
-TEST(X509CertificateTest, GoogleCertParsing) {
- scoped_refptr<X509Certificate> google_cert =
- X509Certificate::CreateFromBytes(
- reinterpret_cast<const char*>(google_der), sizeof(google_der));
- CheckGoogleCert(google_cert, google_fingerprint,
- 1238192407, // Mar 27 22:20:07 2009 GMT
- 1269728407); // Mar 27 22:20:07 2010 GMT
TEST(X509CertificateTest, WebkitCertParsing) {
scoped_refptr<X509Certificate> webkit_cert = X509Certificate::CreateFromBytes(
reinterpret_cast<const char*>(webkit_der), sizeof(webkit_der));
@@ -637,41 +528,4 @@ TEST(X509CertificateTest, IntermediateCertificates) {
-class X509CertificateParseTest
- : public testing::TestWithParam<CertificateFormatTestData> {
- public:
- virtual ~X509CertificateParseTest() {}
- virtual void SetUp() {
- test_data_ = GetParam();
- }
- virtual void TearDown() {}
- protected:
- CertificateFormatTestData test_data_;
-TEST_P(X509CertificateParseTest, CanParseFormat) {
- FilePath certs_dir = GetTestCertsDirectory();
- CertificateList certs = CreateCertificateListFromFile(
- certs_dir, test_data_.file_name, test_data_.format);
- ASSERT_FALSE(certs.empty());
- ASSERT_LE(certs.size(), arraysize(test_data_.chain_fingerprints));
- CheckGoogleCert(certs.front(), google_parse_fingerprint,
- kGoogleParseValidFrom, kGoogleParseValidTo);
- size_t i;
- for (i = 0; i < arraysize(test_data_.chain_fingerprints) &&
- i < certs.size() && test_data_.chain_fingerprints[i] != NULL; ++i) {
- const X509Certificate* cert = certs[i];
- const SHA1Fingerprint& actual_fingerprint = cert->fingerprint();
- unsigned char* expected_fingerprint = test_data_.chain_fingerprints[i];
- for (size_t j = 0; j < 20; ++j)
- EXPECT_EQ(expected_fingerprint[j],[j]);
- }
-INSTANTIATE_TEST_CASE_P(, X509CertificateParseTest,
- testing::ValuesIn(FormatTestData));
} // namespace net
diff --git a/net/base/ b/net/base/
index faa8871..901c0a6 100644
--- a/net/base/
+++ b/net/base/
@@ -434,54 +434,6 @@ void ParsePrincipal(const std::string& description,
-void AddCertsFromStore(HCERTSTORE store,
- X509Certificate::OSCertHandles* results) {
- while ((cert = CertEnumCertificatesInStore(store, cert)) != NULL) {
- if (CertAddCertificateContextToStore(
- NULL, // The cert won't be persisted in any cert store. This breaks
- // any association the context currently has to |store|, which
- // allows us, the caller, to safely close |store| without
- // releasing the cert handles.
- cert,
- &to_add) && to_add != NULL) {
- // When processing stores generated from PKCS#7/PKCS#12 files, it
- // appears that the order returned is the inverse of the order that it
- // appeared in the file.
- // TODO(rsleevi): Ensure this order is consistent across all Win
- // versions
- results->insert(results->begin(), to_add);
- }
- }
-X509Certificate::OSCertHandles ParsePKCS7(const char* data, size_t length) {
- X509Certificate::OSCertHandles results;
- CERT_BLOB data_blob;
- data_blob.cbData = length;
- data_blob.pbData = reinterpret_cast<BYTE*>(const_cast<char*>(data));
- HCERTSTORE out_store = NULL;
- if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &data_blob, expected_types,
- &out_store, NULL, NULL) || out_store == NULL) {
- return results;
- }
- AddCertsFromStore(out_store, &results);
- CertCloseStore(out_store, CERT_CLOSE_STORE_CHECK_FLAG);
- return results;
} // namespace
void X509Certificate::Initialize() {
@@ -801,27 +753,6 @@ X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
return cert_handle;
-X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
- const char* data, int length, Format format) {
- OSCertHandles results;
- switch (format) {
- case FORMAT_DER: {
- OSCertHandle handle = CreateOSCertHandleFromBytes(data, length);
- if (handle != NULL)
- results.push_back(handle);
- break;
- }
- case FORMAT_PKCS7:
- results = ParsePKCS7(data, length);
- break;
- default:
- NOTREACHED() << "Certificate format " << format << " unimplemented";
- break;
- }
- return results;
// static
X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
diff --git a/net/data/ssl/certificates/google.binary.p7b b/net/data/ssl/certificates/google.binary.p7b
deleted file mode 100644
index 052e388..0000000
--- a/net/data/ssl/certificates/google.binary.p7b
+++ /dev/null
Binary files differ
diff --git a/net/data/ssl/certificates/google.chain.pem b/net/data/ssl/certificates/google.chain.pem
deleted file mode 100644
index e78af71..0000000
--- a/net/data/ssl/certificates/google.chain.pem
+++ /dev/null
@@ -1,38 +0,0 @@
------END CERTIFICATE----- \ No newline at end of file
diff --git a/net/data/ssl/certificates/google.pem_cert.p7b b/net/data/ssl/certificates/google.pem_cert.p7b
deleted file mode 100644
index ba80fb0..0000000
--- a/net/data/ssl/certificates/google.pem_cert.p7b
+++ /dev/null
@@ -1,37 +0,0 @@
diff --git a/net/data/ssl/certificates/google.pem_pkcs7.p7b b/net/data/ssl/certificates/google.pem_pkcs7.p7b
deleted file mode 100644
index 49e2eec..0000000
--- a/net/data/ssl/certificates/google.pem_pkcs7.p7b
+++ /dev/null
@@ -1,37 +0,0 @@
------BEGIN PKCS7-----
------END PKCS7-----
diff --git a/net/data/ssl/certificates/google.single.der b/net/data/ssl/certificates/google.single.der
deleted file mode 100644
index f73df17..0000000
--- a/net/data/ssl/certificates/google.single.der
+++ /dev/null
Binary files differ
diff --git a/net/data/ssl/certificates/google.single.pem b/net/data/ssl/certificates/google.single.pem
deleted file mode 100644
index a03adc4..0000000
--- a/net/data/ssl/certificates/google.single.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------END CERTIFICATE----- \ No newline at end of file
diff --git a/net/data/ssl/certificates/thawte.single.pem b/net/data/ssl/certificates/thawte.single.pem
deleted file mode 100644
index d326459..0000000
--- a/net/data/ssl/certificates/thawte.single.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------END CERTIFICATE----- \ No newline at end of file
diff --git a/net/net.gyp b/net/net.gyp
index ea740ff..98dc526 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -125,8 +125,6 @@
- 'base/',
- 'base/pem_tokenizer.h',
# TODO(tc): gnome-vfs? xdgmime? /etc/mime.types?
@@ -676,7 +674,6 @@
- 'base/',