TrustStoreMac: Use internal implementation for IsSelfSigned

This is significantly faster (about 80x in some quick testing). Also remove the now unused x509_util_mac IsSelfSigned function. Bug: 410574 Change-Id: I60cfc40d5f5a5dab419566836555cb4828148c6f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1570768Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#651774}

TrustStoreMac: Use internal implementation for IsSelfSigned
This is significantly faster (about 80x in some quick testing). Also remove the now unused x509_util_mac IsSelfSigned function. Bug: 410574 Change-Id: I60cfc40d5f5a5dab419566836555cb4828148c6f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1570768Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#651774}
6ef07c67 · Matt Mueller · Commit Bot · 6099951a · 6ef07c67 · 6ef07c67
Commit 6ef07c67 authored Apr 17, 2019 by Matt Mueller Committed by Commit Bot Apr 17, 2019
Showing with 15 additions and 43 deletions

net/cert/internal/trust_store_mac.cc net/cert/internal/trust_store_mac.cc +15 -4

net/cert/x509_util_mac.cc net/cert/x509_util_mac.cc +0 -36

net/cert/x509_util_mac.h net/cert/x509_util_mac.h +0 -3

No files found.
--- a/net/cert/internal/trust_store_mac.cc
+++ b/net/cert/internal/trust_store_mac.cc
@@ -14,6 +14,7 @@
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parse_name.h"
 #include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/verify_signed_data.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/x509_util.h"
 #include "net/cert/x509_util_mac.h"
@@ -141,11 +142,21 @@ TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trust_settings,
  return TrustStatus::UNSPECIFIED;
 }

+bool IsSelfSigned(const scoped_refptr<ParsedCertificate>& cert) {
+  if (cert->normalized_subject() != cert->normalized_issuer())
+    return false;
+  return VerifySignedData(cert->signature_algorithm(),
+                          cert->tbs_certificate_tlv(), cert->signature_value(),
+                          cert->tbs().spki_tlv);
+}
+
 // Returns true if the certificate |cert_handle| is trusted for the policy
 // |policy_oid|.
-TrustStatus IsSecCertificateTrustedForPolicy(SecCertificateRef cert_handle,
-                                             const CFStringRef policy_oid) {
-  const bool is_self_signed = x509_util::IsSelfSigned(cert_handle);
+TrustStatus IsSecCertificateTrustedForPolicy(
+    const scoped_refptr<ParsedCertificate>& cert,
+    SecCertificateRef cert_handle,
+    const CFStringRef policy_oid) {
+  const bool is_self_signed = IsSelfSigned(cert);
  // Evaluate trust domains in user, admin, system order. Admin settings can
  // override system ones, and user settings can override both admin and system.
  for (const auto& trust_domain :
@@ -242,7 +253,7 @@ void TrustStoreMac::GetTrust(const scoped_refptr<ParsedCertificate>& cert,
  }

  TrustStatus trust_status =
-      IsSecCertificateTrustedForPolicy(cert_handle, policy_oid_);
+      IsSecCertificateTrustedForPolicy(cert, cert_handle, policy_oid_);
  switch (trust_status) {
    case TrustStatus::TRUSTED:
      *trust = CertificateTrust::ForTrustAnchor();

--- a/net/cert/x509_util_mac.cc
+++ b/net/cert/x509_util_mac.cc
@@ -121,42 +121,6 @@ scoped_refptr<X509Certificate> CreateX509CertificateFromSecCertificate(
  return result;
 }

-bool IsSelfSigned(SecCertificateRef cert_handle) {
-  CSSMCachedCertificate cached_cert;
-  OSStatus status = cached_cert.Init(cert_handle);
-  if (status != noErr)
-    return false;
-
-  CSSMFieldValue subject;
-  status = cached_cert.GetField(&CSSMOID_X509V1SubjectNameStd, &subject);
-  if (status != CSSM_OK || !subject.field())
-    return false;
-
-  CSSMFieldValue issuer;
-  status = cached_cert.GetField(&CSSMOID_X509V1IssuerNameStd, &issuer);
-  if (status != CSSM_OK || !issuer.field())
-    return false;
-
-  if (subject.field()->Length != issuer.field()->Length ||
-      memcmp(subject.field()->Data, issuer.field()->Data,
-             issuer.field()->Length) != 0) {
-    return false;
-  }
-
-  CSSM_CL_HANDLE cl_handle = CSSM_INVALID_HANDLE;
-  status = SecCertificateGetCLHandle(cert_handle, &cl_handle);
-  if (status)
-    return false;
-  CSSM_DATA cert_data;
-  status = SecCertificateGetData(cert_handle, &cert_data);
-  if (status)
-    return false;
-
-  if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0))
-    return false;
-  return true;
-}
-
 SHA256HashValue CalculateFingerprint256(SecCertificateRef cert) {
  SHA256HashValue sha256;
  memset(sha256.data, 0, sizeof(sha256.data));

--- a/net/cert/x509_util_mac.h
+++ b/net/cert/x509_util_mac.h
@@ -58,9 +58,6 @@ CreateX509CertificateFromSecCertificate(
    const std::vector<SecCertificateRef>& sec_chain,
    X509Certificate::UnsafeCreateOptions options);

-// Returns true if the certificate is self-signed.
-NET_EXPORT bool IsSelfSigned(SecCertificateRef cert_handle);
-
 // Calculates the SHA-256 fingerprint of the certificate.  Returns an empty
 // (all zero) fingerprint on failure.
 NET_EXPORT SHA256HashValue CalculateFingerprint256(SecCertificateRef cert);