Chromium Code Reviews Chromium Code Reviews
Issue 1083493003:
Encrypt certificate reports before uploading to HTTP URLs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/net/certificate_error_reporter.h" | 5 #include "chrome/browser/net/certificate_error_reporter.h" |
| 6 | 6 |
|
agl
2015/04/16 17:26:29
Overall comment, this AEAD is in BoringSSL, as is
estark
2015/04/16 18:45:11
Ah, it didn't occur to me that we could just drop
| |
| 7 #include <set> | 7 #include <set> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| 11 #include "base/time/time.h" | 11 #include "base/time/time.h" |
| 12 #include "chrome/browser/net/cert_logger.pb.h" | 12 #include "chrome/browser/net/cert_logger.pb.h" |
| 13 #include "crypto/curve25519.h" | |
| 14 #include "crypto/encryptor.h" | |
| 15 #include "crypto/hmac.h" | |
| 16 #include "crypto/random.h" | |
| 17 #include "crypto/sha2.h" | |
| 18 #include "crypto/symmetric_key.h" | |
| 13 #include "net/base/elements_upload_data_stream.h" | 19 #include "net/base/elements_upload_data_stream.h" |
| 14 #include "net/base/load_flags.h" | 20 #include "net/base/load_flags.h" |
| 15 #include "net/base/request_priority.h" | 21 #include "net/base/request_priority.h" |
| 16 #include "net/base/upload_bytes_element_reader.h" | 22 #include "net/base/upload_bytes_element_reader.h" |
| 17 #include "net/cert/x509_certificate.h" | 23 #include "net/cert/x509_certificate.h" |
| 18 #include "net/ssl/ssl_info.h" | 24 #include "net/ssl/ssl_info.h" |
| 19 #include "net/url_request/url_request_context.h" | 25 #include "net/url_request/url_request_context.h" |
| 20 | 26 |
| 27 namespace { | |
|
agl
2015/04/16 17:26:28
blank line after this.
| |
| 28 // Constants used for crypto | |
| 29 static const uint8 kServerPublicKey[] = { | |
| 30 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18, | |
| 31 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f, | |
| 32 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b}; | |
| 33 static const uint32 kServerPublicKeyVersion = 1; | |
| 34 static const size_t kAesKeySize = 16; | |
| 35 static const size_t kAeadNonceSize = 12; | |
| 36 static const size_t kAeadTagSize = 32; | |
| 37 static const size_t kAesBlockSize = 16; | |
| 38 static const size_t kAeadKeySize = 48; | |
| 39 static const size_t kSha256BlockSize = 64; | |
| 40 | |
| 41 void CalculateAeadKey(const uint8 client_private_key[32], | |
| 42 const uint8 server_public_key[32], | |
| 43 std::string* aead_key) { | |
| 44 // Compute the shared secret, and then hash it once with a 0 prepended | |
| 45 // and once with a 1 prepended. | |
| 46 uint8 shared_secret[crypto::curve25519::kBytes + 1]; | |
| 47 | |
| 48 crypto::curve25519::ScalarMult(client_private_key, server_public_key, | |
| 49 shared_secret + 1); | |
| 50 | |
| 51 std::string shared_secret_str((char*)shared_secret, sizeof(shared_secret)); | |
| 52 | |
| 53 shared_secret_str[0] = 0; | |
| 54 *aead_key = crypto::SHA256HashString(shared_secret_str); | |
| 55 shared_secret[0] = 1; | |
| 56 // Take only as many bytes of the second hash as we need to get to | |
| 57 // |kAeadKeySize|. | |
| 58 *aead_key += crypto::SHA256HashString(shared_secret_str) | |
| 59 .substr(0, kAeadKeySize - aead_key->size()); | |
| 60 } | |
| 61 | |
| 62 void CopyUint64(uint64 value, std::string* input) { | |
|
agl
2015/04/16 17:26:28
Name it AppendUint64LE or something similar?
| |
| 63 unsigned i; | |
| 64 uint8 bytes[8]; | |
| 65 for (i = 0; i < sizeof(bytes); i++) { | |
| 66 bytes[i] = value & 0xff; | |
| 67 value >>= 8; | |
| 68 } | |
| 69 *input += std::string((char*)bytes, 8); | |
| 70 } | |
| 71 | |
| 72 void ComputeHmacInput(const std::string& ciphertext, | |
| 73 const std::string& nonce, | |
| 74 std::string* hmac_input) { | |
| 75 CopyUint64(0, hmac_input); | |
| 76 CopyUint64(ciphertext.size(), hmac_input); | |
| 77 | |
| 78 *hmac_input += nonce; | |
| 79 | |
| 80 // Pad with zeroes to the end of the SHA256 block | |
| 81 const size_t num_padding = | |
| 82 (kSha256BlockSize - | |
| 83 ((sizeof(uint64) * 2 + kAeadNonceSize) % kSha256BlockSize)) % | |
| 84 kSha256BlockSize; | |
| 85 uint8 padding[kSha256BlockSize]; | |
| 86 memset(padding, 0, num_padding); | |
| 87 *hmac_input += std::string((char*)padding, num_padding); | |
| 88 | |
| 89 *hmac_input += ciphertext; | |
| 90 } | |
| 91 | |
| 92 // Used only by tests (by way of |DecryptCertificateErrorReport|). | |
| 93 bool Open(const std::string& aead_key, | |
| 94 const std::string& nonce, | |
| 95 const std::string& ciphertext, | |
| 96 std::string* const plaintext) { | |
| 97 crypto::Encryptor encryptor; | |
| 98 uint8 counter[kAesBlockSize]; | |
| 99 scoped_ptr<crypto::SymmetricKey> aes_key(crypto::SymmetricKey::Import( | |
| 100 crypto::SymmetricKey::AES, aead_key.substr(0, kAesKeySize))); | |
| 101 | |
| 102 memset(counter, 0, kAesBlockSize); | |
| 103 memcpy(counter, nonce.data(), kAeadNonceSize); | |
| 104 | |
| 105 std::string aes_ciphertext = | |
| 106 ciphertext.substr(0, ciphertext.size() - kAeadTagSize); | |
| 107 std::string tag = ciphertext.substr(ciphertext.size() - kAeadTagSize); | |
| 108 | |
| 109 // Compute HMAC(ad_len || ct_len || nonce || ciphertext) | |
| 110 crypto::HMAC hmac(crypto::HMAC::SHA256); | |
| 111 if (!hmac.Init(aead_key.substr(kAesKeySize))) { | |
| 112 LOG(ERROR) << "Failed to initialize HMAC"; | |
| 113 return false; | |
| 114 } | |
| 115 | |
| 116 std::string hmac_input; | |
| 117 ComputeHmacInput(aes_ciphertext, nonce, &hmac_input); | |
| 118 if (!hmac.Verify(hmac_input, tag)) | |
| 119 return false; | |
| 120 | |
| 121 encryptor.Init(aes_key.get(), crypto::Encryptor::CTR, ""); | |
| 122 encryptor.SetCounter(std::string((char*)counter, kAesBlockSize)); | |
| 123 encryptor.Decrypt(aes_ciphertext, plaintext); | |
| 124 return true; | |
| 125 } | |
| 126 | |
| 127 bool EncryptSerializedReport( | |
| 128 const uint8* server_public_key, | |
| 129 uint32 server_public_key_version, | |
| 130 const std::string& report, | |
| 131 chrome_browser_net::EncryptedCertLoggerRequest* encrypted_report) { | |
| 132 // Generate an ephemeral key pair to generate a shared secret. | |
| 133 uint8 public_key[crypto::curve25519::kBytes]; | |
| 134 uint8 private_key[crypto::curve25519::kScalarBytes]; | |
| 135 | |
| 136 crypto::RandBytes(private_key, sizeof(private_key)); | |
| 137 crypto::curve25519::ScalarBaseMult(private_key, public_key); | |
| 138 | |
| 139 std::string aead_key; | |
| 140 std::string ciphertext; | |
| 141 CalculateAeadKey(private_key, server_public_key, &aead_key); | |
| 142 | |
| 143 // Use an all-zero nonce because the key is random per-message. | |
| 144 std::string nonce(kAeadNonceSize, 0); | |
| 145 if (!chrome_browser_net::Seal(aead_key, nonce, report, &ciphertext)) | |
| 146 return false; | |
| 147 | |
| 148 encrypted_report->set_encrypted_report(ciphertext); | |
| 149 encrypted_report->set_server_public_key_version(server_public_key_version); | |
| 150 encrypted_report->set_client_public_key( | |
| 151 std::string((char*)public_key, crypto::curve25519::kBytes)); | |
| 152 encrypted_report->set_algorithm( | |
| 153 chrome_browser_net::EncryptedCertLoggerRequest:: | |
| 154 AEAD_ECDH_AES_128_CTR_HMAC_SHA256); | |
| 155 return true; | |
| 156 } | |
| 157 | |
| 158 } // namespace | |
| 159 | |
| 21 namespace chrome_browser_net { | 160 namespace chrome_browser_net { |
| 22 | 161 |
| 162 // Seal |plaintext| with AES-CTR-128-HMAC-SHA256. Support for AD | |
| 163 // (additional authenticated data) is not implemented because it's not | |
| 164 // needed for cert reporting. | |
| 165 bool Seal(const std::string& aead_key, | |
| 166 const std::string& nonce, | |
| 167 const std::string& plaintext, | |
| 168 std::string* const ciphertext) { | |
| 169 crypto::Encryptor encryptor; | |
| 170 uint8 counter[kAesBlockSize]; | |
| 171 scoped_ptr<crypto::SymmetricKey> aes_key(crypto::SymmetricKey::Import( | |
| 172 crypto::SymmetricKey::AES, aead_key.substr(0, kAesKeySize))); | |
| 173 | |
| 174 memset(counter, 0, kAesBlockSize); | |
| 175 memcpy(counter, nonce.data(), kAeadNonceSize); | |
| 176 | |
| 177 encryptor.Init(aes_key.get(), crypto::Encryptor::CTR, ""); | |
| 178 encryptor.SetCounter(std::string((char*)counter, sizeof(counter))); | |
| 179 encryptor.Encrypt(plaintext, ciphertext); | |
| 180 | |
| 181 // Compute HMAC(ad_len || ct_len || nonce || ad || padding || ciphertext) | |
| 182 crypto::HMAC hmac(crypto::HMAC::SHA256); | |
| 183 unsigned char digest[32]; | |
| 184 CHECK_EQ(32u, hmac.DigestLength()); | |
| 185 if (!hmac.Init(aead_key.substr(kAesKeySize))) { | |
| 186 LOG(ERROR) << "Failed to initialize HMAC"; | |
| 187 return false; | |
| 188 } | |
| 189 | |
| 190 std::string hmac_input; | |
| 191 ComputeHmacInput(*ciphertext, nonce, &hmac_input); | |
| 192 if (!hmac.Sign(hmac_input, digest, sizeof(digest))) { | |
| 193 LOG(ERROR) << "Failed to compute HMAC."; | |
| 194 return false; | |
| 195 } | |
| 196 | |
| 197 *ciphertext += std::string((char*)digest, kAeadTagSize); | |
| 198 return true; | |
| 199 } | |
| 200 | |
| 201 // Used only by tests. | |
| 202 bool DecryptCertificateErrorReport( | |
| 203 const uint8 server_private_key[32], | |
| 204 const EncryptedCertLoggerRequest& encrypted_report, | |
| 205 CertLoggerRequest* decrypted_report) { | |
| 206 std::string aead_key; | |
| 207 std::string plaintext; | |
| 208 CalculateAeadKey(server_private_key, | |
| 209 (uint8*)encrypted_report.client_public_key().data(), | |
| 210 &aead_key); | |
| 211 | |
| 212 // Use an all-zero nonce because the key is random per-message. | |
| 213 std::string nonce(kAeadNonceSize, 0); | |
| 214 if (!Open(aead_key, nonce, encrypted_report.encrypted_report(), &plaintext)) | |
| 215 return false; | |
| 216 | |
| 217 decrypted_report->ParseFromString(plaintext); | |
| 218 return true; | |
| 219 } | |
| 220 | |
| 23 CertificateErrorReporter::CertificateErrorReporter( | 221 CertificateErrorReporter::CertificateErrorReporter( |
| 24 net::URLRequestContext* request_context, | 222 net::URLRequestContext* request_context, |
| 25 const GURL& upload_url, | 223 const GURL& upload_url, |
| 26 CookiesPreference cookies_preference) | 224 CookiesPreference cookies_preference) |
| 225 : CertificateErrorReporter(request_context, | |
| 226 upload_url, | |
| 227 cookies_preference, | |
| 228 kServerPublicKey, | |
| 229 kServerPublicKeyVersion) { | |
| 230 } | |
| 231 | |
| 232 CertificateErrorReporter::CertificateErrorReporter( | |
| 233 net::URLRequestContext* request_context, | |
| 234 const GURL& upload_url, | |
| 235 CookiesPreference cookies_preference, | |
| 236 const uint8 server_public_key[32], | |
| 237 const uint32 server_public_key_version) | |
| 27 : request_context_(request_context), | 238 : request_context_(request_context), |
| 28 upload_url_(upload_url), | 239 upload_url_(upload_url), |
| 29 cookies_preference_(cookies_preference) { | 240 cookies_preference_(cookies_preference), |
| 241 server_public_key_(server_public_key), | |
| 242 server_public_key_version_(server_public_key_version) { | |
| 30 DCHECK(!upload_url.is_empty()); | 243 DCHECK(!upload_url.is_empty()); |
| 31 } | 244 } |
| 32 | 245 |
| 33 CertificateErrorReporter::~CertificateErrorReporter() { | 246 CertificateErrorReporter::~CertificateErrorReporter() { |
| 34 STLDeleteElements(&inflight_requests_); | 247 STLDeleteElements(&inflight_requests_); |
| 35 } | 248 } |
| 36 | 249 |
| 37 void CertificateErrorReporter::SendReport(ReportType type, | 250 void CertificateErrorReporter::SendReport(ReportType type, |
| 38 const std::string& hostname, | 251 const std::string& hostname, |
| 39 const net::SSLInfo& ssl_info) { | 252 const net::SSLInfo& ssl_info) { |
| 40 CertLoggerRequest request; | 253 CertLoggerRequest request; |
| 41 std::string out; | |
| 42 | |
| 43 BuildReport(hostname, ssl_info, &request); | 254 BuildReport(hostname, ssl_info, &request); |
| 44 | 255 |
| 45 switch (type) { | 256 switch (type) { |
| 46 case REPORT_TYPE_PINNING_VIOLATION: | 257 case REPORT_TYPE_PINNING_VIOLATION: |
| 47 SendCertLoggerRequest(request); | 258 SendCertLoggerRequest(request); |
| 48 break; | 259 break; |
| 49 case REPORT_TYPE_EXTENDED_REPORTING: | 260 case REPORT_TYPE_EXTENDED_REPORTING: |
| 50 // TODO(estark): Encrypt the report if not sending over HTTPS | 261 if (upload_url_.SchemeIsSecure()) { |
| 51 DCHECK(upload_url_.SchemeIsSecure()); | 262 SendCertLoggerRequest(request); |
| 52 SendCertLoggerRequest(request); | 263 } else { |
| 264 EncryptedCertLoggerRequest encrypted_report; | |
| 265 std::string serialized_report; | |
| 266 request.SerializeToString(&serialized_report); | |
| 267 if (!EncryptSerializedReport(server_public_key_, | |
| 268 server_public_key_version_, | |
| 269 serialized_report, &encrypted_report)) { | |
| 270 LOG(ERROR) << "Failed to encrypt serialized report."; | |
| 271 return; | |
| 272 } | |
| 273 std::string serialized_encrypted_report; | |
| 274 encrypted_report.SerializeToString(&serialized_encrypted_report); | |
| 275 SendSerializedRequest(serialized_encrypted_report); | |
| 276 } | |
| 53 break; | 277 break; |
| 54 default: | 278 default: |
| 55 NOTREACHED(); | 279 NOTREACHED(); |
| 56 } | 280 } |
| 57 } | 281 } |
| 58 | 282 |
| 59 void CertificateErrorReporter::OnResponseStarted(net::URLRequest* request) { | 283 void CertificateErrorReporter::OnResponseStarted(net::URLRequest* request) { |
| 60 const net::URLRequestStatus& status(request->status()); | 284 const net::URLRequestStatus& status(request->status()); |
| 61 if (!status.is_success()) { | 285 if (!status.is_success()) { |
| 62 LOG(WARNING) << "Certificate upload failed" | 286 LOG(WARNING) << "Certificate upload failed" |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 81 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | | 305 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | |
| 82 net::LOAD_DO_NOT_SAVE_COOKIES); | 306 net::LOAD_DO_NOT_SAVE_COOKIES); |
| 83 } | 307 } |
| 84 return request.Pass(); | 308 return request.Pass(); |
| 85 } | 309 } |
| 86 | 310 |
| 87 void CertificateErrorReporter::SendCertLoggerRequest( | 311 void CertificateErrorReporter::SendCertLoggerRequest( |
| 88 const CertLoggerRequest& request) { | 312 const CertLoggerRequest& request) { |
| 89 std::string serialized_request; | 313 std::string serialized_request; |
| 90 request.SerializeToString(&serialized_request); | 314 request.SerializeToString(&serialized_request); |
| 315 SendSerializedRequest(serialized_request); | |
| 316 } | |
| 91 | 317 |
| 318 void CertificateErrorReporter::SendSerializedRequest( | |
| 319 const std::string& serialized_request) { | |
| 92 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); | 320 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); |
| 93 url_request->set_method("POST"); | 321 url_request->set_method("POST"); |
| 94 | 322 |
| 95 scoped_ptr<net::UploadElementReader> reader( | 323 scoped_ptr<net::UploadElementReader> reader( |
| 96 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); | 324 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); |
| 97 url_request->set_upload( | 325 url_request->set_upload( |
| 98 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); | 326 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); |
| 99 | 327 |
| 100 net::HttpRequestHeaders headers; | 328 net::HttpRequestHeaders headers; |
| 101 headers.SetHeader(net::HttpRequestHeaders::kContentType, | 329 headers.SetHeader(net::HttpRequestHeaders::kContentType, |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 126 } | 354 } |
| 127 | 355 |
| 128 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { | 356 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { |
| 129 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); | 357 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); |
| 130 DCHECK(i != inflight_requests_.end()); | 358 DCHECK(i != inflight_requests_.end()); |
| 131 scoped_ptr<net::URLRequest> url_request(*i); | 359 scoped_ptr<net::URLRequest> url_request(*i); |
| 132 inflight_requests_.erase(i); | 360 inflight_requests_.erase(i); |
| 133 } | 361 } |
| 134 | 362 |
| 135 } // namespace chrome_browser_net | 363 } // namespace chrome_browser_net |
| OLD | NEW |
