Chromium Code Reviews Chromium Code Reviews
Issue 1209283004:
Implement VerifySignedData() for ECDSA, RSA PKCS#1 and RSA PSS. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@parse_pss| Index: net/cert/internal/verify_signed_data.cc |
| diff --git a/net/cert/internal/verify_signed_data.cc b/net/cert/internal/verify_signed_data.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..c2c70feb152c3d66635f32594dfa9b2d7cc59682 |
| --- /dev/null |
| +++ b/net/cert/internal/verify_signed_data.cc |
| @@ -0,0 +1,316 @@ |
| +// Copyright 2015 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "net/cert/internal/verify_signed_data.h" |
| + |
| +#include "net/cert/internal/signature_algorithm.h" |
| + |
| +// TODO(eroman): There is no intention to implement this for non-OpenSSL. Remove |
| +// this branch once the migration is complete. This could have been done as a |
| +// conditional file (_openssl.cc) in the build file instead, but that is likely |
| +// not worth the effort at this point. |
|
Ryan Sleevi
2015/07/16 04:05:23
iOS is still affected by this at present.
eroman
2015/07/16 17:34:07
Would you prefer I designate this file _openssl an
|
| + |
| +#if !defined(USE_OPENSSL) |
| + |
| +namespace net { |
| + |
| +bool VerifySignedData(const SignatureAlgorithm& signature_algorithm, |
| + const der::Input& signed_data, |
| + const der::Input& signature_value, |
| + const der::Input& public_key) { |
| + // Not implemented |
| + return false; |
| +} |
| + |
| +} // namespace net |
| + |
| +#else |
| + |
| +#include <openssl/evp.h> |
| +#include <openssl/x509.h> |
| + |
| +#include "crypto/openssl_util.h" |
| +#include "crypto/scoped_openssl_types.h" |
| +#include "net/der/input.h" |
| +#include "net/der/parser.h" |
| + |
| +namespace net { |
| + |
| +namespace { |
| + |
| +// Converts a DigestAlgorithm to an equivalent EVP_MD*. |
| +WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) { |
| + switch (digest) { |
| + case DigestAlgorithm::Sha1: |
| + *out = EVP_sha1(); |
| + break; |
| + case DigestAlgorithm::Sha256: |
| + *out = EVP_sha256(); |
| + break; |
| + case DigestAlgorithm::Sha384: |
| + *out = EVP_sha384(); |
| + break; |
| + case DigestAlgorithm::Sha512: |
| + *out = EVP_sha512(); |
| + break; |
| + } |
| + |
| + return *out != nullptr; |
| +} |
| + |
| +// Sets the RSASSA-PSS parameters on |pctx|. Returns true on success. |
| +WARN_UNUSED_RESULT bool ApplyRsaPssOptions(const RsaPssParameters* params, |
| + EVP_PKEY_CTX* pctx) { |
| + // BoringSSL takes a signed int for the salt length, and interprets |
| + // negative values in a special manner. Make sure not to silently underflow. |
| + base::CheckedNumeric<int> salt_length_bytes_int(params->salt_length()); |
| + if (!salt_length_bytes_int.IsValid()) |
| + return false; |
| + |
| + const EVP_MD* mgf1_hash; |
| + if (!GetDigest(params->mgf1_hash(), &mgf1_hash)) |
| + return false; |
| + |
| + return (1 == EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) && |
| + 1 == EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1_hash) && |
| + 1 == EVP_PKEY_CTX_set_rsa_pss_saltlen( |
| + pctx, salt_length_bytes_int.ValueOrDie())); |
| +} |
| + |
| +// Parses an RSA public key from SPKI to an EVP_PKEY. |
| +// |
| +// Returns true on success. |
| +// |
| +// There are two flavors of RSA public key that this function recognizes from |
| +// RFC 5912: |
| +// |
| +// pk-rsa PUBLIC-KEY ::= { |
| +// IDENTIFIER rsaEncryption |
| +// KEY RSAPublicKey |
| +// PARAMS TYPE NULL ARE absent |
| +// -- Private key format not in this module -- |
| +// CERT-KEY-USAGE {digitalSignature, nonRepudiation, |
| +// keyEncipherment, dataEncipherment, keyCertSign, cRLSign} |
| +// } |
| +// |
| +// ... |
| +// |
| +// pk-rsaSSA-PSS PUBLIC-KEY ::= { |
| +// IDENTIFIER id-RSASSA-PSS |
| +// KEY RSAPublicKey |
| +// PARAMS TYPE RSASSA-PSS-params ARE optional |
| +// -- Private key format not in this module -- |
| +// CERT-KEY-USAGE { nonRepudiation, digitalSignature, |
| +// keyCertSign, cRLSign } |
| +// } |
| +// |
| +// Any RSA signature algorithm can accept a "pk-rsa" (rsaEncryption). However a |
| +// "pk-rsaSSA-PSS" key is only accepted if the signature algorithm was for PSS |
| +// mode: |
| +// |
| +// sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= { |
| +// IDENTIFIER id-RSASSA-PSS |
| +// PARAMS TYPE RSASSA-PSS-params ARE required |
| +// HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 |
| +// | mda-sha512 } |
| +// PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS } |
| +// SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS } |
| +// } |
| +// |
| +// Moreover, if a "pk-rsaSSA-PSS" key was used and it optionally provided |
| +// parameters for the algorithm, they must match those of the signature |
| +// algorithm. |
| +// |
| +// COMPATIBILITY NOTE: RFC 5912 specifies that the algorithm parameters for |
| +// pk-rsa (rsaEncryption) are absent. However in practice though it is common |
| +// for these to be present and NULL. |
| +WARN_UNUSED_RESULT bool ParseRsaKeyFromSpki(const der::Input& public_key_spki, |
| + crypto::ScopedEVP_PKEY* pkey) { |
| + crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| + |
| + const uint8_t* ptr = public_key_spki.UnsafeData(); |
| + crypto::ScopedRSA rsa( |
| + d2i_RSA_PUBKEY(nullptr, &ptr, public_key_spki.Length())); |
| + |
| + if (!rsa || ptr != public_key_spki.UnsafeData() + public_key_spki.Length()) |
| + return false; |
| + |
| + // Create a corresponding EVP_PKEY. |
| + pkey->reset(EVP_PKEY_new()); |
| + if (!pkey || !EVP_PKEY_set1_RSA(pkey->get(), rsa.get())) |
| + return false; |
| + |
| + return true; |
| +} |
| + |
| +WARN_UNUSED_RESULT bool RsaVerify(const SignatureAlgorithm& algorithm, |
| + const der::Input& signed_data, |
| + const der::Input& signature_value, |
| + const der::Input& public_key_spki) { |
| + crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| + |
| + // TODO(eroman): This does not enforce that the SPKI's algorithm matches the |
| + // signature algorithm. For instance it would not |
| + // forbid a key with PSS parameters being used |
| + // with PKCS1 padding. |
| + crypto::ScopedEVP_PKEY public_key; |
| + if (!ParseRsaKeyFromSpki(public_key_spki, &public_key)) |
| + return false; |
| + |
| + crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); |
| + EVP_PKEY_CTX* pctx = NULL; // Owned by |ctx|. |
|
Ryan Sleevi
2015/07/16 04:05:23
nullptr?
|
| + |
| + const EVP_MD* digest; |
| + if (!GetDigest(algorithm.digest(), &digest)) |
| + return false; |
| + |
| + if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, NULL, public_key.get())) |
|
Ryan Sleevi
2015/07/16 04:05:24
nullptr
|
| + return false; |
| + |
| + // Set the RSASSA-PSS specific options. |
| + if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss && |
| + !ApplyRsaPssOptions(algorithm.ParamsForRsaPss(), pctx)) { |
| + return false; |
| + } |
| + |
| + if (!EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(), |
| + signed_data.Length())) { |
| + return false; |
| + } |
| + |
| + return 1 == EVP_DigestVerifyFinal(ctx.get(), signature_value.UnsafeData(), |
| + signature_value.Length()); |
| +} |
| + |
| +// Returns true if the given curve is allowed for ECDSA. The input is a |
| +// BoringSSL NID. |
| +// |
| +// TODO(eroman): Extract policy decisions such as allowed curves, hashes, RSA |
| +// modulus size, to somewhere more central. |
| +WARN_UNUSED_RESULT bool IsAllowedCurveName(int curve_nid) { |
| + switch (curve_nid) { |
| + case NID_X9_62_prime256v1: |
| + case NID_secp384r1: |
| + case NID_secp521r1: |
| + return true; |
| + } |
| + return false; |
| +} |
| + |
| +// Parses an EC public key from SPKI to an EVP_PKEY. |
| +// |
| +// Returns true on success. |
| +// |
| +// RFC 5912 describes all the ECDSA signature algorithms as requiring a public |
| +// key of type "pk-ec": |
| +// |
| +// pk-ec PUBLIC-KEY ::= { |
| +// IDENTIFIER id-ecPublicKey |
| +// KEY ECPoint |
| +// PARAMS TYPE ECParameters ARE required |
| +// -- Private key format not in this module -- |
| +// CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement, |
| +// keyCertSign, cRLSign } |
| +// } |
| +// |
| +// Moreover RFC 5912 stipulates what curves are allowed. The ECParameters |
| +// MUST NOT use an implicitCurve or specificCurve for PKIX: |
| +// |
| +// ECParameters ::= CHOICE { |
| +// namedCurve CURVE.&id({NamedCurve}) |
| +// -- implicitCurve NULL |
| +// -- implicitCurve MUST NOT be used in PKIX |
| +// -- specifiedCurve SpecifiedCurve |
| +// -- specifiedCurve MUST NOT be used in PKIX |
| +// -- Details for specifiedCurve can be found in [X9.62] |
| +// -- Any future additions to this CHOICE should be coordinated |
| +// -- with ANSI X.9. |
| +// } |
| +// -- If you need to be able to decode ANSI X.9 parameter structures, |
| +// -- uncomment the implicitCurve and specifiedCurve above, and also |
| +// -- uncomment the following: |
| +// --(WITH COMPONENTS {namedCurve PRESENT}) |
| +// |
| +// The namedCurves are extensible. The ones described by RFC 5912 are: |
| +// |
| +// NamedCurve CURVE ::= { |
| +// { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } | |
| +// { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } | |
| +// { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } | |
| +// { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } | |
| +// { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 }, |
| +// ... -- Extensible |
| +// } |
| +WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki, |
| + crypto::ScopedEVP_PKEY* pkey) { |
| + crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| + |
| + const uint8_t* ptr = public_key_spki.UnsafeData(); |
| + crypto::ScopedEC_KEY ec( |
| + d2i_EC_PUBKEY(nullptr, &ptr, public_key_spki.Length())); |
| + |
| + if (!ec || ptr != public_key_spki.UnsafeData() + public_key_spki.Length()) |
| + return false; |
| + |
| + // Enforce policy on allowed curves in case d2i_EC_PUBKEY() were to recognize |
| + // and allow use of a weak curve. |
| + if (!IsAllowedCurveName(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get())))) |
| + return false; |
| + |
| + // Create a corresponding EVP_PKEY. |
| + pkey->reset(EVP_PKEY_new()); |
| + if (!pkey || !EVP_PKEY_set1_EC_KEY(pkey->get(), ec.get())) |
| + return false; |
| + |
| + return true; |
| +} |
| + |
| +WARN_UNUSED_RESULT bool EcdsaVerify(const SignatureAlgorithm& algorithm, |
| + const der::Input& signed_data, |
| + const der::Input& signature_value, |
| + const der::Input& public_key_spki) { |
| + crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| + |
| + crypto::ScopedEVP_PKEY public_key; |
| + if (!ParseEcKeyFromSpki(public_key_spki, &public_key)) |
| + return false; |
| + |
| + crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); |
|
Ryan Sleevi
2015/07/16 04:05:24
From here through 292, it seems the same as RsaVer
eroman
2015/07/16 17:34:07
The RSA version is somewhat different, in that it
eroman
2015/07/18 22:44:23
Done.
|
| + |
| + const EVP_MD* digest; |
| + if (!GetDigest(algorithm.digest(), &digest)) |
| + return false; |
| + |
| + if (!EVP_DigestVerifyInit(ctx.get(), NULL, digest, NULL, public_key.get()) || |
|
Ryan Sleevi
2015/07/16 04:05:24
nullptr
eroman
2015/07/18 22:44:23
Done (throughout)
|
| + !EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(), |
| + signed_data.Length())) { |
| + return false; |
| + } |
| + |
| + return 1 == EVP_DigestVerifyFinal(ctx.get(), signature_value.UnsafeData(), |
| + signature_value.Length()); |
| +} |
| + |
| +} // namespace |
| + |
| +bool VerifySignedData(const SignatureAlgorithm& signature_algorithm, |
| + const der::Input& signed_data, |
| + const der::Input& signature_value, |
| + const der::Input& public_key_spki) { |
| + switch (signature_algorithm.algorithm()) { |
| + case SignatureAlgorithmId::RsaPkcs1: |
| + case SignatureAlgorithmId::RsaPss: |
| + return RsaVerify(signature_algorithm, signed_data, signature_value, |
| + public_key_spki); |
| + case SignatureAlgorithmId::Ecdsa: |
| + return EcdsaVerify(signature_algorithm, signed_data, signature_value, |
| + public_key_spki); |
| + } |
| + |
| + return false; // Unsupported algorithm. |
| +} |
| + |
| +} // namespace net |
| + |
| +#endif |
