Add some policy controls for VerifySignedData().

net/cert/internal/verify_signed_data.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_signed_data.h"
 
 #include "base/logging.h"
 
 // TODO(eroman): There is no intention to implement this for non-OpenSSL. Remove
 // this branch once the migration is complete. This could have been done as a
 // conditional file (_openssl.cc) in the build file instead, but that is likely
 // not worth the effort at this point.
 
 #if !defined(USE_OPENSSL)
 
 namespace net {
 
 bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
                       const der::Input& signed_data,
                       const der::Input& signature_value_bit_string,
-                      const der::Input& public_key) {
+                      const der::Input& public_key,
+                      const VerificationPolicy* policy) {
   NOTIMPLEMENTED();
   return false;
 }
 
 }  // namespace net
 
 #else
 
 #include <openssl/digest.h>
 #include <openssl/ec.h>
 #include <openssl/ec_key.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
 #include "base/compiler_specific.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/cert/internal/signature_algorithm.h"
+#include "net/cert/internal/verification_policy.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 
 namespace net {
 
 namespace {
 
 // Converts a DigestAlgorithm to an equivalent EVP_MD*.
-WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) {
+WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest,
+                                  const VerificationPolicy* policy,
+                                  const EVP_MD** out) {
   *out = nullptr;
 
+  if (!policy->IsAcceptableDigestAlgorithm(digest))
+    return false;
+
   switch (digest) {
     case DigestAlgorithm::Sha1:
       *out = EVP_sha1();
       break;
     case DigestAlgorithm::Sha256:
       *out = EVP_sha256();
       break;
     case DigestAlgorithm::Sha384:
       *out = EVP_sha384();
       break;
     case DigestAlgorithm::Sha512:
       *out = EVP_sha512();
       break;
   }
 
   return *out != nullptr;
 }
 
 // Sets the RSASSA-PSS parameters on |pctx|. Returns true on success.
 WARN_UNUSED_RESULT bool ApplyRsaPssOptions(const RsaPssParameters* params,
-                                           EVP_PKEY_CTX* pctx) {
+                                           EVP_PKEY_CTX* pctx,
+                                           const VerificationPolicy* policy) {
   // BoringSSL takes a signed int for the salt length, and interprets
   // negative values in a special manner. Make sure not to silently underflow.
   base::CheckedNumeric<int> salt_length_bytes_int(params->salt_length());
   if (!salt_length_bytes_int.IsValid())
     return false;
 
   const EVP_MD* mgf1_hash;
-  if (!GetDigest(params->mgf1_hash(), &mgf1_hash))
+  if (!GetDigest(params->mgf1_hash(), policy, &mgf1_hash))
     return false;
 
   return EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
          EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1_hash) &&
          EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                           salt_length_bytes_int.ValueOrDie());
 }
 
 // TODO(eroman): This function is not strict enough. It accepts BER, other RSA
 // OIDs, and does not check id-rsaEncryption parameters.
@@ skipping 62 matching lines @@
 // COMPATIBILITY NOTE: RFC 5912 and RFC 3279 are in disagreement on the value
 // of parameters for rsaEncryption. Whereas RFC 5912 says they must be absent,
 // RFC 3279 says they must be NULL:
 //
 //     The rsaEncryption OID is intended to be used in the algorithm field
 //     of a value of type AlgorithmIdentifier.  The parameters field MUST
 //     have ASN.1 type NULL for this algorithm identifier.
 //
 // Following RFC 3279 in this case.
 WARN_UNUSED_RESULT bool ParseRsaKeyFromSpki(const der::Input& public_key_spki,
-                                            crypto::ScopedEVP_PKEY* pkey) {
-  return ImportPkeyFromSpki(public_key_spki, EVP_PKEY_RSA, pkey);
+                                            crypto::ScopedEVP_PKEY* pkey,
+                                            const VerificationPolicy* policy) {
+  if (!ImportPkeyFromSpki(public_key_spki, EVP_PKEY_RSA, pkey))
+    return false;
+
+  // Extract the modulus length from the key.
+  crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey->get()));
+  if (!rsa.get())
+    return false;
+  unsigned int modulus_length_bits = BN_num_bits(rsa.get()->n);
+
+  return policy->IsAcceptableModulusLengthForRsa(modulus_length_bits);
 }
 
 // Does signature verification using either RSA or ECDSA.
 //
 // Note that the |signature_value| input is expected to be a byte string (and
 // not a DER-encoded BIT STRING)
 WARN_UNUSED_RESULT bool DoVerify(const SignatureAlgorithm& algorithm,
                                  const der::Input& signed_data,
                                  const der::Input& signature_value,
-                                 EVP_PKEY* public_key) {
+                                 EVP_PKEY* public_key,
+                                 const VerificationPolicy* policy) {
   DCHECK(algorithm.algorithm() == SignatureAlgorithmId::RsaPkcs1 ||
          algorithm.algorithm() == SignatureAlgorithmId::RsaPss ||
          algorithm.algorithm() == SignatureAlgorithmId::Ecdsa);
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
   EVP_PKEY_CTX* pctx = nullptr;  // Owned by |ctx|.
 
   const EVP_MD* digest;
-  if (!GetDigest(algorithm.digest(), &digest))
+  if (!GetDigest(algorithm.digest(), policy, &digest))
     return false;
 
   if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key))
     return false;
 
   // Set the RSASSA-PSS specific options.
   if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss &&
-      !ApplyRsaPssOptions(algorithm.ParamsForRsaPss(), pctx)) {
+      !ApplyRsaPssOptions(algorithm.ParamsForRsaPss(), pctx, policy)) {
     return false;
   }
 
   if (!EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(),
                               signed_data.Length())) {
     return false;
   }
 
   return 1 == EVP_DigestVerifyFinal(ctx.get(), signature_value.UnsafeData(),
                                     signature_value.Length());
 }
 
-// Returns true if the given curve is allowed for ECDSA. The input is a
-// BoringSSL NID.
-//
-// TODO(eroman): Extract policy decisions such as allowed curves, hashes, RSA
-// modulus size, to somewhere more central.
-WARN_UNUSED_RESULT bool IsAllowedCurveName(int curve_nid) {
-  switch (curve_nid) {
-    case NID_X9_62_prime256v1:
-    case NID_secp384r1:
-    case NID_secp521r1:
-      return true;
-  }
-  return false;
-}
-
 // Parses an EC public key from SPKI to an EVP_PKEY.
 //
 // Returns true on success.
 //
 // RFC 5912 describes all the ECDSA signature algorithms as requiring a public
 // key of type "pk-ec":
 //
 //     pk-ec PUBLIC-KEY ::= {
 //      IDENTIFIER id-ecPublicKey
 //      KEY ECPoint
@@ skipping 25 matching lines @@
 //
 //     NamedCurve CURVE ::= {
 //     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
 //     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
 //     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
 //     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
 //     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
 //     ... -- Extensible
 //     }
 WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki,
-                                           crypto::ScopedEVP_PKEY* pkey) {
+                                           crypto::ScopedEVP_PKEY* pkey,
+                                           const VerificationPolicy* policy) {
   if (!ImportPkeyFromSpki(public_key_spki, EVP_PKEY_EC, pkey))
     return false;
 
-  // Enforce policy on allowed curves in case ImportPkeyFromSpki() were to
-  // recognize and allow use of a weak curve.
+  // Extract the curve name.
   crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey->get()));
   if (!ec.get())
     return false;  // Unexpected.
+  int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()));
 
-  int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()));
-  return IsAllowedCurveName(curve_nid);
+  return policy->IsAcceptableCurveForEcdsa(curve_nid);
 }
 
 }  // namespace
 
 bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
                       const der::Input& signed_data,
                       const der::Input& signature_value_bit_string,
-                      const der::Input& public_key_spki) {
+                      const der::Input& public_key_spki,
+                      const VerificationPolicy* policy) {
+  // Optimization: Check the digest before parsing the SPKI. This isn't
+  // strictly necessary as it will also get checked by GetDigest().
+  if (!policy->IsAcceptableDigestAlgorithm(signature_algorithm.digest()))
+    return false;
+
   crypto::ScopedEVP_PKEY public_key;
 
   // Parse the SPKI to an EVP_PKEY appropriate for the signature algorithm.
   switch (signature_algorithm.algorithm()) {
     case SignatureAlgorithmId::RsaPkcs1:
     case SignatureAlgorithmId::RsaPss:
-      if (!ParseRsaKeyFromSpki(public_key_spki, &public_key))
+      if (!ParseRsaKeyFromSpki(public_key_spki, &public_key, policy))
         return false;
       break;
     case SignatureAlgorithmId::Ecdsa:
-      if (!ParseEcKeyFromSpki(public_key_spki, &public_key))
+      if (!ParseEcKeyFromSpki(public_key_spki, &public_key, policy))
         return false;
       break;
   }
 
   // Extract the bytes of the signature_value. Assume that the BIT STRING has
   // no unused bits (in other words, is a multiple of 8 bits), since that is the
   // case for all of the currently supported algorithms.
   der::Input signature_value;
   der::Parser parser(signature_value_bit_string);
   if (!parser.ReadBitStringNoUnusedBits(&signature_value))
     return false;
   // By definition signature_value_bit_string must be a single BIT STRING.
   if (parser.HasMore())
     return false;
 
   return DoVerify(signature_algorithm, signed_data, signature_value,
-                  public_key.get());
+                  public_key.get(), policy);
 }
 
 }  // namespace net
 
 #endif