Set Token-Binding HTTP header

net/ssl/token_binding_openssl.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/ssl/token_binding.h"
+
+#include <openssl/bytestring.h>
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/mem.h>
+
+#include "base/stl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "net/base/net_errors.h"
+#include "net/ssl/ssl_config.h"
+
+namespace net {
+
+namespace {
+
+enum TokenBindingType {
+  TB_TYPE_PROVIDED = 0,
+  TB_TYPE_REFERRED = 1,
+};
+
+bool BuildTokenBindingID(TokenBindingType type,
+                         crypto::ECPrivateKey* key,
+                         CBB* out) {
+  CBB ec_point;
+  if (!CBB_add_u8(out, type) || !CBB_add_u8(out, TB_PARAM_ECDSAP256) ||
+      !CBB_add_u8_length_prefixed(out, &ec_point)) {
+    return false;
+  }
+
+  EVP_PKEY* pkey = key->key();
+  static const int kExpectedKeyLength = 65;
+  uint8_t* buf;
+  if (pkey->type != EVP_PKEY_EC ||
+      i2o_ECPublicKey(pkey->pkey.ec, nullptr) != kExpectedKeyLength ||
+      !CBB_add_space(&ec_point, &buf, kExpectedKeyLength) ||
+      i2o_ECPublicKey(pkey->pkey.ec, &buf) != kExpectedKeyLength ||
+      !CBB_flush(out)) {

[davidben, 2016/01/22 00:19:22]

[Later there'll be an EC_POINT_point2cbb but apparently it's part of the giant
mass of unreviewed CLs I have in Adam's queue. :-) ]

[nharper, 2016/01/22 19:36:52]

Added a TODO to use EC_POINT_point2cbb.

+    return false;
+  }
+  return true;
+}
+
+}  // namespace
+
+Error BuildTokenBindingMessageFromTokenBindings(
+    const std::vector<base::StringPiece>& token_bindings,
+    std::string* out) {
+  CBB tb_message, child;
+  if (!CBB_init(&tb_message, 0) ||
+      !CBB_add_u16_length_prefixed(&tb_message, &child)) {
+    CBB_cleanup(&tb_message);
+    return ERR_FAILED;
+  }
+  for (const base::StringPiece& token_binding : token_bindings) {
+    if (!CBB_add_bytes(&child,
+                       reinterpret_cast<const uint8_t*>(token_binding.data()),
+                       token_binding.size())) {
+      CBB_cleanup(&tb_message);
+      return ERR_FAILED;
+    }
+  }
+
+  uint8_t* out_data;
+  size_t out_len;
+  if (!CBB_finish(&tb_message, &out_data, &out_len)) {
+    CBB_cleanup(&tb_message);
+    return ERR_FAILED;
+  }
+  out->assign(reinterpret_cast<char*>(out_data), out_len);
+  OPENSSL_free(out_data);
+  return OK;
+}
+
+Error BuildProvidedTokenBinding(crypto::ECPrivateKey* key,
+                                const std::vector<uint8_t>& signed_ekm,
+                                std::string* out) {
+  uint8_t* out_data;
+  size_t out_len;
+  CBB token_binding;
+  if (!CBB_init(&token_binding, 0) ||
+      !BuildTokenBindingID(TB_TYPE_PROVIDED, key, &token_binding) ||
+      !CBB_add_u16(&token_binding, signed_ekm.size()) ||
+      !CBB_add_bytes(&token_binding, signed_ekm.data(), signed_ekm.size()) ||
+      // 0-length extensions
+      !CBB_add_u16(&token_binding, 0) ||
+      !CBB_finish(&token_binding, &out_data, &out_len)) {
+    CBB_cleanup(&token_binding);
+    return ERR_FAILED;
+  }
+  out->assign(reinterpret_cast<char*>(out_data), out_len);
+  OPENSSL_free(out_data);
+  return OK;
+}
+
+bool ParseTokenBindingMessage(base::StringPiece token_binding_message,
+                              base::StringPiece* ec_point_out,
+                              base::StringPiece* signature_out) {
+  CBS tb_message, tb, ec_point, signature;
+  uint8_t tb_type, tb_param;
+  CBS_init(&tb_message,
+           reinterpret_cast<const uint8_t*>(token_binding_message.data()),
+           token_binding_message.size());
+  if (!CBS_get_u16_length_prefixed(&tb_message, &tb) ||
+      !CBS_get_u8(&tb, &tb_type) || !CBS_get_u8(&tb, &tb_param) ||
+      !CBS_get_u8_length_prefixed(&tb, &ec_point) ||
+      !CBS_get_u16_length_prefixed(&tb, &signature) ||
+      tb_type != TB_TYPE_PROVIDED || tb_param != TB_PARAM_ECDSAP256) {
+    return false;
+  }
+
+  *ec_point_out = base::StringPiece(
+      reinterpret_cast<const char*>(CBS_data(&ec_point)), CBS_len(&ec_point));
+  *signature_out = base::StringPiece(
+      reinterpret_cast<const char*>(CBS_data(&signature)), CBS_len(&signature));
+  return true;
+}
+
+bool VerifyEKMSignature(base::StringPiece ec_point,
+                        base::StringPiece signature,
+                        base::StringPiece ekm) {
+  crypto::ScopedEC_Key key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+  EC_KEY* keyp = key.get();
+  const uint8_t* ec_point_data =
+      reinterpret_cast<const uint8_t*>(ec_point.data());
+  if (o2i_ECPublicKey(&keyp, &ec_point_data, ec_point.size()) != key.get())
+    return false;
+  crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
+  if (!EVP_PKEY_assign_EC_KEY(pkey.get(), key.release()))
+    return false;
+  crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+  if (!EVP_PKEY_verify_init(pctx.get()) ||
+      !EVP_PKEY_verify(
+          pctx.get(), reinterpret_cast<const uint8_t*>(signature.data()),
+          signature.size(), reinterpret_cast<const uint8_t*>(ekm.data()),
+          ekm.size())) {
+    return false;
+  }
+  return true;
+}
+
+}  // namespace net