OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_util_openssl.h" | 5 #include "net/cert/x509_util_openssl.h" |
6 | 6 |
7 #include <limits.h> | 7 #include <limits.h> |
8 #include <openssl/asn1.h> | 8 #include <openssl/asn1.h> |
9 #include <openssl/digest.h> | |
9 #include <openssl/mem.h> | 10 #include <openssl/mem.h> |
10 | 11 |
11 #include <algorithm> | 12 #include <algorithm> |
12 | 13 |
13 #include "base/lazy_instance.h" | 14 #include "base/lazy_instance.h" |
14 #include "base/logging.h" | 15 #include "base/logging.h" |
15 #include "base/macros.h" | 16 #include "base/macros.h" |
16 #include "base/strings/string_piece.h" | 17 #include "base/strings/string_piece.h" |
17 #include "base/strings/string_util.h" | 18 #include "base/strings/string_util.h" |
18 #include "crypto/ec_private_key.h" | 19 #include "crypto/ec_private_key.h" |
19 #include "crypto/openssl_util.h" | 20 #include "crypto/openssl_util.h" |
20 #include "crypto/rsa_private_key.h" | 21 #include "crypto/rsa_private_key.h" |
21 #include "crypto/scoped_openssl_types.h" | 22 #include "crypto/scoped_openssl_types.h" |
23 #include "net/cert/internal/parse_certificate.h" | |
24 #include "net/cert/internal/signature_algorithm.h" | |
22 #include "net/cert/x509_cert_types.h" | 25 #include "net/cert/x509_cert_types.h" |
26 #include "net/cert/x509_certificate.h" | |
23 #include "net/cert/x509_util.h" | 27 #include "net/cert/x509_util.h" |
24 #include "net/ssl/scoped_openssl_types.h" | 28 #include "net/ssl/scoped_openssl_types.h" |
25 | 29 |
26 namespace net { | 30 namespace net { |
27 | 31 |
28 namespace { | 32 namespace { |
29 | 33 |
30 using ScopedASN1_INTEGER = | 34 using ScopedASN1_INTEGER = |
31 crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free>; | 35 crypto::ScopedOpenSSL<ASN1_INTEGER, ASN1_INTEGER_free>; |
32 using ScopedASN1_OCTET_STRING = | 36 using ScopedASN1_OCTET_STRING = |
(...skipping 263 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
296 scoped_ptr<DERCache> new_cache(new DERCache); | 300 scoped_ptr<DERCache> new_cache(new DERCache); |
297 if (!DerEncodeCert(x509, &new_cache->data)) | 301 if (!DerEncodeCert(x509, &new_cache->data)) |
298 return false; | 302 return false; |
299 internal_cache = new_cache.get(); | 303 internal_cache = new_cache.get(); |
300 X509_set_ex_data(x509, x509_der_cache_index, new_cache.release()); | 304 X509_set_ex_data(x509, x509_der_cache_index, new_cache.release()); |
301 } | 305 } |
302 *der_cache = base::StringPiece(internal_cache->data); | 306 *der_cache = base::StringPiece(internal_cache->data); |
303 return true; | 307 return true; |
304 } | 308 } |
305 | 309 |
310 bool GetTLSServerEndPointChannelBinding(const X509Certificate& certificate, | |
311 std::string* token) { | |
312 static const char kChannelBindingPrefix[] = "tls-server-end-point:"; | |
313 | |
314 std::string der_encoded_certificate; | |
315 if (!X509Certificate::GetDEREncoded(certificate.os_cert_handle(), | |
316 &der_encoded_certificate)) | |
317 return false; | |
318 | |
319 ParsedCertificate parsed_certificate; | |
320 if (!ParseCertificate(der::Input(base::StringPiece(der_encoded_certificate)), | |
321 &parsed_certificate)) | |
322 return false; | |
323 | |
324 scoped_ptr<SignatureAlgorithm> signature_algorithm = | |
325 SignatureAlgorithm::CreateFromDer( | |
326 parsed_certificate.signature_algorithm_tlv); | |
327 if (!signature_algorithm) | |
328 return false; | |
329 | |
330 const EVP_MD* digest_evp_md = nullptr; | |
331 switch (signature_algorithm->digest()) { | |
332 case net::DigestAlgorithm::Sha1: | |
eroman
2017/03/02 21:13:02
Is this fall-through intentional? Seems like eithe
asanka
2017/03/02 21:28:57
This is per https://tools.ietf.org/html/rfc5929#se
| |
333 case net::DigestAlgorithm::Sha256: | |
334 digest_evp_md = EVP_sha256(); | |
335 break; | |
336 | |
337 case net::DigestAlgorithm::Sha384: | |
338 digest_evp_md = EVP_sha384(); | |
339 break; | |
340 | |
341 case net::DigestAlgorithm::Sha512: | |
342 digest_evp_md = EVP_sha512(); | |
343 break; | |
344 } | |
345 if (!digest_evp_md) | |
346 return false; | |
347 | |
348 std::vector<uint8_t> digest(EVP_MAX_MD_SIZE); | |
349 unsigned int out_size = digest.size(); | |
350 if (!EVP_Digest(der_encoded_certificate.data(), | |
351 der_encoded_certificate.size(), digest.data(), &out_size, | |
352 digest_evp_md, nullptr)) | |
353 return false; | |
354 | |
355 digest.resize(out_size); | |
356 token->assign(kChannelBindingPrefix); | |
357 token->append(digest.begin(), digest.end()); | |
358 return true; | |
359 } | |
360 | |
306 } // namespace x509_util | 361 } // namespace x509_util |
307 | 362 |
308 } // namespace net | 363 } // namespace net |
OLD | NEW |