Verify certificate of Privet v3 device

chrome/browser/local_discovery/privet_http_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/local_discovery/privet_http_impl.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/rand_util.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/thread_task_runner_handle.h"
 #include "chrome/browser/local_discovery/privet_constants.h"
+#include "chrome/common/chrome_content_client.h"
 #include "chrome/common/cloud_print/cloud_print_constants.h"
 #include "net/base/url_util.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_builder.h"
 #include "url/gurl.h"
 
 #if defined(ENABLE_PRINT_PREVIEW)
 #include "chrome/browser/local_discovery/pwg_raster_converter.h"
 #include "components/cloud_devices/common/printer_description.h"
 #include "printing/pdf_render_settings.h"
 #include "printing/pwg_raster_settings.h"
 #include "ui/gfx/text_elider.h"
 #endif  // ENABLE_PRINT_PREVIEW
 
 namespace local_discovery {
 
 namespace {
+
 const char kUrlPlaceHolder[] = "http://host/";
 const char kPrivetRegisterActionArgName[] = "action";
 const char kPrivetRegisterUserArgName[] = "user";
 
 const int kPrivetCancelationTimeoutSeconds = 3;
 
 #if defined(ENABLE_PRINT_PREVIEW)
 const char kPrivetURLKeyUserName[] = "user_name";
 const char kPrivetURLKeyClientName[] = "client_name";
 const char kPrivetURLKeyJobname[] = "job_name";
@@ skipping 31 matching lines @@
                           const std::string& query_params) {
   GURL url(kUrlPlaceHolder);
   GURL::Replacements replacements;
   replacements.SetPathStr(path);
   if (!query_params.empty()) {
     replacements.SetQueryStr(query_params);
   }
   return url.ReplaceComponents(replacements);
 }
 
+// Used before we have any certificate fingerprint.
+class FailingCertVerifier : public net::CertVerifier {
+ public:
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override {
+    verify_result->verified_cert = cert;

[Ryan Sleevi, 2015/10/28 22:52:15]

BUG: You fail to reset the verify_result, causing old results to be potentially
re-used.

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

Done.

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

That one was copied from ssl_hmac_channel_authenticator.cc

+    verify_result->cert_status = net::CERT_STATUS_INVALID;
+    return net::ERR_CERT_INVALID;
+  }
+};
+
+// Used before when we have the certificate fingerprint.
+// Privet v3 devices should supports https but with self-signed sertificates.

[Ryan Sleevi, 2015/10/28 22:52:15]

TYPO: certificates

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

Done.

+// So normal validation is not usefull.
+// Before using https Privet v3 pairing generates same secret on device and
+// client side Spake2 on insecure channel. Than device sends fingerprint

[Ryan Sleevi, 2015/10/28 22:52:15]

typo: SPAKE2

// Before using HTTPS, Privet v3 pairing generates a shared secret using
// SPAKE2 over an insecure channel. Then the device sends the fingerprint
// to the client, over the insecure channel, but signed using the
// shared secret.
// For more information on paring:
// https://

(The comments at present have spelling and grammar issues)

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

Done.

+// to client using same insecure channel. fingerprint is signed with the secret
+// generated before.
+// More info on pairing:
+// https://developers.google.com/cloud-devices/v1/reference/local-api/pairing_start
+class FingerprintVerifier : public net::CertVerifier {

[Ryan Sleevi, 2015/10/28 22:52:15]

Your class documentation doesn't explain at all what's going on here; it's
entirely unrelated to the FingerprintVerifier, which simply verifies that
fingerprints match what are expected.

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

Moved large part of comment to SwitchToHttps to keep only relevant info here.

+ public:
+  explicit FingerprintVerifier(
+      const net::SHA256HashValue& certificate_fingerprint)
+      : certificate_fingerprint_(certificate_fingerprint) {}
+
+  int Verify(net::X509Certificate* cert,
+             const std::string& hostname,
+             const std::string& ocsp_response,
+             int flags,
+             net::CRLSet* crl_set,
+             net::CertVerifyResult* verify_result,
+             const net::CompletionCallback& callback,
+             scoped_ptr<Request>* out_req,
+             const net::BoundNetLog& net_log) override {
+    // Mark certificat as invalid as we didn't check that.
+    verify_result->verified_cert = cert;
+    verify_result->cert_status = net::CERT_STATUS_INVALID;
+
+    auto fingerprint =
+        net::X509Certificate::CalculateFingerprint256(cert->os_cert_handle());
+
+    return certificate_fingerprint_.Equals(fingerprint) ? net::OK
+                                                        : net::ERR_CERT_INVALID;
+  }
+
+ private:
+  net::SHA256HashValue certificate_fingerprint_;
+
+  DISALLOW_COPY_AND_ASSIGN(FingerprintVerifier);
+};
+
+class PrivetContextGetter : public net::URLRequestContextGetter {
+ public:
+  PrivetContextGetter(
+      const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner,
+      const net::SHA256HashValue& certificate_fingerprint)
+      : verifier_(new FingerprintVerifier(certificate_fingerprint)),
+        net_task_runner_(net_task_runner) {}
+
+  // Don't allow any https without fingerprint. Device with valid certificate
+  // may be different from the one which user is trying to pair.
+  explicit PrivetContextGetter(
+      const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner)
+      : verifier_(new FailingCertVerifier()),
+        net_task_runner_(net_task_runner) {}
+
+  net::URLRequestContext* GetURLRequestContext() override {
+    if (!context_) {
+      net::URLRequestContextBuilder builder;
+      builder.set_proxy_service(net::ProxyService::CreateDirect());
+      builder.SetSpdyAndQuicEnabled(false, false);
+      builder.DisableHttpCache();
+      builder.SetCertVerifier(verifier_.Pass());
+      builder.set_user_agent(::GetUserAgent());
+      context_ = builder.Build();
+    }
+    return context_.get();

[Ryan Sleevi, 2015/10/28 22:52:15]

This is all VERY surprising; creating new URL request contexts should be a very
rare thing.

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

I create one context per context getter and two context getters per device.
One before certificate and one after we have certificate.

I can have one getter for entire local discovery. But I don't think performance
is
critical here. With shared getter we will need share Verifier between devices.
So
we will have some way to pick correct fingerprint. This will make code more
complicated without known benefits.

Also it's not clear what is reused inside of context, or will be reused in
future.
Seems having context per device is more secure.

+  }
+
+  scoped_refptr<base::SingleThreadTaskRunner> GetNetworkTaskRunner()
+      const override {
+    return net_task_runner_;
+  }
+
+ protected:
+  ~PrivetContextGetter() override = default;
+
+ private:
+  scoped_ptr<net::CertVerifier> verifier_;
+  scoped_ptr<net::URLRequestContext> context_;
+  scoped_refptr<base::SingleThreadTaskRunner> net_task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(PrivetContextGetter);
+};
+
 }  // namespace
 
 PrivetInfoOperationImpl::PrivetInfoOperationImpl(
     PrivetHTTPClient* privet_client,
     const PrivetJSONOperation::ResultCallback& callback)
     : privet_client_(privet_client), callback_(callback) {
 }
 
 PrivetInfoOperationImpl::~PrivetInfoOperationImpl() {
 }
@@ skipping 78 matching lines @@
   int visible_http_code = -1;
   FailureReason reason = FAILURE_NETWORK;
 
   if (error == PrivetURLFetcher::RESPONSE_CODE_ERROR) {
     visible_http_code = fetcher->response_code();
     reason = FAILURE_HTTP_ERROR;
   } else if (error == PrivetURLFetcher::JSON_PARSE_ERROR) {
     reason = FAILURE_MALFORMED_RESPONSE;
   } else if (error == PrivetURLFetcher::TOKEN_ERROR) {
     reason = FAILURE_TOKEN;
-  } else if (error == PrivetURLFetcher::RETRY_ERROR) {
-    reason = FAILURE_RETRY;
+  } else if (error == PrivetURLFetcher::UNKNOWN_ERROR) {
+    reason = FAILURE_UNKNOWN;
   }
 
   delegate_->OnPrivetRegisterError(this,
                                    current_action_,
                                    reason,
                                    visible_http_code,
                                    NULL);
 }
 
 void PrivetRegisterOperationImpl::OnParsedJson(
@@ skipping 490 matching lines @@
 void PrivetLocalPrintOperationImpl::SetPWGRasterConverterForTesting(
     scoped_ptr<PWGRasterConverter> pwg_raster_converter) {
   pwg_raster_converter_ = pwg_raster_converter.Pass();
 }
 #endif  // ENABLE_PRINT_PREVIEW
 
 PrivetHTTPClientImpl::PrivetHTTPClientImpl(
     const std::string& name,
     const net::HostPortPair& host_port,
     net::URLRequestContextGetter* request_context)
-    : name_(name), request_context_(request_context), host_port_(host_port) {}
+    : PrivetHTTPClientImpl(name,
+                           host_port,
+                           request_context->GetNetworkTaskRunner()) {}
+
+PrivetHTTPClientImpl::PrivetHTTPClientImpl(
+    const std::string& name,
+    const net::HostPortPair& host_port,
+    const scoped_refptr<base::SingleThreadTaskRunner>& net_task_runner)
+    : name_(name),
+      context_getter_(new PrivetContextGetter(net_task_runner)),
+      host_port_(host_port) {}
 
 PrivetHTTPClientImpl::~PrivetHTTPClientImpl() {
 }
 
 const std::string& PrivetHTTPClientImpl::GetName() {
   return name_;
 }
 
 scoped_ptr<PrivetJSONOperation> PrivetHTTPClientImpl::CreateInfoOperation(
     const PrivetJSONOperation::ResultCallback& callback) {
   return scoped_ptr<PrivetJSONOperation>(
       new PrivetInfoOperationImpl(this, callback));
 }
 
 scoped_ptr<PrivetURLFetcher> PrivetHTTPClientImpl::CreateURLFetcher(
     const GURL& url,
     net::URLFetcher::RequestType request_type,
     PrivetURLFetcher::Delegate* delegate) {
   GURL::Replacements replacements;
   replacements.SetHostStr(host_port_.host());
-  std::string port(
-      base::UintToString(host_port_.port()));  // Keep string alive.
+  std::string port = base::UintToString(host_port_.port());
   replacements.SetPortStr(port);
+  std::string scheme = IsInHttpsMode() ? "https" : "http";
+  replacements.SetSchemeStr(scheme);
   return scoped_ptr<PrivetURLFetcher>(
-      new PrivetURLFetcher(url.ReplaceComponents(replacements),
-                           request_type,
-                           request_context_.get(),
-                           delegate));
+      new PrivetURLFetcher(url.ReplaceComponents(replacements), request_type,
+                           context_getter_, delegate));
 }
 
 void PrivetHTTPClientImpl::RefreshPrivetToken(
     const PrivetURLFetcher::TokenCallback& callback) {
   token_callbacks_.push_back(callback);
 
   if (!info_operation_) {
     info_operation_ = CreateInfoOperation(
         base::Bind(&PrivetHTTPClientImpl::OnPrivetInfoDone,
                    base::Unretained(this)));
     info_operation_->Start();
   }
 }
 
+void PrivetHTTPClientImpl::SwitchToHttps(
+    uint16_t port,
+    const net::SHA256HashValue& certificate_fingerprint) {
+  use_https_ = true;
+  host_port_.set_port(port);
+  context_getter_ = new PrivetContextGetter(
+      context_getter_->GetNetworkTaskRunner(), certificate_fingerprint);

[Ryan Sleevi, 2015/10/28 22:52:15]

I'm fairly certain this is all sorts of wrong re: lifetimes of
URLRequestContexts and friends.

[Vitaly Buka (NO REVIEWS), 2015/10/29 00:19:10]

Did you mean performance? Two getters per device?

+}
+
+bool PrivetHTTPClientImpl::IsInHttpsMode() const {
+  return use_https_;
+}
+
 void PrivetHTTPClientImpl::OnPrivetInfoDone(
     const base::DictionaryValue* value) {
   info_operation_.reset();
   std::string token;
 
   // If this does not succeed, token will be empty, and an empty string
   // is our sentinel value, since empty X-Privet-Tokens are not allowed.
   if (value) {
     value->GetString(kPrivetInfoKeyToken, &token);
   }
@@ skipping 44 matching lines @@
     PrivetLocalPrintOperation::Delegate* delegate) {
 #if defined(ENABLE_PRINT_PREVIEW)
   return scoped_ptr<PrivetLocalPrintOperation>(
       new PrivetLocalPrintOperationImpl(info_client(), delegate));
 #else
   return scoped_ptr<PrivetLocalPrintOperation>();
 #endif  // ENABLE_PRINT_PREVIEW
 }
 
 }  // namespace local_discovery