OLD | NEW |
| (Empty) |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/sha256_legacy_support_win.h" | |
6 | |
7 #include <openssl/asn1.h> | |
8 #include <openssl/bytestring.h> | |
9 #include <openssl/evp.h> | |
10 #include <openssl/obj.h> | |
11 #include <openssl/x509.h> | |
12 | |
13 #include "base/logging.h" | |
14 #include "crypto/scoped_openssl_types.h" | |
15 | |
16 namespace net { | |
17 | |
18 namespace sha256_interception { | |
19 | |
20 namespace { | |
21 | |
22 using ScopedX509_ALGOR = crypto::ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free>; | |
23 | |
24 bool IsSupportedSubjectType(DWORD subject_type) { | |
25 switch (subject_type) { | |
26 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: | |
27 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: | |
28 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: | |
29 return true; | |
30 } | |
31 return false; | |
32 } | |
33 | |
34 bool IsSupportedIssuerType(DWORD issuer_type) { | |
35 switch (issuer_type) { | |
36 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: | |
37 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: | |
38 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: | |
39 return true; | |
40 } | |
41 return false; | |
42 } | |
43 | |
44 base::StringPiece GetSubjectSignature(DWORD subject_type, | |
45 void* subject_data) { | |
46 switch (subject_type) { | |
47 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: { | |
48 CRYPT_DATA_BLOB* data_blob = | |
49 reinterpret_cast<CRYPT_DATA_BLOB*>(subject_data); | |
50 return base::StringPiece(reinterpret_cast<char*>(data_blob->pbData), | |
51 data_blob->cbData); | |
52 } | |
53 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: { | |
54 PCCERT_CONTEXT subject_cert = | |
55 reinterpret_cast<PCCERT_CONTEXT>(subject_data); | |
56 return base::StringPiece( | |
57 reinterpret_cast<char*>(subject_cert->pbCertEncoded), | |
58 subject_cert->cbCertEncoded); | |
59 } | |
60 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: { | |
61 PCCRL_CONTEXT subject_crl = | |
62 reinterpret_cast<PCCRL_CONTEXT>(subject_data); | |
63 return base::StringPiece( | |
64 reinterpret_cast<char*>(subject_crl->pbCrlEncoded), | |
65 subject_crl->cbCrlEncoded); | |
66 } | |
67 } | |
68 return base::StringPiece(); | |
69 } | |
70 | |
71 PCERT_PUBLIC_KEY_INFO GetIssuerPublicKey(DWORD issuer_type, | |
72 void* issuer_data) { | |
73 switch (issuer_type) { | |
74 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: | |
75 return reinterpret_cast<PCERT_PUBLIC_KEY_INFO>(issuer_data); | |
76 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: { | |
77 PCCERT_CONTEXT cert = reinterpret_cast<PCCERT_CONTEXT>(issuer_data); | |
78 return &cert->pCertInfo->SubjectPublicKeyInfo; | |
79 } | |
80 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: { | |
81 PCCERT_CHAIN_CONTEXT chain = | |
82 reinterpret_cast<PCCERT_CHAIN_CONTEXT>(issuer_data); | |
83 PCCERT_CONTEXT cert = chain->rgpChain[0]->rgpElement[0]->pCertContext; | |
84 return &cert->pCertInfo->SubjectPublicKeyInfo; | |
85 } | |
86 } | |
87 return NULL; | |
88 } | |
89 | |
90 // Parses |subject_signature| and writes the components into |*out_tbs_data|, | |
91 // |*out_algor|, and |*out_signature|. The BIT STRING in the signature must be | |
92 // a multiple of 8 bits. |*out_signature| will have the padding byte removed. | |
93 // It returns true on success and false on failure. | |
94 bool ParseSubjectSignature(const base::StringPiece& subject_signature, | |
95 CBS* out_tbs_data, | |
96 ScopedX509_ALGOR* out_algor, | |
97 CBS* out_signature) { | |
98 CBS cbs, sequence, tbs_data, algorithm, signature; | |
99 CBS_init(&cbs, reinterpret_cast<const uint8_t*>(subject_signature.data()), | |
100 subject_signature.size()); | |
101 if (!CBS_get_asn1(&cbs, &sequence, CBS_ASN1_SEQUENCE) || CBS_len(&cbs) != 0 || | |
102 !CBS_get_any_asn1_element(&sequence, &tbs_data, nullptr, nullptr) || | |
103 !CBS_get_asn1_element(&sequence, &algorithm, CBS_ASN1_SEQUENCE) || | |
104 !CBS_get_asn1(&sequence, &signature, CBS_ASN1_BITSTRING) || | |
105 CBS_len(&sequence) != 0) { | |
106 return false; | |
107 } | |
108 | |
109 // Decode the algorithm. | |
110 const uint8_t* ptr = CBS_data(&algorithm); | |
111 ScopedX509_ALGOR algor(d2i_X509_ALGOR(NULL, &ptr, CBS_len(&algorithm))); | |
112 if (!algor || ptr != CBS_data(&algorithm) + CBS_len(&algorithm)) | |
113 return false; | |
114 | |
115 // An ASN.1 BIT STRING is encoded with a leading byte denoting the number of | |
116 // padding bits. All supported signature algorithms output octets, so the | |
117 // leading byte must be zero. | |
118 uint8_t padding; | |
119 if (!CBS_get_u8(&signature, &padding) || padding != 0) | |
120 return false; | |
121 | |
122 *out_tbs_data = tbs_data; | |
123 *out_algor = algor.Pass(); | |
124 *out_signature = signature; | |
125 return true; | |
126 } | |
127 | |
128 } // namespace | |
129 | |
130 BOOL CryptVerifyCertificateSignatureExHook( | |
131 CryptVerifyCertificateSignatureExFunc original_func, | |
132 HCRYPTPROV_LEGACY provider, | |
133 DWORD encoding_type, | |
134 DWORD subject_type, | |
135 void* subject_data, | |
136 DWORD issuer_type, | |
137 void* issuer_data, | |
138 DWORD flags, | |
139 void* extra) { | |
140 CHECK(original_func); | |
141 | |
142 // Only intercept if the arguments are supported. | |
143 if (provider != NULL || (encoding_type != X509_ASN_ENCODING) || | |
144 !IsSupportedSubjectType(subject_type) || subject_data == NULL || | |
145 !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) { | |
146 return original_func(provider, encoding_type, subject_type, subject_data, | |
147 issuer_type, issuer_data, flags, extra); | |
148 } | |
149 | |
150 base::StringPiece subject_signature = | |
151 GetSubjectSignature(subject_type, subject_data); | |
152 bool should_intercept = false; | |
153 | |
154 // Parse out the data, AlgorithmIdentifier, and signature. | |
155 CBS tbs_data, signature; | |
156 ScopedX509_ALGOR algor; | |
157 if (ParseSubjectSignature(subject_signature, &tbs_data, &algor, &signature)) { | |
158 // If the signature algorithm is RSA with one of the SHA-2 algorithms | |
159 // supported by BoringSSL (excluding SHA-224, which is pointless), then | |
160 // defer to the BoringSSL implementation. Otherwise, fall back and let the | |
161 // OS handle it (e.g. in case there are any algorithm policies in effect). | |
162 int nid = OBJ_obj2nid(algor->algorithm); | |
163 if (nid == NID_sha256WithRSAEncryption || | |
164 nid == NID_sha384WithRSAEncryption || | |
165 nid == NID_sha512WithRSAEncryption) { | |
166 should_intercept = true; | |
167 } | |
168 } | |
169 | |
170 if (!should_intercept) { | |
171 return original_func(provider, encoding_type, subject_type, subject_data, | |
172 issuer_type, issuer_data, flags, extra); | |
173 } | |
174 | |
175 // Rather than attempting to synthesize an EVP_PKEY by hand, just force the | |
176 // OS to do an ASN.1 encoding and then decode it back into BoringSSL. This | |
177 // is silly for performance, but safest for consistency. | |
178 PCERT_PUBLIC_KEY_INFO issuer_public_key = | |
179 GetIssuerPublicKey(issuer_type, issuer_data); | |
180 if (!issuer_public_key) { | |
181 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
182 return FALSE; | |
183 } | |
184 | |
185 uint8_t* issuer_spki_data = NULL; | |
186 DWORD issuer_spki_len = 0; | |
187 if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, | |
188 issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL, | |
189 &issuer_spki_data, &issuer_spki_len)) { | |
190 return FALSE; | |
191 } | |
192 | |
193 const uint8_t* ptr = issuer_spki_data; | |
194 crypto::ScopedEVP_PKEY pubkey(d2i_PUBKEY(NULL, &ptr, issuer_spki_len)); | |
195 if (!pubkey.get() || ptr != issuer_spki_data + issuer_spki_len) { | |
196 ::LocalFree(issuer_spki_data); | |
197 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
198 return FALSE; | |
199 } | |
200 ::LocalFree(issuer_spki_data); | |
201 | |
202 crypto::ScopedEVP_MD_CTX md_ctx(EVP_MD_CTX_create()); | |
203 if (!EVP_DigestVerifyInitFromAlgorithm(md_ctx.get(), algor.get(), | |
204 pubkey.get()) || | |
205 !EVP_DigestVerifyUpdate(md_ctx.get(), CBS_data(&tbs_data), | |
206 CBS_len(&tbs_data)) || | |
207 !EVP_DigestVerifyFinal(md_ctx.get(), CBS_data(&signature), | |
208 CBS_len(&signature))) { | |
209 SetLastError(static_cast<DWORD>(NTE_BAD_SIGNATURE)); | |
210 return FALSE; | |
211 } | |
212 return TRUE; | |
213 } | |
214 | |
215 } // namespace sha256_interception | |
216 | |
217 } // namespace net | |
OLD | NEW |