| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/update_client/client_update_protocol_ecdsa.h" | 5 #include "components/update_client/client_update_protocol_ecdsa.h" |
| 6 | 6 |
| 7 #include "base/logging.h" | 7 #include "base/logging.h" |
| 8 #include "base/macros.h" | 8 #include "base/macros.h" |
| 9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
| 10 #include "base/strings/string_number_conversions.h" | 10 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/strings/string_piece.h" | 11 #include "base/strings/string_piece.h" |
| 12 #include "base/strings/string_util.h" | 12 #include "base/strings/string_util.h" |
| 13 #include "base/strings/stringprintf.h" | 13 #include "base/strings/stringprintf.h" |
| 14 #include "crypto/random.h" | 14 #include "crypto/random.h" |
| 15 #include "crypto/sha2.h" | 15 #include "crypto/sha2.h" |
| 16 #include "crypto/signature_verifier.h" | 16 #include "crypto/signature_verifier.h" |
| 17 | 17 |
| 18 namespace update_client { | 18 namespace update_client { |
| 19 | 19 |
| 20 namespace { | 20 namespace { |
| 21 | 21 |
| 22 // This is the algorithm ID for ECDSA with SHA-256. Parameters are ABSENT. | |
| 23 // RFC 5758: | |
| 24 // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |
| 25 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } | |
| 26 // ... | |
| 27 // When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or | |
| 28 // ecdsa-with-SHA512 algorithm identifier appears in the algorithm field | |
| 29 // as an AlgorithmIdentifier, the encoding MUST omit the parameters | |
| 30 // field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one | |
| 31 // component, the OID ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with- | |
| 32 // SHA384, or ecdsa-with-SHA512. | |
| 33 // See also RFC 5480, Appendix A. | |
| 34 static const uint8_t kECDSAWithSHA256AlgorithmID[] = { | |
| 35 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, | |
| 36 }; | |
| 37 | |
| 38 std::vector<uint8_t> SHA256HashStr(const base::StringPiece& str) { | 22 std::vector<uint8_t> SHA256HashStr(const base::StringPiece& str) { |
| 39 std::vector<uint8_t> result(crypto::kSHA256Length); | 23 std::vector<uint8_t> result(crypto::kSHA256Length); |
| 40 crypto::SHA256HashString(str, &result.front(), result.size()); | 24 crypto::SHA256HashString(str, &result.front(), result.size()); |
| 41 return result; | 25 return result; |
| 42 } | 26 } |
| 43 | 27 |
| 44 std::vector<uint8_t> SHA256HashVec(const std::vector<uint8_t>& vec) { | 28 std::vector<uint8_t> SHA256HashVec(const std::vector<uint8_t>& vec) { |
| 45 if (vec.empty()) | 29 if (vec.empty()) |
| 46 return SHA256HashStr(base::StringPiece()); | 30 return SHA256HashStr(base::StringPiece()); |
| 47 | 31 |
| (...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 182 response_hash.end()); | 166 response_hash.end()); |
| 183 signed_message.insert(signed_message.end(), request_query_cup2key_.begin(), | 167 signed_message.insert(signed_message.end(), request_query_cup2key_.begin(), |
| 184 request_query_cup2key_.end()); | 168 request_query_cup2key_.end()); |
| 185 | 169 |
| 186 const std::vector<uint8_t> signed_message_hash = | 170 const std::vector<uint8_t> signed_message_hash = |
| 187 SHA256HashVec(signed_message); | 171 SHA256HashVec(signed_message); |
| 188 | 172 |
| 189 // Initialize the signature verifier. | 173 // Initialize the signature verifier. |
| 190 crypto::SignatureVerifier verifier; | 174 crypto::SignatureVerifier verifier; |
| 191 if (!verifier.VerifyInit( | 175 if (!verifier.VerifyInit( |
| 192 kECDSAWithSHA256AlgorithmID, sizeof(kECDSAWithSHA256AlgorithmID), | 176 crypto::SignatureVerifier::ECDSA_SHA256, &signature.front(), |
| 193 &signature.front(), static_cast<int>(signature.size()), | 177 static_cast<int>(signature.size()), &public_key_.front(), |
| 194 &public_key_.front(), static_cast<int>(public_key_.size()))) { | 178 static_cast<int>(public_key_.size()))) { |
| 195 DVLOG(1) << "Couldn't init SignatureVerifier."; | 179 DVLOG(1) << "Couldn't init SignatureVerifier."; |
| 196 return false; | 180 return false; |
| 197 } | 181 } |
| 198 | 182 |
| 199 // If the verification fails, that implies one of two outcomes: | 183 // If the verification fails, that implies one of two outcomes: |
| 200 // * The signature was modified | 184 // * The signature was modified |
| 201 // * The buffer that the server signed does not match the buffer that the | 185 // * The buffer that the server signed does not match the buffer that the |
| 202 // client assembled -- implying that either request body or response body | 186 // client assembled -- implying that either request body or response body |
| 203 // was modified, or a different nonce value was used. | 187 // was modified, or a different nonce value was used. |
| 204 verifier.VerifyUpdate(&signed_message_hash.front(), | 188 verifier.VerifyUpdate(&signed_message_hash.front(), |
| 205 static_cast<int>(signed_message_hash.size())); | 189 static_cast<int>(signed_message_hash.size())); |
| 206 return verifier.VerifyFinal(); | 190 return verifier.VerifyFinal(); |
| 207 } | 191 } |
| 208 | 192 |
| 209 } // namespace update_client | 193 } // namespace update_client |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1679873005:
Switch SignatureVerifier to taking an algorithm enum. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master