OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/quic/crypto/proof_verifier_chromium.h" | |
6 | |
7 #include "base/bind.h" | |
8 #include "base/bind_helpers.h" | |
9 #include "base/callback_helpers.h" | |
10 #include "base/compiler_specific.h" | |
11 #include "base/logging.h" | |
12 #include "crypto/signature_verifier.h" | |
13 #include "net/base/net_errors.h" | |
14 #include "net/base/net_log.h" | |
15 #include "net/cert/asn1_util.h" | |
16 #include "net/cert/cert_status_flags.h" | |
17 #include "net/cert/cert_verifier.h" | |
18 #include "net/cert/cert_verify_result.h" | |
19 #include "net/cert/single_request_cert_verifier.h" | |
20 #include "net/cert/x509_certificate.h" | |
21 #include "net/cert/x509_util.h" | |
22 #include "net/quic/crypto/crypto_protocol.h" | |
23 #include "net/ssl/ssl_config_service.h" | |
24 | |
25 using base::StringPiece; | |
26 using std::string; | |
27 using std::vector; | |
28 | |
29 namespace net { | |
30 | |
31 ProofVerifierChromium::ProofVerifierChromium(CertVerifier* cert_verifier) | |
32 : cert_verifier_(cert_verifier), | |
33 completed_cert_verification_(false), | |
34 server_cert_(NULL), | |
35 next_cert_state_(STATE_NONE) { | |
36 } | |
37 | |
38 ProofVerifierChromium::~ProofVerifierChromium() { | |
39 verifier_.reset(); | |
40 | |
41 // Reset object state. | |
42 callback_.Reset(); | |
43 server_cert_verify_result_.Reset(); | |
44 completed_cert_verification_ = false; | |
45 } | |
46 | |
47 int ProofVerifierChromium::VerifyProof(const string& hostname, | |
48 const string& server_config, | |
49 const vector<string>& certs, | |
50 const string& signature, | |
51 const CompletionCallback& callback, | |
52 string* error_details) { | |
53 // We call VerifySignature first to avoid copying of server_config data. | |
wtc
2013/06/24 22:36:56
server_config => server_config and signature.
Rem
ramant (doing other things)
2013/06/28 19:16:56
Done.
| |
54 if (!VerifySignature(server_config, signature, certs[0])) { | |
55 *error_details = "Failed to verify signature of server config"; | |
56 return ERR_FAILED; | |
57 } | |
58 | |
59 hostname_ = hostname; | |
60 callback_ = callback; | |
61 completed_cert_verification_ = false; | |
62 | |
63 int error = VerifyChain(certs); | |
64 if (error <= ERR_FAILED) { | |
65 *error_details = "Failed to verify certificate chain"; | |
66 // TODO(rtenneti): do we need to save the original |error|? | |
wtc
2013/06/24 22:36:56
I suggest saving the original |error| in string fo
ramant (doing other things)
2013/06/28 19:16:56
Done.
| |
67 error = ERR_FAILED; | |
68 } | |
69 | |
70 return error; | |
71 } | |
72 | |
73 int ProofVerifierChromium::VerifyChain(const vector<string>& certs) { | |
74 if (certs.empty()) { | |
75 DLOG(WARNING) << "certs are empty"; | |
76 return ERR_FAILED; | |
77 } | |
78 | |
79 // Convert certs to X509. | |
wtc
2013/06/24 22:36:56
X509 => X509Certificate
ramant (doing other things)
2013/06/28 19:16:56
Done.
| |
80 vector<StringPiece> v(certs.size()); | |
81 for (unsigned i = 0; i < certs.size(); i++) { | |
82 v[i] = base::StringPiece(certs[i]); | |
83 } | |
84 server_cert_ = X509Certificate::CreateFromDERCertChain(v); | |
85 if (!server_cert_.get()) { | |
86 server_cert_verify_result_.Reset(); | |
87 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID; | |
88 return ERR_FAILED; | |
wtc
2013/06/24 22:36:56
ERR_FAILED => ERR_CERT_INVALID
ramant (doing other things)
2013/06/28 19:16:56
Done.
| |
89 } | |
90 | |
91 // Let's verify the certificate. | |
92 next_cert_state_ = STATE_VERIFY_CERT; | |
93 return DoVerifyCertLoop(OK); | |
94 } | |
95 | |
96 int ProofVerifierChromium::DoVerifyCertLoop(int last_result) { | |
97 int rv = last_result; | |
98 do { | |
99 State state = next_cert_state_; | |
100 next_cert_state_ = STATE_NONE; | |
101 switch (state) { | |
102 case STATE_VERIFY_CERT: | |
103 DCHECK(rv == OK); | |
104 rv = DoVerifyCert(rv); | |
105 break; | |
106 case STATE_VERIFY_CERT_COMPLETE: | |
107 rv = DoVerifyCertComplete(rv); | |
108 break; | |
109 case STATE_NONE: | |
110 default: | |
111 rv = ERR_UNEXPECTED; | |
112 LOG(DFATAL) << "unexpected state " << state; | |
113 break; | |
114 } | |
115 } while (rv != ERR_IO_PENDING && next_cert_state_ != STATE_NONE); | |
116 return rv; | |
117 } | |
118 | |
119 void ProofVerifierChromium::OnVerifyCertIOComplete(int result) { | |
120 int rv = DoVerifyCertLoop(result); | |
121 if (rv != ERR_IO_PENDING) { | |
122 // TODO(rtenneti): do we need to save the original |rv|? | |
123 base::ResetAndReturn(&callback_).Run(rv >= OK ? OK : ERR_FAILED); | |
wtc
2013/06/24 22:36:56
We should pass just |rv| to Run(). The error code
ramant (doing other things)
2013/06/28 19:16:56
Done.
| |
124 } | |
125 } | |
126 | |
127 int ProofVerifierChromium::DoVerifyCert(int result) { | |
128 next_cert_state_ = STATE_VERIFY_CERT_COMPLETE; | |
129 | |
130 // TODO(rtenneti): Are the following flags correct?? | |
wtc
2013/06/24 22:36:56
Let's start with the following:
int flags = Cert
ramant (doing other things)
2013/06/28 19:16:56
Done.
| |
131 int flags = 0; | |
132 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED; // | |
133 flags |= CertVerifier::VERIFY_EV_CERT; // | |
134 flags |= CertVerifier::VERIFY_CERT_IO_ENABLED; | |
135 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_)); | |
136 return verifier_->Verify( | |
137 server_cert_.get(), | |
138 hostname_, | |
139 flags, | |
140 SSLConfigService::GetCRLSet().get(), | |
141 &server_cert_verify_result_, | |
142 base::Bind(&ProofVerifierChromium::OnVerifyCertIOComplete, | |
143 base::Unretained(this)), | |
144 net_log_); | |
145 } | |
146 | |
147 int ProofVerifierChromium::DoVerifyCertComplete(int result) { | |
148 verifier_.reset(); | |
149 | |
150 completed_cert_verification_ = true; | |
151 | |
152 // Exit DoVerifyCertLoop and return the result to the caller to ProofVerify. | |
153 DCHECK_EQ(STATE_NONE, next_cert_state_); | |
154 return result; | |
155 } | |
156 | |
157 // static | |
158 bool ProofVerifierChromium::VerifySignature(const string& signed_data, | |
159 const string& signature, | |
160 const string& cert) { | |
161 StringPiece spki; | |
162 if (!asn1::ExtractSPKIFromDERCert(cert, &spki)) { | |
163 DLOG(WARNING) << "ExtractSPKIFromDERCert failed"; | |
164 return false; | |
165 } | |
166 | |
167 // We use the signature verifier to perform signature verification. | |
168 crypto::SignatureVerifier verifier; | |
169 | |
170 // TODO(rtenneti): Define the algorithm ID for RSA_PKCS1_PSS_PADDING based on | |
171 // the cert. | |
172 | |
173 // This is the algorithm ID for SHA-256 with EC encryption. | |
174 const uint8 kECDSAWithSHA256AlgorithmID[] = { | |
175 0x30, 0x0c, | |
176 0x06, 0x08, | |
177 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, | |
178 0x05, 0x00 | |
179 }; | |
180 | |
181 if (!verifier.VerifyInit( | |
182 kECDSAWithSHA256AlgorithmID, sizeof(kECDSAWithSHA256AlgorithmID), | |
183 reinterpret_cast<const uint8*>(signature.data()), | |
184 signature.size(), | |
185 reinterpret_cast<const uint8*>(spki.data()), | |
186 spki.size())) { | |
187 DLOG(WARNING) << "VerifyInit failed"; | |
188 return false; | |
189 } | |
190 | |
191 verifier.VerifyUpdate(reinterpret_cast<const uint8*>(kProofSignatureLabel), | |
192 sizeof(kProofSignatureLabel)); | |
193 verifier.VerifyUpdate(reinterpret_cast<const uint8*>(signed_data.data()), | |
194 signed_data.size()); | |
195 | |
196 if (!verifier.VerifyFinal()) { | |
197 DLOG(WARNING) << "VerifyFinal failed"; | |
198 return false; | |
199 } | |
200 | |
201 return true; | |
202 } | |
203 | |
204 } // namespace net | |
OLD | NEW |