| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/cert_verify_proc_openssl_ios.h" |
| 6 |
| 7 #include <CommonCrypto/CommonDigest.h> |
| 8 #include <Security/Security.h> |
| 9 |
| 10 #include "base/logging.h" |
| 11 #include "base/mac/scoped_cftyperef.h" |
| 12 #include "base/strings/sys_string_conversions.h" |
| 13 #include "crypto/sha2.h" |
| 14 #include "net/base/net_errors.h" |
| 15 #include "net/cert/asn1_util.h" |
| 16 #include "net/cert/cert_verify_result.h" |
| 17 #include "net/cert/crl_set.h" |
| 18 #include "net/cert/test_root_certs.h" |
| 19 #include "net/cert/x509_certificate.h" |
| 20 #include "net/ssl/openssl_ssl_util.h" |
| 21 |
| 22 using base::ScopedCFTypeRef; |
| 23 |
| 24 namespace net { |
| 25 |
| 26 namespace { |
| 27 |
| 28 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef, |
| 29 CFDictionaryRef*); |
| 30 |
| 31 int NetErrorFromOSStatus(OSStatus status) { |
| 32 switch (status) { |
| 33 case noErr: |
| 34 return OK; |
| 35 case errSecNotAvailable: |
| 36 return ERR_NOT_IMPLEMENTED; |
| 37 case errSecAuthFailed: |
| 38 return ERR_ACCESS_DENIED; |
| 39 default: |
| 40 return ERR_FAILED; |
| 41 } |
| 42 } |
| 43 |
| 44 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to |
| 45 // validate a certificate for an SSL server. |hostname| contains the name of |
| 46 // the SSL server that the certificate should be verified against. If |
| 47 // successful, returns noErr, and stores the resultant array of SecPolicyRefs |
| 48 // in |policies|. |
| 49 OSStatus CreateTrustPolicies(const std::string& hostname, |
| 50 ScopedCFTypeRef<CFArrayRef>* policies) { |
| 51 ScopedCFTypeRef<CFMutableArrayRef> local_policies( |
| 52 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks)); |
| 53 if (!local_policies) |
| 54 return errSecAllocate; |
| 55 |
| 56 SecPolicyRef ssl_policy = SecPolicyCreateBasicX509(); |
| 57 CFArrayAppendValue(local_policies, ssl_policy); |
| 58 CFRelease(ssl_policy); |
| 59 ssl_policy = SecPolicyCreateSSL(true, base::SysUTF8ToCFStringRef(hostname)); |
| 60 CFArrayAppendValue(local_policies, ssl_policy); |
| 61 CFRelease(ssl_policy); |
| 62 |
| 63 policies->reset(local_policies.release()); |
| 64 return noErr; |
| 65 } |
| 66 |
| 67 // Builds and evaluates a SecTrustRef for the certificate chain contained |
| 68 // in |cert_array|, using the verification policies in |trust_policies|. On |
| 69 // success, returns OK, and updates |trust_ref| and |trust_result|. On failure, |
| 70 // no output parameters are modified. |
| 71 // |
| 72 // Note: An OK return does not mean that |cert_array| is trusted, merely that |
| 73 // verification was performed successfully. |
| 74 int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array, |
| 75 CFArrayRef trust_policies, |
| 76 ScopedCFTypeRef<SecTrustRef>* trust_ref, |
| 77 ScopedCFTypeRef<CFArrayRef>* verified_chain, |
| 78 SecTrustResultType* trust_result) { |
| 79 SecTrustRef tmp_trust = NULL; |
| 80 OSStatus status = |
| 81 SecTrustCreateWithCertificates(cert_array, trust_policies, &tmp_trust); |
| 82 if (status) |
| 83 return NetErrorFromOSStatus(status); |
| 84 ScopedCFTypeRef<SecTrustRef> scoped_tmp_trust(tmp_trust); |
| 85 |
| 86 if (TestRootCerts::HasInstance()) { |
| 87 status = TestRootCerts::GetInstance()->FixupSecTrustRef(tmp_trust); |
| 88 if (status) |
| 89 return NetErrorFromOSStatus(status); |
| 90 } |
| 91 |
| 92 SecTrustResultType tmp_trust_result; |
| 93 status = SecTrustEvaluate(tmp_trust, &tmp_trust_result); |
| 94 if (status) |
| 95 return NetErrorFromOSStatus(status); |
| 96 |
| 97 ScopedCFTypeRef<CFMutableArrayRef> tmp_verified_chain( |
| 98 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks)); |
| 99 const CFIndex chain_length = SecTrustGetCertificateCount(tmp_trust); |
| 100 for (CFIndex i = 0; i < chain_length; ++i) { |
| 101 SecCertificateRef chain_cert = SecTrustGetCertificateAtIndex(tmp_trust, i); |
| 102 CFArrayAppendValue(tmp_verified_chain, chain_cert); |
| 103 CFRelease(chain_cert); |
| 104 } |
| 105 |
| 106 trust_ref->swap(scoped_tmp_trust); |
| 107 *trust_result = tmp_trust_result; |
| 108 verified_chain->reset(tmp_verified_chain.release()); |
| 109 return OK; |
| 110 } |
| 111 |
| 112 void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) { |
| 113 DCHECK_LT(0, CFArrayGetCount(cert_chain)); |
| 114 |
| 115 verify_result->has_md2 = false; |
| 116 verify_result->has_md4 = false; |
| 117 verify_result->has_md5 = false; |
| 118 verify_result->has_sha1 = false; |
| 119 verify_result->has_sha1_leaf = false; |
| 120 |
| 121 SecCertificateRef verified_cert = NULL; |
| 122 std::vector<SecCertificateRef> verified_chain; |
| 123 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { |
| 124 SecCertificateRef chain_cert = |
| 125 X509Certificate::DupOSCertHandle(reinterpret_cast<SecCertificateRef>( |
| 126 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)))); |
| 127 if (i == 0) { |
| 128 verified_cert = chain_cert; |
| 129 } else { |
| 130 verified_chain.push_back(chain_cert); |
| 131 } |
| 132 |
| 133 ScopedX509 x509_cert = OSCertHandleToOpenSSL(chain_cert); |
| 134 int sig_alg = OBJ_obj2nid(x509_cert->sig_alg->algorithm); |
| 135 if (sig_alg == NID_md2WithRSAEncryption) { |
| 136 verify_result->has_md2 = true; |
| 137 } else if (sig_alg == NID_md4WithRSAEncryption) { |
| 138 verify_result->has_md4 = true; |
| 139 } else if (sig_alg == NID_md5WithRSAEncryption || |
| 140 sig_alg == NID_md5WithRSA) { |
| 141 verify_result->has_md5 = true; |
| 142 } else if (sig_alg == NID_sha1WithRSAEncryption || |
| 143 sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 || |
| 144 sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA || |
| 145 sig_alg == NID_ecdsa_with_SHA1) { |
| 146 verify_result->has_sha1 = true; |
| 147 if (i == 0) |
| 148 verify_result->has_sha1_leaf = true; |
| 149 } |
| 150 } |
| 151 if (!verified_cert) { |
| 152 NOTREACHED(); |
| 153 return; |
| 154 } |
| 155 |
| 156 verify_result->verified_cert = |
| 157 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 158 } |
| 159 |
| 160 void AppendPublicKeyHashes(CFArrayRef chain, HashValueVector* hashes) { |
| 161 const CFIndex n = CFArrayGetCount(chain); |
| 162 for (CFIndex i = 0; i < n; i++) { |
| 163 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( |
| 164 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); |
| 165 |
| 166 std::string der_bytes; |
| 167 if (!X509Certificate::GetDEREncoded(cert, &der_bytes)) |
| 168 return; |
| 169 base::StringPiece spki_bytes; |
| 170 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) |
| 171 continue; |
| 172 |
| 173 HashValue sha1(HASH_VALUE_SHA1); |
| 174 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data()); |
| 175 hashes->push_back(sha1); |
| 176 |
| 177 HashValue sha256(HASH_VALUE_SHA256); |
| 178 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data()); |
| 179 hashes->push_back(sha256); |
| 180 } |
| 181 } |
| 182 |
| 183 bool CheckRevocationWithCRLSet(CFArrayRef chain, CRLSet* crl_set) { |
| 184 if (CFArrayGetCount(chain) == 0) |
| 185 return true; |
| 186 |
| 187 // We iterate from the root certificate down to the leaf, keeping track of |
| 188 // the issuer's SPKI at each step. |
| 189 std::string issuer_spki_hash; |
| 190 for (CFIndex i = CFArrayGetCount(chain) - 1; i >= 0; i--) { |
| 191 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( |
| 192 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); |
| 193 |
| 194 std::string der_bytes; |
| 195 if (!X509Certificate::GetDEREncoded(cert, &der_bytes)) |
| 196 return false; |
| 197 base::StringPiece spki; |
| 198 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki)) { |
| 199 NOTREACHED(); |
| 200 continue; |
| 201 } |
| 202 |
| 203 const std::string spki_hash = crypto::SHA256HashString(spki); |
| 204 scoped_refptr<X509Certificate::X509Certificate> x509_cert = |
| 205 X509Certificate::CreateFromHandle(cert, |
| 206 X509Certificate::OSCertHandles()); |
| 207 |
| 208 CRLSet::Result result = crl_set->CheckSPKI(spki_hash); |
| 209 |
| 210 if (result != CRLSet::REVOKED && !issuer_spki_hash.empty()) { |
| 211 result = |
| 212 crl_set->CheckSerial(x509_cert->serial_number(), issuer_spki_hash); |
| 213 } |
| 214 |
| 215 issuer_spki_hash = spki_hash; |
| 216 |
| 217 switch (result) { |
| 218 case CRLSet::REVOKED: |
| 219 return false; |
| 220 case CRLSet::UNKNOWN: |
| 221 case CRLSet::GOOD: |
| 222 continue; |
| 223 default: |
| 224 NOTREACHED(); |
| 225 return false; |
| 226 } |
| 227 } |
| 228 |
| 229 return true; |
| 230 } |
| 231 |
| 232 } // namespace |
| 233 |
| 234 CertVerifyProcOpenSSLIOS::CertVerifyProcOpenSSLIOS() {} |
| 235 |
| 236 CertVerifyProcOpenSSLIOS::~CertVerifyProcOpenSSLIOS() {} |
| 237 |
| 238 bool CertVerifyProcOpenSSLIOS::SupportsAdditionalTrustAnchors() const { |
| 239 return false; |
| 240 } |
| 241 |
| 242 bool CertVerifyProcOpenSSLIOS::SupportsOCSPStapling() const { |
| 243 return false; |
| 244 } |
| 245 |
| 246 int CertVerifyProcOpenSSLIOS::VerifyInternal( |
| 247 X509Certificate* cert, |
| 248 const std::string& hostname, |
| 249 const std::string& ocsp_response, |
| 250 int flags, |
| 251 CRLSet* crl_set, |
| 252 const CertificateList& additional_trust_anchors, |
| 253 CertVerifyResult* verify_result) { |
| 254 ScopedCFTypeRef<CFArrayRef> trust_policies; |
| 255 OSStatus status = CreateTrustPolicies(hostname, &trust_policies); |
| 256 if (status) |
| 257 return NetErrorFromOSStatus(status); |
| 258 |
| 259 ScopedCFTypeRef<CFMutableArrayRef> cert_array( |
| 260 cert->CreateOSCertChainForCert()); |
| 261 ScopedCFTypeRef<SecTrustRef> trust_ref; |
| 262 SecTrustResultType trust_result = kSecTrustResultDeny; |
| 263 ScopedCFTypeRef<CFArrayRef> final_chain; |
| 264 |
| 265 status = BuildAndEvaluateSecTrustRef(cert_array, trust_policies, &trust_ref, |
| 266 &final_chain, &trust_result); |
| 267 if (status) |
| 268 return NetErrorFromOSStatus(status); |
| 269 |
| 270 if (CFArrayGetCount(final_chain) > 0) { |
| 271 GetCertChainInfo(final_chain, verify_result); |
| 272 } |
| 273 |
| 274 if (crl_set && !CheckRevocationWithCRLSet(final_chain, crl_set)) |
| 275 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 276 |
| 277 switch (trust_result) { |
| 278 case kSecTrustResultUnspecified: |
| 279 case kSecTrustResultProceed: |
| 280 break; |
| 281 case kSecTrustResultDeny: |
| 282 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
| 283 default: |
| 284 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 285 } |
| 286 |
| 287 // Perform hostname verification independent of SecTrustEvaluate. In order to |
| 288 // do so, mask off any reported name errors first. |
| 289 verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; |
| 290 if (!cert->VerifyNameMatch(hostname, |
| 291 &verify_result->common_name_fallback_used)) { |
| 292 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| 293 } |
| 294 |
| 295 verify_result->cert_status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM; |
| 296 AppendPublicKeyHashes(final_chain, &verify_result->public_key_hashes); |
| 297 verify_result->is_issued_by_known_root = true; |
| 298 |
| 299 if (IsCertStatusError(verify_result->cert_status)) |
| 300 return MapCertStatusToNetError(verify_result->cert_status); |
| 301 |
| 302 return OK; |
| 303 } |
| 304 |
| 305 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1810153002:
Adding iOS OpenSSL Implementation (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master