Chromium Code Reviews| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/cert_verify_proc_openssl_ios.h" | |
| 6 | |
| 7 #include <CommonCrypto/CommonDigest.h> | |
| 8 #include <Security/Security.h> | |
| 9 | |
| 10 #include "base/logging.h" | |
| 11 #include "base/mac/scoped_cftyperef.h" | |
| 12 #include "base/strings/sys_string_conversions.h" | |
| 13 #include "crypto/sha2.h" | |
| 14 #include "net/base/net_errors.h" | |
| 15 #include "net/cert/asn1_util.h" | |
| 16 #include "net/cert/cert_verify_result.h" | |
| 17 #include "net/cert/crl_set.h" | |
| 18 #include "net/cert/test_root_certs.h" | |
| 19 #include "net/cert/x509_certificate.h" | |
| 20 #include "net/ssl/openssl_ssl_util.h" | |
| 21 | |
| 22 using base::ScopedCFTypeRef; | |
| 23 | |
| 24 namespace net { | |
| 25 | |
| 26 namespace { | |
| 27 | |
| 28 typedef OSStatus (*SecTrustCopyExtendedResultFuncPtr)(SecTrustRef, | |
| 29 CFDictionaryRef*); | |
| 30 | |
| 31 int NetErrorFromOSStatus(OSStatus status) { | |
| 32 switch (status) { | |
| 33 case noErr: | |
| 34 return OK; | |
| 35 case errSecNotAvailable: | |
| 36 return ERR_NOT_IMPLEMENTED; | |
| 37 case errSecAuthFailed: | |
| 38 return ERR_ACCESS_DENIED; | |
| 39 default: | |
| 40 return ERR_FAILED; | |
| 41 } | |
| 42 } | |
| 43 | |
| 44 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to | |
| 45 // validate a certificate for an SSL server. |hostname| contains the name of | |
| 46 // the SSL server that the certificate should be verified against. If | |
| 47 // successful, returns noErr, and stores the resultant array of SecPolicyRefs | |
| 48 // in |policies|. | |
| 49 OSStatus CreateTrustPolicies(const std::string& hostname, | |
|
Ryan Sleevi
2016/03/24 18:50:24
unused arg
svaldez
2016/03/24 19:46:01
Done.
| |
| 50 ScopedCFTypeRef<CFArrayRef>* policies) { | |
| 51 ScopedCFTypeRef<CFMutableArrayRef> local_policies( | |
| 52 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks)); | |
| 53 if (!local_policies) | |
| 54 return errSecAllocate; | |
| 55 | |
| 56 SecPolicyRef ssl_policy = SecPolicyCreateBasicX509(); | |
| 57 CFArrayAppendValue(local_policies, ssl_policy); | |
| 58 CFRelease(ssl_policy); | |
| 59 ssl_policy = SecPolicyCreateSSL(true, NULL); | |
|
Ryan Sleevi
2016/03/24 18:50:24
Should this be nullptr? I'm guessing we can't use
svaldez
2016/03/24 19:46:01
Done.
| |
| 60 CFArrayAppendValue(local_policies, ssl_policy); | |
| 61 CFRelease(ssl_policy); | |
| 62 | |
| 63 policies->reset(local_policies.release()); | |
| 64 return noErr; | |
| 65 } | |
| 66 | |
| 67 // Builds and evaluates a SecTrustRef for the certificate chain contained | |
| 68 // in |cert_array|, using the verification policies in |trust_policies|. On | |
| 69 // success, returns OK, and updates |trust_ref| and |trust_result|. On failure, | |
| 70 // no output parameters are modified. | |
| 71 // | |
| 72 // Note: An OK return does not mean that |cert_array| is trusted, merely that | |
| 73 // verification was performed successfully. | |
| 74 int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array, | |
| 75 CFArrayRef trust_policies, | |
| 76 ScopedCFTypeRef<SecTrustRef>* trust_ref, | |
| 77 ScopedCFTypeRef<CFArrayRef>* verified_chain, | |
| 78 SecTrustResultType* trust_result) { | |
| 79 SecTrustRef tmp_trust = NULL; | |
| 80 OSStatus status = | |
| 81 SecTrustCreateWithCertificates(cert_array, trust_policies, &tmp_trust); | |
| 82 if (status) | |
| 83 return NetErrorFromOSStatus(status); | |
| 84 ScopedCFTypeRef<SecTrustRef> scoped_tmp_trust(tmp_trust); | |
| 85 | |
| 86 if (TestRootCerts::HasInstance()) { | |
| 87 status = TestRootCerts::GetInstance()->FixupSecTrustRef(tmp_trust); | |
| 88 if (status) | |
| 89 return NetErrorFromOSStatus(status); | |
| 90 } | |
| 91 | |
| 92 SecTrustResultType tmp_trust_result; | |
|
Ryan Sleevi
2016/03/24 18:50:24
naming wise, you don't need to keep the tmp_ name
svaldez
2016/03/24 19:46:01
We still need some temporary variables for this si
| |
| 93 status = SecTrustEvaluate(tmp_trust, &tmp_trust_result); | |
| 94 if (status) | |
| 95 return NetErrorFromOSStatus(status); | |
| 96 | |
| 97 ScopedCFTypeRef<CFMutableArrayRef> tmp_verified_chain( | |
| 98 CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks)); | |
| 99 const CFIndex chain_length = SecTrustGetCertificateCount(tmp_trust); | |
| 100 for (CFIndex i = 0; i < chain_length; ++i) { | |
| 101 SecCertificateRef chain_cert = SecTrustGetCertificateAtIndex(tmp_trust, i); | |
| 102 CFArrayAppendValue(tmp_verified_chain, chain_cert); | |
| 103 } | |
| 104 | |
| 105 trust_ref->swap(scoped_tmp_trust); | |
| 106 *trust_result = tmp_trust_result; | |
| 107 verified_chain->reset(tmp_verified_chain.release()); | |
| 108 return OK; | |
| 109 } | |
| 110 | |
| 111 void GetCertChainInfo(CFArrayRef cert_chain, | |
| 112 CertVerifyResult* verify_result, | |
| 113 bool* leaf_is_weak) { | |
| 114 DCHECK_LT(0, CFArrayGetCount(cert_chain)); | |
| 115 | |
| 116 *leaf_is_weak = false; | |
| 117 verify_result->has_md2 = false; | |
| 118 verify_result->has_md4 = false; | |
| 119 verify_result->has_md5 = false; | |
| 120 verify_result->has_sha1 = false; | |
| 121 verify_result->has_sha1_leaf = false; | |
| 122 | |
| 123 SecCertificateRef verified_cert = NULL; | |
| 124 std::vector<SecCertificateRef> verified_chain; | |
| 125 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { | |
| 126 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( | |
| 127 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); | |
| 128 if (i == 0) { | |
| 129 verified_cert = chain_cert; | |
| 130 } else { | |
| 131 verified_chain.push_back(chain_cert); | |
| 132 } | |
| 133 | |
| 134 ScopedX509 x509_cert = OSCertHandleToOpenSSL(chain_cert); | |
| 135 int sig_alg = OBJ_obj2nid(x509_cert->sig_alg->algorithm); | |
| 136 if (sig_alg == NID_md2WithRSAEncryption) { | |
| 137 verify_result->has_md2 = true; | |
| 138 if (i == 0) | |
| 139 *leaf_is_weak = true; | |
| 140 } else if (sig_alg == NID_md4WithRSAEncryption) { | |
| 141 verify_result->has_md4 = true; | |
| 142 if (i == 0) | |
| 143 *leaf_is_weak = true; | |
| 144 } else if (sig_alg == NID_md5WithRSAEncryption || | |
| 145 sig_alg == NID_md5WithRSA) { | |
| 146 verify_result->has_md5 = true; | |
| 147 if (i == 0) | |
| 148 *leaf_is_weak = true; | |
| 149 } else if (sig_alg == NID_sha1WithRSAEncryption || | |
| 150 sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 || | |
| 151 sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA || | |
| 152 sig_alg == NID_ecdsa_with_SHA1) { | |
| 153 verify_result->has_sha1 = true; | |
| 154 if (i == 0) { | |
| 155 verify_result->has_sha1_leaf = true; | |
| 156 *leaf_is_weak = true; | |
| 157 } | |
| 158 } | |
| 159 } | |
| 160 if (!verified_cert) { | |
| 161 NOTREACHED(); | |
| 162 return; | |
| 163 } | |
| 164 | |
| 165 verify_result->verified_cert = | |
| 166 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | |
| 167 } | |
| 168 | |
| 169 void AppendPublicKeyHashes(CFArrayRef chain, HashValueVector* hashes) { | |
|
Ryan Sleevi
2016/03/24 18:50:24
It seems like it makes sense to fold this into Get
svaldez
2016/03/24 19:46:01
Done.
| |
| 170 const CFIndex n = CFArrayGetCount(chain); | |
| 171 for (CFIndex i = 0; i < n; i++) { | |
| 172 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>( | |
| 173 const_cast<void*>(CFArrayGetValueAtIndex(chain, i))); | |
| 174 | |
| 175 std::string der_bytes; | |
| 176 if (!X509Certificate::GetDEREncoded(cert, &der_bytes)) | |
| 177 return; | |
| 178 base::StringPiece spki_bytes; | |
| 179 if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes)) | |
| 180 continue; | |
| 181 | |
| 182 HashValue sha1(HASH_VALUE_SHA1); | |
| 183 CC_SHA1(spki_bytes.data(), spki_bytes.size(), sha1.data()); | |
| 184 hashes->push_back(sha1); | |
| 185 | |
| 186 HashValue sha256(HASH_VALUE_SHA256); | |
| 187 CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data()); | |
| 188 hashes->push_back(sha256); | |
| 189 } | |
| 190 } | |
| 191 | |
| 192 } // namespace | |
| 193 | |
| 194 CertVerifyProcIOS::CertVerifyProcIOS() {} | |
| 195 | |
| 196 CertVerifyProcIOS::~CertVerifyProcIOS() {} | |
| 197 | |
| 198 bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const { | |
| 199 return false; | |
| 200 } | |
| 201 | |
| 202 bool CertVerifyProcIOS::SupportsOCSPStapling() const { | |
| 203 return false; | |
| 204 } | |
| 205 | |
| 206 int CertVerifyProcIOS::VerifyInternal( | |
| 207 X509Certificate* cert, | |
| 208 const std::string& hostname, | |
| 209 const std::string& ocsp_response, | |
| 210 int flags, | |
| 211 CRLSet* crl_set, | |
| 212 const CertificateList& additional_trust_anchors, | |
| 213 CertVerifyResult* verify_result) { | |
| 214 ScopedCFTypeRef<CFArrayRef> trust_policies; | |
| 215 OSStatus status = CreateTrustPolicies(hostname, &trust_policies); | |
| 216 if (status) | |
| 217 return NetErrorFromOSStatus(status); | |
| 218 | |
| 219 ScopedCFTypeRef<CFMutableArrayRef> cert_array( | |
| 220 cert->CreateOSCertChainForCert()); | |
| 221 ScopedCFTypeRef<SecTrustRef> trust_ref; | |
| 222 SecTrustResultType trust_result = kSecTrustResultDeny; | |
| 223 ScopedCFTypeRef<CFArrayRef> final_chain; | |
| 224 | |
| 225 status = BuildAndEvaluateSecTrustRef(cert_array, trust_policies, &trust_ref, | |
| 226 &final_chain, &trust_result); | |
| 227 if (status) | |
| 228 return NetErrorFromOSStatus(status); | |
| 229 | |
| 230 if (CFArrayGetCount(final_chain) > 0) { | |
|
Ryan Sleevi
2016/03/24 18:50:24
If the final_chain count == 0, we should be failin
svaldez
2016/03/24 19:46:01
Done.
| |
| 231 bool unused_leaf_weak; | |
| 232 GetCertChainInfo(final_chain, verify_result, &unused_leaf_weak); | |
| 233 } | |
| 234 | |
| 235 // TODO(sleevi): Support CRLSet revocation. | |
| 236 // TODO(svaldez): Add expiration handling. | |
| 237 switch (trust_result) { | |
| 238 case kSecTrustResultUnspecified: | |
| 239 case kSecTrustResultProceed: | |
| 240 break; | |
| 241 case kSecTrustResultDeny: | |
| 242 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; | |
| 243 default: | |
| 244 verify_result->cert_status |= CERT_STATUS_INVALID; | |
| 245 } | |
| 246 | |
| 247 // Perform hostname verification independent of SecTrustEvaluate. | |
| 248 if (!cert->VerifyNameMatch(hostname, | |
|
Ryan Sleevi
2016/03/24 18:50:24
For safety/robustness, even though it should be a
svaldez
2016/03/24 19:46:01
Done.
| |
| 249 &verify_result->common_name_fallback_used)) { | |
| 250 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; | |
| 251 } | |
| 252 | |
| 253 AppendPublicKeyHashes(final_chain, &verify_result->public_key_hashes); | |
| 254 verify_result->is_issued_by_known_root = false; | |
| 255 | |
| 256 if (IsCertStatusError(verify_result->cert_status)) | |
| 257 return MapCertStatusToNetError(verify_result->cert_status); | |
| 258 | |
| 259 return OK; | |
| 260 } | |
| 261 | |
| 262 } // namespace net | |
| OLD | NEW |