Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(649)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/ct_log_verifier_nss.cc

Issue 1882433002: Removing NSS files and USE_OPENSSL flag (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixing more nits. Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/ct_log_verifier.h ('k') | net/cert/ct_objects_extractor_nss.cc » ('j') | net/quic/test_tools/crypto_test_utils_chromium.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/ct_log_verifier.h"
6
7 #include <cryptohi.h>
8 #include <keyhi.h>
9 #include <nss.h>
10 #include <pk11pub.h>
11 #include <secitem.h>
12 #include <secoid.h>
13
14 #include "base/logging.h"
15 #include "crypto/nss_util.h"
16 #include "crypto/sha2.h"
17 #include "net/cert/signed_tree_head.h"
18
19 namespace net {
20
21 namespace {
22
23 SECOidTag GetNSSSigAlg(ct::DigitallySigned::SignatureAlgorithm alg) {
24 switch (alg) {
25 case ct::DigitallySigned::SIG_ALGO_RSA:
26 return SEC_OID_PKCS1_RSA_ENCRYPTION;
27 case ct::DigitallySigned::SIG_ALGO_DSA:
28 return SEC_OID_ANSIX9_DSA_SIGNATURE;
29 case ct::DigitallySigned::SIG_ALGO_ECDSA:
30 return SEC_OID_ANSIX962_EC_PUBLIC_KEY;
31 case ct::DigitallySigned::SIG_ALGO_ANONYMOUS:
32 default:
33 NOTREACHED();
34 return SEC_OID_UNKNOWN;
35 }
36 }
37
38 SECOidTag GetNSSHashAlg(ct::DigitallySigned::HashAlgorithm alg) {
39 switch (alg) {
40 case ct::DigitallySigned::HASH_ALGO_MD5:
41 return SEC_OID_MD5;
42 case ct::DigitallySigned::HASH_ALGO_SHA1:
43 return SEC_OID_SHA1;
44 case ct::DigitallySigned::HASH_ALGO_SHA224:
45 return SEC_OID_SHA224;
46 case ct::DigitallySigned::HASH_ALGO_SHA256:
47 return SEC_OID_SHA256;
48 case ct::DigitallySigned::HASH_ALGO_SHA384:
49 return SEC_OID_SHA384;
50 case ct::DigitallySigned::HASH_ALGO_SHA512:
51 return SEC_OID_SHA512;
52 case ct::DigitallySigned::HASH_ALGO_NONE:
53 default:
54 NOTREACHED();
55 return SEC_OID_UNKNOWN;
56 }
57 }
58
59 } // namespace
60
61 CTLogVerifier::~CTLogVerifier() {
62 if (public_key_)
63 SECKEY_DestroyPublicKey(public_key_);
64 }
65
66 bool CTLogVerifier::Init(const base::StringPiece& public_key) {
67 SECItem key_data;
68
69 crypto::EnsureNSSInit();
70
71 key_data.data = reinterpret_cast<unsigned char*>(
72 const_cast<char*>(public_key.data()));
73 key_data.len = public_key.size();
74
75 CERTSubjectPublicKeyInfo* public_key_info =
76 SECKEY_DecodeDERSubjectPublicKeyInfo(&key_data);
77 if (!public_key_info) {
78 DVLOG(1) << "Failed decoding public key.";
79 return false;
80 }
81
82 public_key_ = SECKEY_ExtractPublicKey(public_key_info);
83 SECKEY_DestroySubjectPublicKeyInfo(public_key_info);
84
85 if (!public_key_) {
86 DVLOG(1) << "Failed extracting public key.";
87 return false;
88 }
89
90 key_id_ = crypto::SHA256HashString(public_key);
91
92 // Right now, only RSASSA-PKCS1v15 with SHA-256 and ECDSA with SHA-256 are
93 // supported.
94 switch (SECKEY_GetPublicKeyType(public_key_)) {
95 case rsaKey:
96 hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
97 signature_algorithm_ = ct::DigitallySigned::SIG_ALGO_RSA;
98 break;
99 case ecKey:
100 hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
101 signature_algorithm_ = ct::DigitallySigned::SIG_ALGO_ECDSA;
102 break;
103 default:
104 DVLOG(1) << "Unsupported key type: "
105 << SECKEY_GetPublicKeyType(public_key_);
106 return false;
107 }
108
109 // Extra sanity check: Require RSA keys of at least 2048 bits.
110 if (signature_algorithm_ == ct::DigitallySigned::SIG_ALGO_RSA &&
111 SECKEY_PublicKeyStrengthInBits(public_key_) < 2048) {
112 DVLOG(1) << "Too small a public key.";
113 return false;
114 }
115
116 return true;
117 }
118
119 bool CTLogVerifier::VerifySignature(const base::StringPiece& data_to_sign,
120 const base::StringPiece& signature) const {
121 SECItem sig_data;
122 sig_data.data = reinterpret_cast<unsigned char*>(const_cast<char*>(
123 signature.data()));
124 sig_data.len = signature.size();
125
126 SECStatus rv = VFY_VerifyDataDirect(
127 reinterpret_cast<const unsigned char*>(data_to_sign.data()),
128 data_to_sign.size(), public_key_, &sig_data,
129 GetNSSSigAlg(signature_algorithm_), GetNSSHashAlg(hash_algorithm_),
130 NULL, NULL);
131 DVLOG(1) << "Signature verification result: " << (rv == SECSuccess);
132 return rv == SECSuccess;
133 }
134
135 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/ct_log_verifier.h ('k') | net/cert/ct_objects_extractor_nss.cc » ('j') | net/quic/test_tools/crypto_test_utils_chromium.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698