Make Cast certificate verification enforce constraints specified in the trusted root certificate.

net/cert/internal/verify_certificate_chain.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
 #include "base/logging.h"
 #include "net/cert/internal/name_constraints.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/signature_algorithm.h"
@@ skipping 178 matching lines @@
 //    to the rules specified in Section 7.1).  In general, the issuer and
 //    subject of the certificates that make up a path are different for
 //    each certificate.  However, a CA may issue a certificate to itself to
 //    support key rollover or changes in certificate policies.  These
 //    self-issued certificates are not counted when evaluating path length
 //    or name constraints.
 WARN_UNUSED_RESULT bool IsSelfIssued(const FullyParsedCert& cert) {
   return NameMatches(cert.tbs.subject_tlv, cert.tbs.issuer_tlv);
 }
 
-// Finds a trust anchor that matches |name| in |trust_store| or returns
-// nullptr. The returned pointer references data in |trust_store|.
-//
-// TODO(eroman): This implementation is linear in the size of the trust store,
-// and also presumes that all names are unique. In practice it is possible to
-// have multiple SPKIs with the same name. Also this mechanism of
-// searching is fairly primitive, and does not take advantage of other
-// properties like the authority key id.
-WARN_UNUSED_RESULT const TrustAnchor* FindTrustAnchorByName(
-    const TrustStore& trust_store,
-    const der::Input& name) {
-  for (const auto& anchor : trust_store.anchors) {
-    if (NameMatches(name, der::Input(&anchor.name)))
-      return &anchor;
-  }
-  return nullptr;
-}
-
 // Returns true if |cert| is valid at time |time|.
 //
 // The certificate's validity requirements are described by RFC 5280 section
 // 4.1.2.5:
 //
 //    The validity period for a certificate is the period of time from
 //    notBefore through notAfter, inclusive.
 WARN_UNUSED_RESULT bool VerifyTimeValidity(const FullyParsedCert& cert,
                                            const der::GeneralizedTime time) {
   return !(time < cert.tbs.validity_not_before) &&
@@ skipping 266 matching lines @@
   if (!VerifyTargetCertHasConsistentCaBits(cert))
     return false;
 
   return true;
 }
 
 }  // namespace
 
 TrustAnchor::~TrustAnchor() {}
 
+bool TrustAnchor::AssignCertData(const uint8_t* data,
+                                 size_t length,
+                                 bool copy) {
+  // Reset all the fields.
+  *this = TrustAnchor();
+
+  if (copy) {
+    owned_cert_tlv.assign(data, data + length);
+    cert_tlv = der::Input(&owned_cert_tlv);
+  } else {
+    owned_cert_tlv.clear();
+    cert_tlv = der::Input(data, length);
+  }
+
+  if (!ParseCertificate(cert_tlv, &cert))
+    return false;
+
+  if (!ParseTbsCertificate(cert.tbs_certificate_tlv, &tbs))
+    return false;
+
+  return true;
+}
+
 TrustStore::TrustStore() {}
 TrustStore::TrustStore(const TrustStore& other) = default;
 TrustStore::~TrustStore() {}
 
+bool TrustStore::AddTrustedCertificate(const uint8_t* data, size_t length) {
+  TrustAnchor anchor;
+  if (!anchor.AssignCertData(data, length, true))
+    return false;
+  anchors.push_back(std::move(anchor));
+  return true;
+}
+
+bool TrustStore::AddTrustedCertificate(const base::StringPiece& data) {
+  return AddTrustedCertificate(reinterpret_cast<const uint8_t*>(data.data()),
+                               data.size());
+}
+
+bool TrustStore::AddTrustedCertificateWithoutCopying(const uint8_t* data,
+                                                     size_t length) {
+  TrustAnchor anchor;
+  if (!anchor.AssignCertData(data, length, false))
+    return false;
+  anchors.push_back(std::move(anchor));
+  return true;
+}
+
+const der::Input* TrustStore::FindTrustedCertificateByName(
+    const der::Input& name) const {
+  for (const auto& anchor : anchors) {
+    if (NameMatches(name, anchor.tbs.subject_tlv))
+      return &anchor.cert_tlv;
+  }
+  return nullptr;
+}
+
+bool TrustStore::IsTrustedCertificate(const der::Input& cert_der) const {
+  for (const auto& anchor : anchors) {
+    if (anchor.cert_tlv == cert_der)
+      return true;
+  }
+  return false;
+}
+
+// TODO(eroman): Move this into existing anonymous namespace.
+namespace {
+
 // This implementation is structured to mimic the description of certificate
 // path verification given by RFC 5280 section 6.1.
-bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
-                            const TrustStore& trust_store,
-                            const SignaturePolicy* signature_policy,
-                            const der::GeneralizedTime& time) {
+//
+// Unlike RFC 5280, the trust anchor is specified as the root certificate in
+// the chain. This root certificate is assumed to be trusted -- neither its
+// signature nor expiration are checked.
+bool VerifyCertificateChainAssumingTrustedRoot(
+    const std::vector<der::Input>& certs_der,
+    // The trust store is only used for assertions.
+    const TrustStore& trust_store,
+    const SignaturePolicy* signature_policy,
+    const der::GeneralizedTime& time) {
   // An empty chain is necessarily invalid.
   if (certs_der.empty())
     return false;
 
+  // IMPORTANT: the assumption being made is that the root certificate in
+  // the given path is trusted.
+  DCHECK(trust_store.IsTrustedCertificate(certs_der.back()));
+
   // Will contain a NameConstraints for each previous cert in the chain which
   // had nameConstraints. This corresponds to the permitted_subtrees and
   // excluded_subtrees state variables from RFC 5280.
   std::vector<scoped_ptr<NameConstraints>> name_constraints_list;
 
   // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
   //    * working_public_key
   //    * working_public_key_algorithm
   //    * working_public_key_parameters
   //
@@ skipping 20 matching lines @@
   der::Input working_issuer_name;
 
   // |max_path_length| corresponds with the same named variable in RFC 5280
   // section 6.1.2:
   //
   //    max_path_length:  this integer is initialized to n, is
   //    decremented for each non-self-issued certificate in the path,
   //    and may be reduced to the value in the path length constraint
   //    field within the basic constraints extension of a CA
   //    certificate.
   size_t max_path_length = certs_der.size();

[mattm, 2016/04/16 02:40:29]

does this still work correctly now that certs_der.size is one greater? (And the
trust anchor would usually, though not guaranteed to be, self-issued.)
Though I'm having trouble thinking of how this would break something.

Not sure if passing anchor as part of the cert chain will lead to any subtle
issues vs handling it separately like in the RFC procedure.

[eroman, 2016/04/18 20:43:03]

Yes I believe so, although you are correct that the internal value of
max_path_length does change.

However when max_path_length is restricted is unchanged (it only comes into play
if there is at least one certificate in the path which limits it via a pathlen
Basic Constraint).
I believe everything works without problems.

Conceptually if the trust anchor is a certificate, it can be added to the chain
and verification is unchanged.

The questions that come up are:
  * If the root certificate is self-signed, should its signature be verified?
    The considerations here are:
    - If it is known valid when adding to trust store, then this work is
redundant
      (since the bytes should be coming from trust store)
  * If the root certificate is not self-signed, its signature cannot be verified
  * Should expiration be tested on the root certificate? (If we are considering
it trusted, does it matter whether it is expired?)


In the first draft I am:
  * not testing expiration of this root certificate obtained from trust store
  * not testing the self-signed signature

Testing the signature is probably something best done once when adding the
certificate to the trust store rather than every time the chain is verified. Or
lazily the first time it is used.

Testing the expiration I am not sure on, but will err on the side of caution and
change this CL to check expiration of the root certificate too.

 
   // Iterate over all the certificates in the reverse direction: starting from
   // the trust anchor and progressing towards the target certificate.
   //
   // Note that |i| uses 0-based indexing whereas in RFC 5280 it is 1-based.
   //
-  //   * i=0    :  Certificate signed by a trust anchor.
+  //   * i=0    :  Trust anchor.
   //   * i=N-1  :  Target certificate.
   for (size_t i = 0; i < certs_der.size(); ++i) {
     const size_t index_into_certs_der = certs_der.size() - i - 1;
     const bool is_target_cert = index_into_certs_der == 0;
+    const bool is_trust_anchor_cert = i == 0;
 
     // Parse the current certificate into |cert|.
     FullyParsedCert cert;
     const der::Input& cert_der = certs_der[index_into_certs_der];
     if (!FullyParseCertificate(cert_der, &cert))
       return false;
 
-    // When processing the first certificate, initialize |working_spki|
-    // and |working_issuer_name| to the trust anchor per RFC 5280 section 6.1.2.
-    // This is done inside the loop in order to have access to the parsed
-    // certificate.
-    if (i == 0) {
-      const TrustAnchor* trust_anchor =
-          FindTrustAnchorByName(trust_store, cert.tbs.issuer_tlv);
-      if (!trust_anchor)
-        return false;
-      working_spki = der::Input(&trust_anchor->spki);
-      working_issuer_name = der::Input(&trust_anchor->name);
-    }
-
     // Per RFC 5280 section 6.1:
     //  * Do basic processing for each certificate
     //  * If it is the last certificate in the path (target certificate)
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
-    if (!BasicCertificateProcessing(cert, is_target_cert, signature_policy,
-                                    time, working_spki, working_issuer_name,
-                                    name_constraints_list)) {
-      return false;
+    if (!is_trust_anchor_cert) {
+      // Note that  BasicCertificateProcessing() is skipped for the root
+      // certificate as it is implicitly trusted already. It will be
+      // accepted even if its signature is invalid, or it has expired.
+      if (!BasicCertificateProcessing(cert, is_target_cert, signature_policy,
+                                      time, working_spki, working_issuer_name,
+                                      name_constraints_list)) {
+        return false;
+      }
     }
     if (!is_target_cert) {
       if (!PrepareForNextCertificate(cert, &max_path_length, &working_spki,
                                      &working_issuer_name,
                                      &name_constraints_list)) {
         return false;
       }
     } else {
       if (!WrapUp(cert))
         return false;
     }
   }
 
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 
   return true;
 }
 
+// TODO(eroman): This function is a temporary hack in the absence of full
+// path building. It will insert 0 or 1 certificates at the root of the
+// chain to ensure that the path's root certificate is in the trust store.
+// Beyond this no other verification is done on the chain. The caller is
+// responsible for verifying the chain's correctness.
+WARN_UNUSED_RESULT bool BuildSimplePathToTrustAnchor(
+    const std::vector<der::Input>& certs_der,
+    const TrustStore& trust_store,
+    std::vector<der::Input>* certs_der_trusted_root) {
+  // Copy the input chain.
+  *certs_der_trusted_root = certs_der;
+
+  if (certs_der.empty())
+    return false;
+
+  // Check if the current root certificate is trusted. If it is then no
+  // extra work is needed.
+  if (trust_store.IsTrustedCertificate(certs_der_trusted_root->back()))
+    return true;
+
+  // Otherwise if it is not trusted, check whether its issuer is trusted. If
+  // so, make *that* trusted certificate the root. If the issuer is not in
+  // the trust store then give up and fail (this is not full path building).
+  ParsedCertificate cert;
+  ParsedTbsCertificate tbs;
+  if (!ParseCertificate(certs_der.back(), &cert) ||
+      !ParseTbsCertificate(cert.tbs_certificate_tlv, &tbs)) {
+    return false;
+  }
+
+  const der::Input* trusted_issuer =
+      trust_store.FindTrustedCertificateByName(tbs.issuer_tlv);
+  if (!trusted_issuer)
+    return false;
+  certs_der_trusted_root->push_back(*trusted_issuer);
+  return true;
+}
+
+}  // namespace
+
+bool VerifyCertificateChain(const std::vector<der::Input>& certs_der,
+                            const TrustStore& trust_store,
+                            const SignaturePolicy* signature_policy,
+                            const der::GeneralizedTime& time) {
+  // Modify the certificate chain so that its root is a trusted certificate.
+  std::vector<der::Input> certs_der_trusted_root;
+  if (!BuildSimplePathToTrustAnchor(certs_der, trust_store,
+                                    &certs_der_trusted_root)) {
+    return false;
+  }
+
+  // Verify the chain.
+  return VerifyCertificateChainAssumingTrustedRoot(
+      certs_der_trusted_root, trust_store, signature_policy, time);
+}
+
 }  // namespace net