| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/cast/cast_cert_validator.h" | 5 #include "extensions/common/cast/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 |
| 9 #include <algorithm> | 10 #include <algorithm> |
| 11 #include <memory> |
| 10 #include <utility> | 12 #include <utility> |
| 11 | 13 |
| 14 #include "base/memory/ptr_util.h" |
| 12 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 13 #include "net/cert/internal/certificate_policies.h" | 16 #include "net/cert/internal/certificate_policies.h" |
| 14 #include "net/cert/internal/extended_key_usage.h" | 17 #include "net/cert/internal/extended_key_usage.h" |
| 15 #include "net/cert/internal/parse_certificate.h" | 18 #include "net/cert/internal/parse_certificate.h" |
| 16 #include "net/cert/internal/parse_name.h" | 19 #include "net/cert/internal/parse_name.h" |
| 17 #include "net/cert/internal/signature_algorithm.h" | 20 #include "net/cert/internal/signature_algorithm.h" |
| 18 #include "net/cert/internal/signature_policy.h" | 21 #include "net/cert/internal/signature_policy.h" |
| 19 #include "net/cert/internal/verify_certificate_chain.h" | 22 #include "net/cert/internal/verify_certificate_chain.h" |
| 20 #include "net/cert/internal/verify_signed_data.h" | 23 #include "net/cert/internal/verify_signed_data.h" |
| 21 #include "net/der/input.h" | 24 #include "net/der/input.h" |
| 90 // The following signature policy specifies which signature algorithms (and key | 93 // The following signature policy specifies which signature algorithms (and key |
| 91 // sizes) are acceptable. It is used when verifying a chain of certificates, as | 94 // sizes) are acceptable. It is used when verifying a chain of certificates, as |
| 92 // well as when verifying digital signature using the target certificate's | 95 // well as when verifying digital signature using the target certificate's |
| 93 // SPKI. | 96 // SPKI. |
| 94 // | 97 // |
| 95 // This particular policy allows for: | 98 // This particular policy allows for: |
| 96 // * ECDSA, RSA-SSA, and RSA-PSS | 99 // * ECDSA, RSA-SSA, and RSA-PSS |
| 97 // * Supported EC curves: P-256, P-384, P-521. | 100 // * Supported EC curves: P-256, P-384, P-521. |
| 98 // * Hashes: All SHA hashes including SHA-1 (despite being known weak). | 101 // * Hashes: All SHA hashes including SHA-1 (despite being known weak). |
| 99 // * RSA keys must have a modulus at least 2048-bits long. | 102 // * RSA keys must have a modulus at least 2048-bits long. |
| 100 scoped_ptr<net::SignaturePolicy> CreateCastSignaturePolicy() { | 103 std::unique_ptr<net::SignaturePolicy> CreateCastSignaturePolicy() { |
| 101 return make_scoped_ptr(new net::SimpleSignaturePolicy(2048)); | 104 return base::WrapUnique(new net::SimpleSignaturePolicy(2048)); |
| 102 } | 105 } |
| 103 | 106 |
| 104 class CertVerificationContextImpl : public CertVerificationContext { | 107 class CertVerificationContextImpl : public CertVerificationContext { |
| 105 public: | 108 public: |
| 106 // Save a copy of the passed in public key (DER) and common name (text). | 109 // Save a copy of the passed in public key (DER) and common name (text). |
| 107 CertVerificationContextImpl(const net::der::Input& spki, | 110 CertVerificationContextImpl(const net::der::Input& spki, |
| 108 const base::StringPiece& common_name) | 111 const base::StringPiece& common_name) |
| 109 : spki_(spki.AsString()), common_name_(common_name.as_string()) {} | 112 : spki_(spki.AsString()), common_name_(common_name.as_string()) {} |
| 110 | 113 |
| 111 bool VerifySignatureOverData(const base::StringPiece& signature, | 114 bool VerifySignatureOverData(const base::StringPiece& signature, |
| 164 } | 167 } |
| 165 | 168 |
| 166 // Checks properties on the target certificate. | 169 // Checks properties on the target certificate. |
| 167 // | 170 // |
| 168 // * The Key Usage must include Digital Signature | 171 // * The Key Usage must include Digital Signature |
| 169 // * THe Extended Key Usage must includ TLS Client Auth | 172 // * THe Extended Key Usage must includ TLS Client Auth |
| 170 // * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it | 173 // * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it |
| 171 // is an audio-only device. | 174 // is an audio-only device. |
| 172 WARN_UNUSED_RESULT bool CheckTargetCertificate( | 175 WARN_UNUSED_RESULT bool CheckTargetCertificate( |
| 173 const net::der::Input& cert_der, | 176 const net::der::Input& cert_der, |
| 174 scoped_ptr<CertVerificationContext>* context, | 177 std::unique_ptr<CertVerificationContext>* context, |
| 175 CastDeviceCertPolicy* policy) { | 178 CastDeviceCertPolicy* policy) { |
| 176 // TODO(eroman): Simplify this. The certificate chain verification | 179 // TODO(eroman): Simplify this. The certificate chain verification |
| 177 // function already parses this stuff, awkward to re-do it here. | 180 // function already parses this stuff, awkward to re-do it here. |
| 178 | 181 |
| 179 net::ParsedCertificate cert; | 182 net::ParsedCertificate cert; |
| 180 if (!net::ParseCertificate(cert_der, &cert)) | 183 if (!net::ParseCertificate(cert_der, &cert)) |
| 181 return false; | 184 return false; |
| 182 | 185 |
| 183 net::ParsedTbsCertificate tbs; | 186 net::ParsedTbsCertificate tbs; |
| 184 if (!net::ParseTbsCertificate(cert.tbs_certificate_tlv, &tbs)) | 187 if (!net::ParseTbsCertificate(cert.tbs_certificate_tlv, &tbs)) |
| 250 result.hours = exploded.hour; | 253 result.hours = exploded.hour; |
| 251 result.minutes = exploded.minute; | 254 result.minutes = exploded.minute; |
| 252 result.seconds = exploded.second; | 255 result.seconds = exploded.second; |
| 253 return result; | 256 return result; |
| 254 } | 257 } |
| 255 | 258 |
| 256 } // namespace | 259 } // namespace |
| 257 | 260 |
| 258 bool VerifyDeviceCert(const std::vector<std::string>& certs, | 261 bool VerifyDeviceCert(const std::vector<std::string>& certs, |
| 259 const base::Time::Exploded& time, | 262 const base::Time::Exploded& time, |
| 260 scoped_ptr<CertVerificationContext>* context, | 263 std::unique_ptr<CertVerificationContext>* context, |
| 261 CastDeviceCertPolicy* policy) { | 264 CastDeviceCertPolicy* policy) { |
| 262 // The underlying verification function expects a sequence of | 265 // The underlying verification function expects a sequence of |
| 263 // der::Input, so wrap the data in it (cheap). | 266 // der::Input, so wrap the data in it (cheap). |
| 264 std::vector<net::der::Input> input_chain; | 267 std::vector<net::der::Input> input_chain; |
| 265 for (const auto& cert : certs) | 268 for (const auto& cert : certs) |
| 266 input_chain.push_back(net::der::Input(&cert)); | 269 input_chain.push_back(net::der::Input(&cert)); |
| 267 | 270 |
| 268 // Use a signature policy compatible with Cast's PKI. | 271 // Use a signature policy compatible with Cast's PKI. |
| 269 auto signature_policy = CreateCastSignaturePolicy(); | 272 auto signature_policy = CreateCastSignaturePolicy(); |
| 270 | 273 |
| 271 // Do RFC 5280 compatible certificate verification using the two Cast | 274 // Do RFC 5280 compatible certificate verification using the two Cast |
| 272 // trust anchors and Cast signature policy. | 275 // trust anchors and Cast signature policy. |
| 273 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), | 276 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), |
| 274 signature_policy.get(), | 277 signature_policy.get(), |
| 275 ConvertExplodedTime(time))) { | 278 ConvertExplodedTime(time))) { |
| 276 return false; | 279 return false; |
| 277 } | 280 } |
| 278 | 281 |
| 279 // Check properties of the leaf certificate (key usage, policy), and construct | 282 // Check properties of the leaf certificate (key usage, policy), and construct |
| 280 // a CertVerificationContext that uses its public key. | 283 // a CertVerificationContext that uses its public key. |
| 281 return CheckTargetCertificate(input_chain[0], context, policy); | 284 return CheckTargetCertificate(input_chain[0], context, policy); |
| 282 } | 285 } |
| 283 | 286 |
| 284 scoped_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 287 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 285 const base::StringPiece& spki) { | 288 const base::StringPiece& spki) { |
| 286 // Use a bogus CommonName, since this is just exposed for testing signature | 289 // Use a bogus CommonName, since this is just exposed for testing signature |
| 287 // verification by unittests. | 290 // verification by unittests. |
| 288 return make_scoped_ptr( | 291 return base::WrapUnique( |
| 289 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 292 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 290 } | 293 } |
| 291 | 294 |
| 292 } // namespace cast_crypto | 295 } // namespace cast_crypto |
| 293 } // namespace api | 296 } // namespace api |
| 294 } // namespace extensions | 297 } // namespace extensions |
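Review bot: `base::WrapUnique(new net::SimpleSignaturePolicy(2048))` at new line 104, and the same pattern at new line 291, still pairs a bare `new` with the wrapper; since the change already adds `<memory>`, a make-unique form (`std::make_unique<net::SimpleSignaturePolicy>(2048)` where the toolchain permits C++14, or the equivalent helper from base/memory/ptr_util.h if this revision provides one) would remove the raw allocation and is what modernize-make-unique would flag. The new `std::unique_ptr<CertVerificationContext>* context` out-parameter on `CheckTargetCertificate` (new line 177) and `VerifyDeviceCert` (new line 263) carries no statement of what happens to `*context` and `*policy` when verification fails, which matters because callers hold these across the failure path; a one-line comment on each declaration such as `// On failure, *context and *policy are left unmodified.` (or whatever the implementation actually does) would pin the contract. The body of `CheckTargetCertificate` that would confirm that behaviour lies in the elided lines of the hunk, so the wording should be checked against it before landing.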