Cast device revocation checking.

components/cast_certificate/cast_crl.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cast_certificate/cast_crl.h"
+
+#include "base/base64.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/singleton.h"
+#include "components/cast_certificate/proto/revocation.pb.h"
+#include "crypto/sha2.h"
+#include "net/cert/internal/parse_certificate.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/signature_algorithm.h"
+#include "net/cert/internal/signature_policy.h"
+#include "net/cert/internal/trust_store.h"
+#include "net/cert/internal/verify_certificate_chain.h"
+#include "net/cert/internal/verify_signed_data.h"
+#include "net/cert/x509_certificate.h"
+#include "net/der/input.h"
+#include "net/der/parser.h"
+#include "net/der/parse_values.h"
+
+namespace cast_certificate {
+namespace {
+
+enum CrlVersion {
+  // version 0: Spki Hash Algorithm = SHA-256
+  //            Signature Algorithm = RSA-PKCS1 V1.5 with SHA-256
+  CRL_VERSION_0 = 0,
+};
+
+// -------------------------------------------------------------------------
+// Cast CRL trust anchors.
+// -------------------------------------------------------------------------
+
+// There is one trusted root for Cast CRL certificate chains:
+//
+//   (1) CN=Cast CRL Root CA    (kCastCRLRootCaDer)
+//
+// These constants are defined by the file included next:
+
+#include "components/cast_certificate/cast_crl_root_ca_cert_der-inc.h"
+
+// Singleton for the Cast CRL trust store.
+class CastCRLTrustStore {
+ public:
+  static CastCRLTrustStore* GetInstance() {
+    return base::Singleton<CastCRLTrustStore, base::LeakySingletonTraits<
+                                                  CastCRLTrustStore>>::get();
+  }
+
+  static net::TrustStore& Get() { return GetInstance()->store_; }
+
+ private:
+  friend struct base::DefaultSingletonTraits<CastCRLTrustStore>;
+
+  CastCRLTrustStore() {
+    // Initialize the trust store with the root certificate.
+    // TODO (ryanchung): Add official Cast CRL Root here
+    // scoped_refptr<net::ParsedCertificate> root = net::ParsedCertificate::
+    //     net::ParsedCertificate::CreateFromCertificateData(
+    //         kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer),
+    //         net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
+    // CHECK(root);
+    // store_.AddTrustedCertificate(std::move(root));
+  }
+
+  net::TrustStore store_;
+  DISALLOW_COPY_AND_ASSIGN(CastCRLTrustStore);
+};
+
+// Converts a base::Time::Exploded to a net::der::GeneralizedTime.
+net::der::GeneralizedTime ConvertExplodedTime(
+    const base::Time::Exploded& exploded) {
+  net::der::GeneralizedTime result;
+  result.year = exploded.year;
+  result.month = exploded.month;
+  result.day = exploded.day_of_month;
+  result.hours = exploded.hour;
+  result.minutes = exploded.minute;
+  result.seconds = exploded.second;
+  return result;
+}
+
+// Converts a ner::der::GeneralizedTime to base::Time::Exploded
+base::Time::Exploded ConvertGeneralizedTime(
+    const net::der::GeneralizedTime generalized) {
+  base::Time::Exploded result;
+  result.year = generalized.year;
+  result.month = generalized.month;
+  result.day_of_month = generalized.day;
+  result.hour = generalized.hours;
+  result.minute = generalized.minutes;
+  result.second = generalized.seconds;
+  return result;
+}
+
+// Specifies the signature verification policy.
+std::unique_ptr<net::SignaturePolicy> CreateCastSignaturePolicy() {
+  return base::WrapUnique(new net::SimpleSignaturePolicy(2048));
+}
+
+class ScopedCheckUnreferencedCert {
+ public:
+  explicit ScopedCheckUnreferencedCert(net::ParsedCertificate* cert)
+      : cert_(cert) {}
+  ~ScopedCheckUnreferencedCert() { DCHECK(cert_->HasOneRef()); }
+
+ private:
+  net::ParsedCertificate* cert_;
+};
+
+// Verifies the CRL is signed by a trusted CRL authority at the time the CRL was
+// issued.
+bool VerifyCRL(const Crl& crl,
+               const TbsCrl& tbs_crl,
+               const base::Time::Exploded& time,
+               base::Time* overall_validity_end) {
+  // Verify the trust of the CRL authority.
+  net::der::GeneralizedTime signing_time_generalized =
+      ConvertExplodedTime(time);
+  std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
+  scoped_refptr<net::ParsedCertificate> parsed_cert =
+      net::ParsedCertificate::CreateFromCertificateData(
+          reinterpret_cast<const uint8_t*>(crl.signer_cert().data()),
+          crl.signer_cert().size(),
+          net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
+  if (parsed_cert == nullptr)
+    return false;
+
+  // Parse the signature.
+  std::string signature;
+  signature = crl.signature();
+  net::der::BitString signature_value_bit_string;
+  signature_value_bit_string =
+      net::der::BitString(net::der::Input(&signature), 0);
+
+  // Verify the signature
+  std::unique_ptr<net::SignaturePolicy> policy =
+      base::WrapUnique(new net::SimpleSignaturePolicy(2048));
+  std::unique_ptr<net::SignatureAlgorithm> signature_algorithm_type =
+      net::SignatureAlgorithm::CreateRsaPkcs1(net::DigestAlgorithm::Sha256);
+  if (!VerifySignedData(*signature_algorithm_type,
+                        net::der::Input(&crl.tbs_crl()),
+                        signature_value_bit_string, parsed_cert->tbs().spki_tlv,
+                        policy.get())) {
+    VLOG(2) << "CRL - Signature verification failed.";
+    return false;
+  }
+
+  // Verify the issuer certificate
+  ScopedCheckUnreferencedCert ref_checker(parsed_cert.get());
+  input_chain.push_back(std::move(parsed_cert));
+
+  auto signature_policy = CreateCastSignaturePolicy();
+  std::vector<scoped_refptr<net::ParsedCertificate>> trusted_chain;
+  if (!net::VerifyCertificateChain(input_chain, CastCRLTrustStore::Get(),
+                                   signature_policy.get(),
+                                   signing_time_generalized, &trusted_chain)) {
+    return false;

[sheretov, 2016/06/24 20:24:30]

Any reason this failure is not logged like the signature verification failure
above?  Same for the time validity failure below.

[ryanchung, 2016/06/29 22:09:47]

Done.

+  }
+
+  // Verify the CRL is still valid
+  base::Time utc_time = base::Time::FromUTCExploded(time);
+  base::Time validity_start =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis());
+  base::Time validity_end =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis() +
+                                        tbs_crl.validity_period_millis());
+  if ((utc_time < validity_start) || (utc_time >= validity_end))
+    return false;
+
+  // Set CRL expiry to the earliest of the cert chain expiry and CRL expiry.
+  *overall_validity_end = validity_end;
+  for (const auto cert : trusted_chain) {
+    base::Time::Exploded cert_expiry_exploded =
+        ConvertGeneralizedTime(cert->tbs().validity_not_after);
+    base::Time utc_time = base::Time::FromUTCExploded(cert_expiry_exploded);
+    if (utc_time < *overall_validity_end)
+      *overall_validity_end = utc_time;
+  }
+  return true;
+}
+
+class CastCRLImpl : public CastCRL {
+ public:
+  CastCRLImpl(const TbsCrl& tbs_crl, const base::Time overall_validity_end);
+  ~CastCRLImpl() override;
+
+  bool CheckRevocation(
+      const std::vector<scoped_refptr<net::ParsedCertificate>>& trusted_chain,
+      const base::Time::Exploded& time) const override;
+
+ private:
+  base::Time validity_start;
+  base::Time validity_end;
+
+  // Hash of all revoked public key.
+  std::unordered_set<std::string> revoked_hashes_;
+
+  // Revoked serial number ranges indexed by issuer public key hash.
+  std::unordered_map<std::string, std::pair<uint64_t, uint64_t>>
+      revoked_serial_numbers_;
+  DISALLOW_COPY_AND_ASSIGN(CastCRLImpl);
+};
+
+CastCRLImpl::CastCRLImpl(const TbsCrl& tbs_crl,
+                         const base::Time overall_validity_end) {

[sheretov, 2016/06/24 20:24:31]

Any reason why this is not a reference?

[ryanchung, 2016/06/29 22:09:48]

Done.

+  // Parse the validity information.
+  validity_start =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis());
+  validity_end =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis() +
+                                        tbs_crl.validity_period_millis());
+  if (overall_validity_end < validity_end)
+    validity_end = overall_validity_end;
+
+  // Parse the revoked hashes.
+  for (const auto& hash : tbs_crl.revoked_public_key_hashes()) {
+    revoked_hashes_.insert(hash);
+  }
+
+  // Parse the revoked serial ranges.
+  for (const auto& range : tbs_crl.revoked_serial_number_ranges()) {
+    std::string hash = range.issuer_public_key_hash();
+    uint64_t first_serial_number = range.first_serial_number();
+    uint64_t last_serial_number = range.last_serial_number();
+    std::pair<uint64_t, uint64_t> revocation_range(first_serial_number,
+                                                   last_serial_number);
+    std::pair<std::string, std::pair<uint64_t, uint64_t>> revocation_entry(
+        hash, revocation_range);
+    revoked_serial_numbers_.insert(revocation_entry);
+  }
+}
+
+CastCRLImpl::~CastCRLImpl() {}
+
+// Verifies the revocation status of the certificate chain, at the specified
+// time.
+bool CastCRLImpl::CheckRevocation(
+    const std::vector<scoped_refptr<net::ParsedCertificate>>& trusted_chain,
+    const base::Time::Exploded& time) const {
+  if (trusted_chain.empty())
+    return false;
+
+  // Check the validity of the CRl at the specified time.

[sheretov, 2016/06/24 20:24:31]

nit: s/CRl/CRL/

[ryanchung, 2016/06/29 22:09:48]

Done.

+  base::Time utc_time = base::Time::FromUTCExploded(time);
+  if ((utc_time < validity_start) || (utc_time >= validity_end)) {
+    VLOG(2) << "CRL expired. Perform hard fail.";
+    return false;
+  }
+
+  // Check revocation
+  std::string issuer_key_hash;
+  for (int i = trusted_chain.size() - 1; i >= 0; --i) {
+    // Check public key revocation.
+    scoped_refptr<net::ParsedCertificate> parsed_cert = trusted_chain[i];
+    if (parsed_cert == nullptr)
+      return false;
+    // Calculate the public key's hash.
+    std::string spki_hash =
+        crypto::SHA256HashString(parsed_cert->tbs().spki_tlv.AsString());
+    if (revoked_hashes_.find(spki_hash) != revoked_hashes_.end()) {
+      VLOG(2) << "Public key is revoked.";
+      return false;
+    }
+
+    // Check serial range revocation.
+    if (!issuer_key_hash.empty()) {
+      DCHECK(!issuer_key_hash.empty());

[sheretov, 2016/06/24 20:24:30]

Is this DCHECK needed given the condition in the if statement just above?

[ryanchung, 2016/06/29 22:09:48]

Done.

+      auto issuer_revoked_serials =
+          revoked_serial_numbers_.find(issuer_key_hash);
+      if (issuer_revoked_serials != revoked_serial_numbers_.end()) {
+        uint64_t serial_number;
+        if (!net::der::ParseUint64(parsed_cert->tbs().serial_number,
+                                   &serial_number)) {
+          return false;

[sheretov, 2016/06/24 20:24:31]

This effectively (once there is at least one revoked SN range) revokes all certs
with a serial number that does not fit into 64 bits.  Seems like fringe
scenario, but one that we should probably agree on a consistent behavior for. 
My inclination is to be lenient here and skip to the next cert in the chain in
this case (that's what the current Java implementation does). The resulting
behavior would be: if the Cast ecosystem ever has certs with serial numbers that
don't fit within 64 bits, such certs cannot be revoked by serial number range.

[ryanchung, 2016/06/29 22:09:48]

Done.

+        }
+        if (issuer_revoked_serials->second.first <= serial_number &&
+            issuer_revoked_serials->second.second >= serial_number) {
+          VLOG(2) << "Serial number is revoked";
+          return false;
+        }
+      }
+    }
+    issuer_key_hash = spki_hash;
+  }
+  return true;
+}
+
+}  // namespace
+
+std::unique_ptr<CastCRL> ParseCRL(const std::string& crl_proto,
+                                  const base::Time::Exploded& time) {
+  CrlBundle cast_crl;
+  if (!cast_crl.ParseFromString(crl_proto)) {
+    LOG(ERROR) << "CRL - Binary could not be parsed.";
+    return nullptr;
+  }
+  for (auto const& crl : cast_crl.crls()) {
+    TbsCrl tbs_crl;
+    if (!tbs_crl.ParseFromString(crl.tbs_crl())) {
+      LOG(WARNING) << "Binary TBS CRL could not be parsed.";
+      continue;
+    }
+    switch (tbs_crl.version()) {

[sheretov, 2016/06/24 20:24:30]

A switch statement seems less readable than a simple if statement here, at least
for now.  If/when there is another version number to handle, this code can be
updated to use a switch statement.

[ryanchung, 2016/06/29 22:09:48]

Done.

+      case CRL_VERSION_0: {
+        base::Time overall_validity_end;
+        if (!VerifyCRL(crl, tbs_crl, time, &overall_validity_end)) {
+          LOG(ERROR) << "CRL - Verification failed.";
+          continue;
+        }
+        return base::WrapUnique(new CastCRLImpl(tbs_crl, overall_validity_end));
+      }
+      default:
+        continue;
+    }
+  }
+  LOG(ERROR) << "No supported version of revocation data.";
+  return nullptr;
+}
+
+bool AddCRLTrustAnchorForTest(const uint8_t* data, size_t length) {
+  scoped_refptr<net::ParsedCertificate> anchor(
+      net::ParsedCertificate::CreateFromCertificateData(
+          data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
+          {}));
+  if (!anchor)
+    return false;
+  CastCRLTrustStore::Get().AddTrustedCertificate(std::move(anchor));
+  return true;
+}
+
+void ClearCRLTrustAnchorForTest() {
+  CastCRLTrustStore::Get().Clear();
+}
+
+}  // namespace cast_certificate