Cast device revocation checking.

components/cast_certificate/cast_crl.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/cast_certificate/cast_crl.h"
+
+#include <unordered_map>
+#include <unordered_set>
+
+#include "base/base64.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/singleton.h"
+#include "components/cast_certificate/proto/revocation.pb.h"
+#include "crypto/sha2.h"
+#include "net/cert/internal/parse_certificate.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/signature_algorithm.h"
+#include "net/cert/internal/signature_policy.h"
+#include "net/cert/internal/trust_store.h"
+#include "net/cert/internal/verify_certificate_chain.h"
+#include "net/cert/internal/verify_signed_data.h"
+#include "net/cert/x509_certificate.h"
+#include "net/der/input.h"
+#include "net/der/parser.h"
+#include "net/der/parse_values.h"
+
+namespace cast_certificate {
+namespace {
+
+enum CrlVersion {
+  // version 0: Spki Hash Algorithm = SHA-256
+  //            Signature Algorithm = RSA-PKCS1 V1.5 with SHA-256
+  CRL_VERSION_0 = 0,
+};
+
+// -------------------------------------------------------------------------
+// Cast CRL trust anchors.
+// -------------------------------------------------------------------------
+
+// There is one trusted root for Cast CRL certificate chains:
+//
+//   (1) CN=Cast CRL Root CA    (kCastCRLRootCaDer)
+//
+// These constants are defined by the file included next:
+
+#include "components/cast_certificate/cast_crl_root_ca_cert_der-inc.h"
+
+// Singleton for the Cast CRL trust store.
+class CastCRLTrustStore {
+ public:
+  static CastCRLTrustStore* GetInstance() {
+    return base::Singleton<CastCRLTrustStore, base::LeakySingletonTraits<
+                                                  CastCRLTrustStore>>::get();
+  }
+
+  static net::TrustStore& Get() { return GetInstance()->store_; }
+
+ private:
+  friend struct base::DefaultSingletonTraits<CastCRLTrustStore>;
+
+  CastCRLTrustStore() {
+    // Initialize the trust store with the root certificate.
+    // TODO (ryanchung): Add official Cast CRL Root here
+    // scoped_refptr<net::ParsedCertificate> root = net::ParsedCertificate::
+    //     net::ParsedCertificate::CreateFromCertificateData(
+    //         kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer),
+    //         net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
+    // CHECK(root);
+    // store_.AddTrustedCertificate(std::move(root));
+  }
+
+  net::TrustStore store_;
+  DISALLOW_COPY_AND_ASSIGN(CastCRLTrustStore);
+};
+
+// Converts a base::Time::Exploded to a net::der::GeneralizedTime.
+net::der::GeneralizedTime ConvertExplodedTime(
+    const base::Time::Exploded& exploded) {
+  // Add 500 milliseconds and strip the milliseconds.
+  // Effectively rounding the original time to the nearest second.
+  base::Time rounded_time = base::Time::FromUTCExploded(exploded);
+  rounded_time += base::TimeDelta::FromMilliseconds(500);
+  base::Time::Exploded rounded_exploded_time;
+  rounded_time.UTCExplode(&rounded_exploded_time);
+
+  net::der::GeneralizedTime result;
+  result.year = rounded_exploded_time.year;
+  result.month = rounded_exploded_time.month;
+  result.day = rounded_exploded_time.day_of_month;
+  result.hours = rounded_exploded_time.hour;
+  result.minutes = rounded_exploded_time.minute;
+  result.seconds = rounded_exploded_time.second;
+  return result;
+}
+
+// Converts a ner::der::GeneralizedTime to base::Time::Exploded
+base::Time::Exploded ConvertGeneralizedTime(
+    const net::der::GeneralizedTime generalized) {
+  base::Time::Exploded result = {0};
+  result.year = generalized.year;
+  result.month = generalized.month;
+  result.day_of_month = generalized.day;
+  result.hour = generalized.hours;
+  result.minute = generalized.minutes;
+  result.second = generalized.seconds;
+  return result;
+}
+
+// Specifies the signature verification policy.
+std::unique_ptr<net::SignaturePolicy> CreateCastSignaturePolicy() {
+  return base::WrapUnique(new net::SimpleSignaturePolicy(2048));
+}
+
+class ScopedCheckUnreferencedCert {
+ public:
+  explicit ScopedCheckUnreferencedCert(net::ParsedCertificate* cert)
+      : cert_(cert) {}
+  ~ScopedCheckUnreferencedCert() { DCHECK(cert_->HasOneRef()); }
+
+ private:
+  net::ParsedCertificate* cert_;
+};
+
+// Verifies the CRL is signed by a trusted CRL authority at the time the CRL was
+// issued.
+bool VerifyCRL(const Crl& crl,

[sheretov, 2016/07/08 18:07:07]

Documenting the arguments might be useful for readability here.  Especially the
overall_validity_end argument.

[ryanchung, 2016/07/08 22:49:29]

Done.

+               const TbsCrl& tbs_crl,
+               const base::Time::Exploded& time,
+               base::Time* overall_validity_end) {
+  // Verify the trust of the CRL authority.
+  net::der::GeneralizedTime signing_time_generalized =

[sheretov, 2016/07/08 18:07:07]

I would call this "verification_time_generalized".

[ryanchung, 2016/07/08 22:49:29]

Done.

+      ConvertExplodedTime(time);
+  std::vector<scoped_refptr<net::ParsedCertificate>> input_chain;
+  scoped_refptr<net::ParsedCertificate> parsed_cert =
+      net::ParsedCertificate::CreateFromCertificateData(
+          reinterpret_cast<const uint8_t*>(crl.signer_cert().data()),
+          crl.signer_cert().size(),
+          net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {});
+  if (parsed_cert == nullptr) {
+    VLOG(2) << "CRL - Issuer certificate parsing failed.";
+    return false;
+  }
+
+  // Parse the signature.
+  std::string signature;
+  signature = crl.signature();

[sheretov, 2016/07/08 18:07:07]

I would combine this with the previous line:
std::string signature = crl.signature();

Same for signature_value_bit_string below.

[ryanchung, 2016/07/08 22:49:29]

Done.

+  net::der::BitString signature_value_bit_string;
+  signature_value_bit_string =
+      net::der::BitString(net::der::Input(&signature), 0);
+
+  // Verify the signature

[sheretov, 2016/07/08 18:07:07]

style consistency nit: "// Parse the signature." comment above ends with a
period, and this comment does not.  Same with "//Verify XXX" comments below.

[ryanchung, 2016/07/08 22:49:29]

Done.

+  std::unique_ptr<net::SignaturePolicy> policy =
+      base::WrapUnique(new net::SimpleSignaturePolicy(2048));
+  std::unique_ptr<net::SignatureAlgorithm> signature_algorithm_type =
+      net::SignatureAlgorithm::CreateRsaPkcs1(net::DigestAlgorithm::Sha256);
+  if (!VerifySignedData(*signature_algorithm_type,
+                        net::der::Input(&crl.tbs_crl()),
+                        signature_value_bit_string, parsed_cert->tbs().spki_tlv,
+                        policy.get())) {
+    VLOG(2) << "CRL - Signature verification failed.";
+    return false;
+  }
+
+  // Verify the issuer certificate
+  ScopedCheckUnreferencedCert ref_checker(parsed_cert.get());
+  input_chain.push_back(std::move(parsed_cert));
+
+  auto signature_policy = CreateCastSignaturePolicy();
+  std::vector<scoped_refptr<net::ParsedCertificate>> trusted_chain;
+  if (!net::VerifyCertificateChain(input_chain, CastCRLTrustStore::Get(),
+                                   signature_policy.get(),
+                                   signing_time_generalized, &trusted_chain)) {
+    VLOG(2) << "CRL - Issuer certificate verification failed.";
+    return false;
+  }
+
+  // Verify the CRL is still valid
+  base::Time utc_time = base::Time::FromUTCExploded(time);
+  base::Time validity_start =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis());
+  base::Time validity_end =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis() +
+                                        tbs_crl.validity_period_millis());
+  if ((utc_time < validity_start) || (utc_time >= validity_end)) {
+    VLOG(2) << "CRL - Expired.";

[sheretov, 2016/07/08 18:07:07]

"CRL not time-valid" or something to that effect, since we are checking for
validity_start as well.

[ryanchung, 2016/07/08 22:49:29]

Done.

+    return false;
+  }
+
+  // Set CRL expiry to the earliest of the cert chain expiry and CRL expiry.
+  *overall_validity_end = validity_end;
+  for (const auto cert : trusted_chain) {
+    base::Time::Exploded cert_expiry_exploded =
+        ConvertGeneralizedTime(cert->tbs().validity_not_after);
+    base::Time cert_time;
+    if (!base::Time::FromUTCExploded(cert_expiry_exploded, &cert_time))
+      return false;

[sheretov, 2016/07/08 18:07:07]

This may warrant a log statement.

[ryanchung, 2016/07/08 22:49:29]

Done.

+    cert_time += base::TimeDelta::FromMilliseconds(500);

[sheretov, 2016/07/08 18:07:07]

Consider explaining the rounding logic and why it's needed in a comment.

[ryanchung, 2016/07/08 22:49:29]

Done.

+    if (cert_time < *overall_validity_end)
+      *overall_validity_end = cert_time;
+  }
+
+  // Perform sanity check on serial numbers
+  for (const auto& range : tbs_crl.revoked_serial_number_ranges()) {
+    uint64_t first_serial_number = range.first_serial_number();
+    uint64_t last_serial_number = range.last_serial_number();
+    if (last_serial_number < first_serial_number) {
+      VLOG(2) << "CRL - Malformed serial number range.";
+      return false;
+    }
+  }
+  return true;
+}
+
+class CastCRLImpl : public CastCRL {
+ public:
+  CastCRLImpl(const TbsCrl& tbs_crl, const base::Time& overall_validity_end);
+  ~CastCRLImpl() override;
+
+  bool CheckRevocation(
+      const std::vector<scoped_refptr<net::ParsedCertificate>>& trusted_chain,
+      const base::Time::Exploded& time) const override;
+
+ private:
+  base::Time validity_start;
+  base::Time validity_end;
+
+  // Hash of all revoked public key.

[sheretov, 2016/07/08 18:07:07]

s/Hash/Hashes/
s/key/keys/

[ryanchung, 2016/07/08 22:49:29]

Done.

+  std::unordered_set<std::string> revoked_hashes_;
+
+  // Revoked serial number ranges indexed by issuer public key hash.
+  std::unordered_map<std::string, std::unordered_map<uint64_t, uint64_t>>

[sheretov, 2016/07/08 18:07:07]

std::unordered_map<uint64_t, uint64_t> seems like a poor choice for a value type
here.  If there are multiple ranges that start with the same serial number under
the same issuer, they must contend for the same entry in the map.  This could be
alleviated with some kind of incremental range merge, so that {10, 12}, {10,
30}, {10, 20} => {10, 30}, but I don't see it below.  So, right now this
admittedly contrived example will result in an incorrect effective range of {10,
12}, because the first range with the same first_serial_number wins.

Aside: I should add this example to the test suite :)

Using something like std::unordered_set<std::pair<uint64_t, uint64_t>> might be
simpler to understand reason about.

[ryanchung, 2016/07/08 22:49:29]

Done.

+      revoked_serial_numbers_;
+  DISALLOW_COPY_AND_ASSIGN(CastCRLImpl);
+};
+
+CastCRLImpl::CastCRLImpl(const TbsCrl& tbs_crl,
+                         const base::Time& overall_validity_end) {
+  // Parse the validity information.
+  validity_start =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis());
+  validity_end =
+      base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(tbs_crl.issuance_time_millis() +
+                                        tbs_crl.validity_period_millis());
+  if (overall_validity_end < validity_end)
+    validity_end = overall_validity_end;
+
+  // Parse the revoked hashes.
+  for (const auto& hash : tbs_crl.revoked_public_key_hashes()) {
+    revoked_hashes_.insert(hash);
+  }
+
+  // Parse the revoked serial ranges.
+  for (const auto& range : tbs_crl.revoked_serial_number_ranges()) {
+    std::string hash = range.issuer_public_key_hash();
+    uint64_t first_serial_number = range.first_serial_number();
+    uint64_t last_serial_number = range.last_serial_number();
+
+    auto issuer_revoked_serials = revoked_serial_numbers_.find(hash);

[sheretov, 2016/07/08 18:07:07]

readability nit: I find that naming variables like this with an "_iter" suffix
enhances readability.  In this case I would probably go something like
"issuer_iter".

[ryanchung, 2016/07/08 22:49:29]

Done.

+    if (issuer_revoked_serials == revoked_serial_numbers_.end()) {
+      std::unordered_map<uint64_t, uint64_t> serials;
+      std::pair<std::string, std::unordered_map<uint64_t, uint64_t>>

[sheretov, 2016/07/08 18:07:07]

Consider using std::make_pair to improve readability.

[ryanchung, 2016/07/08 22:49:29]

Done.

+          revocation_entry(hash, serials);
+      revoked_serial_numbers_.insert(revocation_entry);
+      issuer_revoked_serials = revoked_serial_numbers_.find(hash);

[sheretov, 2016/07/08 18:07:07]

No need to call find(). insert() will give you the iterator to the new entry:
issuer_revoked_serials = revoked_serial_numbers.insert(revocation_entry).first;

[ryanchung, 2016/07/08 22:49:29]

Done.

+    }
+    std::pair<uint64_t, uint64_t> revocation_range(first_serial_number,
+                                                   last_serial_number);
+    issuer_revoked_serials->second.insert(revocation_range);
+  }
+}
+
+CastCRLImpl::~CastCRLImpl() {}
+
+// Verifies the revocation status of the certificate chain, at the specified
+// time.
+bool CastCRLImpl::CheckRevocation(
+    const std::vector<scoped_refptr<net::ParsedCertificate>>& trusted_chain,
+    const base::Time::Exploded& time) const {
+  if (trusted_chain.empty())
+    return false;
+
+  // Check the validity of the CRL at the specified time.
+  base::Time utc_time = base::Time::FromUTCExploded(time);
+  if ((utc_time < validity_start) || (utc_time >= validity_end)) {
+    VLOG(2) << "CRL expired. Perform hard fail.";

[sheretov, 2016/07/08 18:07:07]

"CRL not time-valid" or something to that effect, since we are checking for
validity_start as well.

[ryanchung, 2016/07/08 22:49:29]

Done.

+    return false;
+  }
+
+  // Check revocation
+  std::string issuer_key_hash;
+  for (int i = trusted_chain.size() - 1; i >= 0; --i) {
+    // Check public key revocation.
+    scoped_refptr<net::ParsedCertificate> parsed_cert = trusted_chain[i];
+    if (parsed_cert == nullptr)
+      return false;

[sheretov, 2016/07/08 18:07:07]

Log reason?

[ryanchung, 2016/07/08 22:49:29]

Done.

+    // Calculate the public key's hash.
+    std::string spki_hash =
+        crypto::SHA256HashString(parsed_cert->tbs().spki_tlv.AsString());
+    if (revoked_hashes_.find(spki_hash) != revoked_hashes_.end()) {
+      VLOG(2) << "Public key is revoked.";
+      return false;
+    }
+
+    // Check serial range revocation.
+    if (!issuer_key_hash.empty()) {
+      auto issuer_revoked_serials =
+          revoked_serial_numbers_.find(issuer_key_hash);
+      if (issuer_revoked_serials != revoked_serial_numbers_.end()) {
+        for (auto const& revoked_serial : issuer_revoked_serials->second) {
+          uint64_t serial_number;
+          if (!net::der::ParseUint64(parsed_cert->tbs().serial_number,

[sheretov, 2016/07/08 18:07:07]

Derive the value of serial_number once and then use it for every serial number
range in this loop.

[ryanchung, 2016/07/08 22:49:29]

Done.

+                                     &serial_number)) {
+            continue;
+          }
+          if (revoked_serial.first <= serial_number &&
+              revoked_serial.second >= serial_number) {
+            VLOG(2) << "Serial number is revoked";
+            return false;
+          }
+        }
+      }
+    }
+    issuer_key_hash = spki_hash;
+  }
+  return true;
+}
+
+}  // namespace
+
+std::unique_ptr<CastCRL> ParseAndVerifyCRL(const std::string& crl_proto,
+                                           const base::Time::Exploded& time) {
+  CrlBundle cast_crl;

[sheretov, 2016/07/08 18:07:07]

s/cast_crl/crl_bundle/

[ryanchung, 2016/07/08 22:49:29]

Done.

+  if (!cast_crl.ParseFromString(crl_proto)) {
+    LOG(ERROR) << "CRL - Binary could not be parsed.";
+    return nullptr;
+  }
+  for (auto const& crl : cast_crl.crls()) {
+    TbsCrl tbs_crl;
+    if (!tbs_crl.ParseFromString(crl.tbs_crl())) {
+      LOG(WARNING) << "Binary TBS CRL could not be parsed.";
+      continue;
+    }
+    if (tbs_crl.version() != CRL_VERSION_0) {
+      continue;
+    }
+    base::Time overall_validity_end;
+    if (!VerifyCRL(crl, tbs_crl, time, &overall_validity_end)) {
+      LOG(ERROR) << "CRL - Verification failed.";
+      return nullptr;
+    }
+    return base::WrapUnique(new CastCRLImpl(tbs_crl, overall_validity_end));
+  }
+  LOG(ERROR) << "No supported version of revocation data.";
+  return nullptr;
+}
+
+bool SetCRLTrustAnchorForTest(const uint8_t* data, size_t length) {
+  scoped_refptr<net::ParsedCertificate> anchor(
+      net::ParsedCertificate::CreateFromCertificateData(
+          data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE,
+          {}));
+  if (!anchor)
+    return false;
+  CastCRLTrustStore::Get().Clear();
+  CastCRLTrustStore::Get().AddTrustedCertificate(std::move(anchor));
+  return true;
+}
+
+void ClearCRLTrustAnchorForTest() {
+  CastCRLTrustStore::Get().Clear();
+}
+
+}  // namespace cast_certificate