| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 11 #include <memory> | 11 #include <memory> |
| 12 #include <utility> | 12 #include <utility> |
| 13 | 13 |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/memory/singleton.h" | 15 #include "base/memory/singleton.h" |
| 16 #include "net/cert/internal/cert_issuer_source_static.h" | 16 #include "net/cert/internal/cert_issuer_source_static.h" |
| 17 #include "components/cast_certificate/cast_crl.h" |
| 17 #include "net/cert/internal/certificate_policies.h" | 18 #include "net/cert/internal/certificate_policies.h" |
| 18 #include "net/cert/internal/extended_key_usage.h" | 19 #include "net/cert/internal/extended_key_usage.h" |
| 19 #include "net/cert/internal/parse_certificate.h" | 20 #include "net/cert/internal/parse_certificate.h" |
| 20 #include "net/cert/internal/parse_name.h" | 21 #include "net/cert/internal/parse_name.h" |
| 21 #include "net/cert/internal/parsed_certificate.h" | 22 #include "net/cert/internal/parsed_certificate.h" |
| 22 #include "net/cert/internal/path_builder.h" | 23 #include "net/cert/internal/path_builder.h" |
| 23 #include "net/cert/internal/signature_algorithm.h" | 24 #include "net/cert/internal/signature_algorithm.h" |
| 24 #include "net/cert/internal/signature_policy.h" | 25 #include "net/cert/internal/signature_policy.h" |
| 25 #include "net/cert/internal/trust_store.h" | 26 #include "net/cert/internal/trust_store.h" |
| 26 #include "net/cert/internal/verify_signed_data.h" | 27 #include "net/cert/internal/verify_signed_data.h" |
| 28 #include "net/der/encode_values.h" |
| 27 #include "net/der/input.h" | 29 #include "net/der/input.h" |
| 28 | 30 |
| 29 namespace cast_certificate { | 31 namespace cast_certificate { |
| 30 namespace { | 32 namespace { |
| 31 | 33 |
| 32 // ------------------------------------------------------------------------- | 34 // ------------------------------------------------------------------------- |
| 33 // Cast trust anchors. | 35 // Cast trust anchors. |
| 34 // ------------------------------------------------------------------------- | 36 // ------------------------------------------------------------------------- |
| 35 | 37 |
| 36 // There are two trusted roots for Cast certificate chains: | 38 // There are two trusted roots for Cast certificate chains: |
| (...skipping 189 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 226 // Get the Common Name for the certificate. | 228 // Get the Common Name for the certificate. |
| 227 std::string common_name; | 229 std::string common_name; |
| 228 if (!GetCommonNameFromSubject(cert->tbs().subject_tlv, &common_name)) | 230 if (!GetCommonNameFromSubject(cert->tbs().subject_tlv, &common_name)) |
| 229 return false; | 231 return false; |
| 230 | 232 |
| 231 context->reset( | 233 context->reset( |
| 232 new CertVerificationContextImpl(cert->tbs().spki_tlv, common_name)); | 234 new CertVerificationContextImpl(cert->tbs().spki_tlv, common_name)); |
| 233 return true; | 235 return true; |
| 234 } | 236 } |
| 235 | 237 |
| 236 // Converts a base::Time::Exploded to a net::der::GeneralizedTime. | |
| 237 net::der::GeneralizedTime ConvertExplodedTime( | |
| 238 const base::Time::Exploded& exploded) { | |
| 239 net::der::GeneralizedTime result; | |
| 240 result.year = exploded.year; | |
| 241 result.month = exploded.month; | |
| 242 result.day = exploded.day_of_month; | |
| 243 result.hours = exploded.hour; | |
| 244 result.minutes = exploded.minute; | |
| 245 result.seconds = exploded.second; | |
| 246 return result; | |
| 247 } | |
| 248 | |
| 249 // Returns the parsing options used for Cast certificates. | 238 // Returns the parsing options used for Cast certificates. |
| 250 net::ParseCertificateOptions GetCertParsingOptions() { | 239 net::ParseCertificateOptions GetCertParsingOptions() { |
| 251 net::ParseCertificateOptions options; | 240 net::ParseCertificateOptions options; |
| 252 | 241 |
| 253 // Some cast intermediate certificates contain serial numbers that are | 242 // Some cast intermediate certificates contain serial numbers that are |
| 254 // 21 octets long, and might also not use valid DER encoding for an | 243 // 21 octets long, and might also not use valid DER encoding for an |
| 255 // INTEGER (non-minimal encoding). | 244 // INTEGER (non-minimal encoding). |
| 256 // | 245 // |
| 257 // Allow these sorts of serial numbers. | 246 // Allow these sorts of serial numbers. |
| 258 // | 247 // |
| 259 // TODO(eroman): At some point in the future this workaround will no longer be | 248 // TODO(eroman): At some point in the future this workaround will no longer be |
| 260 // necessary. Should revisit this for removal in 2017 if not earlier. | 249 // necessary. Should revisit this for removal in 2017 if not earlier. |
| 261 options.allow_invalid_serial_numbers = true; | 250 options.allow_invalid_serial_numbers = true; |
| 262 return options; | 251 return options; |
| 263 } | 252 } |
| 264 | 253 |
| 265 } // namespace | 254 } // namespace |
| 266 | 255 |
| 267 bool VerifyDeviceCert(const std::vector<std::string>& certs, | 256 bool VerifyDeviceCert(const std::vector<std::string>& certs, |
| 268 const base::Time::Exploded& time, | 257 const base::Time& time, |
| 269 std::unique_ptr<CertVerificationContext>* context, | 258 std::unique_ptr<CertVerificationContext>* context, |
| 270 CastDeviceCertPolicy* policy) { | 259 CastDeviceCertPolicy* policy, |
| 260 const CastCRL* crl, |
| 261 CRLPolicy crl_policy) { |
| 271 if (certs.empty()) | 262 if (certs.empty()) |
| 272 return false; | 263 return false; |
| 273 | 264 |
| 274 // No reference to these ParsedCertificates is kept past the end of this | 265 // No reference to these ParsedCertificates is kept past the end of this |
| 275 // function, so using EXTERNAL_REFERENCE here is safe. | 266 // function, so using EXTERNAL_REFERENCE here is safe. |
| 276 scoped_refptr<net::ParsedCertificate> target_cert; | 267 scoped_refptr<net::ParsedCertificate> target_cert; |
| 277 net::CertIssuerSourceStatic intermediate_cert_issuer_source; | 268 net::CertIssuerSourceStatic intermediate_cert_issuer_source; |
| 278 for (size_t i = 0; i < certs.size(); ++i) { | 269 for (size_t i = 0; i < certs.size(); ++i) { |
| 279 scoped_refptr<net::ParsedCertificate> cert( | 270 scoped_refptr<net::ParsedCertificate> cert( |
| 280 net::ParsedCertificate::CreateFromCertificateData( | 271 net::ParsedCertificate::CreateFromCertificateData( |
| 281 reinterpret_cast<const uint8_t*>(certs[i].data()), certs[i].size(), | 272 reinterpret_cast<const uint8_t*>(certs[i].data()), certs[i].size(), |
| 282 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 273 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, |
| 283 GetCertParsingOptions())); | 274 GetCertParsingOptions())); |
| 284 if (!cert) | 275 if (!cert) |
| 285 return false; | 276 return false; |
| 286 | 277 |
| 287 if (i == 0) | 278 if (i == 0) |
| 288 target_cert = std::move(cert); | 279 target_cert = std::move(cert); |
| 289 else | 280 else |
| 290 intermediate_cert_issuer_source.AddCert(std::move(cert)); | 281 intermediate_cert_issuer_source.AddCert(std::move(cert)); |
| 291 } | 282 } |
| 292 | 283 |
| 293 // Use a signature policy compatible with Cast's PKI. | 284 // Use a signature policy compatible with Cast's PKI. |
| 294 auto signature_policy = CreateCastSignaturePolicy(); | 285 auto signature_policy = CreateCastSignaturePolicy(); |
| 295 | 286 |
| 296 // Do path building and RFC 5280 compatible certificate verification using the | 287 // Do path building and RFC 5280 compatible certificate verification using the |
| 297 // two Cast trust anchors and Cast signature policy. | 288 // two Cast trust anchors and Cast signature policy. |
| 289 net::der::GeneralizedTime verification_time; |
| 290 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) |
| 291 return false; |
| 298 net::CertPathBuilder::Result result; | 292 net::CertPathBuilder::Result result; |
| 299 net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(), | 293 net::CertPathBuilder path_builder(target_cert.get(), &CastTrustStore::Get(), |
| 300 signature_policy.get(), | 294 signature_policy.get(), verification_time, |
| 301 ConvertExplodedTime(time), &result); | 295 &result); |
| 302 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | 296 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
| 303 net::CompletionStatus rv = path_builder.Run(base::Closure()); | 297 net::CompletionStatus rv = path_builder.Run(base::Closure()); |
| 304 DCHECK_EQ(rv, net::CompletionStatus::SYNC); | 298 DCHECK_EQ(rv, net::CompletionStatus::SYNC); |
| 305 if (!result.is_success()) | 299 if (!result.is_success()) |
| 306 return false; | 300 return false; |
| 307 | 301 |
| 308 // Check properties of the leaf certificate (key usage, policy), and construct | 302 // Check properties of the leaf certificate (key usage, policy), and construct |
| 309 // a CertVerificationContext that uses its public key. | 303 // a CertVerificationContext that uses its public key. |
| 310 return CheckTargetCertificate(target_cert.get(), context, policy); | 304 if (!CheckTargetCertificate(target_cert.get(), context, policy)) |
| 305 return false; |
| 306 |
| 307 // Check if a CRL is available. |
| 308 if (!crl) { |
| 309 if (crl_policy == CRLPolicy::CRL_REQUIRED) { |
| 310 return false; |
| 311 } |
| 312 } else { |
| 313 if (result.paths.empty() || |
| 314 !result.paths[result.best_result_index]->is_success()) |
| 315 return false; |
| 316 |
| 317 if (!crl->CheckRevocation(result.paths[result.best_result_index]->path, |
| 318 time)) { |
| 319 return false; |
| 320 } |
| 321 } |
| 322 return true; |
| 311 } | 323 } |
| 312 | 324 |
| 313 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 325 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 314 const base::StringPiece& spki) { | 326 const base::StringPiece& spki) { |
| 315 // Use a bogus CommonName, since this is just exposed for testing signature | 327 // Use a bogus CommonName, since this is just exposed for testing signature |
| 316 // verification by unittests. | 328 // verification by unittests. |
| 317 return base::WrapUnique( | 329 return base::WrapUnique( |
| 318 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 330 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 319 } | 331 } |
| 320 | 332 |
| 321 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { | 333 bool SetTrustAnchorForTest(const std::string& cert) { |
| 322 scoped_refptr<net::ParsedCertificate> anchor( | 334 scoped_refptr<net::ParsedCertificate> anchor( |
| 323 net::ParsedCertificate::CreateFromCertificateData( | 335 net::ParsedCertificate::CreateFromCertificateCopy( |
| 324 data, length, net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, | 336 cert, GetCertParsingOptions())); |
| 325 GetCertParsingOptions())); | |
| 326 if (!anchor) | 337 if (!anchor) |
| 327 return false; | 338 return false; |
| 339 CastTrustStore::Get().Clear(); |
| 328 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); | 340 CastTrustStore::Get().AddTrustedCertificate(std::move(anchor)); |
| 329 return true; | 341 return true; |
| 330 } | 342 } |
| 331 | 343 |
| 332 } // namespace cast_certificate | 344 } // namespace cast_certificate |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2050983002:
Cast device revocation checking. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master