| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_cert_validator.h" | 5 #include "components/cast_certificate/cast_cert_validator.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 157 | 157 |
| 158 // Returns true if the extended key usage list |ekus| contains client auth. | 158 // Returns true if the extended key usage list |ekus| contains client auth. |
| 159 bool HasClientAuth(const std::vector<net::der::Input>& ekus) { | 159 bool HasClientAuth(const std::vector<net::der::Input>& ekus) { |
| 160 for (const auto& oid : ekus) { | 160 for (const auto& oid : ekus) { |
| 161 if (oid == net::ClientAuth()) | 161 if (oid == net::ClientAuth()) |
| 162 return true; | 162 return true; |
| 163 } | 163 } |
| 164 return false; | 164 return false; |
| 165 } | 165 } |
| 166 | 166 |
| 167 // Returns the parsing options used for Cast certificates. |
| 168 net::ParseCertificateOptions GetCertParsingOptions() { |
| 169 net::ParseCertificateOptions options; |
| 170 |
| 171 // Some cast intermediate certificates contain serial numbers that are |
| 172 // 21 octets long, and might also not use valid DER encoding for an |
| 173 // INTEGER (non-minimal encoding). |
| 174 // |
| 175 // Allow these sorts of serial numbers. |
| 176 // |
| 177 // TODO(eroman): At some point in the future this workaround will no longer be |
| 178 // necessary. Should revisit this for removal in 2017 if not earlier. |
| 179 options.allow_invalid_serial_numbers = true; |
| 180 return options; |
| 181 } |
| 182 |
| 167 // Checks properties on the target certificate. | 183 // Checks properties on the target certificate. |
| 168 // | 184 // |
| 169 // * The Key Usage must include Digital Signature | 185 // * The Key Usage must include Digital Signature |
| 170 // * THe Extended Key Usage must includ TLS Client Auth | 186 // * THe Extended Key Usage must includ TLS Client Auth |
| 171 // * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it | 187 // * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it |
| 172 // is an audio-only device. | 188 // is an audio-only device. |
| 173 WARN_UNUSED_RESULT bool CheckTargetCertificate( | 189 WARN_UNUSED_RESULT bool CheckTargetCertificate( |
| 174 const net::der::Input& cert_der, | 190 const net::der::Input& cert_der, |
| 175 std::unique_ptr<CertVerificationContext>* context, | 191 std::unique_ptr<CertVerificationContext>* context, |
| 176 CastDeviceCertPolicy* policy) { | 192 CastDeviceCertPolicy* policy) { |
| 177 // TODO(eroman): Simplify this. The certificate chain verification | 193 // TODO(eroman): Simplify this. The certificate chain verification |
| 178 // function already parses this stuff, awkward to re-do it here. | 194 // function already parses this stuff, awkward to re-do it here. |
| 179 | 195 |
| 180 net::der::Input tbs_certificate_tlv; | 196 net::der::Input tbs_certificate_tlv; |
| 181 net::der::Input signature_algorithm_tlv; | 197 net::der::Input signature_algorithm_tlv; |
| 182 net::der::BitString signature_value; | 198 net::der::BitString signature_value; |
| 183 if (!net::ParseCertificate(cert_der, &tbs_certificate_tlv, | 199 if (!net::ParseCertificate(cert_der, &tbs_certificate_tlv, |
| 184 &signature_algorithm_tlv, &signature_value)) | 200 &signature_algorithm_tlv, &signature_value)) |
| 185 return false; | 201 return false; |
| 186 | 202 |
| 187 net::ParsedTbsCertificate tbs; | 203 net::ParsedTbsCertificate tbs; |
| 188 if (!net::ParseTbsCertificate(tbs_certificate_tlv, &tbs)) | 204 if (!net::ParseTbsCertificate(tbs_certificate_tlv, GetCertParsingOptions(), |
| 205 &tbs)) |
| 189 return false; | 206 return false; |
| 190 | 207 |
| 191 // Get the extensions. | 208 // Get the extensions. |
| 192 if (!tbs.has_extensions) | 209 if (!tbs.has_extensions) |
| 193 return false; | 210 return false; |
| 194 ExtensionsMap extensions; | 211 ExtensionsMap extensions; |
| 195 if (!net::ParseExtensions(tbs.extensions_tlv, &extensions)) | 212 if (!net::ParseExtensions(tbs.extensions_tlv, &extensions)) |
| 196 return false; | 213 return false; |
| 197 | 214 |
| 198 net::der::Input extension_value; | 215 net::der::Input extension_value; |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 266 // der::Input, so wrap the data in it (cheap). | 283 // der::Input, so wrap the data in it (cheap). |
| 267 std::vector<net::der::Input> input_chain; | 284 std::vector<net::der::Input> input_chain; |
| 268 for (const auto& cert : certs) | 285 for (const auto& cert : certs) |
| 269 input_chain.push_back(net::der::Input(&cert)); | 286 input_chain.push_back(net::der::Input(&cert)); |
| 270 | 287 |
| 271 // Use a signature policy compatible with Cast's PKI. | 288 // Use a signature policy compatible with Cast's PKI. |
| 272 auto signature_policy = CreateCastSignaturePolicy(); | 289 auto signature_policy = CreateCastSignaturePolicy(); |
| 273 | 290 |
| 274 // Do RFC 5280 compatible certificate verification using the two Cast | 291 // Do RFC 5280 compatible certificate verification using the two Cast |
| 275 // trust anchors and Cast signature policy. | 292 // trust anchors and Cast signature policy. |
| 276 if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(), | 293 if (!net::VerifyCertificateChain( |
| 277 signature_policy.get(), | 294 input_chain, GetCertParsingOptions(), CastTrustStore::Get(), |
| 278 ConvertExplodedTime(time))) { | 295 signature_policy.get(), ConvertExplodedTime(time))) { |
| 279 return false; | 296 return false; |
| 280 } | 297 } |
| 281 | 298 |
| 282 // Check properties of the leaf certificate (key usage, policy), and construct | 299 // Check properties of the leaf certificate (key usage, policy), and construct |
| 283 // a CertVerificationContext that uses its public key. | 300 // a CertVerificationContext that uses its public key. |
| 284 return CheckTargetCertificate(input_chain[0], context, policy); | 301 return CheckTargetCertificate(input_chain[0], context, policy); |
| 285 } | 302 } |
| 286 | 303 |
| 287 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( | 304 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest( |
| 288 const base::StringPiece& spki) { | 305 const base::StringPiece& spki) { |
| 289 // Use a bogus CommonName, since this is just exposed for testing signature | 306 // Use a bogus CommonName, since this is just exposed for testing signature |
| 290 // verification by unittests. | 307 // verification by unittests. |
| 291 return base::WrapUnique( | 308 return base::WrapUnique( |
| 292 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); | 309 new CertVerificationContextImpl(net::der::Input(spki), "CommonName")); |
| 293 } | 310 } |
| 294 | 311 |
| 295 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { | 312 bool AddTrustAnchorForTest(const uint8_t* data, size_t length) { |
| 296 return CastTrustStore::Get().AddTrustedCertificateWithoutCopying(data, | 313 return CastTrustStore::Get().AddTrustedCertificateWithoutCopying(data, |
| 297 length); | 314 length); |
| 298 } | 315 } |
| 299 | 316 |
| 300 } // namespace cast_certificate | 317 } // namespace cast_certificate |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2093223002:
Allow Cast certificates to have serial numbers greater than 20 bytes, as well as non-minimal INTEGE… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@2743