OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/tools/cert_verify_tool/verify_using_path_builder.h" | |
6 | |
7 #include <iostream> | |
8 | |
9 #include "base/memory/ptr_util.h" | |
10 #include "base/strings/string_number_conversions.h" | |
11 #include "base/strings/string_util.h" | |
12 #include "crypto/sha2.h" | |
13 #include "net/base/net_errors.h" | |
14 #include "net/base/test_completion_callback.h" | |
eroman
2016/07/07 00:07:19
is it allowed to depend on a test-only file?
mattm
2016/07/07 00:49:55
several other things in net/tools do, so.. I guess
eroman
2016/07/07 01:21:44
acknowledged
| |
15 #include "net/cert/internal/cert_issuer_source_aia.h" | |
16 #include "net/cert/internal/cert_issuer_source_static.h" | |
17 #include "net/cert/internal/parse_name.h" | |
18 #include "net/cert/internal/parsed_certificate.h" | |
19 #include "net/cert/internal/path_builder.h" | |
20 #include "net/cert/internal/signature_policy.h" | |
21 #include "net/cert/internal/trust_store.h" | |
22 #include "net/cert_net/cert_net_fetcher_impl.h" | |
23 #include "net/tools/cert_verify_tool/cert_verify_tool_util.h" | |
24 #include "net/url_request/url_request_context.h" | |
25 #include "net/url_request/url_request_context_builder.h" | |
26 | |
27 #if defined(OS_LINUX) | |
28 #include "net/proxy/proxy_config.h" | |
29 #include "net/proxy/proxy_config_service_fixed.h" | |
30 #endif | |
31 | |
32 namespace { | |
33 | |
34 std::string GetUserAgent() { | |
35 return "cert_verify_tool/0.1"; | |
36 } | |
37 | |
38 // Converts a base::Time::Exploded to a net::der::GeneralizedTime. | |
39 // TODO(mattm): This function exists in cast_cert_validator.cc also. Dedupe it? | |
eroman
2016/07/07 00:07:19
Probably. Or alternately have the PKI code take a
mattm
2016/07/07 00:49:55
Yeah. There just doesn't seem to be an obvious pla
eroman
2016/07/07 01:21:44
Maybe GeneralizedTime::FromExplodedTime() or Gener
| |
40 net::der::GeneralizedTime ConvertExplodedTime( | |
41 const base::Time::Exploded& exploded) { | |
42 net::der::GeneralizedTime result; | |
43 result.year = exploded.year; | |
44 result.month = exploded.month; | |
45 result.day = exploded.day_of_month; | |
46 result.hours = exploded.hour; | |
47 result.minutes = exploded.minute; | |
48 result.seconds = exploded.second; | |
49 return result; | |
50 } | |
51 | |
52 // Dumps a chain of ParsedCertificate objects to a PEM file. | |
53 bool DumpParsedCertificateChain( | |
54 const base::FilePath& file_path, | |
55 const std::vector<scoped_refptr<net::ParsedCertificate>>& chain) { | |
56 std::vector<std::string> pem_encoded_chain; | |
57 for (const auto& cert : chain) { | |
58 std::string der_cert; | |
59 cert->der_cert().AsStringPiece().CopyToString(&der_cert); | |
60 std::string pem; | |
61 if (!net::X509Certificate::GetPEMEncodedFromDER(der_cert, &pem)) { | |
62 std::cerr << "ERROR: GetPEMEncodedFromDER failed\n"; | |
63 return false; | |
64 } | |
65 pem_encoded_chain.push_back(pem); | |
66 } | |
67 return WriteToFile(file_path, base::JoinString(pem_encoded_chain, "")); | |
68 } | |
69 | |
70 // Returns a hex-encoded sha256 of the DER-encoding of |cert|. | |
71 std::string FingerPrintParsedCertificate(const net::ParsedCertificate* cert) { | |
72 std::string hash = crypto::SHA256HashString(cert->der_cert().AsStringPiece()); | |
73 return base::HexEncode(hash.data(), hash.size()); | |
74 } | |
75 | |
76 // Returns a textual representation of the Subject of |cert|. | |
77 std::string SubjectFromParsedCertificate(const net::ParsedCertificate* cert) { | |
78 net::RDNSequence subject, issuer; | |
79 if (!net::ParseName(cert->tbs().subject_tlv, &subject)) | |
80 return std::string(); | |
81 std::string subject_str; | |
82 if (!net::ConvertToRFC2253(subject, &subject_str)) | |
83 return std::string(); | |
84 return subject_str; | |
85 } | |
86 | |
87 } // namespace | |
88 | |
89 // Verifies |target_der_cert| using CertPathBuilder. | |
90 bool VerifyUsingPathBuilder( | |
91 const CertInput& target_der_cert, | |
92 const std::vector<CertInput>& intermediate_der_certs, | |
93 const std::vector<CertInput>& root_der_certs, | |
94 const base::Time at_time, | |
95 const base::FilePath& dump_prefix_path) { | |
96 std::cout << "NOTE: CertPathBuilder does not currently use OS trust settings " | |
97 "(--roots must be specified).\n"; | |
98 std::cerr << "WARNING: --hostname is not yet verified with CertPathBuilder\n"; | |
99 | |
100 base::Time::Exploded exploded_time; | |
101 at_time.UTCExplode(&exploded_time); | |
102 net::der::GeneralizedTime time = ConvertExplodedTime(exploded_time); | |
103 | |
104 net::TrustStore trust_store; | |
105 for (const auto& der_cert : root_der_certs) { | |
106 scoped_refptr<net::ParsedCertificate> cert = | |
107 net::ParsedCertificate::CreateFromCertificateCopy(der_cert.der_cert, | |
108 {}); | |
109 if (!cert) | |
110 PrintCertError("ERROR: ParsedCertificate failed:", der_cert); | |
111 else | |
112 trust_store.AddTrustedCertificate(cert); | |
113 } | |
114 | |
115 net::CertIssuerSourceStatic intermediate_cert_issuer_source; | |
116 for (const auto& der_cert : intermediate_der_certs) { | |
117 scoped_refptr<net::ParsedCertificate> cert = | |
118 net::ParsedCertificate::CreateFromCertificateCopy(der_cert.der_cert, | |
119 {}); | |
120 if (!cert) | |
121 PrintCertError("ERROR: ParsedCertificate failed:", der_cert); | |
122 else | |
123 intermediate_cert_issuer_source.AddCert(cert); | |
124 } | |
125 | |
126 scoped_refptr<net::ParsedCertificate> target_cert = | |
127 net::ParsedCertificate::CreateFromCertificateCopy( | |
128 target_der_cert.der_cert, {}); | |
129 if (!target_cert) { | |
130 PrintCertError("ERROR: ParsedCertificate failed:", target_der_cert); | |
131 return false; | |
132 } | |
133 | |
134 // Verify the chain. | |
135 net::SimpleSignaturePolicy signature_policy(2048); | |
136 net::CertPathBuilder::Result result; | |
137 net::CertPathBuilder path_builder(target_cert, &trust_store, | |
138 &signature_policy, time, &result); | |
139 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); | |
140 | |
141 // TODO(mattm): add command line flags to configure using CertIssuerSourceAia | |
142 // (similar to VERIFY_CERT_IO_ENABLED flag for CertVerifyProc). | |
143 net::URLRequestContextBuilder url_request_context_builder; | |
144 url_request_context_builder.set_user_agent(GetUserAgent()); | |
145 #if defined(OS_LINUX) | |
146 // On Linux, use a fixed ProxyConfigService, since the default one | |
147 // depends on glib. | |
148 // | |
149 // TODO(akalin): Remove this once http://crbug.com/146421 is fixed. | |
150 url_request_context_builder.set_proxy_config_service( | |
151 base::WrapUnique(new net::ProxyConfigServiceFixed(net::ProxyConfig()))); | |
152 #endif | |
153 std::unique_ptr<net::URLRequestContext> url_request_context = | |
154 url_request_context_builder.Build(); | |
155 net::CertNetFetcherImpl cert_net_fetcher(url_request_context.get()); | |
156 net::CertIssuerSourceAia aia_cert_issuer_source(&cert_net_fetcher); | |
157 path_builder.AddCertIssuerSource(&aia_cert_issuer_source); | |
158 | |
159 net::TestClosure callback; | |
160 net::CompletionStatus rv = path_builder.Run(callback.closure()); | |
161 | |
162 if (rv == net::CompletionStatus::ASYNC) { | |
163 DVLOG(1) << "waiting for async completion..."; | |
164 callback.WaitForResult(); | |
165 DVLOG(1) << "async completed."; | |
166 } | |
167 | |
168 std::cout << "CertPathBuilder best result: " | |
169 << net::ErrorToShortString(result.error()) << "\n"; | |
170 | |
171 for (size_t i = 0; i < result.paths.size(); ++i) { | |
172 std::cout << "path " << i << " " | |
173 << net::ErrorToShortString(result.paths[i]->error) | |
174 << ((result.best_result_index == i) ? " (best)" : "") << "\n"; | |
175 for (const auto& cert : result.paths[i]->path) { | |
176 std::cout << " " << FingerPrintParsedCertificate(cert.get()) << " " | |
177 << SubjectFromParsedCertificate(cert.get()) << "\n"; | |
178 } | |
179 } | |
180 | |
181 // TODO(mattm): add flag to dump all paths, not just the final one? | |
182 if (!dump_prefix_path.empty() && result.paths.size()) { | |
183 if (!DumpParsedCertificateChain( | |
184 dump_prefix_path.AddExtension( | |
185 FILE_PATH_LITERAL(".CertPathBuilder.pem")), | |
186 result.paths[result.best_result_index]->path)) { | |
187 return false; | |
188 } | |
189 } | |
190 | |
191 return result.error() == net::OK; | |
192 } | |
OLD | NEW |