OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/tools/cert_verify_tool/verify_using_path_builder.h" |
| 6 |
| 7 #include <iostream> |
| 8 |
| 9 #include "base/memory/ptr_util.h" |
| 10 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/strings/string_util.h" |
| 12 #include "crypto/sha2.h" |
| 13 #include "net/base/net_errors.h" |
| 14 #include "net/base/test_completion_callback.h" |
| 15 #include "net/cert/internal/cert_issuer_source_aia.h" |
| 16 #include "net/cert/internal/cert_issuer_source_static.h" |
| 17 #include "net/cert/internal/parse_name.h" |
| 18 #include "net/cert/internal/parsed_certificate.h" |
| 19 #include "net/cert/internal/path_builder.h" |
| 20 #include "net/cert/internal/signature_policy.h" |
| 21 #include "net/cert/internal/trust_store.h" |
| 22 #include "net/cert_net/cert_net_fetcher_impl.h" |
| 23 #include "net/tools/cert_verify_tool/cert_verify_tool_util.h" |
| 24 #include "net/url_request/url_request_context.h" |
| 25 #include "net/url_request/url_request_context_builder.h" |
| 26 |
| 27 #if defined(OS_LINUX) |
| 28 #include "net/proxy/proxy_config.h" |
| 29 #include "net/proxy/proxy_config_service_fixed.h" |
| 30 #endif |
| 31 |
| 32 namespace { |
| 33 |
| 34 std::string GetUserAgent() { |
| 35 return "cert_verify_tool/0.1"; |
| 36 } |
| 37 |
| 38 // Converts a base::Time::Exploded to a net::der::GeneralizedTime. |
| 39 // TODO(mattm): This function exists in cast_cert_validator.cc also. Dedupe it? |
| 40 net::der::GeneralizedTime ConvertExplodedTime( |
| 41 const base::Time::Exploded& exploded) { |
| 42 net::der::GeneralizedTime result; |
| 43 result.year = exploded.year; |
| 44 result.month = exploded.month; |
| 45 result.day = exploded.day_of_month; |
| 46 result.hours = exploded.hour; |
| 47 result.minutes = exploded.minute; |
| 48 result.seconds = exploded.second; |
| 49 return result; |
| 50 } |
| 51 |
| 52 // Dumps a chain of ParsedCertificate objects to a PEM file. |
| 53 bool DumpParsedCertificateChain( |
| 54 const base::FilePath& file_path, |
| 55 const std::vector<scoped_refptr<net::ParsedCertificate>>& chain) { |
| 56 std::vector<std::string> pem_encoded_chain; |
| 57 for (const auto& cert : chain) { |
| 58 std::string der_cert; |
| 59 cert->der_cert().AsStringPiece().CopyToString(&der_cert); |
| 60 std::string pem; |
| 61 if (!net::X509Certificate::GetPEMEncodedFromDER(der_cert, &pem)) { |
| 62 std::cerr << "ERROR: GetPEMEncodedFromDER failed\n"; |
| 63 return false; |
| 64 } |
| 65 pem_encoded_chain.push_back(pem); |
| 66 } |
| 67 return WriteToFile(file_path, base::JoinString(pem_encoded_chain, "")); |
| 68 } |
| 69 |
| 70 // Returns a hex-encoded sha256 of the DER-encoding of |cert|. |
| 71 std::string FingerPrintParsedCertificate(const net::ParsedCertificate* cert) { |
| 72 std::string hash = crypto::SHA256HashString(cert->der_cert().AsStringPiece()); |
| 73 return base::HexEncode(hash.data(), hash.size()); |
| 74 } |
| 75 |
| 76 // Returns a textual representation of the Subject of |cert|. |
| 77 std::string SubjectFromParsedCertificate(const net::ParsedCertificate* cert) { |
| 78 net::RDNSequence subject, issuer; |
| 79 if (!net::ParseName(cert->tbs().subject_tlv, &subject)) |
| 80 return std::string(); |
| 81 std::string subject_str; |
| 82 if (!net::ConvertToRFC2253(subject, &subject_str)) |
| 83 return std::string(); |
| 84 return subject_str; |
| 85 } |
| 86 |
| 87 } // namespace |
| 88 |
| 89 // Verifies |target_der_cert| using CertPathBuilder. |
| 90 bool VerifyUsingPathBuilder( |
| 91 const CertInput& target_der_cert, |
| 92 const std::vector<CertInput>& intermediate_der_certs, |
| 93 const std::vector<CertInput>& root_der_certs, |
| 94 const base::Time at_time, |
| 95 const base::FilePath& dump_prefix_path) { |
| 96 std::cout << "NOTE: CertPathBuilder does not currently use OS trust settings " |
| 97 "(--roots must be specified).\n"; |
| 98 std::cerr << "WARNING: --hostname is not yet verified with CertPathBuilder\n"; |
| 99 |
| 100 base::Time::Exploded exploded_time; |
| 101 at_time.UTCExplode(&exploded_time); |
| 102 net::der::GeneralizedTime time = ConvertExplodedTime(exploded_time); |
| 103 |
| 104 net::TrustStore trust_store; |
| 105 for (const auto& der_cert : root_der_certs) { |
| 106 scoped_refptr<net::ParsedCertificate> cert = |
| 107 net::ParsedCertificate::CreateFromCertificateCopy(der_cert.der_cert, |
| 108 {}); |
| 109 if (!cert) |
| 110 PrintCertError("ERROR: ParsedCertificate failed:", der_cert); |
| 111 else |
| 112 trust_store.AddTrustedCertificate(cert); |
| 113 } |
| 114 |
| 115 net::CertIssuerSourceStatic intermediate_cert_issuer_source; |
| 116 for (const auto& der_cert : intermediate_der_certs) { |
| 117 scoped_refptr<net::ParsedCertificate> cert = |
| 118 net::ParsedCertificate::CreateFromCertificateCopy(der_cert.der_cert, |
| 119 {}); |
| 120 if (!cert) |
| 121 PrintCertError("ERROR: ParsedCertificate failed:", der_cert); |
| 122 else |
| 123 intermediate_cert_issuer_source.AddCert(cert); |
| 124 } |
| 125 |
| 126 scoped_refptr<net::ParsedCertificate> target_cert = |
| 127 net::ParsedCertificate::CreateFromCertificateCopy( |
| 128 target_der_cert.der_cert, {}); |
| 129 if (!target_cert) { |
| 130 PrintCertError("ERROR: ParsedCertificate failed:", target_der_cert); |
| 131 return false; |
| 132 } |
| 133 |
| 134 // Verify the chain. |
| 135 net::SimpleSignaturePolicy signature_policy(2048); |
| 136 net::CertPathBuilder::Result result; |
| 137 net::CertPathBuilder path_builder(target_cert, &trust_store, |
| 138 &signature_policy, time, &result); |
| 139 path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source); |
| 140 |
| 141 // TODO(mattm): add command line flags to configure using CertIssuerSourceAia |
| 142 // (similar to VERIFY_CERT_IO_ENABLED flag for CertVerifyProc). |
| 143 net::URLRequestContextBuilder url_request_context_builder; |
| 144 url_request_context_builder.set_user_agent(GetUserAgent()); |
| 145 #if defined(OS_LINUX) |
| 146 // On Linux, use a fixed ProxyConfigService, since the default one |
| 147 // depends on glib. |
| 148 // |
| 149 // TODO(akalin): Remove this once http://crbug.com/146421 is fixed. |
| 150 url_request_context_builder.set_proxy_config_service( |
| 151 base::WrapUnique(new net::ProxyConfigServiceFixed(net::ProxyConfig()))); |
| 152 #endif |
| 153 std::unique_ptr<net::URLRequestContext> url_request_context = |
| 154 url_request_context_builder.Build(); |
| 155 net::CertNetFetcherImpl cert_net_fetcher(url_request_context.get()); |
| 156 net::CertIssuerSourceAia aia_cert_issuer_source(&cert_net_fetcher); |
| 157 path_builder.AddCertIssuerSource(&aia_cert_issuer_source); |
| 158 |
| 159 net::TestClosure callback; |
| 160 net::CompletionStatus rv = path_builder.Run(callback.closure()); |
| 161 |
| 162 if (rv == net::CompletionStatus::ASYNC) { |
| 163 DVLOG(1) << "waiting for async completion..."; |
| 164 callback.WaitForResult(); |
| 165 DVLOG(1) << "async completed."; |
| 166 } |
| 167 |
| 168 std::cout << "CertPathBuilder best result: " |
| 169 << net::ErrorToShortString(result.error()) << "\n"; |
| 170 |
| 171 for (size_t i = 0; i < result.paths.size(); ++i) { |
| 172 std::cout << "path " << i << " " |
| 173 << net::ErrorToShortString(result.paths[i]->error) |
| 174 << ((result.best_result_index == i) ? " (best)" : "") << "\n"; |
| 175 for (const auto& cert : result.paths[i]->path) { |
| 176 std::cout << " " << FingerPrintParsedCertificate(cert.get()) << " " |
| 177 << SubjectFromParsedCertificate(cert.get()) << "\n"; |
| 178 } |
| 179 } |
| 180 |
| 181 // TODO(mattm): add flag to dump all paths, not just the final one? |
| 182 if (!dump_prefix_path.empty() && result.paths.size()) { |
| 183 if (!DumpParsedCertificateChain( |
| 184 dump_prefix_path.AddExtension( |
| 185 FILE_PATH_LITERAL(".CertPathBuilder.pem")), |
| 186 result.paths[result.best_result_index]->path)) { |
| 187 return false; |
| 188 } |
| 189 } |
| 190 |
| 191 return result.error() == net::OK; |
| 192 } |
OLD | NEW |