net/quic/crypto/proof_verifier_chromium.cc - Issue 22647002: Add support to QUIC for QUIC_VERSION_8: for RSA-PSS signatures, set

Side by Side Diff: net/quic/crypto/proof_verifier_chromium.cc

Issue 22647002: Add support to QUIC for QUIC_VERSION_8: for RSA-PSS signatures, set (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/quic/crypto/proof_verifier_chromium.h"	5 #include "net/quic/crypto/proof_verifier_chromium.h"

6	6

7 #include "base/bind.h"	7 #include "base/bind.h"

8 #include "base/bind_helpers.h"	8 #include "base/bind_helpers.h"

9 #include "base/callback_helpers.h"	9 #include "base/callback_helpers.h"

10 #include "base/compiler_specific.h"	10 #include "base/compiler_specific.h"

(...skipping 24 matching lines...) Expand all Loading...
35 : cert_verifier_(cert_verifier),	35 : cert_verifier_(cert_verifier),

36 next_state_(STATE_NONE),	36 next_state_(STATE_NONE),

37 net_log_(net_log) {	37 net_log_(net_log) {

38 }	38 }

39	39

40 ProofVerifierChromium::~ProofVerifierChromium() {	40 ProofVerifierChromium::~ProofVerifierChromium() {

41 verifier_.reset();	41 verifier_.reset();

42 }	42 }

43	43

44 ProofVerifierChromium::Status ProofVerifierChromium::VerifyProof(	44 ProofVerifierChromium::Status ProofVerifierChromium::VerifyProof(

	45 QuicVersion version,

45 const string& hostname,	46 const string& hostname,

46 const string& server_config,	47 const string& server_config,

47 const vector<string>& certs,	48 const vector<string>& certs,

48 const string& signature,	49 const string& signature,

49 std::string* error_details,	50 std::string* error_details,

50 scoped_ptr<ProofVerifyDetails>* details,	51 scoped_ptr<ProofVerifyDetails>* details,

51 ProofVerifierCallback* callback) {	52 ProofVerifierCallback* callback) {

52 DCHECK(error_details);	53 DCHECK(error_details);

53 DCHECK(details);	54 DCHECK(details);

54 DCHECK(callback);	55 DCHECK(callback);

(...skipping 27 matching lines...) Expand all Loading...
82 if (!cert_.get()) {	83 if (!cert_.get()) {

83 *error_details = "Failed to create certificate chain";	84 *error_details = "Failed to create certificate chain";

84 DLOG(WARNING) << *error_details;	85 DLOG(WARNING) << *error_details;

85 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;	86 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;

86 details->reset(verify_details_.release());	87 details->reset(verify_details_.release());

87 return FAILURE;	88 return FAILURE;

88 }	89 }

89	90

90 // We call VerifySignature first to avoid copying of server_config and	91 // We call VerifySignature first to avoid copying of server_config and

91 // signature.	92 // signature.

92 if (!VerifySignature(server_config, signature, certs[0])) {	93 if (!VerifySignature(version, server_config, signature, certs[0])) {

93 *error_details = "Failed to verify signature of server config";	94 *error_details = "Failed to verify signature of server config";

94 DLOG(WARNING) << *error_details;	95 DLOG(WARNING) << *error_details;

95 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;	96 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;

96 details->reset(verify_details_.release());	97 details->reset(verify_details_.release());

97 return FAILURE;	98 return FAILURE;

98 }	99 }

99	100

100 hostname_ = hostname;	101 hostname_ = hostname;

101	102

102 next_state_ = STATE_VERIFY_CERT;	103 next_state_ = STATE_VERIFY_CERT;

(...skipping 66 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
169 ErrorToString(result));	170 ErrorToString(result));

170 DLOG(WARNING) << error_details_;	171 DLOG(WARNING) << error_details_;

171 result = ERR_FAILED;	172 result = ERR_FAILED;

172 }	173 }

173	174

174 // Exit DoLoop and return the result to the caller to VerifyProof.	175 // Exit DoLoop and return the result to the caller to VerifyProof.

175 DCHECK_EQ(STATE_NONE, next_state_);	176 DCHECK_EQ(STATE_NONE, next_state_);

176 return result;	177 return result;

177 }	178 }

178	179

179 bool ProofVerifierChromium::VerifySignature(const string& signed_data,	180 bool ProofVerifierChromium::VerifySignature(QuicVersion version,

	181 const string& signed_data,

180 const string& signature,	182 const string& signature,

181 const string& cert) {	183 const string& cert) {

182 StringPiece spki;	184 StringPiece spki;

183 if (!asn1::ExtractSPKIFromDERCert(cert, &spki)) {	185 if (!asn1::ExtractSPKIFromDERCert(cert, &spki)) {

184 DLOG(WARNING) << "ExtractSPKIFromDERCert failed";	186 DLOG(WARNING) << "ExtractSPKIFromDERCert failed";

185 return false;	187 return false;

186 }	188 }

187	189

188 crypto::SignatureVerifier verifier;	190 crypto::SignatureVerifier verifier;

189	191

190 size_t size_bits;	192 size_t size_bits;

191 X509Certificate::PublicKeyType type;	193 X509Certificate::PublicKeyType type;

192 X509Certificate::GetPublicKeyInfo(cert_->os_cert_handle(), &size_bits,	194 X509Certificate::GetPublicKeyInfo(cert_->os_cert_handle(), &size_bits,

193 &type);	195 &type);

194 if (type == X509Certificate::kPublicKeyTypeRSA) {	196 if (type == X509Certificate::kPublicKeyTypeRSA) {

195 crypto::SignatureVerifier::HashAlgorithm hash_alg =	197 crypto::SignatureVerifier::HashAlgorithm hash_alg =

196 crypto::SignatureVerifier::SHA256;	198 crypto::SignatureVerifier::SHA256;

197 crypto::SignatureVerifier::HashAlgorithm mask_hash_alg = hash_alg;	199 crypto::SignatureVerifier::HashAlgorithm mask_hash_alg = hash_alg;

198 unsigned int hash_len = 32; // 32 is the length of a SHA-256 hash.	200 unsigned int hash_len = 32; // 32 is the length of a SHA-256 hash.

199 // TODO(wtc): change this to hash_len when we can change the wire format.	201 unsigned int salt_len =

200 unsigned int salt_len = signature.size() - hash_len - 2;	202 version >= QUIC_VERSION_8 ? hash_len : signature.size() - hash_len - 2;
	wtc 2013/08/08 00:37:33 This is the most important change, which selects t This is the most important change, which selects the salt length based on the Quic version.
201	203

202 bool ok = verifier.VerifyInitRSAPSS(	204 bool ok = verifier.VerifyInitRSAPSS(

203 hash_alg, mask_hash_alg, salt_len,	205 hash_alg, mask_hash_alg, salt_len,

204 reinterpret_cast<const uint8*>(signature.data()), signature.size(),	206 reinterpret_cast<const uint8*>(signature.data()), signature.size(),

205 reinterpret_cast<const uint8*>(spki.data()), spki.size());	207 reinterpret_cast<const uint8*>(spki.data()), spki.size());

206 if (!ok) {	208 if (!ok) {

207 DLOG(WARNING) << "VerifyInitRSAPSS failed";	209 DLOG(WARNING) << "VerifyInitRSAPSS failed";

208 return false;	210 return false;

209 }	211 }

210 } else if (type == X509Certificate::kPublicKeyTypeECDSA) {	212 } else if (type == X509Certificate::kPublicKeyTypeECDSA) {

(...skipping 37 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
248 if (!verifier.VerifyFinal()) {	250 if (!verifier.VerifyFinal()) {

249 DLOG(WARNING) << "VerifyFinal failed";	251 DLOG(WARNING) << "VerifyFinal failed";

250 return false;	252 return false;

251 }	253 }

252	254

253 DLOG(INFO) << "VerifyFinal success";	255 DLOG(INFO) << "VerifyFinal success";

254 return true;	256 return true;

255 }	257 }

256	258

257 } // namespace net	259 } // namespace net

OLD	NEW

« no previous file with comments | « net/quic/crypto/proof_verifier_chromium.h ('k') | net/quic/quic_crypto_client_stream.cc » ('j') | no next file with comments »