| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/cast_certificate/cast_crl.h" | 5 #include "components/cast_certificate/cast_crl.h" |
| 6 | 6 |
| 7 #include <unordered_map> | 7 #include <unordered_map> |
| 8 #include <unordered_set> | 8 #include <unordered_set> |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| 11 #include "base/memory/ptr_util.h" | 11 #include "base/memory/ptr_util.h" |
| 12 #include "base/memory/singleton.h" | 12 #include "base/memory/singleton.h" |
| 13 #include "components/cast_certificate/proto/revocation.pb.h" | 13 #include "components/cast_certificate/proto/revocation.pb.h" |
| 14 #include "crypto/sha2.h" | 14 #include "crypto/sha2.h" |
| 15 #include "net/cert/internal/cert_errors.h" |
| 15 #include "net/cert/internal/parse_certificate.h" | 16 #include "net/cert/internal/parse_certificate.h" |
| 16 #include "net/cert/internal/parsed_certificate.h" | 17 #include "net/cert/internal/parsed_certificate.h" |
| 17 #include "net/cert/internal/path_builder.h" | 18 #include "net/cert/internal/path_builder.h" |
| 18 #include "net/cert/internal/signature_algorithm.h" | 19 #include "net/cert/internal/signature_algorithm.h" |
| 19 #include "net/cert/internal/signature_policy.h" | 20 #include "net/cert/internal/signature_policy.h" |
| 20 #include "net/cert/internal/trust_store_in_memory.h" | 21 #include "net/cert/internal/trust_store_in_memory.h" |
| 21 #include "net/cert/internal/verify_certificate_chain.h" | 22 #include "net/cert/internal/verify_certificate_chain.h" |
| 22 #include "net/cert/internal/verify_signed_data.h" | 23 #include "net/cert/internal/verify_signed_data.h" |
| 23 #include "net/cert/x509_certificate.h" | 24 #include "net/cert/x509_certificate.h" |
| 24 #include "net/der/encode_values.h" | 25 #include "net/der/encode_values.h" |
| 25 #include "net/der/input.h" | 26 #include "net/der/input.h" |
| 27 #include "net/der/parse_values.h" |
| 26 #include "net/der/parser.h" | 28 #include "net/der/parser.h" |
| 27 #include "net/der/parse_values.h" | |
| 28 | 29 |
| 29 namespace cast_certificate { | 30 namespace cast_certificate { |
| 30 namespace { | 31 namespace { |
| 31 | 32 |
| 32 enum CrlVersion { | 33 enum CrlVersion { |
| 33 // version 0: Spki Hash Algorithm = SHA-256 | 34 // version 0: Spki Hash Algorithm = SHA-256 |
| 34 // Signature Algorithm = RSA-PKCS1 V1.5 with SHA-256 | 35 // Signature Algorithm = RSA-PKCS1 V1.5 with SHA-256 |
| 35 CRL_VERSION_0 = 0, | 36 CRL_VERSION_0 = 0, |
| 36 }; | 37 }; |
| 37 | 38 |
| (...skipping 17 matching lines...) Expand all Loading... |
| 55 CastCRLTrustStore>>::get(); | 56 CastCRLTrustStore>>::get(); |
| 56 } | 57 } |
| 57 | 58 |
| 58 static net::TrustStore& Get() { return GetInstance()->store_; } | 59 static net::TrustStore& Get() { return GetInstance()->store_; } |
| 59 | 60 |
| 60 private: | 61 private: |
| 61 friend struct base::DefaultSingletonTraits<CastCRLTrustStore>; | 62 friend struct base::DefaultSingletonTraits<CastCRLTrustStore>; |
| 62 | 63 |
| 63 CastCRLTrustStore() { | 64 CastCRLTrustStore() { |
| 64 // Initialize the trust store with the root certificate. | 65 // Initialize the trust store with the root certificate. |
| 66 net::CertErrors errors; |
| 65 scoped_refptr<net::ParsedCertificate> cert = | 67 scoped_refptr<net::ParsedCertificate> cert = |
| 66 net::ParsedCertificate::CreateFromCertificateData( | 68 net::ParsedCertificate::CreateWithoutCopyingUnsafe( |
| 67 kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer), | 69 kCastCRLRootCaDer, sizeof(kCastCRLRootCaDer), {}, &errors); |
| 68 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}); | 70 CHECK(cert) << errors.ToDebugString(); |
| 69 CHECK(cert); | |
| 70 // Enforce pathlen constraints and policies defined on the root certificate. | 71 // Enforce pathlen constraints and policies defined on the root certificate. |
| 71 scoped_refptr<net::TrustAnchor> anchor = | 72 scoped_refptr<net::TrustAnchor> anchor = |
| 72 net::TrustAnchor::CreateFromCertificateWithConstraints(std::move(cert)); | 73 net::TrustAnchor::CreateFromCertificateWithConstraints(std::move(cert)); |
| 73 CHECK(anchor); | 74 CHECK(anchor); |
| 74 store_.AddTrustAnchor(std::move(anchor)); | 75 store_.AddTrustAnchor(std::move(anchor)); |
| 75 } | 76 } |
| 76 | 77 |
| 77 net::TrustStoreInMemory store_; | 78 net::TrustStoreInMemory store_; |
| 78 DISALLOW_COPY_AND_ASSIGN(CastCRLTrustStore); | 79 DISALLOW_COPY_AND_ASSIGN(CastCRLTrustStore); |
| 79 }; | 80 }; |
| (...skipping 20 matching lines...) Expand all Loading... |
| 100 // certificate and signature in |crl|. The validity of |tbs_crl| is verified | 101 // certificate and signature in |crl|. The validity of |tbs_crl| is verified |
| 101 // at |time|. The validity period of the CRL is adjusted to be the earliest | 102 // at |time|. The validity period of the CRL is adjusted to be the earliest |
| 102 // of the issuer certificate chain's expiration and the CRL's expiration and | 103 // of the issuer certificate chain's expiration and the CRL's expiration and |
| 103 // the result is stored in |overall_not_after|. | 104 // the result is stored in |overall_not_after|. |
| 104 bool VerifyCRL(const Crl& crl, | 105 bool VerifyCRL(const Crl& crl, |
| 105 const TbsCrl& tbs_crl, | 106 const TbsCrl& tbs_crl, |
| 106 const base::Time& time, | 107 const base::Time& time, |
| 107 net::TrustStore* trust_store, | 108 net::TrustStore* trust_store, |
| 108 net::der::GeneralizedTime* overall_not_after) { | 109 net::der::GeneralizedTime* overall_not_after) { |
| 109 // Verify the trust of the CRL authority. | 110 // Verify the trust of the CRL authority. |
| 111 net::CertErrors parse_errors; |
| 110 scoped_refptr<net::ParsedCertificate> parsed_cert = | 112 scoped_refptr<net::ParsedCertificate> parsed_cert = |
| 111 net::ParsedCertificate::CreateFromCertificateData( | 113 net::ParsedCertificate::Create(crl.signer_cert(), {}, &parse_errors); |
| 112 reinterpret_cast<const uint8_t*>(crl.signer_cert().data()), | |
| 113 crl.signer_cert().size(), | |
| 114 net::ParsedCertificate::DataSource::EXTERNAL_REFERENCE, {}); | |
| 115 if (parsed_cert == nullptr) { | 114 if (parsed_cert == nullptr) { |
| 116 VLOG(2) << "CRL - Issuer certificate parsing failed."; | 115 VLOG(2) << "CRL - Issuer certificate parsing failed:\n" |
| 116 << parse_errors.ToDebugString(); |
| 117 return false; | 117 return false; |
| 118 } | 118 } |
| 119 | 119 |
| 120 // Wrap the signature in a BitString. | 120 // Wrap the signature in a BitString. |
| 121 net::der::BitString signature_value_bit_string = net::der::BitString( | 121 net::der::BitString signature_value_bit_string = net::der::BitString( |
| 122 net::der::Input(base::StringPiece(crl.signature())), 0); | 122 net::der::Input(base::StringPiece(crl.signature())), 0); |
| 123 | 123 |
| 124 // Verify the signature. | 124 // Verify the signature. |
| 125 auto signature_policy = CreateCastSignaturePolicy(); | 125 auto signature_policy = CreateCastSignaturePolicy(); |
| 126 std::unique_ptr<net::SignatureAlgorithm> signature_algorithm_type = | 126 std::unique_ptr<net::SignatureAlgorithm> signature_algorithm_type = |
| 127 net::SignatureAlgorithm::CreateRsaPkcs1(net::DigestAlgorithm::Sha256); | 127 net::SignatureAlgorithm::CreateRsaPkcs1(net::DigestAlgorithm::Sha256); |
| 128 net::CertErrors errors; | 128 net::CertErrors verify_errors; |
| 129 if (!VerifySignedData(*signature_algorithm_type, | 129 if (!VerifySignedData(*signature_algorithm_type, |
| 130 net::der::Input(&crl.tbs_crl()), | 130 net::der::Input(&crl.tbs_crl()), |
| 131 signature_value_bit_string, parsed_cert->tbs().spki_tlv, | 131 signature_value_bit_string, parsed_cert->tbs().spki_tlv, |
| 132 signature_policy.get(), &errors)) { | 132 signature_policy.get(), &verify_errors)) { |
| 133 // TODO(634443): Dump the error information. | 133 VLOG(2) << "CRL - Signature verification failed:\n" |
| 134 VLOG(2) << "CRL - Signature verification failed."; | 134 << verify_errors.ToDebugString(); |
| 135 return false; | 135 return false; |
| 136 } | 136 } |
| 137 | 137 |
| 138 // Verify the issuer certificate. | 138 // Verify the issuer certificate. |
| 139 net::der::GeneralizedTime verification_time; | 139 net::der::GeneralizedTime verification_time; |
| 140 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) { | 140 if (!net::der::EncodeTimeAsGeneralizedTime(time, &verification_time)) { |
| 141 VLOG(2) << "CRL - Unable to parse verification time."; | 141 VLOG(2) << "CRL - Unable to parse verification time."; |
| 142 return false; | 142 return false; |
| 143 } | 143 } |
| 144 net::CertPathBuilder::Result result; | 144 net::CertPathBuilder::Result result; |
| (...skipping 209 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 354 } | 354 } |
| 355 | 355 |
| 356 std::unique_ptr<CastCRL> ParseAndVerifyCRLForTest( | 356 std::unique_ptr<CastCRL> ParseAndVerifyCRLForTest( |
| 357 const std::string& crl_proto, | 357 const std::string& crl_proto, |
| 358 const base::Time& time, | 358 const base::Time& time, |
| 359 net::TrustStore* trust_store) { | 359 net::TrustStore* trust_store) { |
| 360 return ParseAndVerifyCRL(crl_proto, time, trust_store); | 360 return ParseAndVerifyCRL(crl_proto, time, trust_store); |
| 361 } | 361 } |
| 362 | 362 |
| 363 } // namespace cast_certificate | 363 } // namespace cast_certificate |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2327973002:
Add CertErrors* parameter to the main Certificate parsing functions. (Closed)
