Chromium Code Reviews Chromium Code Reviews
Issue 23710003:
Added NetworkingPrivateCrypto and its unit test. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: chrome/browser/extensions/api/networking_private/networking_private_crypto.cc |
| diff --git a/chrome/browser/extensions/api/networking_private/networking_private_crypto.cc b/chrome/browser/extensions/api/networking_private/networking_private_crypto.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..e3b1ce2aa69c8f358cdfea5c707b2db19d12dcca |
| --- /dev/null |
| +++ b/chrome/browser/extensions/api/networking_private/networking_private_crypto.cc |
| @@ -0,0 +1,211 @@ |
| +// Copyright 2013 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "chrome/browser/extensions/api/networking_private/networking_private_crypto.h" |
| + |
| +#include <cert.h> |
| +#include <cryptohi.h> |
| +#include <keyhi.h> |
| +#include <keythi.h> |
| +#include <pk11pub.h> |
| +#include <sechash.h> |
| +#include <secport.h> |
| + |
| +#include "base/base64.h" |
| +#include "base/memory/scoped_ptr.h" |
| +#include "base/strings/string_number_conversions.h" |
| +#include "base/strings/string_util.h" |
| +#include "base/strings/stringprintf.h" |
| +#include "crypto/nss_util.h" |
| +#include "crypto/rsa_private_key.h" |
| +#include "crypto/scoped_nss_types.h" |
| +#include "net/cert/pem_tokenizer.h" |
| +#include "net/cert/x509_certificate.h" |
| + |
| +const char kTrustedCAPublicKeyDER[] = |
| + "MIIBCgKCAQEAvCKAvYD2OiEAO652XjV/PcNkXFWUhjQvBYcozfdpjBezUKe4gvrfx0Mt1n6roG" |
| + "+3E3KApEcVwSCZUM3sFGIJW6SYzdJBtjZO/+guMjBKgahCo2ybM27KsvVTZuAnU4YahR6nOT9K" |
| + "d477VGZm+1hUwF45x/VQBgvgitTO4WpVH4sXAOZpoyfmCCVpPBKdjQUs1i6iMd60UlDWIEneca" |
| + "D5rSBAEvHdJevV5rg29NaPf8pD3NcQW+Y/UYqFs/P/9gMtyyNPnK0Y55MFjKxSmvdM6Zl6vm5+" |
| + "TQrjxhypk/o6pZFdHL1m68xg3IZ0ys/4khyYfVf6YUeeq4C35EiAKpLFGwIDAQAB"; |
| + |
| +namespace { |
| +bool GetDERFromPEM(const std::string& pem_data, |
| + const std::string& pem_type, |
| + std::string* der_output) { |
| + std::vector<std::string> headers; |
| + headers.push_back(pem_type); |
| + net::PEMTokenizer pem_tok(pem_data, headers); |
| + if (!pem_tok.GetNext()) { |
| + return false; |
| + } |
| + |
| + *der_output = pem_tok.data(); |
| + return true; |
| +} |
| + |
| +} // namespace |
| + |
| +namespace crypto { |
| +typedef scoped_ptr_malloc< |
| + CERTCertificate, |
| + ::crypto::NSSDestroyer<CERTCertificate, |
| + CERT_DestroyCertificate> > |
| + ScopedCERTCertificate; |
|
Ryan Sleevi
2013/08/29 21:30:43
Clang-format messing up again. May be worth filing
mef
2013/08/30 17:07:39
Done.
|
| +} // namespace crypto |
| + |
| +NetworkingPrivateCrypto::NetworkingPrivateCrypto() {} |
| + |
| +NetworkingPrivateCrypto::~NetworkingPrivateCrypto() {} |
| + |
| +bool NetworkingPrivateCrypto::VerifyCredentials( |
| + const std::string& certificate, |
| + const std::string& signed_data, |
| + const std::string& unsigned_data, |
| + const std::string& connected_mac) { |
| + crypto::EnsureNSSInit(); |
| + |
| + std::string cert_data; |
| + if (!GetDERFromPEM(certificate, "CERTIFICATE", &cert_data)) { |
| + LOG(ERROR) << "Failed to parse certificate."; |
| + return false; |
| + } |
| + SECItem der_cert = { |
| + siDERCertBuffer, |
| + reinterpret_cast<unsigned char*>(const_cast<char*>(cert_data.c_str())), |
| + cert_data.length()}; |
| + // Parse into a certificate structure. |
| + crypto::ScopedCERTCertificate cert(CERT_NewTempCertificate( |
| + CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE)); |
| + if (!cert.get()) { |
| + LOG(ERROR) << "Failed to parse certificate."; |
| + return false; |
| + } |
| + // Check that the certificate is signed by trusted CA. |
| + std::string ca_key_der; |
| + base::Base64Decode(kTrustedCAPublicKeyDER, &ca_key_der); |
| + SECItem trusted_ca_key_der_item = { |
| + siDERCertBuffer, |
| + reinterpret_cast<unsigned char*>(const_cast<char*>(ca_key_der.c_str())), |
| + ca_key_der.size()}; |
| + crypto::ScopedSECKEYPublicKey ca_public_key( |
| + SECKEY_ImportDERPublicKey(&trusted_ca_key_der_item, CKK_RSA)); |
| + SECStatus verified = CERT_VerifySignedDataWithPublicKey( |
| + &cert->signatureWrap, ca_public_key.get(), NULL); |
| + if (verified != SECSuccess) { |
| + LOG(ERROR) << "Certificate is not issued by trusted CA."; |
| + return false; |
| + } |
| + |
| + // Check that the device listed in the certificate is correct. |
| + // Something like evt_e161 001a11ffacdf |
| + char* common_name = CERT_GetCommonName(&cert->subject); |
| + if (!common_name) { |
| + LOG(ERROR) << "Certificate does not have common name."; |
| + return false; |
| + } |
| + |
| + std::string subject_name(common_name); |
| + PORT_Free(common_name); |
| + std::string translated_mac; |
| + RemoveChars(connected_mac, ":", &translated_mac); |
| + if (!EndsWith(subject_name, translated_mac, false)) { |
| + LOG(ERROR) << "MAC addresses don't match."; |
| + return false; |
| + } |
| + |
| + // Make sure that the certificate matches the unsigned data presented. |
| + // Verify that hash(unsigned_data) == public(signed_data) |
|
Ryan Sleevi
2013/08/29 21:30:43
This comment doesn't really make sense, especially
mef
2013/08/30 17:07:39
Done.
|
| + crypto::ScopedSECKEYPublicKey public_key(CERT_ExtractPublicKey(cert.get())); |
| + if (!public_key.get()) { |
| + LOG(ERROR) << "Unable to extract public key from certificate."; |
| + return false; |
| + } |
| + SECItem signature_item = { |
| + siBuffer, |
| + reinterpret_cast<unsigned char*>(const_cast<char*>(signed_data.c_str())), |
| + static_cast<unsigned int>(signed_data.size())}; |
| + verified = VFY_VerifyDataDirect(reinterpret_cast<unsigned char*>( |
| + const_cast<char*>(unsigned_data.c_str())), unsigned_data.size(), |
| + public_key.get(), &signature_item, SEC_OID_PKCS1_RSA_ENCRYPTION, |
| + SEC_OID_SHA1, NULL, NULL); |
| + if (verified != SECSuccess) { |
| + LOG(ERROR) << "Signed blobs did not match."; |
| + return false; |
| + } |
| + return true; |
| +} |
| + |
| +bool NetworkingPrivateCrypto::EncryptByteString(const std::string& pub_key_der, |
| + const std::string& data, |
| + std::string* encrypted_output) { |
| + crypto::EnsureNSSInit(); |
| + |
| + SECItem pub_key_der_item = { |
| + siDERCertBuffer, |
| + reinterpret_cast<unsigned char*>(const_cast<char*>(pub_key_der.c_str())), |
| + pub_key_der.size()}; |
| + crypto::ScopedSECKEYPublicKey public_key(SECKEY_ImportDERPublicKey( |
| + &pub_key_der_item, CKK_RSA)); |
| + if (!public_key.get()) { |
| + LOG(ERROR) << "Failed to parse public key."; |
| + return false; |
| + } |
| + |
| + size_t encrypted_length = SECKEY_SignatureLen(public_key.get()); |
| + scoped_ptr<unsigned char[]> rsa_output(new unsigned char[encrypted_length]); |
| + SECStatus encrypted = PK11_PubEncryptPKCS1( |
| + public_key.get(), |
| + rsa_output.get(), |
| + reinterpret_cast<unsigned char*>(const_cast<char*>(data.data())), |
| + data.length(), |
| + NULL); |
| + if (encrypted != SECSuccess) { |
| + LOG(ERROR) << "Error during encryption."; |
| + return false; |
| + } |
| + encrypted_output->assign(reinterpret_cast<char*>(rsa_output.get()), |
| + encrypted_length); |
| + return true; |
| +} |
| + |
| +bool NetworkingPrivateCrypto::DecryptByteString( |
| + const std::string& private_key_pem, |
| + const std::string& encrypted_data, |
| + std::string* decrypted_output) { |
| + crypto::EnsureNSSInit(); |
| + |
| + std::string private_key_der; |
| + if (!GetDERFromPEM(private_key_pem, "PRIVATE KEY", &private_key_der)) { |
| + LOG(ERROR) << "Failed to parse private key PEM."; |
| + return false; |
| + } |
| + std::vector<uint8> private_key_data(private_key_der.begin(), |
| + private_key_der.end()); |
| + scoped_ptr<crypto::RSAPrivateKey> private_key( |
| + crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(private_key_data)); |
| + if (!private_key || !private_key->public_key()) { |
| + LOG(ERROR) << "Failed to parse private key DER."; |
| + return false; |
| + } |
| + |
| + size_t encrypted_length = SECKEY_SignatureLen(private_key->public_key()); |
| + scoped_ptr<unsigned char[]> rsa_output(new unsigned char[encrypted_length]); |
| + unsigned int output_length = 0; |
| + SECStatus decrypted = |
| + PK11_PrivDecryptPKCS1(private_key->key(), |
| + rsa_output.get(), |
| + &output_length, |
| + encrypted_length, |
| + reinterpret_cast<unsigned char*>( |
| + const_cast<char*>(encrypted_data.data())), |
| + encrypted_data.length()); |
| + if (decrypted != SECSuccess) { |
| + LOG(ERROR) << "Error during encryption."; |
| + return false; |
| + } |
| + decrypted_output->assign(reinterpret_cast<char*>(rsa_output.get()), |
| + output_length); |
| + return true; |
| +} |
