OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_signed_data.h" | 5 #include "net/cert/internal/verify_signed_data.h" |
6 | 6 |
7 #include "base/compiler_specific.h" | 7 #include "base/compiler_specific.h" |
8 #include "base/logging.h" | 8 #include "base/logging.h" |
9 #include "base/numerics/safe_math.h" | 9 #include "base/numerics/safe_math.h" |
10 #include "crypto/openssl_util.h" | 10 #include "crypto/openssl_util.h" |
(...skipping 22 matching lines...) Expand all Loading... |
33 DEFINE_CERT_ERROR_ID(kUnacceptableEcdsaCurve, | 33 DEFINE_CERT_ERROR_ID(kUnacceptableEcdsaCurve, |
34 "Unacceptable curve for ECDSA key"); | 34 "Unacceptable curve for ECDSA key"); |
35 DEFINE_CERT_ERROR_ID(kSignatureVerificationFailed, | 35 DEFINE_CERT_ERROR_ID(kSignatureVerificationFailed, |
36 "Signature verification failed"); | 36 "Signature verification failed"); |
37 | 37 |
38 // Converts a DigestAlgorithm to an equivalent EVP_MD*. | 38 // Converts a DigestAlgorithm to an equivalent EVP_MD*. |
39 WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) { | 39 WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) { |
40 *out = nullptr; | 40 *out = nullptr; |
41 | 41 |
42 switch (digest) { | 42 switch (digest) { |
| 43 case DigestAlgorithm::Md2: |
| 44 case DigestAlgorithm::Md4: |
| 45 case DigestAlgorithm::Md5: |
| 46 // Unsupported. |
| 47 break; |
43 case DigestAlgorithm::Sha1: | 48 case DigestAlgorithm::Sha1: |
44 *out = EVP_sha1(); | 49 *out = EVP_sha1(); |
45 break; | 50 break; |
46 case DigestAlgorithm::Sha256: | 51 case DigestAlgorithm::Sha256: |
47 *out = EVP_sha256(); | 52 *out = EVP_sha256(); |
48 break; | 53 break; |
49 case DigestAlgorithm::Sha384: | 54 case DigestAlgorithm::Sha384: |
50 *out = EVP_sha384(); | 55 *out = EVP_sha384(); |
51 break; | 56 break; |
52 case DigestAlgorithm::Sha512: | 57 case DigestAlgorithm::Sha512: |
(...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
285 | 290 |
286 } // namespace | 291 } // namespace |
287 | 292 |
288 bool VerifySignedData(const SignatureAlgorithm& signature_algorithm, | 293 bool VerifySignedData(const SignatureAlgorithm& signature_algorithm, |
289 const der::Input& signed_data, | 294 const der::Input& signed_data, |
290 const der::BitString& signature_value, | 295 const der::BitString& signature_value, |
291 const der::Input& public_key_spki, | 296 const der::Input& public_key_spki, |
292 const SignaturePolicy* policy, | 297 const SignaturePolicy* policy, |
293 CertErrors* errors) { | 298 CertErrors* errors) { |
294 if (!policy->IsAcceptableSignatureAlgorithm(signature_algorithm, errors)) { | 299 if (!policy->IsAcceptableSignatureAlgorithm(signature_algorithm, errors)) { |
| 300 // TODO(crbug.com/634443): Include the DER for the AlgorithmIdentifier |
295 errors->AddError(kUnacceptableSignatureAlgorithm); | 301 errors->AddError(kUnacceptableSignatureAlgorithm); |
296 return false; | 302 return false; |
297 } | 303 } |
298 | 304 |
299 bssl::UniquePtr<EVP_PKEY> public_key; | 305 bssl::UniquePtr<EVP_PKEY> public_key; |
300 | 306 |
301 // Parse the SPKI to an EVP_PKEY appropriate for the signature algorithm. | 307 // Parse the SPKI to an EVP_PKEY appropriate for the signature algorithm. |
302 switch (signature_algorithm.algorithm()) { | 308 switch (signature_algorithm.algorithm()) { |
303 case SignatureAlgorithmId::RsaPkcs1: | 309 case SignatureAlgorithmId::RsaPkcs1: |
304 case SignatureAlgorithmId::RsaPss: | 310 case SignatureAlgorithmId::RsaPss: |
305 if (!ParseRsaKeyFromSpki(public_key_spki, &public_key, policy, errors)) | 311 if (!ParseRsaKeyFromSpki(public_key_spki, &public_key, policy, errors)) |
306 return false; | 312 return false; |
307 break; | 313 break; |
308 case SignatureAlgorithmId::Ecdsa: | 314 case SignatureAlgorithmId::Ecdsa: |
309 if (!ParseEcKeyFromSpki(public_key_spki, &public_key, policy, errors)) | 315 if (!ParseEcKeyFromSpki(public_key_spki, &public_key, policy, errors)) |
310 return false; | 316 return false; |
311 break; | 317 break; |
312 } | 318 } |
313 | 319 |
314 if (!DoVerify(signature_algorithm, signed_data, signature_value, | 320 if (!DoVerify(signature_algorithm, signed_data, signature_value, |
315 public_key.get())) { | 321 public_key.get())) { |
316 errors->AddError(kSignatureVerificationFailed); | 322 errors->AddError(kSignatureVerificationFailed); |
317 return false; | 323 return false; |
318 } | 324 } |
319 | 325 |
320 return true; | 326 return true; |
321 } | 327 } |
322 | 328 |
323 } // namespace net | 329 } // namespace net |
OLD | NEW |