Add initial CertVerifyProcBuiltin.

net/cert/cert_verify_proc_builtin.cc

+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_verify_proc_builtin.h"
+
+#include <string>
+#include <vector>
+
+#if defined(USE_NSS_CERTS)
+#include <cert.h>
+#include <pk11pub.h>
+#endif
+
+#include "base/logging.h"
+#include "base/memory/ptr_util.h"
+#include "base/sha1.h"
+#include "base/strings/string_piece.h"
+#include "crypto/sha2.h"
+#include "net/base/net_errors.h"
+#include "net/cert/asn1_util.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/internal/cert_errors.h"
+#include "net/cert/internal/cert_issuer_source_static.h"
+#include "net/cert/internal/parsed_certificate.h"
+#include "net/cert/internal/path_builder.h"
+#include "net/cert/internal/signature_policy.h"
+#include "net/cert/internal/trust_store_collection.h"
+#include "net/cert/internal/trust_store_in_memory.h"
+#include "net/cert/internal/verify_certificate_chain.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
+#include "net/der/encode_values.h"
+
+#if defined(USE_NSS_CERTS)
+#include "crypto/nss_util.h"
+#include "net/cert/internal/cert_issuer_source_nss.h"
+#include "net/cert/internal/trust_store_nss.h"
+#include "net/cert/scoped_nss_types.h"
+#endif
+
+namespace net {
+
+namespace {
+
+class CertVerifyProcBuiltin : public CertVerifyProc {
+ public:
+  CertVerifyProcBuiltin();
+
+  bool SupportsAdditionalTrustAnchors() const override;
+  bool SupportsOCSPStapling() const override;
+
+ protected:
+  ~CertVerifyProcBuiltin() override;
+
+ private:
+  int VerifyInternal(X509Certificate* cert,
+                     const std::string& hostname,
+                     const std::string& ocsp_response,
+                     int flags,
+                     CRLSet* crl_set,
+                     const CertificateList& additional_trust_anchors,
+                     CertVerifyResult* verify_result) override;
+};
+
+CertVerifyProcBuiltin::CertVerifyProcBuiltin() {}
+
+CertVerifyProcBuiltin::~CertVerifyProcBuiltin() {}
+
+bool CertVerifyProcBuiltin::SupportsAdditionalTrustAnchors() const {
+  return true;
+}
+
+bool CertVerifyProcBuiltin::SupportsOCSPStapling() const {
+  // TODO(crbug.com/649017): Implement.
+  return false;
+}
+
+scoped_refptr<ParsedCertificate> ParseCertificateFromOSHandle(
+    X509Certificate::OSCertHandle cert_handle,
+    CertErrors* errors) {
+  std::string cert_bytes;
+  if (!X509Certificate::GetDEREncoded(cert_handle, &cert_bytes))
+    return nullptr;
+  return ParsedCertificate::Create(x509_util::CreateCryptoBuffer(cert_bytes),
+                                   {}, errors);
+}
+
+void AddIntermediatesToIssuerSource(X509Certificate* x509_cert,
+                                    CertIssuerSourceStatic* intermediates) {
+  const X509Certificate::OSCertHandles& cert_handles =
+      x509_cert->GetIntermediateCertificates();
+  CertErrors errors;
+  for (auto it = cert_handles.begin(); it != cert_handles.end(); ++it) {
+    scoped_refptr<ParsedCertificate> cert =
+        ParseCertificateFromOSHandle(*it, &errors);
+    if (cert)
+      intermediates->AddCert(std::move(cert));
+    // TODO(crbug.com/634443): Surface these parsing errors?
+  }
+}
+
+// The SystemTrustStore interface augments the TrustStore interface with some
+// additional functionality:
+//
+//  * Determine if a trust anchor was one of the known roots
+//  * Determine if a trust anchor was one of the "extra" ones that
+//    was specified during verification.
+//
+// Implementations of SystemTrustStore create an effective trust
+// store that is the composition of:
+//
+//  (1) System trust store
+//  (2) |additional_trust_anchors|.
+//  (3) Test certificates (if they are separate from system trust store)
+class SystemTrustStore {
+ public:
+  virtual ~SystemTrustStore() {}
+
+  virtual TrustStore* GetTrustStore() = 0;
+
+  // TODO(eroman): Can this be exposed through the TrustStore
+  //               interface instead?
+  virtual CertIssuerSource* GetCertIssuerSource() = 0;
+
+  // IsKnownRoot returns true if the given trust anchor is a standard one (as
+  // opposed to a user-installed root)
+  virtual bool IsKnownRoot(
+      const scoped_refptr<TrustAnchor>& trust_anchor) const = 0;
+
+  virtual bool IsAdditionalTrustAnchor(
+      const scoped_refptr<TrustAnchor>& trust_anchor) const = 0;
+};
+
+#if defined(USE_NSS_CERTS)
+class SystemTrustStoreNSS : public SystemTrustStore {
+ public:
+  explicit SystemTrustStoreNSS(const CertificateList& additional_trust_anchors)
+      : trust_store_nss_(trustSSL) {
+    CertErrors errors;
+
+    trust_store_.AddTrustStore(&additional_trust_store_);
+    for (const auto& x509_cert : additional_trust_anchors) {
+      scoped_refptr<ParsedCertificate> cert =
+          ParseCertificateFromOSHandle(x509_cert->os_cert_handle(), &errors);
+      if (cert) {
+        additional_trust_store_.AddTrustAnchor(
+            TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert)));
+      }
+      // TODO(eroman): Surface parsing errors of additional trust anchor.
+    }
+
+    trust_store_.AddTrustStore(&trust_store_nss_);
+  }
+
+  TrustStore* GetTrustStore() override { return &trust_store_; }
+
+  CertIssuerSource* GetCertIssuerSource() override {
+    return &cert_issuer_source_nss_;
+  }
+
+  // IsKnownRoot returns true if the given trust anchor is a standard one (as
+  // opposed to a user-installed root)
+  bool IsKnownRoot(
+      const scoped_refptr<TrustAnchor>& trust_anchor) const override {
+    // TODO(eroman): Based on how the TrustAnchors are created by this
+    // integration, there will always be an associated certificate. However this
+    // contradicts the API for TrustAnchor that states it is optional.
+    DCHECK(trust_anchor->cert());
+
+    // TODO(eroman): The overall approach of IsKnownRoot() is inefficient -- it
+    // requires searching for the trust anchor by DER in NSS, however path
+    // building already had a handle to it.
+    SECItem der_cert;
+    der_cert.data =
+        const_cast<uint8_t*>(trust_anchor->cert()->der_cert().UnsafeData());
+    der_cert.len = trust_anchor->cert()->der_cert().Length();
+    der_cert.type = siDERCertBuffer;
+    ScopedCERTCertificate nss_cert(
+        CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert));
+    if (!nss_cert)
+      return false;
+
+    return IsKnownRoot(nss_cert.get());
+  }
+
+  bool IsAdditionalTrustAnchor(
+      const scoped_refptr<TrustAnchor>& trust_anchor) const override {
+    return additional_trust_store_.Contains(trust_anchor.get());
+  }
+
+ private:
+  // TODO(eroman): This function was copied verbatim from
+  // cert_verify_proc_nss.cc
+  //
+  // IsKnownRoot returns true if the given certificate is one that we believe
+  // is a standard (as opposed to user-installed) root.
+  bool IsKnownRoot(CERTCertificate* root) const {
+    if (!root || !root->slot)
+      return false;
+
+    // This magic name is taken from
+    // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
+    return 0 == strcmp(PK11_GetSlotName(root->slot), "NSS Builtin Objects");
+  }
+
+  TrustStoreCollection trust_store_;
+  TrustStoreInMemory additional_trust_store_;
+
+  TrustStoreNSS trust_store_nss_;
+  CertIssuerSourceNSS cert_issuer_source_nss_;
+};
+#endif
+
+std::unique_ptr<SystemTrustStore> CreateSystemTrustStore(
+    const CertificateList& additional_trust_anchors) {
+#if defined(USE_NSS_CERTS)
+  return base::MakeUnique<SystemTrustStoreNSS>(additional_trust_anchors);
+#else
+  // TODO(crbug.com/649017): Integrate with other system trust stores.
+  NOTIMPLEMENTED();
+  return nullptr;
+#endif
+}
+
+// Appends the SHA1 and SHA256 hashes of |spki_bytes| to |*hashes|.
+void AppendPublicKeyHashes(const der::Input& spki_bytes,
+                           HashValueVector* hashes) {
+  HashValue sha1(HASH_VALUE_SHA1);
+  base::SHA1HashBytes(spki_bytes.UnsafeData(), spki_bytes.Length(),
+                      sha1.data());
+  hashes->push_back(sha1);
+
+  HashValue sha256(HASH_VALUE_SHA256);
+  crypto::SHA256HashString(spki_bytes.AsStringPiece(), sha256.data(),
+                           crypto::kSHA256Length);
+  hashes->push_back(sha256);
+}
+
+// Appends the SubjectPublicKeyInfo hashes for all certificates (and trust
+// anchor) in |partial_path| to |*hashes|.
+void AppendPublicKeyHashes(const CertPathBuilder::ResultPath& partial_path,
+                           HashValueVector* hashes) {
+  for (const scoped_refptr<ParsedCertificate>& cert : partial_path.path.certs)
+    AppendPublicKeyHashes(cert->tbs().spki_tlv, hashes);
+
+  if (partial_path.path.trust_anchor)
+    AppendPublicKeyHashes(partial_path.path.trust_anchor->spki(), hashes);
+}
+
+// Sets the bits on |cert_status| for all the errors encountered during the path
+// building of |partial_path|.
+void MapPathBuilderErrorsToCertStatus(
+    const CertPathBuilder::ResultPath& partial_path,
+    const std::string& hostname,
+    CertStatus* cert_status) {
+  // If path building was successful, there are no errors to map (there may have
+  // been warnings but they do not map to CertStatus).
+  if (partial_path.valid)
+    return;
+
+  LOG(ERROR) << "CertVerifyProcBuiltin for " << hostname << " failed:\n"
+             << partial_path.errors.ToDebugString();
+
+  if (partial_path.errors.ContainsError(kRsaModulusTooSmall))
+    *cert_status |= CERT_STATUS_WEAK_KEY;
+
+  if (partial_path.errors.ContainsError(kValidityFailedNotAfter) ||
+      partial_path.errors.ContainsError(kValidityFailedNotBefore)) {
+    *cert_status |= CERT_STATUS_DATE_INVALID;
+  }
+
+  // IMPORTANT: If the path was invalid for a reason that was not
+  // explicity checked above, set a general error. This is important as
+  // |cert_status| is what ultimately indicates whether verification was
+  // successful or not (absense of errors implies success).
+  if (!IsCertStatusError(*cert_status))
+    *cert_status |= CERT_STATUS_INVALID;
+}
+
+X509Certificate::OSCertHandle CreateOSCertHandle(
+    const scoped_refptr<ParsedCertificate>& certificate) {
+  return X509Certificate::CreateOSCertHandleFromBytes(
+      reinterpret_cast<const char*>(certificate->der_cert().UnsafeData()),
+      certificate->der_cert().Length());
+}
+
+// Creates a X509Certificate (chain) to return as the verified result.
+//
+//  * |target_cert|: The original X509Certificate that was passed in to
+//                   VerifyInternal()
+//  * |path|: The result (possibly failed) from path building.
+scoped_refptr<X509Certificate> CreateVerifiedCertChain(
+    X509Certificate* target_cert,
+    const CertPathBuilder::ResultPath& path) {
+  X509Certificate::OSCertHandles intermediates;
+
+  // Skip the first certificate in the path as that is the target certificate
+  for (size_t i = 1; i < path.path.certs.size(); ++i)
+    intermediates.push_back(CreateOSCertHandle(path.path.certs[i]));
+
+  if (path.path.trust_anchor) {
+    // TODO(eroman): This assumes that TrustAnchor::cert() cannot be null,
+    //               which disagrees with the documentation.
+    intermediates.push_back(CreateOSCertHandle(path.path.trust_anchor->cert()));
+  }
+
+  scoped_refptr<X509Certificate> result = X509Certificate::CreateFromHandle(
+      target_cert->os_cert_handle(), intermediates);
+
+  for (const X509Certificate::OSCertHandle handle : intermediates)
+    X509Certificate::FreeOSCertHandle(handle);
+
+  return result;
+}
+
+// TODO(crbug.com/649017): Make use of |flags|, |crl_set|, and |ocsp_response|.
+// Also handle key usages, policies and EV.
+//
+// Any failure short-circuits from the function must set
+// |verify_result->cert_status|.
+void DoVerify(X509Certificate* input_cert,
+              const std::string& hostname,
+              const std::string& ocsp_response,
+              int flags,
+              CRLSet* crl_set,
+              const CertificateList& additional_trust_anchors,
+              CertVerifyResult* verify_result) {
+  CertErrors errors;
+
+  // Parse the target certificate.
+  scoped_refptr<ParsedCertificate> target =
+      ParseCertificateFromOSHandle(input_cert->os_cert_handle(), &errors);
+  if (!target) {
+    // TODO(crbug.com/634443): Surface these parsing errors?
+    verify_result->cert_status |= CERT_STATUS_INVALID;
+    return;
+  }
+
+  std::unique_ptr<SystemTrustStore> trust_store =
+      CreateSystemTrustStore(additional_trust_anchors);
+
+  // TODO(eroman): The path building code in this file enforces its idea of weak
+  // keys, and separately cert_verify_proc.cc also checks the chains with its
+  // own policy. These policies should be aligned, to give path building the
+  // best chance of finding a good path.
+  // Another difference to resolve is the path building here does not check the
+  // target certificate's key strength, whereas cert_verify_proc.cc does.
+  SimpleSignaturePolicy signature_policy(1024);
+
+  // Use the current time.
+  der::GeneralizedTime verification_time;
+  if (!der::EncodeTimeAsGeneralizedTime(base::Time::Now(),
+                                        &verification_time)) {
+    // This really shouldn't be possible unless Time::Now() returned
+    // something crazy.
+    verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
+    return;
+  }
+
+  // Initialize the path builder.
+  CertPathBuilder::Result result;
+  CertPathBuilder path_builder(target, trust_store->GetTrustStore(),
+                               &signature_policy, verification_time, &result);
+
+  // Allow the path builder to discover intermediates from the trust store.
+  if (trust_store->GetCertIssuerSource())
+    path_builder.AddCertIssuerSource(trust_store->GetCertIssuerSource());
+
+  // Allow the path builder to discover the explicitly provided intermediates in
+  // |input_cert|.
+  CertIssuerSourceStatic intermediates;
+  AddIntermediatesToIssuerSource(input_cert, &intermediates);
+  path_builder.AddCertIssuerSource(&intermediates);
+
+  // TODO(crbug.com/649017): Allow the path builder to discover intermediates
+  // through AIA fetching.
+
+  path_builder.Run();
+
+  if (result.best_result_index >= result.paths.size()) {
+    // TODO(crbug.com/634443): What errors to communicate? Maybe the path
+    // builder should always return some partial path (even if just containing
+    // the target), then there is a CertErrors to test.
+    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+    return;
+  }
+
+  // Use the best path that was built. This could be a partial path, or it could
+  // be a valid complete path.
+  const CertPathBuilder::ResultPath& partial_path =
+      *result.paths[result.best_result_index].get();
+
+  if (partial_path.path.trust_anchor) {
+    verify_result->is_issued_by_known_root =
+        trust_store->IsKnownRoot(partial_path.path.trust_anchor);
+
+    verify_result->is_issued_by_additional_trust_anchor =
+        trust_store->IsAdditionalTrustAnchor(partial_path.path.trust_anchor);
+  } else {
+    verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+  }
+
+  verify_result->verified_cert =
+      CreateVerifiedCertChain(input_cert, partial_path);
+
+  AppendPublicKeyHashes(partial_path, &verify_result->public_key_hashes);
+  MapPathBuilderErrorsToCertStatus(partial_path, hostname,
+                                   &verify_result->cert_status);
+}
+
+int CertVerifyProcBuiltin::VerifyInternal(
+    X509Certificate* input_cert,
+    const std::string& hostname,
+    const std::string& ocsp_response,
+    int flags,
+    CRLSet* crl_set,
+    const CertificateList& additional_trust_anchors,
+    CertVerifyResult* verify_result) {
+  DoVerify(input_cert, hostname, ocsp_response, flags, crl_set,
+           additional_trust_anchors, verify_result);
+
+  return IsCertStatusError(verify_result->cert_status)
+             ? MapCertStatusToNetError(verify_result->cert_status)
+             : OK;
+}
+
+}  // namespace
+
+scoped_refptr<CertVerifyProc> CreateCertVerifyProcBuiltin() {
+  return scoped_refptr<CertVerifyProc>(new CertVerifyProcBuiltin());
+}
+
+}  // namespace net