OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/memory/scoped_ptr.h" | 5 #include "base/memory/scoped_ptr.h" |
6 #include "crypto/ec_private_key.h" | 6 #include "crypto/ec_private_key.h" |
7 #include "crypto/openssl_util.h" | 7 #include "crypto/openssl_util.h" |
| 8 #include "crypto/scoped_openssl_types.h" |
8 #include "net/cert/x509_util.h" | 9 #include "net/cert/x509_util.h" |
9 #include "net/cert/x509_util_openssl.h" | 10 #include "net/cert/x509_util_openssl.h" |
10 #include "testing/gtest/include/gtest/gtest.h" | 11 #include "testing/gtest/include/gtest/gtest.h" |
11 | 12 |
12 namespace net { | 13 namespace net { |
13 | 14 |
14 namespace { | 15 namespace { |
15 | 16 |
| 17 typedef scoped_ptr<X509, crypto::OpenSSLDestroyer<X509, X509_free> > ScopedX509; |
| 18 |
16 // Verify that a given certificate was signed with the private key corresponding | 19 // Verify that a given certificate was signed with the private key corresponding |
17 // to a given public key. | 20 // to a given public key. |
18 // |der_cert| is the DER-encoded X.509 certificate. | 21 // |der_cert| is the DER-encoded X.509 certificate. |
19 // |der_spki| is the DER-encoded public key of the signer. | 22 // |der_spki| is the DER-encoded public key of the signer. |
20 void VerifyCertificateSignature(const std::string& der_cert, | 23 void VerifyCertificateSignature(const std::string& der_cert, |
21 const std::vector<uint8>& der_spki) { | 24 const std::vector<uint8>& der_spki) { |
22 const unsigned char* cert_data = | 25 const unsigned char* cert_data = |
23 reinterpret_cast<const unsigned char*>(der_cert.data()); | 26 reinterpret_cast<const unsigned char*>(der_cert.data()); |
24 int cert_data_len = static_cast<int>(der_cert.size()); | 27 int cert_data_len = static_cast<int>(der_cert.size()); |
25 crypto::ScopedOpenSSL<X509, X509_free> cert( | 28 ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); |
26 d2i_X509(NULL, &cert_data, cert_data_len)); | |
27 ASSERT_TRUE(cert.get()); | 29 ASSERT_TRUE(cert.get()); |
28 | 30 |
29 // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier | 31 // NOTE: SignatureVerifier wants the DER-encoded ASN.1 AlgorithmIdentifier |
30 // but there is no OpenSSL API to extract it from an X509 object (!?) | 32 // but there is no OpenSSL API to extract it from an X509 object (!?) |
31 // Use X509_verify() directly instead, which takes an EVP_PKEY. | 33 // Use X509_verify() directly instead, which takes an EVP_PKEY. |
32 const unsigned char* pub_key_data = &der_spki.front(); | 34 const unsigned char* pub_key_data = &der_spki.front(); |
33 int pub_key_len = static_cast<int>(der_spki.size()); | 35 int pub_key_len = static_cast<int>(der_spki.size()); |
34 crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pub_key( | 36 crypto::ScopedEVP_PKEY pub_key(d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); |
35 d2i_PUBKEY(NULL, &pub_key_data, pub_key_len)); | |
36 ASSERT_TRUE(pub_key.get()); | 37 ASSERT_TRUE(pub_key.get()); |
37 | 38 |
38 // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error. | 39 // NOTE: X509_verify() returns 1 in case of succes, 0 or -1 on error. |
39 EXPECT_EQ(1, X509_verify(cert.get(), pub_key.get())); | 40 EXPECT_EQ(1, X509_verify(cert.get(), pub_key.get())); |
40 } | 41 } |
41 | 42 |
42 // Verify the attributes of a domain-bound certificate. | 43 // Verify the attributes of a domain-bound certificate. |
43 // |domain| is the bound domain name. | 44 // |domain| is the bound domain name. |
44 // |der_cert| is the DER-encoded X.509 certificate. | 45 // |der_cert| is the DER-encoded X.509 certificate. |
45 void VerifyDomainBoundCert(const std::string& domain, | 46 void VerifyDomainBoundCert(const std::string& domain, |
46 const std::string& der_cert) { | 47 const std::string& der_cert) { |
47 // Origin Bound Cert OID. | 48 // Origin Bound Cert OID. |
48 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; | 49 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6"; |
49 crypto::ScopedOpenSSL<ASN1_OBJECT, ASN1_OBJECT_free> oid_obj( | 50 scoped_ptr<ASN1_OBJECT, |
50 OBJ_txt2obj(oid_string, 0)); | 51 crypto::OpenSSLDestroyer<ASN1_OBJECT, ASN1_OBJECT_free> > |
| 52 oid_obj(OBJ_txt2obj(oid_string, 0)); |
51 ASSERT_TRUE(oid_obj.get()); | 53 ASSERT_TRUE(oid_obj.get()); |
52 | 54 |
53 const unsigned char* cert_data = | 55 const unsigned char* cert_data = |
54 reinterpret_cast<const unsigned char*>(der_cert.data()); | 56 reinterpret_cast<const unsigned char*>(der_cert.data()); |
55 int cert_data_len = static_cast<int>(der_cert.size()); | 57 int cert_data_len = static_cast<int>(der_cert.size()); |
56 crypto::ScopedOpenSSL<X509, X509_free> cert( | 58 ScopedX509 cert(d2i_X509(NULL, &cert_data, cert_data_len)); |
57 d2i_X509(NULL, &cert_data, cert_data_len)); | |
58 ASSERT_TRUE(cert.get()); | 59 ASSERT_TRUE(cert.get()); |
59 | 60 |
60 // Find the extension. | 61 // Find the extension. |
61 int ext_pos = X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), -1); | 62 int ext_pos = X509_get_ext_by_OBJ(cert.get(), oid_obj.get(), -1); |
62 ASSERT_NE(-1, ext_pos); | 63 ASSERT_NE(-1, ext_pos); |
63 X509_EXTENSION* ext = X509_get_ext(cert.get(), ext_pos); | 64 X509_EXTENSION* ext = X509_get_ext(cert.get(), ext_pos); |
64 ASSERT_TRUE(ext); | 65 ASSERT_TRUE(ext); |
65 | 66 |
66 // Check its value, it must be an ASN.1 IA5STRING | 67 // Check its value, it must be an ASN.1 IA5STRING |
67 // Which means <tag> <length> <domain>, with: | 68 // Which means <tag> <length> <domain>, with: |
(...skipping 63 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
131 | 132 |
132 VerifyDomainBoundCert(domain, der_cert); | 133 VerifyDomainBoundCert(domain, der_cert); |
133 | 134 |
134 // signature_verifier_win and signature_verifier_mac can't handle EC certs. | 135 // signature_verifier_win and signature_verifier_mac can't handle EC certs. |
135 std::vector<uint8> spki; | 136 std::vector<uint8> spki; |
136 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); | 137 ASSERT_TRUE(private_key->ExportPublicKey(&spki)); |
137 VerifyCertificateSignature(der_cert, spki); | 138 VerifyCertificateSignature(der_cert, spki); |
138 } | 139 } |
139 | 140 |
140 } // namespace net | 141 } // namespace net |
OLD | NEW |