CT: Adding SCT verification functionality: A CTLogVerifier instance can verify SCTs signed by a sin…

net/cert/ct_log_verifier_nss.cc

Index: net/cert/ct_log_verifier_nss.cc
diff --git a/net/cert/ct_log_verifier_nss.cc b/net/cert/ct_log_verifier_nss.cc
new file mode 100644
index 0000000000000000000000000000000000000000..67ce382c1ea80b6df50c692958febd948047b861
--- /dev/null
+++ b/net/cert/ct_log_verifier_nss.cc
@@ -0,0 +1,141 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_log_verifier.h"
+
+#include <cryptohi.h>
+#include <keyhi.h>
+#include <nss.h>
+#include <pk11pub.h>
+#include <secitem.h>
+#include <secoid.h>
+
+#include "base/logging.h"
+#include "crypto/nss_util.h"
+#include "crypto/sha2.h"
+#include "net/cert/signed_certificate_timestamp.h"
+
+namespace net {
+
+namespace {
+
+SECOidTag GetNssSigAlg(ct::DigitallySigned::SignatureAlgorithm alg) {

[wtc, 2013/11/08 21:04:00]

Nit: Nss => NSS

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+  switch (alg) {
+    case ct::DigitallySigned::SIG_ALGO_RSA:
+      return SEC_OID_PKCS1_RSA_ENCRYPTION;
+    case ct::DigitallySigned::SIG_ALGO_DSA:
+      return SEC_OID_ANSIX9_DSA_SIGNATURE;
+    case ct::DigitallySigned::SIG_ALGO_ECDSA:
+      return SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+    case ct::DigitallySigned::SIG_ALGO_ANONYMOUS:
+      // FALLTHROUGH

[wtc, 2013/11/08 21:04:00]

This FALLTHROUGH comment and the FALLTHROUGH comment on line 54 are not
necessary because there is no code under this case.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+    default:
+      NOTREACHED();
+      return SEC_OID_UNKNOWN;
+  }
+}
+
+SECOidTag GetNssHashAlg(ct::DigitallySigned::HashAlgorithm alg) {
+  switch (alg) {
+    case ct::DigitallySigned::HASH_ALGO_MD5:
+      return SEC_OID_MD5;
+    case ct::DigitallySigned::HASH_ALGO_SHA1:
+      return SEC_OID_SHA1;
+    case ct::DigitallySigned::HASH_ALGO_SHA224:
+      return SEC_OID_SHA224;
+    case ct::DigitallySigned::HASH_ALGO_SHA256:
+      return SEC_OID_SHA256;
+    case ct::DigitallySigned::HASH_ALGO_SHA384:
+      return SEC_OID_SHA384;
+    case ct::DigitallySigned::HASH_ALGO_SHA512:
+      return SEC_OID_SHA512;
+    case ct::DigitallySigned::HASH_ALGO_NONE:
+      // FALLTHROUGH
+    default:
+      NOTREACHED();
+      return SEC_OID_UNKNOWN;
+  }
+}
+
+}  // namespace
+
+CTLogVerifier::~CTLogVerifier() {
+  if (public_key_)
+    SECKEY_DestroyPublicKey(public_key_);
+}
+
+CTLogVerifier::CTLogVerifier() : public_key_(NULL) {}

[wtc, 2013/11/08 21:04:00]

hash_algorithm_ and sig_algorithm_ should also be initialized.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+
+bool CTLogVerifier::Init(const base::StringPiece& public_key,
+                         const base::StringPiece& description) {
+  SECItem key_data;
+
+  crypto::EnsureNSSInit();
+
+  key_data.data = reinterpret_cast<unsigned char*>(
+      const_cast<char*>(public_key.data()));
+  key_data.len = public_key.size();
+
+  CERTSubjectPublicKeyInfo* public_key_info =
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&key_data);
+  if (!public_key_info) {
+    DVLOG(1) << "Failed decoding public key: " << public_key;

[wtc, 2013/11/08 21:04:00]

public_key contains binary data, so it is not suitable for direct use in error
messages. See also line 91.

[Eran M. (Google), 2013/11/12 12:01:28]

Done - removed.

+    return false;
+  }
+
+  public_key_ = SECKEY_ExtractPublicKey(public_key_info);
+  SECKEY_DestroySubjectPublicKeyInfo(public_key_info);
+
+  if (!public_key_) {
+    DVLOG(1) << "Failed extracting public key from " << public_key;
+    return false;
+  }
+
+  key_id_ = crypto::SHA256HashString(public_key);
+  description_ = description.as_string();
+
+
+  // Right now, only RSASSA-PKCS1v15 with SHA-256 and ECDSA with SHA-256 are
+  // supported.

[wtc, 2013/11/08 21:04:00]

Nit: copy this comment to the _openssl.cc file.

Nit: delete the blank line 98.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+  switch (public_key_->keyType) {

[Ryan Sleevi, 2013/11/08 00:30:43]

Use SECKEY_GetPublicKeyType()

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+    case rsaKey:
+      hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
+      sig_algorithm_ = ct::DigitallySigned::SIG_ALGO_RSA;
+      break;
+    case ecKey:
+      hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
+      sig_algorithm_ = ct::DigitallySigned::SIG_ALGO_ECDSA;
+      break;
+    default:
+      DVLOG(1) << "Unsupported key type: " << public_key_->keyType;
+      return false;
+  }
+
+  // Extra sanity check: Require RSA signatures of at least 2048 bits.

[wtc, 2013/11/08 21:04:00]

Nit: signatures => keys

Nit: copy this comment to the _openssl.cc file.

[Eran M. (Google), 2013/11/12 12:01:28]

Done.

+  if (sig_algorithm_ == ct::DigitallySigned::SIG_ALGO_RSA &&
+      SECKEY_PublicKeyStrengthInBits(public_key_) < 2048) {
+    DVLOG(1) << "Too small a public key.";
+    return false;
+  }
+
+  return true;
+}
+
+bool CTLogVerifier::VerifySignature(const base::StringPiece& data_to_sign,
+                                    const base::StringPiece& signature) {
+  SECItem sig_data;
+  sig_data.data = reinterpret_cast<unsigned char*>(const_cast<char*>(
+      signature.data()));
+  sig_data.len = signature.size();
+
+  SECStatus rv = VFY_VerifyDataDirect(
+      reinterpret_cast<const unsigned char*>(data_to_sign.data()),
+      data_to_sign.size(), public_key_, &sig_data,
+      GetNssSigAlg(sig_algorithm_), GetNssHashAlg(hash_algorithm_),
+      NULL, NULL);
+  DVLOG(1) << "Signature verification result: " << (rv == SECSuccess);
+  return rv == SECSuccess;
+}
+
+}  // namespace net