Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(160)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/ct_log_verifier_openssl.cc

Issue 55953002: CT: Adding SCT verification functionality: A CTLogVerifier instance can verify SCTs signed by a sin… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 7 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/ct_log_verifier_nss.cc ('K') | « net/cert/ct_log_verifier_nss.cc ('k') | net/cert/ct_log_verifier_unittest.cc » ('j') | net/cert/ct_log_verifier_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/ct_log_verifier_openssl.cc
diff --git a/net/cert/ct_log_verifier_openssl.cc b/net/cert/ct_log_verifier_openssl.cc
new file mode 100644
index 0000000000000000000000000000000000000000..c3ae1b7d7abb69d84278114cf0c20485fe25674b
--- /dev/null
+++ b/net/cert/ct_log_verifier_openssl.cc
@@ -0,0 +1,113 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_log_verifier.h"
+
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include "base/logging.h"
+#include "crypto/openssl_util.h"
+#include "crypto/sha2.h"
+
+namespace net {
+
+namespace {
+
+const EVP_MD* GetEvpAlg(ct::DigitallySigned::HashAlgorithm alg) {
+ switch (alg) {
+ case ct::DigitallySigned::HASH_ALGO_MD5:
+ return EVP_md5();
+ case ct::DigitallySigned::HASH_ALGO_SHA1:
+ return EVP_sha1();
+ case ct::DigitallySigned::HASH_ALGO_SHA224:
+ return EVP_sha224();
+ case ct::DigitallySigned::HASH_ALGO_SHA256:
+ return EVP_sha256();
+ case ct::DigitallySigned::HASH_ALGO_SHA384:
+ return EVP_sha384();
+ case ct::DigitallySigned::HASH_ALGO_SHA512:
+ return EVP_sha512();
+ case ct::DigitallySigned::HASH_ALGO_NONE:
wtc 2013/11/08 21:04:00 Nit: add a default case, unless you know it is imp
Eran M. (Google) 2013/11/12 12:01:28 Done.
+ NOTREACHED();
+ return NULL;
+ }
+}
+
+} // namespace
+
+CTLogVerifier::~CTLogVerifier() {
+ crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+ if (public_key_)
+ EVP_PKEY_free(public_key_);
+}
+
+CTLogVerifier::CTLogVerifier() : public_key_(NULL) {}
wtc 2013/11/08 21:04:00 Should also initialize hash_algorithm_ and sig_alg
Eran M. (Google) 2013/11/12 12:01:28 Done.
+
+bool CTLogVerifier::Init(const base::StringPiece& public_key,
+ const base::StringPiece& description) {
+ crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+ crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(
+ BIO_new_mem_buf(const_cast<char*>(public_key.data()), public_key.size()));
+ if (!bio.get())
+ return false;
+
+ public_key_ = d2i_PUBKEY_bio(bio.get(), NULL);
+ if (!public_key_)
+ return false;
+
+ key_id_ = crypto::SHA256HashString(public_key);
+ description_ = description.as_string();
+
+ switch (EVP_PKEY_type(public_key_->type)) {
+ case EVP_PKEY_RSA:
+ hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
+ sig_algorithm_ = ct::DigitallySigned::SIG_ALGO_RSA;
+ break;
+ case EVP_PKEY_EC:
+ hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
+ sig_algorithm_ = ct::DigitallySigned::SIG_ALGO_ECDSA;
+ break;
+ default:
+ DVLOG(1) << "Unsupported key type: " << EVP_PKEY_type(public_key_->type);
+ return false;
+ }
+
+ // EVP_PKEY_size returns the size in bytes. 256 = 2048-bit RSA key.
+ if (sig_algorithm_ == ct::DigitallySigned::SIG_ALGO_RSA &&
+ EVP_PKEY_size(public_key_) < 256) {
+ DVLOG(1) << "Too small a public key.";
+ return false;
+ }
+
+ return true;
+}
+
+bool CTLogVerifier::VerifySignature(const base::StringPiece& data_to_sign,
+ const base::StringPiece& signature) {
+ crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+ const EVP_MD* hash_alg = GetEvpAlg(hash_algorithm_);
+ if (hash_alg == NULL)
+ return false;
+
+ EVP_MD_CTX ctx;
+ EVP_MD_CTX_init(&ctx);
+
+ bool ok =
+ (1 == EVP_VerifyInit(&ctx, hash_alg) &&
wtc 2013/11/08 21:04:00 I am not familiar with OpenSSL. Would EVP_DigestVe
Eran M. (Google) 2013/11/12 12:01:28 Converted the code to using EVP_DigestVerify altho
wtc 2013/11/14 18:46:30 I was hoping you could ask Ben Laurie :-) The onl
Eran M. (Google) 2013/11/16 22:59:16 As mentioned in an offline email, I ended up askin
+ 1 == EVP_VerifyUpdate(&ctx, data_to_sign.data(), data_to_sign.size()) &&
+ 1 == EVP_VerifyFinal(
+ &ctx,
+ reinterpret_cast<const unsigned char*>(signature.data()),
+ signature.size(),
+ public_key_));
+
+ EVP_MD_CTX_cleanup(&ctx);
+ return ok;
+}
+
+} // namespace net
« net/cert/ct_log_verifier_nss.cc ('K') | « net/cert/ct_log_verifier_nss.cc ('k') | net/cert/ct_log_verifier_unittest.cc » ('j') | net/cert/ct_log_verifier_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698