CT: Adding SCT verification functionality: A CTLogVerifier instance can verify SCTs signed by a sin…

net/cert/ct_log_verifier_openssl.cc

Index: net/cert/ct_log_verifier_openssl.cc
diff --git a/net/cert/ct_log_verifier_openssl.cc b/net/cert/ct_log_verifier_openssl.cc
new file mode 100644
index 0000000000000000000000000000000000000000..0201ec4ed8b9b3e472679ddf2519a258f742dd9e
--- /dev/null
+++ b/net/cert/ct_log_verifier_openssl.cc
@@ -0,0 +1,120 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_log_verifier.h"
+
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include "base/logging.h"
+#include "crypto/openssl_util.h"
+#include "crypto/sha2.h"
+
+namespace net {
+
+namespace {
+
+const EVP_MD* GetEvpAlg(ct::DigitallySigned::HashAlgorithm alg) {
+  switch (alg) {
+    case ct::DigitallySigned::HASH_ALGO_MD5:
+      return EVP_md5();
+    case ct::DigitallySigned::HASH_ALGO_SHA1:
+      return EVP_sha1();
+    case ct::DigitallySigned::HASH_ALGO_SHA224:
+      return EVP_sha224();
+    case ct::DigitallySigned::HASH_ALGO_SHA256:
+      return EVP_sha256();
+    case ct::DigitallySigned::HASH_ALGO_SHA384:
+      return EVP_sha384();
+    case ct::DigitallySigned::HASH_ALGO_SHA512:
+      return EVP_sha512();
+    case ct::DigitallySigned::HASH_ALGO_NONE:
+    default:
+      NOTREACHED();
+      return NULL;
+  }
+}
+
+}  // namespace
+
+CTLogVerifier::~CTLogVerifier() {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  if (public_key_)
+    EVP_PKEY_free(public_key_);
+}
+
+CTLogVerifier::CTLogVerifier() :
+  hash_algorithm_(ct::DigitallySigned::HASH_ALGO_NONE),
+  signature_algorithm_(ct::DigitallySigned::SIG_ALGO_ANONYMOUS),
+  public_key_(NULL) {}

[wtc, 2013/11/14 18:46:30]

Please see the Style Guide's recommendation on how to format a constructor
initializer list:

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Constructor_In...

+
+bool CTLogVerifier::Init(const base::StringPiece& public_key,
+                         const base::StringPiece& description) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  crypto::ScopedOpenSSL<BIO, BIO_free_all> bio(
+      BIO_new_mem_buf(const_cast<char*>(public_key.data()), public_key.size()));
+  if (!bio.get())
+    return false;
+
+  public_key_ = d2i_PUBKEY_bio(bio.get(), NULL);
+  if (!public_key_)
+    return false;
+
+  key_id_ = crypto::SHA256HashString(public_key);
+  description_ = description.as_string();
+
+  // Right now, only RSASSA-PKCS1v15 with SHA-256 and ECDSA with SHA-256 are
+  // supported.
+  switch (EVP_PKEY_type(public_key_->type)) {
+    case EVP_PKEY_RSA:
+      hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
+      signature_algorithm_ = ct::DigitallySigned::SIG_ALGO_RSA;
+      break;
+    case EVP_PKEY_EC:
+      hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256;
+      signature_algorithm_ = ct::DigitallySigned::SIG_ALGO_ECDSA;
+      break;
+    default:
+      DVLOG(1) << "Unsupported key type: " << EVP_PKEY_type(public_key_->type);
+      return false;
+  }
+
+  // Extra sanity check: Require RSA keys of at least 2048 bits.
+  // EVP_PKEY_size returns the size in bytes. 256 = 2048-bit RSA key.
+  if (signature_algorithm_ == ct::DigitallySigned::SIG_ALGO_RSA &&
+      EVP_PKEY_size(public_key_) < 256) {
+    DVLOG(1) << "Too small a public key.";
+    return false;
+  }
+
+  return true;
+}
+
+bool CTLogVerifier::VerifySignature(const base::StringPiece& data_to_sign,
+                                    const base::StringPiece& signature) {
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  const EVP_MD* hash_alg = GetEvpAlg(hash_algorithm_);
+  if (hash_alg == NULL)
+    return false;
+
+  EVP_MD_CTX ctx;
+  EVP_MD_CTX_init(&ctx);
+
+  bool ok = (
+      1 == EVP_DigestVerifyInit(&ctx, NULL, hash_alg, NULL, public_key_) &&
+      1 == EVP_DigestVerifyUpdate(
+          &ctx, data_to_sign.data(), data_to_sign.size()) &&
+      1 == EVP_DigestVerifyFinal(
+          &ctx,
+          reinterpret_cast<unsigned char*>(const_cast<char*>(signature.data())),

[wtc, 2013/11/14 18:46:30]

It is unfortunate that EVP_DigestVerifyFinal requires us to use a const_cast.
This seems to be a bug in the function prototype of EVP_DigestVerifyFinal.

[Eran M. (Google), 2013/11/16 22:59:17]

Yes, I've noticed a few of the OpenSSL's functions not accepting a const pointer
where they should.

+          signature.size()));
+
+  EVP_MD_CTX_cleanup(&ctx);
+  return ok;
+}
+
+}  // namespace net