OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/sha256_legacy_support_win.h" | |
6 | |
7 #include <windows.h> | |
8 #include <wincrypt.h> | |
9 | |
10 #include <cert.h> | |
11 #include <keyhi.h> | |
12 #include <secoid.h> | |
13 | |
14 #include "base/lazy_instance.h" | |
15 #include "base/logging.h" | |
16 #include "base/strings/string_piece.h" | |
17 #include "base/win/windows_version.h" | |
18 #include "crypto/scoped_nss_types.h" | |
davidben
2014/09/12 22:51:17
Hrm. This is going to be somewhat a nuisance for t
Ryan Sleevi
2014/09/23 21:59:59
Right, that was my plan as well.
| |
19 | |
20 namespace net { | |
21 | |
22 namespace sha256_interception { | |
23 | |
24 namespace { | |
25 | |
26 bool IsSupportedSubjectType(DWORD subject_type) { | |
27 switch (subject_type) { | |
28 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: | |
29 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: | |
30 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: | |
31 return true; | |
32 } | |
33 return false; | |
34 } | |
35 | |
36 bool IsSupportedIssuerType(DWORD issuer_type) { | |
37 switch (issuer_type) { | |
38 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: | |
39 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: | |
40 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: | |
41 return true; | |
42 } | |
43 return false; | |
44 } | |
45 | |
46 base::StringPiece GetSubjectSignature(DWORD subject_type, | |
47 void* subject_data) { | |
48 switch (subject_type) { | |
49 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: { | |
50 CRYPT_DATA_BLOB* data_blob = | |
51 reinterpret_cast<CRYPT_DATA_BLOB*>(subject_data); | |
52 return base::StringPiece(reinterpret_cast<char*>(data_blob->pbData), | |
53 data_blob->cbData); | |
54 } | |
55 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: { | |
56 PCCERT_CONTEXT subject_cert = | |
57 reinterpret_cast<PCCERT_CONTEXT>(subject_data); | |
58 return base::StringPiece( | |
59 reinterpret_cast<char*>(subject_cert->pbCertEncoded), | |
60 subject_cert->cbCertEncoded); | |
61 } | |
62 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: { | |
63 PCCRL_CONTEXT subject_crl = | |
64 reinterpret_cast<PCCRL_CONTEXT>(subject_data); | |
65 return base::StringPiece( | |
66 reinterpret_cast<char*>(subject_crl->pbCrlEncoded), | |
67 subject_crl->cbCrlEncoded); | |
68 } | |
69 } | |
70 return base::StringPiece(); | |
71 } | |
72 | |
73 PCERT_PUBLIC_KEY_INFO GetIssuerPublicKey(DWORD issuer_type, | |
74 void* issuer_data) { | |
75 switch (issuer_type) { | |
76 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: | |
77 return reinterpret_cast<PCERT_PUBLIC_KEY_INFO>(issuer_data); | |
78 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: { | |
79 PCCERT_CONTEXT cert = reinterpret_cast<PCCERT_CONTEXT>(issuer_data); | |
80 return &cert->pCertInfo->SubjectPublicKeyInfo; | |
davidben
2014/09/12 22:51:17
I'm assuming it's safe to assume cert->pCertInfo i
Ryan Sleevi
2014/09/23 21:59:59
Correct. Windows will crash too.
| |
81 } | |
82 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: { | |
83 PCCERT_CHAIN_CONTEXT chain = | |
84 reinterpret_cast<PCCERT_CHAIN_CONTEXT>(issuer_data); | |
85 PCCERT_CONTEXT cert = chain->rgpChain[0]->rgpElement[0]->pCertContext; | |
davidben
2014/09/12 22:51:17
Is it possible for chain->cChain or chain->rgpChai
Ryan Sleevi
2014/09/23 21:59:58
Nope. Windows will crash if they are as well, but
| |
86 return &cert->pCertInfo->SubjectPublicKeyInfo; | |
87 } | |
88 } | |
89 return NULL; | |
90 } | |
91 | |
92 } // namespace | |
93 | |
94 bool IsNeeded() { | |
95 base::win::OSInfo* os_info = base::win::OSInfo::GetInstance(); | |
96 if (os_info->version() > base::win::VERSION_SERVER_2003) | |
97 return false; // New enough to have SHA-256 support | |
98 if (os_info->version() < base::win::VERSION_XP) | |
99 return false; // Too old to matter. | |
100 if (os_info->version() == base::win::VERSION_XP) { | |
101 if (os_info->service_pack().major >= 3) | |
102 return false; // SP3 added SHA-256 support | |
103 return true; | |
104 } | |
105 | |
106 // Just assume it's needed. While it's possible to hotfix in support via | |
107 // patches from Microsoft, or to install a third-party CSP that was signed by | |
108 // Microsoft, the only reason to use that implementation would be to allow | |
109 // administrators to disable SHA-2 by policy, and doing so would just force | |
110 // this path. | |
davidben
2014/09/12 22:51:17
DCHECK_EQ(VERSION_SERVER_2003, os_info->version())
Ryan Sleevi
2014/09/23 21:59:58
This is now unnecessary in ToT, due to base/win/wi
| |
111 return true; | |
112 } | |
113 | |
114 BOOL CryptVerifyCertificateSignatureExHook( | |
115 CryptVerifyCertificateSignatureExFunc original_func, | |
116 HCRYPTPROV_LEGACY provider, | |
117 DWORD encoding_type, | |
118 DWORD subject_type, | |
119 void* subject_data, | |
120 DWORD issuer_type, | |
121 void* issuer_data, | |
122 DWORD flags, | |
123 void* extra) { | |
124 CHECK(original_func); | |
125 | |
126 // Only intercept if the arguments are supported. | |
127 if (provider != NULL || (encoding_type != X509_ASN_ENCODING) || | |
128 !IsSupportedSubjectType(subject_type) || subject_data == NULL || | |
129 !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) { | |
130 return original_func(provider, encoding_type, subject_type, subject_data, | |
131 issuer_type, issuer_data, flags, extra); | |
132 } | |
133 | |
134 base::StringPiece subject_signature = | |
135 GetSubjectSignature(subject_type, subject_data); | |
136 bool should_intercept = false; | |
137 | |
138 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
139 CERTSignedData signed_data; | |
140 memset(&signed_data, 0, sizeof(signed_data)); | |
141 | |
142 // Attempt to decode the subject using the generic "Signed Data" template, | |
143 // which all of the supported subject types match. If the signature | |
davidben
2014/09/12 22:51:17
(I was unable to find a reference for this for the
Ryan Sleevi
2014/09/23 21:59:58
Yeah, like most of CryptoAPI, WinCrypt.h has bette
| |
144 // algorithm is RSA with one of the SHA-2 algorithms supported by NSS | |
145 // (excluding SHA-224, which is pointless), then defer to the NSS | |
146 // implementation. Otherwise, fall back and let the OS handle it (e.g. | |
147 // in case there are any algorithm policies in effect). | |
148 if (!subject_signature.empty()) { | |
149 SECItem subject_sig_item; | |
150 subject_sig_item.data = const_cast<unsigned char*>( | |
151 reinterpret_cast<const unsigned char*>(subject_signature.data())); | |
152 subject_sig_item.len = subject_signature.size(); | |
153 SECStatus rv = SEC_QuickDERDecodeItem( | |
154 arena.get(), &signed_data, SEC_ASN1_GET(CERT_SignedDataTemplate), | |
155 &subject_sig_item); | |
156 if (rv == SECSuccess) { | |
157 SECOidTag signature_alg = | |
158 SECOID_GetAlgorithmTag(&signed_data.signatureAlgorithm); | |
159 if (signature_alg == SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION || | |
160 signature_alg == SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION || | |
161 signature_alg == SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION) { | |
162 should_intercept = true; | |
163 } | |
164 } | |
165 } | |
166 | |
167 if (!should_intercept) { | |
168 return original_func(provider, encoding_type, subject_type, subject_data, | |
169 issuer_type, issuer_data, flags, extra); | |
170 } | |
171 | |
172 // Rather than attempting to synthesize a CERTSubjectPublicKeyInfo by hand, | |
173 // just force the OS to do an ASN.1 encoding and then decode it back into | |
174 // NSS. This is silly for performance, but safest for consistency. | |
175 PCERT_PUBLIC_KEY_INFO issuer_public_key = | |
176 GetIssuerPublicKey(issuer_type, issuer_data); | |
177 if (!issuer_public_key) { | |
davidben
2014/09/12 22:51:17
Comment about blahChain[0] above aside, should thi
Ryan Sleevi
2014/09/23 21:59:58
We've already determined this is a SHA-2 signature
| |
178 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
179 return FALSE; | |
180 } | |
181 | |
182 unsigned char* issuer_spki_data = NULL; | |
183 DWORD issuer_spki_len = 0; | |
184 if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, | |
185 issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL, | |
186 &issuer_spki_data, &issuer_spki_len)) { | |
187 return FALSE; | |
188 } | |
189 | |
190 SECItem nss_issuer_spki; | |
191 nss_issuer_spki.data = issuer_spki_data; | |
192 nss_issuer_spki.len = issuer_spki_len; | |
193 CERTSubjectPublicKeyInfo* spki = | |
194 SECKEY_DecodeDERSubjectPublicKeyInfo(&nss_issuer_spki); | |
195 ::LocalFree(issuer_spki_data); | |
196 if (!spki) { | |
197 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
davidben
2014/09/12 22:51:17
I don't have a better suggestion out of the ones t
Ryan Sleevi
2014/09/23 21:59:58
It doesn't match the documentation, but it does ma
| |
198 return FALSE; | |
199 } | |
200 | |
201 // Attempt to actually verify the signed data. If it fails, synthesize the | |
202 // failure as a generic "bad signature" and let CryptoAPI handle the rest. | |
203 SECStatus rv = CERT_VerifySignedDataWithPublicKeyInfo( | |
204 &signed_data, spki, NULL); | |
205 SECKEY_DestroySubjectPublicKeyInfo(spki); | |
206 if (rv != SECSuccess) { | |
207 SetLastError(static_cast<DWORD>(NTE_BAD_SIGNATURE)); | |
208 return FALSE; | |
209 } | |
210 return TRUE; | |
211 } | |
212 | |
213 } // namespace sha256_interception | |
214 | |
215 } // namespace net | |
OLD | NEW |