Chromium Code Reviews Chromium Code Reviews
Issue 561613002:
Support SHA-256 on pre-Vista Windows clients (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/sha256_legacy_support_win.h" | |
| 6 | |
| 7 #include <windows.h> | |
| 8 #include <wincrypt.h> | |
| 9 | |
| 10 #include <cert.h> | |
| 11 #include <keyhi.h> | |
| 12 #include <secoid.h> | |
| 13 | |
| 14 #include "base/lazy_instance.h" | |
| 15 #include "base/logging.h" | |
| 16 #include "base/strings/string_piece.h" | |
| 17 #include "base/win/windows_version.h" | |
| 18 #include "crypto/scoped_nss_types.h" | |
|
davidben
2014/09/12 22:51:17
Hrm. This is going to be somewhat a nuisance for t
Ryan Sleevi
2014/09/23 21:59:59
Right, that was my plan as well.
| |
| 19 | |
| 20 namespace net { | |
| 21 | |
| 22 namespace sha256_interception { | |
| 23 | |
| 24 namespace { | |
| 25 | |
| 26 bool IsSupportedSubjectType(DWORD subject_type) { | |
| 27 switch (subject_type) { | |
| 28 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: | |
| 29 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: | |
| 30 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: | |
| 31 return true; | |
| 32 } | |
| 33 return false; | |
| 34 } | |
| 35 | |
| 36 bool IsSupportedIssuerType(DWORD issuer_type) { | |
| 37 switch (issuer_type) { | |
| 38 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: | |
| 39 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: | |
| 40 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: | |
| 41 return true; | |
| 42 } | |
| 43 return false; | |
| 44 } | |
| 45 | |
| 46 base::StringPiece GetSubjectSignature(DWORD subject_type, | |
| 47 void* subject_data) { | |
| 48 switch (subject_type) { | |
| 49 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: { | |
| 50 CRYPT_DATA_BLOB* data_blob = | |
| 51 reinterpret_cast<CRYPT_DATA_BLOB*>(subject_data); | |
| 52 return base::StringPiece(reinterpret_cast<char*>(data_blob->pbData), | |
| 53 data_blob->cbData); | |
| 54 } | |
| 55 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: { | |
| 56 PCCERT_CONTEXT subject_cert = | |
| 57 reinterpret_cast<PCCERT_CONTEXT>(subject_data); | |
| 58 return base::StringPiece( | |
| 59 reinterpret_cast<char*>(subject_cert->pbCertEncoded), | |
| 60 subject_cert->cbCertEncoded); | |
| 61 } | |
| 62 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: { | |
| 63 PCCRL_CONTEXT subject_crl = | |
| 64 reinterpret_cast<PCCRL_CONTEXT>(subject_data); | |
| 65 return base::StringPiece( | |
| 66 reinterpret_cast<char*>(subject_crl->pbCrlEncoded), | |
| 67 subject_crl->cbCrlEncoded); | |
| 68 } | |
| 69 } | |
| 70 return base::StringPiece(); | |
| 71 } | |
| 72 | |
| 73 PCERT_PUBLIC_KEY_INFO GetIssuerPublicKey(DWORD issuer_type, | |
| 74 void* issuer_data) { | |
| 75 switch (issuer_type) { | |
| 76 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: | |
| 77 return reinterpret_cast<PCERT_PUBLIC_KEY_INFO>(issuer_data); | |
| 78 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: { | |
| 79 PCCERT_CONTEXT cert = reinterpret_cast<PCCERT_CONTEXT>(issuer_data); | |
| 80 return &cert->pCertInfo->SubjectPublicKeyInfo; | |
|
davidben
2014/09/12 22:51:17
I'm assuming it's safe to assume cert->pCertInfo i
Ryan Sleevi
2014/09/23 21:59:59
Correct. Windows will crash too.
| |
| 81 } | |
| 82 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: { | |
| 83 PCCERT_CHAIN_CONTEXT chain = | |
| 84 reinterpret_cast<PCCERT_CHAIN_CONTEXT>(issuer_data); | |
| 85 PCCERT_CONTEXT cert = chain->rgpChain[0]->rgpElement[0]->pCertContext; | |
|
davidben
2014/09/12 22:51:17
Is it possible for chain->cChain or chain->rgpChai
Ryan Sleevi
2014/09/23 21:59:58
Nope. Windows will crash if they are as well, but
| |
| 86 return &cert->pCertInfo->SubjectPublicKeyInfo; | |
| 87 } | |
| 88 } | |
| 89 return NULL; | |
| 90 } | |
| 91 | |
| 92 } // namespace | |
| 93 | |
| 94 bool IsNeeded() { | |
| 95 base::win::OSInfo* os_info = base::win::OSInfo::GetInstance(); | |
| 96 if (os_info->version() > base::win::VERSION_SERVER_2003) | |
| 97 return false; // New enough to have SHA-256 support | |
| 98 if (os_info->version() < base::win::VERSION_XP) | |
| 99 return false; // Too old to matter. | |
| 100 if (os_info->version() == base::win::VERSION_XP) { | |
| 101 if (os_info->service_pack().major >= 3) | |
| 102 return false; // SP3 added SHA-256 support | |
| 103 return true; | |
| 104 } | |
| 105 | |
| 106 // Just assume it's needed. While it's possible to hotfix in support via | |
| 107 // patches from Microsoft, or to install a third-party CSP that was signed by | |
| 108 // Microsoft, the only reason to use that implementation would be to allow | |
| 109 // administrators to disable SHA-2 by policy, and doing so would just force | |
| 110 // this path. | |
|
davidben
2014/09/12 22:51:17
DCHECK_EQ(VERSION_SERVER_2003, os_info->version())
Ryan Sleevi
2014/09/23 21:59:58
This is now unnecessary in ToT, due to base/win/wi
| |
| 111 return true; | |
| 112 } | |
| 113 | |
| 114 BOOL CryptVerifyCertificateSignatureExHook( | |
| 115 CryptVerifyCertificateSignatureExFunc original_func, | |
| 116 HCRYPTPROV_LEGACY provider, | |
| 117 DWORD encoding_type, | |
| 118 DWORD subject_type, | |
| 119 void* subject_data, | |
| 120 DWORD issuer_type, | |
| 121 void* issuer_data, | |
| 122 DWORD flags, | |
| 123 void* extra) { | |
| 124 CHECK(original_func); | |
| 125 | |
| 126 // Only intercept if the arguments are supported. | |
| 127 if (provider != NULL || (encoding_type != X509_ASN_ENCODING) || | |
| 128 !IsSupportedSubjectType(subject_type) || subject_data == NULL || | |
| 129 !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) { | |
| 130 return original_func(provider, encoding_type, subject_type, subject_data, | |
| 131 issuer_type, issuer_data, flags, extra); | |
| 132 } | |
| 133 | |
| 134 base::StringPiece subject_signature = | |
| 135 GetSubjectSignature(subject_type, subject_data); | |
| 136 bool should_intercept = false; | |
| 137 | |
| 138 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); | |
| 139 CERTSignedData signed_data; | |
| 140 memset(&signed_data, 0, sizeof(signed_data)); | |
| 141 | |
| 142 // Attempt to decode the subject using the generic "Signed Data" template, | |
| 143 // which all of the supported subject types match. If the signature | |
|
davidben
2014/09/12 22:51:17
(I was unable to find a reference for this for the
Ryan Sleevi
2014/09/23 21:59:58
Yeah, like most of CryptoAPI, WinCrypt.h has bette
| |
| 144 // algorithm is RSA with one of the SHA-2 algorithms supported by NSS | |
| 145 // (excluding SHA-224, which is pointless), then defer to the NSS | |
| 146 // implementation. Otherwise, fall back and let the OS handle it (e.g. | |
| 147 // in case there are any algorithm policies in effect). | |
| 148 if (!subject_signature.empty()) { | |
| 149 SECItem subject_sig_item; | |
| 150 subject_sig_item.data = const_cast<unsigned char*>( | |
| 151 reinterpret_cast<const unsigned char*>(subject_signature.data())); | |
| 152 subject_sig_item.len = subject_signature.size(); | |
| 153 SECStatus rv = SEC_QuickDERDecodeItem( | |
| 154 arena.get(), &signed_data, SEC_ASN1_GET(CERT_SignedDataTemplate), | |
| 155 &subject_sig_item); | |
| 156 if (rv == SECSuccess) { | |
| 157 SECOidTag signature_alg = | |
| 158 SECOID_GetAlgorithmTag(&signed_data.signatureAlgorithm); | |
| 159 if (signature_alg == SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION || | |
| 160 signature_alg == SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION || | |
| 161 signature_alg == SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION) { | |
| 162 should_intercept = true; | |
| 163 } | |
| 164 } | |
| 165 } | |
| 166 | |
| 167 if (!should_intercept) { | |
| 168 return original_func(provider, encoding_type, subject_type, subject_data, | |
| 169 issuer_type, issuer_data, flags, extra); | |
| 170 } | |
| 171 | |
| 172 // Rather than attempting to synthesize a CERTSubjectPublicKeyInfo by hand, | |
| 173 // just force the OS to do an ASN.1 encoding and then decode it back into | |
| 174 // NSS. This is silly for performance, but safest for consistency. | |
| 175 PCERT_PUBLIC_KEY_INFO issuer_public_key = | |
| 176 GetIssuerPublicKey(issuer_type, issuer_data); | |
| 177 if (!issuer_public_key) { | |
|
davidben
2014/09/12 22:51:17
Comment about blahChain[0] above aside, should thi
Ryan Sleevi
2014/09/23 21:59:58
We've already determined this is a SHA-2 signature
| |
| 178 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
| 179 return FALSE; | |
| 180 } | |
| 181 | |
| 182 unsigned char* issuer_spki_data = NULL; | |
| 183 DWORD issuer_spki_len = 0; | |
| 184 if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, | |
| 185 issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL, | |
| 186 &issuer_spki_data, &issuer_spki_len)) { | |
| 187 return FALSE; | |
| 188 } | |
| 189 | |
| 190 SECItem nss_issuer_spki; | |
| 191 nss_issuer_spki.data = issuer_spki_data; | |
| 192 nss_issuer_spki.len = issuer_spki_len; | |
| 193 CERTSubjectPublicKeyInfo* spki = | |
| 194 SECKEY_DecodeDERSubjectPublicKeyInfo(&nss_issuer_spki); | |
| 195 ::LocalFree(issuer_spki_data); | |
| 196 if (!spki) { | |
| 197 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
|
davidben
2014/09/12 22:51:17
I don't have a better suggestion out of the ones t
Ryan Sleevi
2014/09/23 21:59:58
It doesn't match the documentation, but it does ma
| |
| 198 return FALSE; | |
| 199 } | |
| 200 | |
| 201 // Attempt to actually verify the signed data. If it fails, synthesize the | |
| 202 // failure as a generic "bad signature" and let CryptoAPI handle the rest. | |
| 203 SECStatus rv = CERT_VerifySignedDataWithPublicKeyInfo( | |
| 204 &signed_data, spki, NULL); | |
| 205 SECKEY_DestroySubjectPublicKeyInfo(spki); | |
| 206 if (rv != SECSuccess) { | |
| 207 SetLastError(static_cast<DWORD>(NTE_BAD_SIGNATURE)); | |
| 208 return FALSE; | |
| 209 } | |
| 210 return TRUE; | |
| 211 } | |
| 212 | |
| 213 } // namespace sha256_interception | |
| 214 | |
| 215 } // namespace net | |
| OLD | NEW |
