OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
10 #include <seccomon.h> | 10 #include <seccomon.h> |
(...skipping 658 matching lines...)
669 crypto::EnsureNSSInit(); | 669 crypto::EnsureNSSInit(); |
670 SECItem der_cert; | 670 SECItem der_cert; |
671 der_cert.type = siDERCertBuffer; | 671 der_cert.type = siDERCertBuffer; |
672 // Make a copy of certificate string so it is safe to type cast. | 672 // Make a copy of certificate string so it is safe to type cast. |
673 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>( | 673 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>( |
674 certificate.data())); | 674 certificate.data())); |
675 der_cert.len = certificate.length(); | 675 der_cert.len = certificate.length(); |
676 | 676 |
677 // Parse into a certificate structure. | 677 // Parse into a certificate structure. |
678 ScopedCERTCertificate cert(CERT_NewTempCertificate( | 678 ScopedCERTCertificate cert(CERT_NewTempCertificate( |
679 CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE)); | 679 CERT_GetDefaultCertDB(), &der_cert, nullptr, PR_FALSE, PR_TRUE)); |
680 if (!cert.get()) { | 680 if (!cert.get()) { |
681 return AuthResult::CreateWithNSSError( | 681 return AuthResult::CreateWithNSSError( |
682 kErrorPrefix + "Failed to parse certificate.", | 682 kErrorPrefix + "Failed to parse certificate.", |
683 AuthResult::ERROR_NSS_CERT_PARSING_FAILED, | 683 AuthResult::ERROR_NSS_CERT_PARSING_FAILED, |
684 PORT_GetError()); | 684 PORT_GetError()); |
685 } | 685 } |
686 | 686 |
687 // Check that the certificate is signed by trusted CA. | 687 // Check that the certificate is signed by trusted CA. |
688 // NOTE: We const_cast trusted_ca_key_der since on some platforms | 688 // NOTE: We const_cast trusted_ca_key_der since on some platforms |
689 // SECKEY_ImportDERPublicKey API takes in SECItem* and not const | 689 // SECKEY_ImportDERPublicKey API takes in SECItem* and not const |
690 // SECItem*. | 690 // SECItem*. |
691 crypto::ScopedSECKEYPublicKey ca_public_key( | 691 crypto::ScopedSECKEYPublicKey ca_public_key( |
692 SECKEY_ImportDERPublicKey( | 692 SECKEY_ImportDERPublicKey( |
693 const_cast<SECItem*>(trusted_ca_key_der), CKK_RSA)); | 693 const_cast<SECItem*>(trusted_ca_key_der), CKK_RSA)); |
694 SECStatus verified = CERT_VerifySignedDataWithPublicKey( | 694 SECStatus verified = CERT_VerifySignedDataWithPublicKey( |
695 &cert->signatureWrap, ca_public_key.get(), NULL); | 695 &cert->signatureWrap, ca_public_key.get(), nullptr); |
696 if (verified != SECSuccess) { | 696 if (verified != SECSuccess) { |
697 return AuthResult::CreateWithNSSError( | 697 return AuthResult::CreateWithNSSError( |
698 kErrorPrefix + "Cert not signed by trusted CA", | 698 kErrorPrefix + "Cert not signed by trusted CA", |
699 AuthResult::ERROR_NSS_CERT_NOT_SIGNED_BY_TRUSTED_CA, | 699 AuthResult::ERROR_NSS_CERT_NOT_SIGNED_BY_TRUSTED_CA, |
700 PORT_GetError()); | 700 PORT_GetError()); |
701 } | 701 } |
702 | 702 |
703 VLOG(1) << "Cert signed by trusted CA"; | 703 VLOG(1) << "Cert signed by trusted CA"; |
704 | 704 |
705 // Verify that the |signature| matches |data|. | 705 // Verify that the |signature| matches |data|. |
706 crypto::ScopedSECKEYPublicKey public_key(CERT_ExtractPublicKey(cert.get())); | 706 crypto::ScopedSECKEYPublicKey public_key(CERT_ExtractPublicKey(cert.get())); |
707 if (!public_key.get()) { | 707 if (!public_key.get()) { |
708 return AuthResult::CreateWithNSSError( | 708 return AuthResult::CreateWithNSSError( |
709 kErrorPrefix + "Unable to extract public key from certificate", | 709 kErrorPrefix + "Unable to extract public key from certificate", |
710 AuthResult::ERROR_NSS_CANNOT_EXTRACT_PUBLIC_KEY, | 710 AuthResult::ERROR_NSS_CANNOT_EXTRACT_PUBLIC_KEY, |
711 PORT_GetError()); | 711 PORT_GetError()); |
712 } | 712 } |
713 SECItem signature_item; | 713 SECItem signature_item; |
714 signature_item.type = siBuffer; | 714 signature_item.type = siBuffer; |
715 signature_item.data = reinterpret_cast<unsigned char*>( | 715 signature_item.data = reinterpret_cast<unsigned char*>( |
716 const_cast<char*>(signature.data())); | 716 const_cast<char*>(signature.data())); |
717 signature_item.len = signature.length(); | 717 signature_item.len = signature.length(); |
718 verified = VFY_VerifyDataDirect( | 718 verified = VFY_VerifyDataDirect( |
719 reinterpret_cast<unsigned char*>(const_cast<char*>(data.data())), | 719 reinterpret_cast<unsigned char*>(const_cast<char*>(data.data())), |
720 data.size(), | 720 data.size(), |
721 public_key.get(), | 721 public_key.get(), |
722 &signature_item, | 722 &signature_item, |
723 SEC_OID_PKCS1_RSA_ENCRYPTION, | 723 SEC_OID_PKCS1_RSA_ENCRYPTION, |
724 SEC_OID_SHA1, NULL, NULL); | 724 SEC_OID_SHA1, |
| 725 nullptr, |
| 726 nullptr); |
725 | 727 |
726 if (verified != SECSuccess) { | 728 if (verified != SECSuccess) { |
727 return AuthResult::CreateWithNSSError( | 729 return AuthResult::CreateWithNSSError( |
728 kErrorPrefix + "Signed blobs did not match", | 730 kErrorPrefix + "Signed blobs did not match", |
729 AuthResult::ERROR_NSS_SIGNED_BLOBS_MISMATCH, | 731 AuthResult::ERROR_NSS_SIGNED_BLOBS_MISMATCH, |
730 PORT_GetError()); | 732 PORT_GetError()); |
731 } | 733 } |
732 | 734 |
733 VLOG(1) << "Signature verification succeeded"; | 735 VLOG(1) << "Signature verification succeeded"; |
734 | 736 |
(...skipping 26 matching lines...)
761 << ", NSS error code: " << result.nss_error_code; | 763 << ", NSS error code: " << result.nss_error_code; |
762 return result; | 764 return result; |
763 } | 765 } |
764 | 766 |
765 return AuthResult(); | 767 return AuthResult(); |
766 } | 768 } |
767 | 769 |
768 } // namespace cast_channel | 770 } // namespace cast_channel |
769 } // namespace core_api | 771 } // namespace core_api |
770 } // namespace extensions | 772 } // namespace extensions |
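Review bot: `ca_public_key` reaches `CERT_VerifySignedDataWithPublicKey` (new line 694) without a check that `SECKEY_ImportDERPublicKey` succeeded, although `cert` and `public_key` are both null-checked in the same function. A failed import would presumably still fail closed, but it would surface as ERROR_NSS_CERT_NOT_SIGNED_BY_TRUSTED_CA and blame the peer certificate for a bad trust anchor; a guard such as `if (!ca_public_key.get()) return AuthResult::CreateWithNSSError(kErrorPrefix + "Failed to import trusted CA key", <dedicated error code>, PORT_GetError());` before the verify call would keep the two cases apart. The comment at new line 672 says a copy of the certificate string is made, but the visible code only `const_cast`s `certificate.data()`, so the comment should read `// NSS takes a non-const buffer; the data is not modified or copied here.` or the copy should actually be made. The final check hard-codes `SEC_OID_SHA1` (new line 724); if the device protocol allows a stronger digest, that is worth a follow-up rather than part of this cleanup. The enclosing function begins in the skipped region, so any earlier validation of `trusted_ca_key_der` is not visible here.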