| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <openssl/err.h> |
| 8 #include <openssl/evp.h> |
| 9 #include <openssl/rsa.h> |
| 10 #include <openssl/x509.h> |
| 11 #include <stddef.h> |
| 12 |
| 7 #include "base/logging.h" | 13 #include "base/logging.h" |
| 14 #include "base/strings/stringprintf.h" |
| 15 #include "crypto/openssl_util.h" |
| 16 #include "crypto/scoped_openssl_types.h" |
| 17 #include "extensions/browser/api/cast_channel/cast_auth_ica.h" |
| 18 #include "extensions/browser/api/cast_channel/cast_message_util.h" |
| 19 #include "extensions/common/api/cast_channel/cast_channel.pb.h" |
| 20 #include "net/cert/x509_certificate.h" |
| 21 #include "net/cert/x509_util_openssl.h" |
| 8 | 22 |
| 9 namespace extensions { | 23 namespace extensions { |
| 10 namespace core_api { | 24 namespace core_api { |
| 11 namespace cast_channel { | 25 namespace cast_channel { |
| 26 namespace { |
| 12 | 27 |
| 13 AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply, | 28 typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; |
| 14 const std::string& peer_cert) { | 29 |
| 15 NOTREACHED(); | 30 std::vector<OpenSslErrorEntry> GetErrorStack() { |
| 31 const char* filename; |
| 32 int line_num; |
| 33 std::vector<OpenSslErrorEntry> output; |
| 34 while (ERR_get_error_line(&filename, &line_num) != 0) { |
| 35 OpenSslErrorEntry next_error { filename, line_num }; |
| 36 output.push_back(next_error); |
| 37 } |
| 38 return output; |
| 39 } |
| 40 |
| 41 } // namespace |
| 42 |
| 43 // This function does the following |
| 44 // * Verifies that the trusted CA |response.intermediate_certificate| is |
| 45 // whitelisted for use. |
| 46 // * Verifies that |response.client_auth_certificate| is signed |
| 47 // by the trusted CA certificate. |
| 48 // * Verifies that |response.signature| matches the signature |
| 49 // of |peer_cert| by |response.client_auth_certificate|'s public |
| 50 // key. |
| 51 AuthResult VerifyCredentials(const AuthResponse& response, |
| 52 const std::string& peer_cert) { |
| 53 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 54 |
| 55 // Get the public key of the ICA that was used to sign the client's cert. |
| 56 base::StringPiece ca_public_key_bytes; |
| 57 if (response.intermediate_certificate().size() <= 0) { |
| 58 ca_public_key_bytes = GetDefaultTrustedICAPublicKey(); |
| 59 } else { |
| 60 ca_public_key_bytes = |
| 61 GetTrustedICAPublicKey(response.intermediate_certificate(0)); |
| 62 if (ca_public_key_bytes.empty()) { |
| 63 LOG(ERROR) << "Couldn't find trusted ICA."; |
| 64 return AuthResult::CreateWithOpenSSLErrors( |
| 65 "failed to verify credentials: cert not signed by trusted CA", |
| 66 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, |
| 67 GetErrorStack()); |
| 68 } |
| 69 } |
| 70 |
| 71 // Parse the CA public key. |
| 72 const uint8_t* ca_ptr = |
| 73 reinterpret_cast<const uint8_t*>(ca_public_key_bytes.data()); |
| 74 const uint8_t* ca_public_key_end = ca_ptr + ca_public_key_bytes.size(); |
| 75 crypto::ScopedRSA ca_public_key_rsa( |
| 76 d2i_RSAPublicKey(NULL, &ca_ptr, ca_public_key_bytes.size())); |
| 77 if (!ca_public_key_rsa || ca_ptr != ca_public_key_end) { |
| 78 LOG(ERROR) << "Failed to import trusted public key."; |
| 79 return AuthResult::CreateWithOpenSSLErrors( |
| 80 "failed to import trusted public key.", |
| 81 AuthResult::ERROR_CERT_PARSING_FAILED, |
| 82 GetErrorStack()); |
| 83 } |
| 84 crypto::ScopedEVP_PKEY ca_public_key(EVP_PKEY_new()); |
| 85 if (!ca_public_key || |
| 86 !EVP_PKEY_set1_RSA(ca_public_key.get(), ca_public_key_rsa.get())) { |
| 87 LOG(ERROR) << "Failed to initialize EVP_PKEY"; |
| 88 return AuthResult::CreateWithOpenSSLErrors( |
| 89 "failed to initialize EVP_PKEY.", |
| 90 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, |
| 91 GetErrorStack()); |
| 92 } |
| 93 |
| 94 // Parse the client auth certificate. |
| 95 const uint8_t* client_cert_ptr = reinterpret_cast<const uint8_t*>( |
| 96 response.client_auth_certificate().data()); |
| 97 const uint8_t* client_cert_end = |
| 98 client_cert_ptr + |
| 99 response.client_auth_certificate().size(); |
| 100 const ScopedX509 client_cert( |
| 101 d2i_X509(NULL, &client_cert_ptr, |
| 102 response.client_auth_certificate().size())); |
| 103 if (!client_cert || client_cert_ptr != client_cert_end) { |
| 104 LOG(ERROR) << "Failed to parse certificate."; |
| 105 return AuthResult::CreateWithOpenSSLErrors( |
| 106 "failed to parse client_auth_certificate.", |
| 107 AuthResult::ERROR_CERT_PARSING_FAILED, |
| 108 GetErrorStack()); |
| 109 } |
| 110 |
| 111 // Verify that the client auth certificate was signed by a trusted CA. |
| 112 if (X509_verify(client_cert.get(), ca_public_key.get()) <= 0) { |
| 113 LOG(ERROR) << "Certificate is not issued by a trusted CA."; |
| 114 return AuthResult::CreateWithOpenSSLErrors( |
| 115 "cert not signed by trusted CA", |
| 116 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, |
| 117 GetErrorStack()); |
| 118 } |
| 119 |
| 120 // Get the client auth certificate's public key. |
| 121 const crypto::ScopedEVP_PKEY client_public_key( |
| 122 X509_get_pubkey(client_cert.get())); |
| 123 const int client_public_key_type = EVP_PKEY_id(client_public_key.get()); |
| 124 if (client_public_key_type != EVP_PKEY_RSA) { |
| 125 LOG(ERROR) << "Expected RSA key type for client certificate, got " |
| 126 << client_public_key_type << " instead."; |
| 127 return AuthResult::CreateWithOpenSSLErrors( |
| 128 "couldn't extract public_key from client cert.", |
| 129 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, |
| 130 GetErrorStack()); |
| 131 } |
| 132 |
| 133 // Check that the SSL peer certificate was signed using the client's public |
| 134 // key. |
| 135 const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); |
| 136 if (!ctx) { |
| 137 LOG(ERROR) << "Unable to allocate EVP_MD_CTX."; |
| 138 return AuthResult::CreateWithOpenSSLErrors( |
| 139 "unable to allocate EVP_MD_CTX.", |
| 140 AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT, |
| 141 GetErrorStack()); |
| 142 } |
| 143 if (!EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL, |
| 144 client_public_key.get())) { |
| 145 LOG(ERROR) << "EVP_DigestVerifyInit failed."; |
| 146 return AuthResult::CreateWithOpenSSLErrors( |
| 147 "EVP_DigestVerifyInit failed.", |
| 148 AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT, |
| 149 GetErrorStack()); |
| 150 } |
| 151 if (!EVP_DigestVerifyUpdate(ctx.get(), peer_cert.data(), peer_cert.size())) { |
| 152 LOG(ERROR) << "EVP_DigestVerifyUpdate failed."; |
| 153 return AuthResult::CreateWithOpenSSLErrors( |
| 154 "EVP_DigestVerifyUpdate failed.", |
| 155 AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT, |
| 156 GetErrorStack()); |
| 157 } |
| 158 const std::string& signature = response.signature(); |
| 159 if (!EVP_DigestVerifyFinal( |
| 160 ctx.get(), |
| 161 reinterpret_cast<uint8_t*>(const_cast<char*>(signature.data())), |
| 162 signature.size())) { |
| 163 return AuthResult::CreateWithOpenSSLErrors( |
| 164 "payload verification failed.", |
| 165 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, |
| 166 GetErrorStack()); |
| 167 } |
| 168 |
| 16 return AuthResult(); | 169 return AuthResult(); |
| 17 } | 170 } |
| 18 | 171 |
| 19 } // namespace cast_channel | 172 } // namespace cast_channel |
| 20 } // namespace core_api | 173 } // namespace core_api |
| 21 } // namespace extensions | 174 } // namespace extensions |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 687733004:
Implement crypto signature verification routines using OpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master