Chromium Code Reviews Chromium Code Reviews
Issue 687733004:
Implement crypto signature verification routines using OpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: extensions/browser/api/cast_channel/cast_auth_util_openssl.cc |
| diff --git a/extensions/browser/api/cast_channel/cast_auth_util_openssl.cc b/extensions/browser/api/cast_channel/cast_auth_util_openssl.cc |
| index 3ebceed1f107a848a36cfdeb2424c08e2592e85e..2d6848aea12f0da20243771ee7dbc92ff96cf8e3 100644 |
| --- a/extensions/browser/api/cast_channel/cast_auth_util_openssl.cc |
| +++ b/extensions/browser/api/cast_channel/cast_auth_util_openssl.cc |
| @@ -4,15 +4,167 @@ |
| #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| +#include <openssl/err.h> |
| +#include <openssl/evp.h> |
| +#include <openssl/rsa.h> |
| +#include <openssl/x509.h> |
| +#include <stddef.h> |
| + |
| #include "base/logging.h" |
| +#include "base/strings/stringprintf.h" |
| +#include "crypto/openssl_util.h" |
| +#include "crypto/scoped_openssl_types.h" |
| +#include "extensions/browser/api/cast_channel/cast_auth_ica.h" |
| +#include "extensions/browser/api/cast_channel/cast_message_util.h" |
| +#include "extensions/common/api/cast_channel/cast_channel.pb.h" |
| +#include "net/cert/x509_certificate.h" |
| +#include "net/cert/x509_util_openssl.h" |
| namespace extensions { |
| namespace core_api { |
| namespace cast_channel { |
| +namespace { |
| + |
| +typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; |
| + |
| +std::vector<std::pair<std::string, int>> GetOpenSSLErrors() { |
| + const char* filename; |
| + int line_num; |
| + std::vector<std::pair<std::string, int>> output; |
| + while (ERR_get_error_line(&filename, &line_num) != 0) { |
|
mark a. foltz
2014/10/31 22:29:25
Do we want to capture the return value from this t
davidben
2014/11/01 00:19:34
Please do not use ERR_error_string and use ERR_err
Kevin M
2014/11/03 18:35:57
? The code is calling ERR_get_error_line(), which
davidben
2014/11/03 19:01:50
Nah, that was fine. Sorry, I was referring to the
|
| + output.push_back(std::make_pair(filename, line_num)); |
| + } |
| + return output; |
| +} |
| + |
| +} // namespace |
| + |
| +// This function does the following |
| +// * Verifies that the trusted CA |response.intermediate_certificate| is |
| +// whitelisted for use. |
| +// * Verifies that |response.client_auth_certificate| is signed |
| +// by the trusted CA certificate. |
| +// * Verifies that |response.signature| matches the signature |
| +// of |peer_cert| by |response.client_auth_certificate|'s public |
| +// key. |
| +AuthResult VerifyCredentials(const AuthResponse& response, |
| + const std::string& peer_cert) { |
| + crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| + |
| + // Get the public key of the ICA that was used to sign the client's cert. |
| + base::StringPiece ca_public_key_bytes; |
| + if (response.intermediate_certificate().size() <= 0) { |
| + ca_public_key_bytes = GetDefaultTrustedICAPublicKey(); |
| + } else { |
| + ca_public_key_bytes = |
| + GetTrustedICAPublicKey(response.intermediate_certificate(0)); |
| + if (ca_public_key_bytes.empty()) { |
| + LOG(ERROR) << "Couldn't find trusted ICA."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "failed to verify credentials: cert not signed by trusted CA", |
| + AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, |
| + GetOpenSSLErrors()); |
| + } |
| + } |
| + |
| + // Parse the CA public key. |
| + const uint8_t* ca_ptr = |
| + reinterpret_cast<const uint8_t*>(ca_public_key_bytes.data()); |
| + const uint8_t* ca_public_key_end = ca_ptr + ca_public_key_bytes.size(); |
| + crypto::ScopedRSA ca_public_key_rsa( |
| + d2i_RSAPublicKey(NULL, &ca_ptr, ca_public_key_bytes.size())); |
| + if (!ca_public_key_rsa || ca_ptr != ca_public_key_end) { |
| + LOG(ERROR) << "Failed to import trusted public key."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "failed to import trusted public key.", |
| + AuthResult::ERROR_CERT_PARSING_FAILED, |
| + GetOpenSSLErrors()); |
| + } |
| + crypto::ScopedEVP_PKEY ca_public_key(EVP_PKEY_new()); |
| + if (!ca_public_key || |
| + !EVP_PKEY_set1_RSA(ca_public_key.get(), ca_public_key_rsa.get())) { |
| + LOG(ERROR) << "Failed to initialize EVP_PKEY"; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "failed to initialize EVP_PKEY.", |
| + AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, |
| + GetOpenSSLErrors()); |
| + } |
| + |
| + // Parse the client auth certificate. |
| + const uint8_t* client_cert_ptr = reinterpret_cast<const uint8_t*>( |
| + response.client_auth_certificate().data()); |
| + const uint8_t* client_cert_end = |
| + client_cert_ptr + |
| + response.client_auth_certificate().size(); |
| + const ScopedX509 client_cert( |
| + d2i_X509(NULL, &client_cert_ptr, |
| + response.client_auth_certificate().size())); |
| + if (!client_cert || client_cert_ptr != client_cert_end) { |
| + LOG(ERROR) << "Failed to parse certificate."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "failed to parse client_auth_certificate.", |
| + AuthResult::ERROR_CERT_PARSING_FAILED, |
| + GetOpenSSLErrors()); |
| + } |
| + |
| + // Verify that the client auth certificate was signed by a trusted CA. |
| + if (X509_verify(client_cert.get(), ca_public_key.get()) <= 0) { |
| + LOG(ERROR) << "Certificate is not issued by a trusted CA."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "cert not signed by trusted CA", |
| + AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, |
| + GetOpenSSLErrors()); |
| + } |
| + |
| + // Get the client auth certificate's public key. |
| + const crypto::ScopedEVP_PKEY client_public_key( |
| + X509_get_pubkey(client_cert.get())); |
| + const int client_public_key_type = EVP_PKEY_id(client_public_key.get()); |
| + if (client_public_key_type != EVP_PKEY_RSA) { |
| + LOG(ERROR) << "Expected RSA key type for client certificate, got " |
| + << client_public_key_type << " instead."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "couldn't extract public_key from client cert.", |
| + AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, |
| + GetOpenSSLErrors()); |
| + } |
| + |
| + // Check that the SSL peer certificate was signed using the client's public |
| + // key. |
| + const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); |
| + if (!ctx) { |
|
davidben
2014/11/01 00:19:35
135 through 150 can be coalesced into one block no
Kevin M
2014/11/03 19:41:55
Done.
|
| + LOG(ERROR) << "Unable to allocate EVP_MD_CTX."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "unable to allocate EVP_MD_CTX.", |
| + AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT, |
| + GetOpenSSLErrors()); |
| + } |
| + if (!EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL, |
| + client_public_key.get())) { |
| + LOG(ERROR) << "EVP_DigestVerifyInit failed."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "EVP_DigestVerifyInit failed.", |
| + AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT, |
| + GetOpenSSLErrors()); |
| + } |
| + if (!EVP_DigestVerifyUpdate(ctx.get(), peer_cert.data(), peer_cert.size())) { |
| + LOG(ERROR) << "EVP_DigestVerifyUpdate failed."; |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "EVP_DigestVerifyUpdate failed.", |
| + AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT, |
| + GetOpenSSLErrors()); |
| + } |
| + const std::string& signature = response.signature(); |
| + if (!EVP_DigestVerifyFinal( |
| + ctx.get(), |
| + reinterpret_cast<uint8_t*>(const_cast<char*>(signature.data())), |
| + signature.size())) { |
| + return AuthResult::CreateWithOpenSSLErrors( |
| + "payload verification failed.", |
| + AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, |
| + GetOpenSSLErrors()); |
| + } |
| -AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply, |
| - const std::string& peer_cert) { |
| - NOTREACHED(); |
| return AuthResult(); |
| } |
