Chromium Code Reviews Chromium Code Reviews
Issue 792353002:
Refactoring of Cast-related crypto code (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "extensions/common/cast/cast_cert_validator.h" | |
| 6 | |
| 7 #include <openssl/digest.h> | |
| 8 #include <openssl/evp.h> | |
| 9 #include <openssl/rsa.h> | |
| 10 #include <openssl/x509.h> | |
| 11 | |
| 12 #include "base/logging.h" | |
| 13 #include "base/strings/string_util.h" | |
| 14 #include "base/strings/stringprintf.h" | |
| 15 #include "crypto/openssl_util.h" | |
| 16 #include "crypto/scoped_openssl_types.h" | |
| 17 #include "extensions/browser/api/cast_channel/cast_auth_ica.h" | |
| 18 #include "net/cert/x509_certificate.h" | |
| 19 #include "net/cert/x509_util_openssl.h" | |
| 20 | |
| 21 namespace extensions { | |
| 22 namespace core_api { | |
| 23 namespace cast_crypto { | |
| 24 namespace { | |
| 25 | |
| 26 typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509; | |
| 27 | |
| 28 class CertVerificationContextOpenSSL : public CertVerificationContext { | |
| 29 public: | |
| 30 // Takes ownership of the passed-in x509 object | |
| 31 explicit CertVerificationContextOpenSSL(X509* x509) : x509_(x509) {} | |
| 32 | |
| 33 VerificationResult VerifySignatureOverData( | |
| 34 const base::StringPiece& signature, | |
| 35 const base::StringPiece& data) const override { | |
| 36 // retrieve public key object | |
| 37 crypto::ScopedEVP_PKEY public_key(X509_get_pubkey(x509_.get())); | |
| 38 if (!public_key) { | |
| 39 LOG(ERROR) << "Failed to extract device certificate public key."; | |
|
Ryan Sleevi
2014/12/15 21:43:01
SPAM: Unnecessary, covered on line 41.
sheretov
2014/12/16 08:44:21
Done.
| |
| 40 return VerificationResult( | |
| 41 "Failed to extract device certificate public key.", | |
| 42 VerificationResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY); | |
| 43 } | |
| 44 | |
| 45 // Make sure the key is RSA | |
| 46 const int public_key_type = EVP_PKEY_id(public_key.get()); | |
| 47 if (public_key_type != EVP_PKEY_RSA) { | |
| 48 LOG(ERROR) << "Expected RSA key type for client certificate, got " | |
| 49 << public_key_type << " instead."; | |
|
Ryan Sleevi
2014/12/15 21:43:01
SPAM: Unnecessary, line 51 covers this.
sheretov
2014/12/16 08:44:22
Done.
| |
| 50 return VerificationResult( | |
| 51 "Public key algorithm is unsupported.", | |
| 52 VerificationResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY); | |
| 53 } | |
| 54 | |
| 55 const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create()); | |
| 56 if (!ctx || | |
| 57 !EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL, | |
| 58 public_key.get()) || | |
| 59 !EVP_DigestVerifyUpdate(ctx.get(), data.data(), data.size())) { | |
| 60 return VerificationResult("Signature verification operation failed.", | |
| 61 VerificationResult::ERROR_CRYPTO_LIBRARY); | |
| 62 } | |
| 63 if (EVP_DigestVerifyFinal( | |
| 64 ctx.get(), | |
| 65 reinterpret_cast<uint8_t*>(const_cast<char*>(signature.data())), | |
| 66 signature.size()) <= 0) { | |
| 67 return VerificationResult("Signature is invalid.", | |
| 68 VerificationResult::ERROR_SIGNATURE_INVALID); | |
| 69 } | |
| 70 | |
| 71 return VerificationResult(); | |
| 72 } | |
| 73 | |
| 74 std::string getCommonName() const override { | |
| 75 std::string common_name; | |
| 76 int common_name_length = X509_NAME_get_text_by_NID( | |
| 77 x509_->cert_info->subject, NID_commonName, NULL, 0); | |
| 78 if (common_name_length < 0) { | |
| 79 LOG(ERROR) << "Certificate does not have common name."; | |
|
Ryan Sleevi
2014/12/15 21:43:01
SPAM
sheretov
2014/12/16 08:44:21
Done.
| |
| 80 return ""; | |
|
Ryan Sleevi
2014/12/15 21:43:00
s/""/std::string()
sheretov
2014/12/16 08:44:21
Done.
| |
| 81 } | |
| 82 if (common_name_length > 0) { | |
| 83 common_name_length = X509_NAME_get_text_by_NID( | |
| 84 x509_->cert_info->subject, NID_commonName, | |
| 85 WriteInto(&common_name, common_name_length + 1), | |
|
Ryan Sleevi
2014/12/15 21:43:00
DANGER: You're adding before integer promotion, th
sheretov
2014/12/16 08:44:21
Done.
| |
| 86 common_name_length + 1); | |
| 87 DCHECK_EQ((int)common_name.size(), common_name_length); | |
|
Ryan Sleevi
2014/12/15 21:43:00
STYLE: static_cast<int>(common_name.size())
sheretov
2014/12/16 08:44:22
Done.
| |
| 88 if (common_name_length < 0) { | |
| 89 LOG(ERROR) << "Certificate does not have common name."; | |
|
Ryan Sleevi
2014/12/15 21:43:00
SPAM - and also false (considering line 82)
sheretov
2014/12/16 08:44:21
Done.
| |
| 90 return ""; | |
| 91 } | |
| 92 common_name.resize(common_name_length); | |
| 93 } | |
| 94 return common_name; | |
| 95 } | |
| 96 | |
| 97 private: | |
| 98 ScopedX509 x509_; | |
| 99 }; | |
| 100 | |
| 101 } // namespace | |
| 102 | |
| 103 VerificationResult VerifyCert(const base::StringPiece& device_cert, | |
| 104 const std::vector<std::string>& ica_certs, | |
| 105 CertVerificationContext** out_context) { | |
| 106 crypto::EnsureOpenSSLInit(); | |
| 107 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | |
| 108 | |
| 109 // Get the public key of the ICA that was used to sign the client's cert. | |
| 110 base::StringPiece ca_public_key_bytes; | |
| 111 if (ica_certs.size() <= 0) { | |
|
Ryan Sleevi
2014/12/15 21:43:00
BUG: It's impossible for a size_t to ever be < 0
sheretov
2014/12/16 08:44:22
Done.
| |
| 112 ca_public_key_bytes = cast_channel::GetDefaultTrustedICAPublicKey(); | |
| 113 } else { | |
| 114 ca_public_key_bytes = cast_channel::GetTrustedICAPublicKey(ica_certs[0]); | |
| 115 if (ca_public_key_bytes.empty()) { | |
| 116 LOG(ERROR) << "Couldn't find trusted ICA."; | |
| 117 return VerificationResult( | |
| 118 "failed to verify credentials: cert not signed by trusted CA", | |
| 119 VerificationResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); | |
| 120 } | |
| 121 } | |
| 122 | |
| 123 // Parse the CA public key. | |
| 124 const uint8_t* ca_ptr = | |
| 125 reinterpret_cast<const uint8_t*>(ca_public_key_bytes.data()); | |
| 126 const uint8_t* ca_public_key_end = ca_ptr + ca_public_key_bytes.size(); | |
| 127 crypto::ScopedRSA ca_public_key_rsa( | |
| 128 d2i_RSAPublicKey(NULL, &ca_ptr, ca_public_key_bytes.size())); | |
| 129 if (!ca_public_key_rsa || ca_ptr != ca_public_key_end) { | |
| 130 LOG(ERROR) << "Failed to import trusted public key."; | |
|
Ryan Sleevi
2014/12/15 21:43:01
SPAM
sheretov
2014/12/16 08:44:21
Done.
| |
| 131 return VerificationResult("failed to import trusted public key.", | |
|
Ryan Sleevi
2014/12/15 21:43:01
GRAMMAR: s/failed/Failed/
sheretov
2014/12/16 08:44:21
Done.
| |
| 132 VerificationResult::ERROR_CERT_PARSING_FAILED); | |
| 133 } | |
| 134 crypto::ScopedEVP_PKEY ca_public_key(EVP_PKEY_new()); | |
| 135 if (!ca_public_key || | |
| 136 !EVP_PKEY_set1_RSA(ca_public_key.get(), ca_public_key_rsa.get())) { | |
| 137 LOG(ERROR) << "Failed to initialize EVP_PKEY"; | |
|
Ryan Sleevi
2014/12/15 21:43:01
SPAM
sheretov
2014/12/16 08:44:22
Done.
| |
| 138 return VerificationResult( | |
| 139 "failed to initialize EVP_PKEY.", | |
|
Ryan Sleevi
2014/12/15 21:43:00
GRAMMAR: s/failed/Failed/
sheretov
2014/12/16 08:44:22
Done.
| |
| 140 VerificationResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY); | |
| 141 } | |
| 142 | |
| 143 // Parse the client auth certificate. | |
| 144 const uint8_t* device_cert_ptr = | |
| 145 reinterpret_cast<const uint8_t*>(device_cert.data()); | |
| 146 const uint8_t* device_cert_end = device_cert_ptr + device_cert.size(); | |
| 147 ScopedX509 device_cert_obj( | |
| 148 d2i_X509(NULL, &device_cert_ptr, device_cert.size())); | |
| 149 if (!device_cert_obj || device_cert_ptr != device_cert_end) { | |
| 150 LOG(ERROR) << "Failed to parse certificate."; | |
|
Ryan Sleevi
2014/12/15 21:43:00
SPAM
sheretov
2014/12/16 08:44:22
Done.
| |
| 151 return VerificationResult("failed to parse device certificate.", | |
|
Ryan Sleevi
2014/12/15 21:43:00
GRAMMAR: s/failed/Failed/
Ryan Sleevi
2014/12/15 21:43:01
GRAMMAR: s/parse device/parse device/
sheretov
2014/12/16 08:44:21
Done.
sheretov
2014/12/16 08:44:21
Done.
| |
| 152 VerificationResult::ERROR_CERT_PARSING_FAILED); | |
| 153 } | |
| 154 | |
| 155 // Verify device certificate. | |
| 156 if (X509_verify(device_cert_obj.get(), ca_public_key.get()) <= 0) { | |
| 157 LOG(ERROR) << "Certificate is not issued by a trusted CA."; | |
|
Ryan Sleevi
2014/12/15 21:43:01
SPAM
sheretov
2014/12/16 08:44:22
Done.
| |
| 158 return VerificationResult( | |
| 159 "cert not signed by trusted CA", | |
| 160 VerificationResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); | |
| 161 } | |
| 162 | |
| 163 if (out_context) | |
| 164 *out_context = | |
| 165 new CertVerificationContextOpenSSL(device_cert_obj.release()); | |
| 166 | |
| 167 return VerificationResult(); | |
| 168 } | |
| 169 | |
| 170 } // namespace cast_crypto | |
| 171 } // namespace core_api | |
| 172 } // namespace extensions | |
| OLD | NEW |
