Refactoring of Cast-related crypto code

extensions/common/cast/cast_cert_validator_openssl.cc

Index: extensions/common/cast/cast_cert_validator_openssl.cc
diff --git a/extensions/common/cast/cast_cert_validator_openssl.cc b/extensions/common/cast/cast_cert_validator_openssl.cc
new file mode 100644
index 0000000000000000000000000000000000000000..d787d4d0f980c5e061498ad002f49a6cce4731ff
--- /dev/null
+++ b/extensions/common/cast/cast_cert_validator_openssl.cc
@@ -0,0 +1,172 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "extensions/common/cast/cast_cert_validator.h"
+
+#include <openssl/digest.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "base/logging.h"
+#include "base/strings/string_util.h"
+#include "base/strings/stringprintf.h"
+#include "crypto/openssl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "extensions/browser/api/cast_channel/cast_auth_ica.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util_openssl.h"
+
+namespace extensions {
+namespace core_api {
+namespace cast_crypto {
+namespace {
+
+typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
+
+class CertVerificationContextOpenSSL : public CertVerificationContext {
+ public:
+  // Takes ownership of the passed-in x509 object
+  explicit CertVerificationContextOpenSSL(X509* x509) : x509_(x509) {}
+
+  VerificationResult VerifySignatureOverData(
+      const base::StringPiece& signature,
+      const base::StringPiece& data) const override {
+    // retrieve public key object
+    crypto::ScopedEVP_PKEY public_key(X509_get_pubkey(x509_.get()));
+    if (!public_key) {
+      LOG(ERROR) << "Failed to extract device certificate public key.";

[Ryan Sleevi, 2014/12/15 21:43:01]

SPAM: Unnecessary, covered on line 41.

[sheretov, 2014/12/16 08:44:21]

Done.

+      return VerificationResult(
+          "Failed to extract device certificate public key.",
+          VerificationResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY);
+    }
+
+    // Make sure the key is RSA
+    const int public_key_type = EVP_PKEY_id(public_key.get());
+    if (public_key_type != EVP_PKEY_RSA) {
+      LOG(ERROR) << "Expected RSA key type for client certificate, got "
+                 << public_key_type << " instead.";

[Ryan Sleevi, 2014/12/15 21:43:01]

SPAM: Unnecessary, line 51 covers this.

[sheretov, 2014/12/16 08:44:22]

Done.

+      return VerificationResult(
+          "Public key algorithm is unsupported.",
+          VerificationResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY);
+    }
+
+    const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+    if (!ctx ||
+        !EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL,
+                              public_key.get()) ||
+        !EVP_DigestVerifyUpdate(ctx.get(), data.data(), data.size())) {
+      return VerificationResult("Signature verification operation failed.",
+                                VerificationResult::ERROR_CRYPTO_LIBRARY);
+    }
+    if (EVP_DigestVerifyFinal(
+            ctx.get(),
+            reinterpret_cast<uint8_t*>(const_cast<char*>(signature.data())),
+            signature.size()) <= 0) {
+      return VerificationResult("Signature is invalid.",
+                                VerificationResult::ERROR_SIGNATURE_INVALID);
+    }
+
+    return VerificationResult();
+  }
+
+  std::string getCommonName() const override {
+    std::string common_name;
+    int common_name_length = X509_NAME_get_text_by_NID(
+        x509_->cert_info->subject, NID_commonName, NULL, 0);
+    if (common_name_length < 0) {
+      LOG(ERROR) << "Certificate does not have common name.";

[Ryan Sleevi, 2014/12/15 21:43:01]

SPAM

[sheretov, 2014/12/16 08:44:21]

Done.

+      return "";

[Ryan Sleevi, 2014/12/15 21:43:00]

s/""/std::string()

[sheretov, 2014/12/16 08:44:21]

Done.

+    }
+    if (common_name_length > 0) {
+      common_name_length = X509_NAME_get_text_by_NID(
+          x509_->cert_info->subject, NID_commonName,
+          WriteInto(&common_name, common_name_length + 1),

[Ryan Sleevi, 2014/12/15 21:43:00]

DANGER: You're adding before integer promotion, thus may overflow into a
negative value if common_name_length == INT_MAX.

While this should crash do to the OOM handler, you're better off making your
promotion explicit

static_cast<size_t>(common_name_length) + 1

[sheretov, 2014/12/16 08:44:21]

Done.

+          common_name_length + 1);
+      DCHECK_EQ((int)common_name.size(), common_name_length);

[Ryan Sleevi, 2014/12/15 21:43:00]

STYLE: static_cast<int>(common_name.size())

[sheretov, 2014/12/16 08:44:22]

Done.

+      if (common_name_length < 0) {
+        LOG(ERROR) << "Certificate does not have common name.";

[Ryan Sleevi, 2014/12/15 21:43:00]

SPAM - and also false (considering line 82)

[sheretov, 2014/12/16 08:44:21]

Done.

+        return "";
+      }
+      common_name.resize(common_name_length);
+    }
+    return common_name;
+  }
+
+ private:
+  ScopedX509 x509_;
+};
+
+}  // namespace
+
+VerificationResult VerifyCert(const base::StringPiece& device_cert,
+                              const std::vector<std::string>& ica_certs,
+                              CertVerificationContext** out_context) {
+  crypto::EnsureOpenSSLInit();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  // Get the public key of the ICA that was used to sign the client's cert.
+  base::StringPiece ca_public_key_bytes;
+  if (ica_certs.size() <= 0) {

[Ryan Sleevi, 2014/12/15 21:43:00]

BUG: It's impossible for a size_t to ever be < 0

if (ica_certs.empty())

[sheretov, 2014/12/16 08:44:22]

Done.

+    ca_public_key_bytes = cast_channel::GetDefaultTrustedICAPublicKey();
+  } else {
+    ca_public_key_bytes = cast_channel::GetTrustedICAPublicKey(ica_certs[0]);
+    if (ca_public_key_bytes.empty()) {
+      LOG(ERROR) << "Couldn't find trusted ICA.";
+      return VerificationResult(
+          "failed to verify credentials: cert not signed by trusted CA",
+          VerificationResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA);
+    }
+  }
+
+  // Parse the CA public key.
+  const uint8_t* ca_ptr =
+      reinterpret_cast<const uint8_t*>(ca_public_key_bytes.data());
+  const uint8_t* ca_public_key_end = ca_ptr + ca_public_key_bytes.size();
+  crypto::ScopedRSA ca_public_key_rsa(
+      d2i_RSAPublicKey(NULL, &ca_ptr, ca_public_key_bytes.size()));
+  if (!ca_public_key_rsa || ca_ptr != ca_public_key_end) {
+    LOG(ERROR) << "Failed to import trusted public key.";

[Ryan Sleevi, 2014/12/15 21:43:01]

SPAM

[sheretov, 2014/12/16 08:44:21]

Done.

+    return VerificationResult("failed to import trusted public key.",

[Ryan Sleevi, 2014/12/15 21:43:01]

GRAMMAR: s/failed/Failed/

[sheretov, 2014/12/16 08:44:21]

Done.

+                              VerificationResult::ERROR_CERT_PARSING_FAILED);
+  }
+  crypto::ScopedEVP_PKEY ca_public_key(EVP_PKEY_new());
+  if (!ca_public_key ||
+      !EVP_PKEY_set1_RSA(ca_public_key.get(), ca_public_key_rsa.get())) {
+    LOG(ERROR) << "Failed to initialize EVP_PKEY";

[Ryan Sleevi, 2014/12/15 21:43:01]

SPAM

[sheretov, 2014/12/16 08:44:22]

Done.

+    return VerificationResult(
+        "failed to initialize EVP_PKEY.",

[Ryan Sleevi, 2014/12/15 21:43:00]

GRAMMAR: s/failed/Failed/

[sheretov, 2014/12/16 08:44:22]

Done.

+        VerificationResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY);
+  }
+
+  // Parse the client auth certificate.
+  const uint8_t* device_cert_ptr =
+      reinterpret_cast<const uint8_t*>(device_cert.data());
+  const uint8_t* device_cert_end = device_cert_ptr + device_cert.size();
+  ScopedX509 device_cert_obj(
+      d2i_X509(NULL, &device_cert_ptr, device_cert.size()));
+  if (!device_cert_obj || device_cert_ptr != device_cert_end) {
+    LOG(ERROR) << "Failed to parse certificate.";

[Ryan Sleevi, 2014/12/15 21:43:00]

SPAM

[sheretov, 2014/12/16 08:44:22]

Done.

+    return VerificationResult("failed to parse  device certificate.",

[Ryan Sleevi, 2014/12/15 21:43:00]

GRAMMAR: s/failed/Failed/

[Ryan Sleevi, 2014/12/15 21:43:01]

GRAMMAR: s/parse  device/parse device/

[sheretov, 2014/12/16 08:44:21]

Done.

[sheretov, 2014/12/16 08:44:21]

Done.

+                              VerificationResult::ERROR_CERT_PARSING_FAILED);
+  }
+
+  // Verify device certificate.
+  if (X509_verify(device_cert_obj.get(), ca_public_key.get()) <= 0) {
+    LOG(ERROR) << "Certificate is not issued by a trusted CA.";

[Ryan Sleevi, 2014/12/15 21:43:01]

SPAM

[sheretov, 2014/12/16 08:44:22]

Done.

+    return VerificationResult(
+        "cert not signed by trusted CA",
+        VerificationResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA);
+  }
+
+  if (out_context)
+    *out_context =
+        new CertVerificationContextOpenSSL(device_cert_obj.release());
+
+  return VerificationResult();
+}
+
+}  // namespace cast_crypto
+}  // namespace core_api
+}  // namespace extensions