Refactoring of Cast-related crypto code

extensions/common/cast/cast_cert_validator_openssl.cc

Index: extensions/common/cast/cast_cert_validator_openssl.cc
diff --git a/extensions/common/cast/cast_cert_validator_openssl.cc b/extensions/common/cast/cast_cert_validator_openssl.cc
new file mode 100644
index 0000000000000000000000000000000000000000..35303b9925c39d0a2e30847cf7510f68b263c395
--- /dev/null
+++ b/extensions/common/cast/cast_cert_validator_openssl.cc
@@ -0,0 +1,158 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "extensions/common/cast/cast_cert_validator.h"

[mark a. foltz, 2014/12/18 00:43:42]

Similar question here.

[sheretov, 2015/01/03 03:18:02]

Similar answer as with the NSS implementation.

+
+#include <openssl/digest.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "base/strings/stringprintf.h"
+#include "crypto/openssl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "extensions/browser/api/cast_channel/cast_auth_ica.h"
+#include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util_openssl.h"
+
+namespace extensions {
+namespace core_api {
+namespace cast_crypto {
+namespace {
+
+typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
+
+class CertVerificationContextOpenSSL : public CertVerificationContext {
+ public:
+  // Takes ownership of the passed-in x509 object
+  explicit CertVerificationContextOpenSSL(X509* x509) : x509_(x509) {}
+
+  VerificationResult VerifySignatureOverData(
+      const base::StringPiece& signature,
+      const base::StringPiece& data) const override {
+    // Retrieve public key object.
+    crypto::ScopedEVP_PKEY public_key(X509_get_pubkey(x509_.get()));
+    if (!public_key)
+      return VerificationResult(
+          "Failed to extract device certificate public key.",
+          VerificationResult::ERROR_CERT_INVALID);
+
+    // Make sure the key is RSA.
+    const int public_key_type = EVP_PKEY_id(public_key.get());
+    if (public_key_type != EVP_PKEY_RSA)
+      return VerificationResult(
+          std::string("Expected RSA key type for client certificate, got ") +
+              base::IntToString(public_key_type) + " instead.",
+          VerificationResult::ERROR_CERT_INVALID);
+
+    // Verify signature.
+    const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
+    if (!ctx ||
+        !EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL,
+                              public_key.get()) ||
+        !EVP_DigestVerifyUpdate(ctx.get(), data.data(), data.size()) ||
+        !EVP_DigestVerifyFinal(
+            ctx.get(), reinterpret_cast<const uint8_t*>(signature.data()),
+            signature.size()))
+      return VerificationResult("Signature verification failed.",
+                                VerificationResult::ERROR_SIGNATURE_INVALID);
+
+    return VerificationResult();
+  }
+
+  std::string GetCommonName() const override {
+    int common_name_length = X509_NAME_get_text_by_NID(
+        x509_->cert_info->subject, NID_commonName, NULL, 0);
+    if (common_name_length < 0)
+      return std::string();
+    std::string common_name;
+    common_name_length = X509_NAME_get_text_by_NID(
+        x509_->cert_info->subject, NID_commonName,
+        WriteInto(&common_name, static_cast<size_t>(common_name_length) + 1),
+        common_name_length + 1);
+    if (common_name_length < 0)
+      return std::string();
+    return common_name;
+  }
+
+ private:
+  ScopedX509 x509_;
+};
+
+}  // namespace
+
+VerificationResult VerifyDeviceCert(
+    const base::StringPiece& device_cert,
+    const std::vector<std::string>& ica_certs,
+    scoped_ptr<CertVerificationContext>* context) {
+  crypto::EnsureOpenSSLInit();
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  // If the list of intermediates is empty then use kPublicKeyICA1 as
+  // the trusted CA (legacy case).
+  // Otherwise, use the first intermediate in the list as long as it
+  // is in the allowed list of intermediates.
+  base::StringPiece ica_public_key_der =
+      (ica_certs.size() == 0)
+          ? cast_channel::GetDefaultTrustedICAPublicKey()
+          : cast_channel::GetTrustedICAPublicKey(ica_certs[0]);
+
+  if (ica_public_key_der.empty())
+    return VerificationResult(
+        "Device certificate is not signed by a trusted CA",
+        VerificationResult::ERROR_CERT_UNTRUSTED);
+
+  // Initialize the ICA public key.
+  const uint8_t* ica_public_key_der_ptr =
+      reinterpret_cast<const uint8_t*>(ica_public_key_der.data());
+  const uint8_t* ica_public_key_der_end =
+      ica_public_key_der_ptr + ica_public_key_der.size();
+  crypto::ScopedRSA ica_public_key_rsa(d2i_RSAPublicKey(
+      NULL, &ica_public_key_der_ptr, ica_public_key_der.size()));
+  if (!ica_public_key_rsa || ica_public_key_der_ptr != ica_public_key_der_end)
+    return VerificationResult("Failed to import trusted public key.",
+                              VerificationResult::ERROR_INTERNAL);
+
+  crypto::ScopedEVP_PKEY ica_public_key_evp(EVP_PKEY_new());
+  if (!ica_public_key_evp ||
+      !EVP_PKEY_set1_RSA(ica_public_key_evp.get(), ica_public_key_rsa.get()))
+    return VerificationResult("Failed to import trusted public key.",
+                              VerificationResult::ERROR_INTERNAL);
+
+  // Parse the device certificate.
+  const uint8_t* device_cert_der_ptr =
+      reinterpret_cast<const uint8_t*>(device_cert.data());
+  const uint8_t* device_cert_der_end = device_cert_der_ptr + device_cert.size();
+  ScopedX509 device_cert_x509(
+      d2i_X509(NULL, &device_cert_der_ptr, device_cert.size()));
+  if (!device_cert_x509 || device_cert_der_ptr != device_cert_der_end)
+    return VerificationResult("Failed to parse device certificate.",
+                              VerificationResult::ERROR_CERT_INVALID);
+
+  // Verify device certificate.
+  if (X509_verify(device_cert_x509.get(), ica_public_key_evp.get()) != 1) {
+    return VerificationResult(
+        "Device certificate signature verification failed.",
+        VerificationResult::ERROR_CERT_INVALID);
+  }
+
+  if (context) {
+    scoped_ptr<CertVerificationContext> tmpPtr(
+        new CertVerificationContextOpenSSL(device_cert_x509.release()));
+    tmpPtr.swap(*context);
+  }
+
+  return VerificationResult();
+}
+
+std::string VerificationResult::GetLogString() const {
+  return error_message;
+}
+
+}  // namespace cast_crypto
+}  // namespace core_api
+}  // namespace extensions