| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <cryptohi.h> | 8 #include <cryptohi.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 #include <seccomon.h> | 10 #include <seccomon.h> |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 70 crypto::EnsureNSSInit(); | 70 crypto::EnsureNSSInit(); |
| 71 SECItem der_cert; | 71 SECItem der_cert; |
| 72 der_cert.type = siDERCertBuffer; | 72 der_cert.type = siDERCertBuffer; |
| 73 // Make a copy of certificate string so it is safe to type cast. | 73 // Make a copy of certificate string so it is safe to type cast. |
| 74 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>( | 74 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>( |
| 75 certificate.data())); | 75 certificate.data())); |
| 76 der_cert.len = certificate.length(); | 76 der_cert.len = certificate.length(); |
| 77 | 77 |
| 78 // Parse into a certificate structure. | 78 // Parse into a certificate structure. |
| 79 ScopedCERTCertificate cert(CERT_NewTempCertificate( | 79 ScopedCERTCertificate cert(CERT_NewTempCertificate( |
| 80 CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE)); | 80 CERT_GetDefaultCertDB(), &der_cert, nullptr, PR_FALSE, PR_TRUE)); |
| 81 if (!cert.get()) { | 81 if (!cert.get()) { |
| 82 return AuthResult::CreateWithNSSError( | 82 return AuthResult::CreateWithNSSError( |
| 83 "Failed to parse certificate.", | 83 "Failed to parse certificate.", |
| 84 AuthResult::ERROR_CERT_PARSING_FAILED, PORT_GetError()); | 84 AuthResult::ERROR_CERT_PARSING_FAILED, PORT_GetError()); |
| 85 } | 85 } |
| 86 | 86 |
| 87 // Check that the certificate is signed by trusted CA. | 87 // Check that the certificate is signed by trusted CA. |
| 88 // NOTE: We const_cast trusted_ca_key_der since on some platforms | 88 // NOTE: We const_cast trusted_ca_key_der since on some platforms |
| 89 // SECKEY_ImportDERPublicKey API takes in SECItem* and not const | 89 // SECKEY_ImportDERPublicKey API takes in SECItem* and not const |
| 90 // SECItem*. | 90 // SECItem*. |
| 91 crypto::ScopedSECKEYPublicKey ca_public_key( | 91 crypto::ScopedSECKEYPublicKey ca_public_key( |
| 92 SECKEY_ImportDERPublicKey(&trusted_ca_key_der, CKK_RSA)); | 92 SECKEY_ImportDERPublicKey(&trusted_ca_key_der, CKK_RSA)); |
| 93 if (!ca_public_key) { | 93 if (!ca_public_key) { |
| 94 return AuthResult::CreateWithNSSError( | 94 return AuthResult::CreateWithNSSError( |
| 95 "Failed to import public key from CA certificate.", | 95 "Failed to import public key from CA certificate.", |
| 96 AuthResult::ERROR_CERT_PARSING_FAILED, PORT_GetError()); | 96 AuthResult::ERROR_CERT_PARSING_FAILED, PORT_GetError()); |
| 97 } | 97 } |
| 98 SECStatus verified = CERT_VerifySignedDataWithPublicKey( | 98 SECStatus verified = CERT_VerifySignedDataWithPublicKey( |
| 99 &cert->signatureWrap, ca_public_key.get(), NULL); | 99 &cert->signatureWrap, ca_public_key.get(), nullptr); |
| 100 if (verified != SECSuccess) { | 100 if (verified != SECSuccess) { |
| 101 return AuthResult::CreateWithNSSError( | 101 return AuthResult::CreateWithNSSError( |
| 102 "Cert not signed by trusted CA", | 102 "Cert not signed by trusted CA", |
| 103 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, PORT_GetError()); | 103 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, PORT_GetError()); |
| 104 } | 104 } |
| 105 | 105 |
| 106 VLOG(1) << "Cert signed by trusted CA"; | 106 VLOG(1) << "Cert signed by trusted CA"; |
| 107 | 107 |
| 108 // Verify that the |signature| matches |peer_cert|. | 108 // Verify that the |signature| matches |peer_cert|. |
| 109 crypto::ScopedSECKEYPublicKey public_key(CERT_ExtractPublicKey(cert.get())); | 109 crypto::ScopedSECKEYPublicKey public_key(CERT_ExtractPublicKey(cert.get())); |
| 110 if (!public_key.get()) { | 110 if (!public_key.get()) { |
| 111 return AuthResult::CreateWithNSSError( | 111 return AuthResult::CreateWithNSSError( |
| 112 "Unable to extract public key from certificate", | 112 "Unable to extract public key from certificate", |
| 113 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, PORT_GetError()); | 113 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, PORT_GetError()); |
| 114 } | 114 } |
| 115 SECItem signature_item; | 115 SECItem signature_item; |
| 116 signature_item.type = siBuffer; | 116 signature_item.type = siBuffer; |
| 117 signature_item.data = reinterpret_cast<unsigned char*>( | 117 signature_item.data = reinterpret_cast<unsigned char*>( |
| 118 const_cast<char*>(signature.data())); | 118 const_cast<char*>(signature.data())); |
| 119 signature_item.len = signature.length(); | 119 signature_item.len = signature.length(); |
| 120 verified = VFY_VerifyDataDirect( | 120 verified = VFY_VerifyDataDirect( |
| 121 reinterpret_cast<unsigned char*>(const_cast<char*>(peer_cert.data())), | 121 reinterpret_cast<unsigned char*>(const_cast<char*>(peer_cert.data())), |
| 122 peer_cert.size(), | 122 peer_cert.size(), public_key.get(), &signature_item, |
| 123 public_key.get(), | 123 SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA1, nullptr, nullptr); |
| 124 &signature_item, | |
| 125 SEC_OID_PKCS1_RSA_ENCRYPTION, | |
| 126 SEC_OID_SHA1, NULL, NULL); | |
| 127 | 124 |
| 128 if (verified != SECSuccess) { | 125 if (verified != SECSuccess) { |
| 129 return AuthResult::CreateWithNSSError( | 126 return AuthResult::CreateWithNSSError( |
| 130 "Signed blobs did not match", | 127 "Signed blobs did not match", |
| 131 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, | 128 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, |
| 132 PORT_GetError()); | 129 PORT_GetError()); |
| 133 } | 130 } |
| 134 | 131 |
| 135 VLOG(1) << "Signature verification succeeded"; | 132 VLOG(1) << "Signature verification succeeded"; |
| 136 | 133 |
| 137 return AuthResult(); | 134 return AuthResult(); |
| 138 } | 135 } |
| 139 | 136 |
| 140 } // namespace cast_channel | 137 } // namespace cast_channel |
| 141 } // namespace core_api | 138 } // namespace core_api |
| 142 } // namespace extensions | 139 } // namespace extensions |
| OLD | NEW |