| OLD | NEW |
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include <openssl/asn1.h> | |
| 6 #include <openssl/bytestring.h> | |
| 7 #include <openssl/evp.h> | |
| 8 #include <openssl/obj.h> | |
| 9 #include <openssl/x509.h> | |
| 10 | |
| 11 #include "base/logging.h" | |
| 12 #include "crypto/scoped_openssl_types.h" | |
| 13 #include "net/cert/sha256_legacy_support_win.h" | |
| 14 | |
| 15 namespace net { | |
| 16 | |
| 17 namespace sha256_interception { | |
| 18 | |
| 19 namespace { | |
| 20 | |
| 21 typedef crypto::ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free>::Type | |
| 22 ScopedX509_ALGOR; | |
| 23 | |
| 24 // Parses |subject_signature| and writes the components into |*out_tbs_data|, | |
| 25 // |*out_algor|, and |*out_signature|. The BIT STRING in the signature must be | |
| 26 // a multiple of 8 bits. |*out_signature| will have the padding byte removed. | |
| 27 // It returns true on success and false on failure. | |
| 28 bool ParseSubjectSignature(const base::StringPiece& subject_signature, | |
| 29 CBS* out_tbs_data, | |
| 30 ScopedX509_ALGOR* out_algor, | |
| 31 CBS* out_signature) { | |
| 32 CBS cbs, sequence, tbs_data, algorithm, signature; | |
| 33 CBS_init(&cbs, reinterpret_cast<const uint8_t*>(subject_signature.data()), | |
| 34 subject_signature.size()); | |
| 35 if (!CBS_get_asn1(&cbs, &sequence, CBS_ASN1_SEQUENCE) || | |
| 36 CBS_len(&cbs) != 0 || | |
| 37 !CBS_get_any_asn1_element(&sequence, &tbs_data, nullptr, nullptr) || | |
| 38 !CBS_get_asn1_element(&sequence, &algorithm, | |
| 39 CBS_ASN1_SEQUENCE) || | |
| 40 !CBS_get_asn1(&sequence, &signature, CBS_ASN1_BITSTRING) || | |
| 41 CBS_len(&sequence) != 0) { | |
| 42 return false; | |
| 43 } | |
| 44 | |
| 45 // Decode the algorithm. | |
| 46 const uint8_t* ptr = CBS_data(&algorithm); | |
| 47 ScopedX509_ALGOR algor(d2i_X509_ALGOR(NULL, &ptr, CBS_len(&algorithm))); | |
| 48 if (!algor || ptr != CBS_data(&algorithm) + CBS_len(&algorithm)) | |
| 49 return false; | |
| 50 | |
| 51 // An ASN.1 BIT STRING is encoded with a leading byte denoting the number of | |
| 52 // padding bits. All supported signature algorithms output octets, so the | |
| 53 // leading byte must be zero. | |
| 54 uint8_t padding; | |
| 55 if (!CBS_get_u8(&signature, &padding) || padding != 0) | |
| 56 return false; | |
| 57 | |
| 58 *out_tbs_data = tbs_data; | |
| 59 *out_algor = algor.Pass(); | |
| 60 *out_signature = signature; | |
| 61 return true; | |
| 62 } | |
| 63 | |
| 64 } // namespace | |
| 65 | |
| 66 BOOL CryptVerifyCertificateSignatureExHook( | |
| 67 CryptVerifyCertificateSignatureExFunc original_func, | |
| 68 HCRYPTPROV_LEGACY provider, | |
| 69 DWORD encoding_type, | |
| 70 DWORD subject_type, | |
| 71 void* subject_data, | |
| 72 DWORD issuer_type, | |
| 73 void* issuer_data, | |
| 74 DWORD flags, | |
| 75 void* extra) { | |
| 76 CHECK(original_func); | |
| 77 | |
| 78 // Only intercept if the arguments are supported. | |
| 79 if (provider != NULL || (encoding_type != X509_ASN_ENCODING) || | |
| 80 !IsSupportedSubjectType(subject_type) || subject_data == NULL || | |
| 81 !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) { | |
| 82 return original_func(provider, encoding_type, subject_type, subject_data, | |
| 83 issuer_type, issuer_data, flags, extra); | |
| 84 } | |
| 85 | |
| 86 base::StringPiece subject_signature = | |
| 87 GetSubjectSignature(subject_type, subject_data); | |
| 88 bool should_intercept = false; | |
| 89 | |
| 90 // Parse out the data, AlgorithmIdentifier, and signature. | |
| 91 CBS tbs_data, signature; | |
| 92 ScopedX509_ALGOR algor; | |
| 93 if (ParseSubjectSignature(subject_signature, &tbs_data, &algor, | |
| 94 &signature)) { | |
| 95 // If the signature algorithm is RSA with one of the SHA-2 algorithms | |
| 96 // supported by BoringSSL (excluding SHA-224, which is pointless), then | |
| 97 // defer to the BoringSSL implementation. Otherwise, fall back and let the | |
| 98 // OS handle it (e.g. in case there are any algorithm policies in effect). | |
| 99 int nid = OBJ_obj2nid(algor->algorithm); | |
| 100 if (nid == NID_sha256WithRSAEncryption || | |
| 101 nid == NID_sha384WithRSAEncryption || | |
| 102 nid == NID_sha512WithRSAEncryption) { | |
| 103 should_intercept = true; | |
| 104 } | |
| 105 } | |
| 106 | |
| 107 if (!should_intercept) { | |
| 108 return original_func(provider, encoding_type, subject_type, subject_data, | |
| 109 issuer_type, issuer_data, flags, extra); | |
| 110 } | |
| 111 | |
| 112 // Rather than attempting to synthesize an EVP_PKEY by hand, just force the | |
| 113 // OS to do an ASN.1 encoding and then decode it back into BoringSSL. This | |
| 114 // is silly for performance, but safest for consistency. | |
| 115 PCERT_PUBLIC_KEY_INFO issuer_public_key = | |
| 116 GetIssuerPublicKey(issuer_type, issuer_data); | |
| 117 if (!issuer_public_key) { | |
| 118 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
| 119 return FALSE; | |
| 120 } | |
| 121 | |
| 122 uint8_t* issuer_spki_data = NULL; | |
| 123 DWORD issuer_spki_len = 0; | |
| 124 if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, | |
| 125 issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL, | |
| 126 &issuer_spki_data, &issuer_spki_len)) { | |
| 127 return FALSE; | |
| 128 } | |
| 129 | |
| 130 const uint8_t* ptr = issuer_spki_data; | |
| 131 crypto::ScopedEVP_PKEY pubkey(d2i_PUBKEY(NULL, &ptr, issuer_spki_len)); | |
| 132 if (!pubkey.get() || ptr != issuer_spki_data + issuer_spki_len) { | |
| 133 ::LocalFree(issuer_spki_data); | |
| 134 SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); | |
| 135 return FALSE; | |
| 136 } | |
| 137 ::LocalFree(issuer_spki_data); | |
| 138 | |
| 139 crypto::ScopedEVP_MD_CTX md_ctx(EVP_MD_CTX_create()); | |
| 140 if (!EVP_DigestVerifyInitFromAlgorithm(md_ctx.get(), algor.get(), | |
| 141 pubkey.get()) || | |
| 142 !EVP_DigestVerifyUpdate(md_ctx.get(), CBS_data(&tbs_data), | |
| 143 CBS_len(&tbs_data)) || | |
| 144 !EVP_DigestVerifyFinal(md_ctx.get(), CBS_data(&signature), | |
| 145 CBS_len(&signature))) { | |
| 146 SetLastError(static_cast<DWORD>(NTE_BAD_SIGNATURE)); | |
| 147 return FALSE; | |
| 148 } | |
| 149 return TRUE; | |
| 150 } | |
| 151 | |
| 152 } // namespace sha256_interception | |
| 153 | |
| 154 } // namespace net | |
| OLD | NEW |