1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/net/certificate_error_reporter.h"
9 #include "base/logging.h"
10 #include "chrome/browser/net/encrypted_cert_logger.pb.h"
12 #if defined(USE_OPENSSL)
13 #include "crypto/aead_openssl.h"
16 #include "crypto/curve25519.h"
17 #include "crypto/hkdf.h"
18 #include "crypto/random.h"
19 #include "net/url_request/certificate_report_sender.h"
23 // Constants used for crypto. The corresponding private key is used by
24 // the SafeBrowsing client-side detection server to decrypt reports.
25 static const uint8 kServerPublicKey
[] = {
26 0x51, 0xcc, 0x52, 0x67, 0x42, 0x47, 0x3b, 0x10, 0xe8, 0x63, 0x18,
27 0x3c, 0x61, 0xa7, 0x96, 0x76, 0x86, 0x91, 0x40, 0x71, 0x39, 0x5f,
28 0x31, 0x1a, 0x39, 0x5b, 0x76, 0xb1, 0x6b, 0x3d, 0x6a, 0x2b};
29 static const uint32 kServerPublicKeyVersion
= 1;
31 #if defined(USE_OPENSSL)
33 static const char kHkdfLabel
[] = "certificate report";
35 std::string
GetHkdfSubkeySecret(size_t subkey_length
,
36 const uint8
* private_key
,
37 const uint8
* public_key
) {
38 uint8 shared_secret
[crypto::curve25519::kBytes
];
39 crypto::curve25519::ScalarMult(private_key
, public_key
, shared_secret
);
41 // By mistake, the HKDF label here ends up with an extra null byte on
42 // the end, due to using sizeof(kHkdfLabel) in the StringPiece
43 // constructor instead of strlen(kHkdfLabel). Ideally this code should
44 // be just passing kHkdfLabel directly into the HKDF constructor.
46 // TODO(estark): fix this in coordination with the server-side code --
47 // perhaps by rolling the public key version forward and using the
48 // version to decide whether to use the extra-null-byte version of the
49 // label. https://crbug.com/517746
50 crypto::HKDF
hkdf(base::StringPiece(reinterpret_cast<char*>(shared_secret
),
51 sizeof(shared_secret
)),
53 base::StringPiece(kHkdfLabel
, sizeof(kHkdfLabel
)),
54 0 /* key bytes */, 0 /* iv bytes */, subkey_length
);
56 return hkdf
.subkey_secret().as_string();
59 bool EncryptSerializedReport(
60 const uint8
* server_public_key
,
61 uint32 server_public_key_version
,
62 const std::string
& report
,
63 chrome_browser_net::EncryptedCertLoggerRequest
* encrypted_report
) {
64 // Generate an ephemeral key pair to generate a shared secret.
65 uint8 public_key
[crypto::curve25519::kBytes
];
66 uint8 private_key
[crypto::curve25519::kScalarBytes
];
68 crypto::RandBytes(private_key
, sizeof(private_key
));
69 crypto::curve25519::ScalarBaseMult(private_key
, public_key
);
71 crypto::Aead
aead(crypto::Aead::AES_128_CTR_HMAC_SHA256
);
72 const std::string key
=
73 GetHkdfSubkeySecret(aead
.KeyLength(), private_key
,
74 reinterpret_cast<const uint8
*>(server_public_key
));
77 // Use an all-zero nonce because the key is random per-message.
78 std::string
nonce(aead
.NonceLength(), '\0');
80 std::string ciphertext
;
81 if (!aead
.Seal(report
, nonce
, std::string(), &ciphertext
)) {
82 LOG(ERROR
) << "Error sealing certificate report.";
86 encrypted_report
->set_encrypted_report(ciphertext
);
87 encrypted_report
->set_server_public_key_version(server_public_key_version
);
88 encrypted_report
->set_client_public_key(reinterpret_cast<char*>(public_key
),
90 encrypted_report
->set_algorithm(
91 chrome_browser_net::EncryptedCertLoggerRequest::
92 AEAD_ECDH_AES_128_CTR_HMAC_SHA256
);
99 namespace chrome_browser_net
{
101 CertificateErrorReporter::CertificateErrorReporter(
102 net::URLRequestContext
* request_context
,
103 const GURL
& upload_url
,
104 net::CertificateReportSender::CookiesPreference cookies_preference
)
105 : CertificateErrorReporter(upload_url
,
107 kServerPublicKeyVersion
,
108 make_scoped_ptr(new net::CertificateReportSender(
110 cookies_preference
))) {}
112 CertificateErrorReporter::CertificateErrorReporter(
113 const GURL
& upload_url
,
114 const uint8 server_public_key
[/* 32 */],
115 const uint32 server_public_key_version
,
116 scoped_ptr
<net::CertificateReportSender
> certificate_report_sender
)
117 : certificate_report_sender_(certificate_report_sender
.Pass()),
118 upload_url_(upload_url
),
119 server_public_key_(server_public_key
),
120 server_public_key_version_(server_public_key_version
) {
121 DCHECK(certificate_report_sender_
);
122 DCHECK(!upload_url
.is_empty());
125 CertificateErrorReporter::~CertificateErrorReporter() {
128 void CertificateErrorReporter::SendExtendedReportingReport(
129 const std::string
& serialized_report
) {
130 if (upload_url_
.SchemeIsCryptographic()) {
131 certificate_report_sender_
->Send(upload_url_
, serialized_report
);
133 DCHECK(IsHttpUploadUrlSupported());
134 #if defined(USE_OPENSSL)
135 EncryptedCertLoggerRequest encrypted_report
;
136 if (!EncryptSerializedReport(server_public_key_
, server_public_key_version_
,
137 serialized_report
, &encrypted_report
)) {
138 LOG(ERROR
) << "Failed to encrypt serialized report.";
141 std::string serialized_encrypted_report
;
142 encrypted_report
.SerializeToString(&serialized_encrypted_report
);
143 certificate_report_sender_
->Send(upload_url_
, serialized_encrypted_report
);
148 bool CertificateErrorReporter::IsHttpUploadUrlSupported() {
149 #if defined(USE_OPENSSL)
156 // Used only by tests.
157 #if defined(USE_OPENSSL)
158 bool CertificateErrorReporter::DecryptCertificateErrorReport(
159 const uint8 server_private_key
[32],
160 const EncryptedCertLoggerRequest
& encrypted_report
,
161 std::string
* decrypted_serialized_report
) {
162 crypto::Aead
aead(crypto::Aead::AES_128_CTR_HMAC_SHA256
);
163 const std::string key
=
164 GetHkdfSubkeySecret(aead
.KeyLength(), server_private_key
,
165 reinterpret_cast<const uint8
*>(
166 encrypted_report
.client_public_key().data()));
169 // Use an all-zero nonce because the key is random per-message.
170 std::string
nonce(aead
.NonceLength(), 0);
172 return aead
.Open(encrypted_report
.encrypted_report(), nonce
, std::string(),
173 decrypted_serialized_report
);
177 } // namespace chrome_browser_net
