search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Delete chrome.mediaGalleriesPrivate because the functionality unique to it has since...
[chromium-blink-merge.git] / extensions / browser / api / cast_channel / cast_auth_util_openssl.cc
blobb662840b6fc8d0e916f812217aeee9324edc0492
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
6
7 #include <openssl/evp.h>
8 #include <openssl/rsa.h>
9 #include <openssl/x509.h>
10 #include <stddef.h>
11
12 #include "base/logging.h"
13 #include "base/strings/stringprintf.h"
14 #include "crypto/openssl_util.h"
15 #include "crypto/scoped_openssl_types.h"
16 #include "extensions/browser/api/cast_channel/cast_auth_ica.h"
17 #include "extensions/browser/api/cast_channel/cast_message_util.h"
18 #include "extensions/common/api/cast_channel/cast_channel.pb.h"
19 #include "net/cert/x509_certificate.h"
20 #include "net/cert/x509_util_openssl.h"
21
22 namespace extensions {
23 namespace core_api {
24 namespace cast_channel {
25 namespace {
26
27 typedef crypto::ScopedOpenSSL<X509, X509_free>::Type ScopedX509;
28
29 } // namespace
30
31 // This function does the following
32 // * Verifies that the trusted CA |response.intermediate_certificate| is
33 // whitelisted for use.
34 // * Verifies that |response.client_auth_certificate| is signed
35 // by the trusted CA certificate.
36 // * Verifies that |response.signature| matches the signature
37 // of |peer_cert| by |response.client_auth_certificate|'s public
38 // key.
39 //
40 // TODO(kmarshall): Report fine-grained errors from OpenSSL.
41 AuthResult VerifyCredentials(const AuthResponse& response,
42 const std::string& peer_cert) {
43 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
44
45 // Get the public key of the ICA that was used to sign the client's cert.
46 base::StringPiece ca_public_key_bytes;
47 if (response.intermediate_certificate().size() <= 0) {
48 ca_public_key_bytes = GetDefaultTrustedICAPublicKey();
49 } else {
50 ca_public_key_bytes =
51 GetTrustedICAPublicKey(response.intermediate_certificate(0));
52 if (ca_public_key_bytes.empty()) {
53 LOG(ERROR) << "Couldn't find trusted ICA.";
54 return AuthResult::CreateWithParseError(
55 "failed to verify credentials: cert not signed by trusted CA",
56 AuthResult::ERROR_FINGERPRINT_NOT_FOUND);
57 }
58 }
59
60 // Parse the CA public key.
61 const uint8_t* ca_ptr =
62 reinterpret_cast<const uint8_t*>(ca_public_key_bytes.data());
63 const uint8_t* ca_public_key_end = ca_ptr + ca_public_key_bytes.size();
64 crypto::ScopedRSA ca_public_key_rsa(
65 d2i_RSAPublicKey(NULL, &ca_ptr, ca_public_key_bytes.size()));
66 if (!ca_public_key_rsa || ca_ptr != ca_public_key_end) {
67 LOG(ERROR) << "Failed to import trusted public key.";
68 return AuthResult::CreateWithParseError(
69 "failed to import trusted public key.",
70 AuthResult::ERROR_CERT_PARSING_FAILED);
71 }
72 crypto::ScopedEVP_PKEY ca_public_key(EVP_PKEY_new());
73 if (!ca_public_key ||
74 !EVP_PKEY_set1_RSA(ca_public_key.get(), ca_public_key_rsa.get())) {
75 LOG(ERROR) << "Failed to initialize EVP_PKEY";
76 return AuthResult::CreateWithParseError(
77 "failed to initialize EVP_PKEY.",
78 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY);
79 }
80
81 // Parse the client auth certificate.
82 const uint8_t* client_cert_ptr = reinterpret_cast<const uint8_t*>(
83 response.client_auth_certificate().data());
84 const uint8_t* client_cert_end =
85 client_cert_ptr +
86 response.client_auth_certificate().size();
87 const ScopedX509 client_cert(
88 d2i_X509(NULL, &client_cert_ptr,
89 response.client_auth_certificate().size()));
90 if (!client_cert || client_cert_ptr != client_cert_end) {
91 LOG(ERROR) << "Failed to parse certificate.";
92 return AuthResult::CreateWithParseError(
93 "failed to parse client_auth_certificate.",
94 AuthResult::ERROR_CERT_PARSING_FAILED);
95 }
96
97 // Verify that the client auth certificate was signed by a trusted CA.
98 if (X509_verify(client_cert.get(), ca_public_key.get()) <= 0) {
99 LOG(ERROR) << "Certificate is not issued by a trusted CA.";
100 return AuthResult::CreateWithParseError(
101 "cert not signed by trusted CA",
102 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA);
103 }
104
105 // Get the client auth certificate's public key.
106 const crypto::ScopedEVP_PKEY client_public_key(
107 X509_get_pubkey(client_cert.get()));
108 const int client_public_key_type = EVP_PKEY_id(client_public_key.get());
109 if (client_public_key_type != EVP_PKEY_RSA) {
110 LOG(ERROR) << "Expected RSA key type for client certificate, got "
111 << client_public_key_type << " instead.";
112 return AuthResult::CreateWithParseError(
113 "couldn't extract public_key from client cert.",
114 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY);
115 }
116
117 // Check that the SSL peer certificate was signed using the client's public
118 // key.
119 const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
120 if (!ctx ||
121 !EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL,
122 client_public_key.get()) ||
123 !EVP_DigestVerifyUpdate(ctx.get(), peer_cert.data(), peer_cert.size())) {
124 return AuthResult::CreateWithParseError(
125 "error initializing payload verification operation.",
126 AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT);
127 }
128 const std::string& signature = response.signature();
129 if (EVP_DigestVerifyFinal(
130 ctx.get(),
131 reinterpret_cast<uint8_t*>(const_cast<char*>(signature.data())),
132 signature.size()) <= 0) {
133 return AuthResult::CreateWithParseError(
134 "payload verification failed.",
135 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH);
136 }
137
138 return AuthResult();
139 }
140
141 } // namespace cast_channel
142 } // namespace core_api
143 } // namespace extensions
144