1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/cast/cast_cert_validator.h"
7 #include <openssl/digest.h>
8 #include <openssl/evp.h>
9 #include <openssl/rsa.h>
10 #include <openssl/x509.h>
12 #include "base/logging.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "base/strings/string_util.h"
15 #include "base/strings/stringprintf.h"
16 #include "crypto/openssl_util.h"
17 #include "crypto/scoped_openssl_types.h"
18 #include "extensions/browser/api/cast_channel/cast_auth_ica.h"
19 #include "net/cert/x509_certificate.h"
20 #include "net/cert/x509_util_openssl.h"
21 #include "net/ssl/scoped_openssl_types.h"
23 namespace extensions
{
25 namespace cast_crypto
{
28 class CertVerificationContextOpenSSL
: public CertVerificationContext
{
30 // Takes ownership of the passed-in x509 object
31 explicit CertVerificationContextOpenSSL(X509
* x509
) : x509_(x509
) {}
33 VerificationResult
VerifySignatureOverData(
34 const base::StringPiece
& signature
,
35 const base::StringPiece
& data
) const override
{
36 // Retrieve public key object.
37 crypto::ScopedEVP_PKEY
public_key(X509_get_pubkey(x509_
.get()));
39 return VerificationResult(
40 "Failed to extract device certificate public key.",
41 VerificationResult::ERROR_CERT_INVALID
);
43 // Make sure the key is RSA.
44 const int public_key_type
= EVP_PKEY_id(public_key
.get());
45 if (public_key_type
!= EVP_PKEY_RSA
) {
46 return VerificationResult(
47 std::string("Expected RSA key type for client certificate, got ") +
48 base::IntToString(public_key_type
) + " instead.",
49 VerificationResult::ERROR_CERT_INVALID
);
52 const crypto::ScopedEVP_MD_CTX
ctx(EVP_MD_CTX_create());
54 !EVP_DigestVerifyInit(ctx
.get(), NULL
, EVP_sha1(), NULL
,
56 !EVP_DigestVerifyUpdate(ctx
.get(), data
.data(), data
.size()) ||
57 !EVP_DigestVerifyFinal(
58 ctx
.get(), reinterpret_cast<const uint8_t*>(signature
.data()),
60 return VerificationResult("Signature verification failed.",
61 VerificationResult::ERROR_SIGNATURE_INVALID
);
63 return VerificationResult();
66 std::string
GetCommonName() const override
{
67 int common_name_length
= X509_NAME_get_text_by_NID(
68 x509_
->cert_info
->subject
, NID_commonName
, NULL
, 0);
69 if (common_name_length
< 0)
71 std::string common_name
;
72 common_name_length
= X509_NAME_get_text_by_NID(
73 x509_
->cert_info
->subject
, NID_commonName
,
74 base::WriteInto(&common_name
,
75 static_cast<size_t>(common_name_length
) + 1),
76 common_name_length
+ 1);
77 if (common_name_length
< 0)
83 net::ScopedX509 x509_
;
88 VerificationResult
VerifyDeviceCert(
89 const base::StringPiece
& device_cert
,
90 const std::vector
<std::string
>& ica_certs
,
91 scoped_ptr
<CertVerificationContext
>* context
) {
92 crypto::EnsureOpenSSLInit();
93 crypto::OpenSSLErrStackTracer
err_tracer(FROM_HERE
);
95 // If the list of intermediates is empty then use kPublicKeyICA1 as
96 // the trusted CA (legacy case).
97 // Otherwise, use the first intermediate in the list as long as it
98 // is in the allowed list of intermediates.
99 base::StringPiece ica_public_key_der
=
100 (ica_certs
.size() == 0)
101 ? cast_channel::GetDefaultTrustedICAPublicKey()
102 : cast_channel::GetTrustedICAPublicKey(ica_certs
[0]);
104 if (ica_public_key_der
.empty()) {
105 return VerificationResult(
106 "Device certificate is not signed by a trusted CA",
107 VerificationResult::ERROR_CERT_UNTRUSTED
);
109 // Initialize the ICA public key.
110 const uint8_t* ica_public_key_der_ptr
=
111 reinterpret_cast<const uint8_t*>(ica_public_key_der
.data());
112 const uint8_t* ica_public_key_der_end
=
113 ica_public_key_der_ptr
+ ica_public_key_der
.size();
114 crypto::ScopedRSA
ica_public_key_rsa(d2i_RSAPublicKey(
115 NULL
, &ica_public_key_der_ptr
, ica_public_key_der
.size()));
116 if (!ica_public_key_rsa
|| ica_public_key_der_ptr
!= ica_public_key_der_end
) {
117 return VerificationResult("Failed to import trusted public key.",
118 VerificationResult::ERROR_INTERNAL
);
120 crypto::ScopedEVP_PKEY
ica_public_key_evp(EVP_PKEY_new());
121 if (!ica_public_key_evp
||
122 !EVP_PKEY_set1_RSA(ica_public_key_evp
.get(), ica_public_key_rsa
.get())) {
123 return VerificationResult("Failed to import trusted public key.",
124 VerificationResult::ERROR_INTERNAL
);
126 // Parse the device certificate.
127 const uint8_t* device_cert_der_ptr
=
128 reinterpret_cast<const uint8_t*>(device_cert
.data());
129 const uint8_t* device_cert_der_end
= device_cert_der_ptr
+ device_cert
.size();
130 net::ScopedX509
device_cert_x509(
131 d2i_X509(NULL
, &device_cert_der_ptr
, device_cert
.size()));
132 if (!device_cert_x509
|| device_cert_der_ptr
!= device_cert_der_end
) {
133 return VerificationResult("Failed to parse device certificate.",
134 VerificationResult::ERROR_CERT_INVALID
);
136 // Verify device certificate.
137 if (X509_verify(device_cert_x509
.get(), ica_public_key_evp
.get()) != 1) {
138 return VerificationResult(
139 "Device certificate signature verification failed.",
140 VerificationResult::ERROR_CERT_INVALID
);
144 scoped_ptr
<CertVerificationContext
> tmp_context(
145 new CertVerificationContextOpenSSL(device_cert_x509
.release()));
146 tmp_context
.swap(*context
);
149 return VerificationResult();
152 std::string
VerificationResult::GetLogString() const {
153 return error_message
;
156 } // namespace cast_crypto
158 } // namespace extensions
