1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/crypto/proof_verifier_chromium.h"
8 #include "base/bind_helpers.h"
9 #include "base/callback_helpers.h"
10 #include "base/compiler_specific.h"
11 #include "base/logging.h"
12 #include "base/metrics/histogram.h"
13 #include "base/profiler/scoped_tracker.h"
14 #include "base/stl_util.h"
15 #include "base/strings/stringprintf.h"
16 #include "crypto/signature_verifier.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/net_log.h"
19 #include "net/cert/asn1_util.h"
20 #include "net/cert/cert_status_flags.h"
21 #include "net/cert/cert_verifier.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/single_request_cert_verifier.h"
24 #include "net/cert/x509_certificate.h"
25 #include "net/cert/x509_util.h"
26 #include "net/http/transport_security_state.h"
27 #include "net/quic/crypto/crypto_protocol.h"
28 #include "net/ssl/ssl_config_service.h"
30 using base::StringPiece
;
31 using base::StringPrintf
;
37 ProofVerifyDetails
* ProofVerifyDetailsChromium::Clone() const {
38 ProofVerifyDetailsChromium
* other
= new ProofVerifyDetailsChromium
;
39 other
->cert_verify_result
= cert_verify_result
;
43 // A Job handles the verification of a single proof. It is owned by the
44 // ProofVerifier. If the verification can not complete synchronously, it
45 // will notify the ProofVerifier upon completion.
46 class ProofVerifierChromium::Job
{
48 Job(ProofVerifierChromium
* proof_verifier
,
49 CertVerifier
* cert_verifier
,
50 TransportSecurityState
* transport_security_state
,
51 const BoundNetLog
& net_log
);
53 // Starts the proof verification. If |QUIC_PENDING| is returned, then
54 // |callback| will be invoked asynchronously when the verification completes.
55 QuicAsyncStatus
VerifyProof(const std::string
& hostname
,
56 const std::string
& server_config
,
57 const std::vector
<std::string
>& certs
,
58 const std::string
& signature
,
59 std::string
* error_details
,
60 scoped_ptr
<ProofVerifyDetails
>* verify_details
,
61 ProofVerifierCallback
* callback
);
67 STATE_VERIFY_CERT_COMPLETE
,
70 int DoLoop(int last_io_result
);
71 void OnIOComplete(int result
);
72 int DoVerifyCert(int result
);
73 int DoVerifyCertComplete(int result
);
75 bool VerifySignature(const std::string
& signed_data
,
76 const std::string
& signature
,
77 const std::string
& cert
);
79 // Proof verifier to notify when this jobs completes.
80 ProofVerifierChromium
* proof_verifier_
;
82 // The underlying verifier used for verifying certificates.
83 scoped_ptr
<SingleRequestCertVerifier
> verifier_
;
85 TransportSecurityState
* transport_security_state_
;
87 // |hostname| specifies the hostname for which |certs| is a valid chain.
88 std::string hostname_
;
90 scoped_ptr
<ProofVerifierCallback
> callback_
;
91 scoped_ptr
<ProofVerifyDetailsChromium
> verify_details_
;
92 std::string error_details_
;
94 // X509Certificate from a chain of DER encoded certificates.
95 scoped_refptr
<X509Certificate
> cert_
;
101 DISALLOW_COPY_AND_ASSIGN(Job
);
104 ProofVerifierChromium::Job::Job(
105 ProofVerifierChromium
* proof_verifier
,
106 CertVerifier
* cert_verifier
,
107 TransportSecurityState
* transport_security_state
,
108 const BoundNetLog
& net_log
)
109 : proof_verifier_(proof_verifier
),
110 verifier_(new SingleRequestCertVerifier(cert_verifier
)),
111 transport_security_state_(transport_security_state
),
112 next_state_(STATE_NONE
),
116 QuicAsyncStatus
ProofVerifierChromium::Job::VerifyProof(
117 const string
& hostname
,
118 const string
& server_config
,
119 const vector
<string
>& certs
,
120 const string
& signature
,
121 std::string
* error_details
,
122 scoped_ptr
<ProofVerifyDetails
>* verify_details
,
123 ProofVerifierCallback
* callback
) {
124 DCHECK(error_details
);
125 DCHECK(verify_details
);
128 error_details
->clear();
130 if (STATE_NONE
!= next_state_
) {
131 *error_details
= "Certificate is already set and VerifyProof has begun";
132 DLOG(DFATAL
) << *error_details
;
136 verify_details_
.reset(new ProofVerifyDetailsChromium
);
139 *error_details
= "Failed to create certificate chain. Certs are empty.";
140 DLOG(WARNING
) << *error_details
;
141 verify_details_
->cert_verify_result
.cert_status
= CERT_STATUS_INVALID
;
142 *verify_details
= verify_details_
.Pass();
146 // Convert certs to X509Certificate.
147 vector
<StringPiece
> cert_pieces(certs
.size());
148 for (unsigned i
= 0; i
< certs
.size(); i
++) {
149 cert_pieces
[i
] = base::StringPiece(certs
[i
]);
151 cert_
= X509Certificate::CreateFromDERCertChain(cert_pieces
);
153 *error_details
= "Failed to create certificate chain";
154 DLOG(WARNING
) << *error_details
;
155 verify_details_
->cert_verify_result
.cert_status
= CERT_STATUS_INVALID
;
156 *verify_details
= verify_details_
.Pass();
160 // We call VerifySignature first to avoid copying of server_config and
162 if (!VerifySignature(server_config
, signature
, certs
[0])) {
163 *error_details
= "Failed to verify signature of server config";
164 DLOG(WARNING
) << *error_details
;
165 verify_details_
->cert_verify_result
.cert_status
= CERT_STATUS_INVALID
;
166 *verify_details
= verify_details_
.Pass();
170 hostname_
= hostname
;
172 next_state_
= STATE_VERIFY_CERT
;
173 switch (DoLoop(OK
)) {
175 *verify_details
= verify_details_
.Pass();
178 callback_
.reset(callback
);
181 *error_details
= error_details_
;
182 *verify_details
= verify_details_
.Pass();
187 int ProofVerifierChromium::Job::DoLoop(int last_result
) {
188 int rv
= last_result
;
190 State state
= next_state_
;
191 next_state_
= STATE_NONE
;
193 case STATE_VERIFY_CERT
:
195 rv
= DoVerifyCert(rv
);
197 case STATE_VERIFY_CERT_COMPLETE
:
198 rv
= DoVerifyCertComplete(rv
);
203 LOG(DFATAL
) << "unexpected state " << state
;
206 } while (rv
!= ERR_IO_PENDING
&& next_state_
!= STATE_NONE
);
210 void ProofVerifierChromium::Job::OnIOComplete(int result
) {
211 int rv
= DoLoop(result
);
212 if (rv
!= ERR_IO_PENDING
) {
213 scoped_ptr
<ProofVerifierCallback
> callback(callback_
.Pass());
214 // Callback expects ProofVerifyDetails not ProofVerifyDetailsChromium.
215 scoped_ptr
<ProofVerifyDetails
> verify_details(verify_details_
.Pass());
216 callback
->Run(rv
== OK
, error_details_
, &verify_details
);
217 // Will delete |this|.
218 proof_verifier_
->OnJobComplete(this);
222 int ProofVerifierChromium::Job::DoVerifyCert(int result
) {
223 next_state_
= STATE_VERIFY_CERT_COMPLETE
;
226 return verifier_
->Verify(
230 SSLConfigService::GetCRLSet().get(),
231 &verify_details_
->cert_verify_result
,
232 base::Bind(&ProofVerifierChromium::Job::OnIOComplete
,
233 base::Unretained(this)),
237 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result
) {
240 const CertVerifyResult
& cert_verify_result
=
241 verify_details_
->cert_verify_result
;
242 const CertStatus cert_status
= cert_verify_result
.cert_status
;
243 if (transport_security_state_
&&
245 (IsCertificateError(result
) && IsCertStatusMinorError(cert_status
))) &&
246 !transport_security_state_
->CheckPublicKeyPins(
248 cert_verify_result
.is_issued_by_known_root
,
249 cert_verify_result
.public_key_hashes
,
250 &verify_details_
->pinning_failure_log
)) {
251 result
= ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
;
254 scoped_refptr
<ct::EVCertsWhitelist
> ev_whitelist
=
255 SSLConfigService::GetEVCertsWhitelist();
256 if ((cert_status
& CERT_STATUS_IS_EV
) && ev_whitelist
.get() &&
257 ev_whitelist
->IsValid()) {
258 const SHA256HashValue
fingerprint(
259 X509Certificate::CalculateFingerprint256(cert_
->os_cert_handle()));
261 UMA_HISTOGRAM_BOOLEAN(
262 "Net.SSL_EVCertificateInWhitelist",
263 ev_whitelist
->ContainsCertificateHash(
264 std::string(reinterpret_cast<const char*>(fingerprint
.data
), 8)));
268 std::string error_string
= ErrorToString(result
);
269 error_details_
= StringPrintf("Failed to verify certificate chain: %s",
270 error_string
.c_str());
271 DLOG(WARNING
) << error_details_
;
274 // Exit DoLoop and return the result to the caller to VerifyProof.
275 DCHECK_EQ(STATE_NONE
, next_state_
);
279 bool ProofVerifierChromium::Job::VerifySignature(const string
& signed_data
,
280 const string
& signature
,
281 const string
& cert
) {
282 // TODO(rtenneti): Remove ScopedTracker below once crbug.com/422516 is fixed.
283 tracked_objects::ScopedTracker
tracking_profile(
284 FROM_HERE_WITH_EXPLICIT_FUNCTION(
285 "422516 ProofVerifierChromium::Job::VerifySignature"));
288 if (!asn1::ExtractSPKIFromDERCert(cert
, &spki
)) {
289 DLOG(WARNING
) << "ExtractSPKIFromDERCert failed";
293 crypto::SignatureVerifier verifier
;
296 X509Certificate::PublicKeyType type
;
297 X509Certificate::GetPublicKeyInfo(cert_
->os_cert_handle(), &size_bits
,
299 if (type
== X509Certificate::kPublicKeyTypeRSA
) {
300 crypto::SignatureVerifier::HashAlgorithm hash_alg
=
301 crypto::SignatureVerifier::SHA256
;
302 crypto::SignatureVerifier::HashAlgorithm mask_hash_alg
= hash_alg
;
303 unsigned int hash_len
= 32; // 32 is the length of a SHA-256 hash.
305 bool ok
= verifier
.VerifyInitRSAPSS(
306 hash_alg
, mask_hash_alg
, hash_len
,
307 reinterpret_cast<const uint8
*>(signature
.data()), signature
.size(),
308 reinterpret_cast<const uint8
*>(spki
.data()), spki
.size());
310 DLOG(WARNING
) << "VerifyInitRSAPSS failed";
313 } else if (type
== X509Certificate::kPublicKeyTypeECDSA
) {
314 // This is the algorithm ID for ECDSA with SHA-256. Parameters are ABSENT.
316 // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
317 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
319 // When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
320 // ecdsa-with-SHA512 algorithm identifier appears in the algorithm field
321 // as an AlgorithmIdentifier, the encoding MUST omit the parameters
322 // field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one
323 // component, the OID ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-
324 // SHA384, or ecdsa-with-SHA512.
325 // See also RFC 5480, Appendix A.
326 static const uint8 kECDSAWithSHA256AlgorithmID
[] = {
329 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
332 if (!verifier
.VerifyInit(
333 kECDSAWithSHA256AlgorithmID
, sizeof(kECDSAWithSHA256AlgorithmID
),
334 reinterpret_cast<const uint8
*>(signature
.data()),
336 reinterpret_cast<const uint8
*>(spki
.data()),
338 DLOG(WARNING
) << "VerifyInit failed";
342 LOG(ERROR
) << "Unsupported public key type " << type
;
346 verifier
.VerifyUpdate(reinterpret_cast<const uint8
*>(kProofSignatureLabel
),
347 sizeof(kProofSignatureLabel
));
348 verifier
.VerifyUpdate(reinterpret_cast<const uint8
*>(signed_data
.data()),
351 if (!verifier
.VerifyFinal()) {
352 DLOG(WARNING
) << "VerifyFinal failed";
356 DVLOG(1) << "VerifyFinal success";
360 ProofVerifierChromium::ProofVerifierChromium(
361 CertVerifier
* cert_verifier
,
362 TransportSecurityState
* transport_security_state
)
363 : cert_verifier_(cert_verifier
),
364 transport_security_state_(transport_security_state
) {
367 ProofVerifierChromium::~ProofVerifierChromium() {
368 STLDeleteElements(&active_jobs_
);
371 QuicAsyncStatus
ProofVerifierChromium::VerifyProof(
372 const std::string
& hostname
,
373 const std::string
& server_config
,
374 const std::vector
<std::string
>& certs
,
375 const std::string
& signature
,
376 const ProofVerifyContext
* verify_context
,
377 std::string
* error_details
,
378 scoped_ptr
<ProofVerifyDetails
>* verify_details
,
379 ProofVerifierCallback
* callback
) {
380 if (!verify_context
) {
381 *error_details
= "Missing context";
384 const ProofVerifyContextChromium
* chromium_context
=
385 reinterpret_cast<const ProofVerifyContextChromium
*>(verify_context
);
386 scoped_ptr
<Job
> job(new Job(this,
388 transport_security_state_
,
389 chromium_context
->net_log
));
390 QuicAsyncStatus status
= job
->VerifyProof(hostname
, server_config
, certs
,
391 signature
, error_details
,
392 verify_details
, callback
);
393 if (status
== QUIC_PENDING
) {
394 active_jobs_
.insert(job
.release());
399 void ProofVerifierChromium::OnJobComplete(Job
* job
) {
400 active_jobs_
.erase(job
);