authorrtenneti@chromium.org <rtenneti@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-03 10:27:46 +0000
committerrtenneti@chromium.org <rtenneti@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-03 10:27:46 +0000
commit2662ed5650f65efe8c59acba3db6366d006e6a7d (patch)
tree1c571925ab02dbe7f6389364c8f134cabd3ef290 /crypto
parentd47d11d525fe4de37b7812528875347c38ca4f83 (diff)
OpenSSL/NSS implementation of ProofVerfifier.
Changes to make ProofVerifier asynchronous. Each QuicSession's ProofVerifier is used to verify the signature and cert chain. Implemented generation counter in QuicCryptoClientConfig's CachedState in case certs change when we are verifying the Proof. Review URL: https://chromiumcodereview.appspot.com/17385010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209946 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'crypto')
-rw-r--r--crypto/ec_signature_creator_unittest.cc16
-rw-r--r--crypto/signature_verifier_openssl.cc15
2 files changed, 26 insertions, 5 deletions
diff --git a/crypto/ec_signature_creator_unittest.cc b/crypto/ec_signature_creator_unittest.cc
index b34022b..bc0cb4a 100644
--- a/crypto/ec_signature_creator_unittest.cc
+++ b/crypto/ec_signature_creator_unittest.cc
@@ -54,12 +54,22 @@ TEST(ECSignatureCreatorTest, BasicTest) {
std::vector<uint8> public_key_info;
ASSERT_TRUE(key_original->ExportPublicKey(&public_key_info));
- // This is the algorithm ID for SHA-256 with EC encryption.
+ // This is the algorithm ID for ECDSA with SHA-256. Parameters are ABSENT.
+ // RFC 5758:
+ // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
+ // ...
+ // When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
+ // ecdsa-with-SHA512 algorithm identifier appears in the algorithm field
+ // as an AlgorithmIdentifier, the encoding MUST omit the parameters
+ // field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one
+ // component, the OID ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-
+ // SHA384, or ecdsa-with-SHA512.
+ // See also RFC 5480, Appendix A.
const uint8 kECDSAWithSHA256AlgorithmID[] = {
- 0x30, 0x0c,
+ 0x30, 0x0a,
0x06, 0x08,
0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
- 0x05, 0x00
};
crypto::SignatureVerifier verifier;
ASSERT_TRUE(verifier.VerifyInit(
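Review bot: The bytes of `kECDSAWithSHA256AlgorithmID` are still unannotated, so a reader has to decode the DER by hand to confirm it matches the RFC text quoted above. Trailing comments would make the array self-checking: `0x30, 0x0a,  // SEQUENCE, 10 bytes`, `0x06, 0x08,  // OBJECT IDENTIFIER, 8 bytes`, and `// 1.2.840.10045.4.3.2 (ecdsa-with-SHA256)` on the OID line. It would also help to say in the comment that the removed `0x05, 0x00` was an explicit NULL parameter, since that is the encoding the test used before. The test body continues past the end of this hunk.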
diff --git a/crypto/signature_verifier_openssl.cc b/crypto/signature_verifier_openssl.cc
index 1e71339..a85f00b 100644
--- a/crypto/signature_verifier_openssl.cc
+++ b/crypto/signature_verifier_openssl.cc
@@ -53,7 +53,17 @@ bool SignatureVerifier::VerifyInit(const uint8* signature_algorithm,
d2i_X509_ALGOR(NULL, &signature_algorithm, signature_algorithm_len));
if (!algorithm.get())
return false;
- const EVP_MD* digest = EVP_get_digestbyobj(algorithm.get()->algorithm);
+ int nid = OBJ_obj2nid(algorithm.get()->algorithm);
+ const EVP_MD* digest;
+ if (nid == NID_ecdsa_with_SHA1) {
+ digest = EVP_sha1();
+ } else if (nid == NID_ecdsa_with_SHA256) {
+ digest = EVP_sha256();
+ } else {
+ // This works for PKCS #1 v1.5 RSA signatures, but not for ECDSA
+ // signatures.
+ digest = EVP_get_digestbyobj(algorithm.get()->algorithm);
+ }
if (!digest)
return false;
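Review bot: The two new ECDSA branches choose the digest from the OID alone and never inspect `algorithm.get()->parameter`, so an AlgorithmIdentifier carrying NULL or any other parameters is accepted exactly like one without. The RFC 5758 text quoted in this commit's unittest change says the parameters field MUST be omitted for the ecdsa-with-SHA2 identifiers. If strict encoding is intended, a guard such as `if (algorithm.get()->parameter) return false;` inside the ECDSA branches would enforce it; otherwise a comment stating that parameters are deliberately ignored would record the decision. Identifiers for ECDSA with other hashes fall to the `else` branch, which per the new comment does not work for ECDSA and presumably ends in the `return false` below, so that path fails closed. VerifyInit starts before and continues after this hunk.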
@@ -104,7 +114,8 @@ bool SignatureVerifier::VerifyFinal() {
int rv = EVP_DigestVerifyFinal(verify_context_->ctx.get(),
vector_as_array(&signature_),
signature_.size());
- DCHECK_GE(rv, 0);
+ // rv is -1 if a DER-encoded ECDSA signature cannot be decoded correctly.
+ DCHECK_GE(rv, -1);
Reset();
return rv == 1;
}
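Review bot: `DCHECK_GE(rv, -1)` asserts on a value that depends on the signature bytes being verified, which in the QUIC proof-verification use described in the commit message presumably come from the peer. A debug build would abort on any return below -1, while a release build ignores the check entirely. Since `return rv == 1` already treats every other value as failure, the assertion could be dropped and the comment kept, for example `// rv is 1 on success; 0 or a negative value (e.g. an undecodable DER ECDSA signature) means failure.` Whether the OpenSSL error queue is cleared after a negative return is not visible here, and VerifyFinal starts before this hunk.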