// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include #include #include #include "base/logging.h" #include "crypto/scoped_nss_types.h" #include "net/cert/sha256_legacy_support_win.h" namespace net { namespace sha256_interception { BOOL CryptVerifyCertificateSignatureExHook( CryptVerifyCertificateSignatureExFunc original_func, HCRYPTPROV_LEGACY provider, DWORD encoding_type, DWORD subject_type, void* subject_data, DWORD issuer_type, void* issuer_data, DWORD flags, void* extra) { CHECK(original_func); // Only intercept if the arguments are supported. if (provider != NULL || (encoding_type != X509_ASN_ENCODING) || !IsSupportedSubjectType(subject_type) || subject_data == NULL || !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) { return original_func(provider, encoding_type, subject_type, subject_data, issuer_type, issuer_data, flags, extra); } base::StringPiece subject_signature = GetSubjectSignature(subject_type, subject_data); bool should_intercept = false; crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); CERTSignedData signed_data; memset(&signed_data, 0, sizeof(signed_data)); // Attempt to decode the subject using the generic "Signed Data" template, // which all of the supported subject types match. If the signature // algorithm is RSA with one of the SHA-2 algorithms supported by NSS // (excluding SHA-224, which is pointless), then defer to the NSS // implementation. Otherwise, fall back and let the OS handle it (e.g. // in case there are any algorithm policies in effect). if (!subject_signature.empty()) { SECItem subject_sig_item; subject_sig_item.data = const_cast( reinterpret_cast(subject_signature.data())); subject_sig_item.len = subject_signature.size(); SECStatus rv = SEC_QuickDERDecodeItem( arena.get(), &signed_data, SEC_ASN1_GET(CERT_SignedDataTemplate), &subject_sig_item); if (rv == SECSuccess) { SECOidTag signature_alg = SECOID_GetAlgorithmTag(&signed_data.signatureAlgorithm); if (signature_alg == SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION || signature_alg == SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION || signature_alg == SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION) { should_intercept = true; } } } if (!should_intercept) { return original_func(provider, encoding_type, subject_type, subject_data, issuer_type, issuer_data, flags, extra); } // Rather than attempting to synthesize a CERTSubjectPublicKeyInfo by hand, // just force the OS to do an ASN.1 encoding and then decode it back into // NSS. This is silly for performance, but safest for consistency. PCERT_PUBLIC_KEY_INFO issuer_public_key = GetIssuerPublicKey(issuer_type, issuer_data); if (!issuer_public_key) { SetLastError(static_cast(NTE_BAD_ALGID)); return FALSE; } unsigned char* issuer_spki_data = NULL; DWORD issuer_spki_len = 0; if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL, &issuer_spki_data, &issuer_spki_len)) { return FALSE; } SECItem nss_issuer_spki; nss_issuer_spki.data = issuer_spki_data; nss_issuer_spki.len = issuer_spki_len; CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&nss_issuer_spki); ::LocalFree(issuer_spki_data); if (!spki) { SetLastError(static_cast(NTE_BAD_ALGID)); return FALSE; } // Attempt to actually verify the signed data. If it fails, synthesize the // failure as a generic "bad signature" and let CryptoAPI handle the rest. SECStatus rv = CERT_VerifySignedDataWithPublicKeyInfo( &signed_data, spki, NULL); SECKEY_DestroySubjectPublicKeyInfo(spki); if (rv != SECSuccess) { SetLastError(static_cast(NTE_BAD_SIGNATURE)); return FALSE; } return TRUE; } } // namespace sha256_interception } // namespace net