1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "extensions/common/cast/cast_cert_validator.h"
#include <openssl/digest.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include "base/logging.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "crypto/openssl_util.h"
#include "crypto/scoped_openssl_types.h"
#include "extensions/browser/api/cast_channel/cast_auth_ica.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util_openssl.h"
#include "net/ssl/scoped_openssl_types.h"
namespace extensions {
namespace core_api {
namespace cast_crypto {
namespace {
class CertVerificationContextOpenSSL : public CertVerificationContext {
public:
// Takes ownership of the passed-in x509 object
explicit CertVerificationContextOpenSSL(X509* x509) : x509_(x509) {}
VerificationResult VerifySignatureOverData(
const base::StringPiece& signature,
const base::StringPiece& data) const override {
// Retrieve public key object.
crypto::ScopedEVP_PKEY public_key(X509_get_pubkey(x509_.get()));
if (!public_key) {
return VerificationResult(
"Failed to extract device certificate public key.",
VerificationResult::ERROR_CERT_INVALID);
}
// Make sure the key is RSA.
const int public_key_type = EVP_PKEY_id(public_key.get());
if (public_key_type != EVP_PKEY_RSA) {
return VerificationResult(
std::string("Expected RSA key type for client certificate, got ") +
base::IntToString(public_key_type) + " instead.",
VerificationResult::ERROR_CERT_INVALID);
}
// Verify signature.
const crypto::ScopedEVP_MD_CTX ctx(EVP_MD_CTX_create());
if (!ctx ||
!EVP_DigestVerifyInit(ctx.get(), NULL, EVP_sha1(), NULL,
public_key.get()) ||
!EVP_DigestVerifyUpdate(ctx.get(), data.data(), data.size()) ||
!EVP_DigestVerifyFinal(
ctx.get(), reinterpret_cast<const uint8_t*>(signature.data()),
signature.size())) {
return VerificationResult("Signature verification failed.",
VerificationResult::ERROR_SIGNATURE_INVALID);
}
return VerificationResult();
}
std::string GetCommonName() const override {
int common_name_length = X509_NAME_get_text_by_NID(
x509_->cert_info->subject, NID_commonName, NULL, 0);
if (common_name_length < 0)
return std::string();
std::string common_name;
common_name_length = X509_NAME_get_text_by_NID(
x509_->cert_info->subject, NID_commonName,
WriteInto(&common_name, static_cast<size_t>(common_name_length) + 1),
common_name_length + 1);
if (common_name_length < 0)
return std::string();
return common_name;
}
private:
net::ScopedX509 x509_;
};
} // namespace
VerificationResult VerifyDeviceCert(
const base::StringPiece& device_cert,
const std::vector<std::string>& ica_certs,
scoped_ptr<CertVerificationContext>* context) {
crypto::EnsureOpenSSLInit();
crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
// If the list of intermediates is empty then use kPublicKeyICA1 as
// the trusted CA (legacy case).
// Otherwise, use the first intermediate in the list as long as it
// is in the allowed list of intermediates.
base::StringPiece ica_public_key_der =
(ica_certs.size() == 0)
? cast_channel::GetDefaultTrustedICAPublicKey()
: cast_channel::GetTrustedICAPublicKey(ica_certs[0]);
if (ica_public_key_der.empty()) {
return VerificationResult(
"Device certificate is not signed by a trusted CA",
VerificationResult::ERROR_CERT_UNTRUSTED);
}
// Initialize the ICA public key.
const uint8_t* ica_public_key_der_ptr =
reinterpret_cast<const uint8_t*>(ica_public_key_der.data());
const uint8_t* ica_public_key_der_end =
ica_public_key_der_ptr + ica_public_key_der.size();
crypto::ScopedRSA ica_public_key_rsa(d2i_RSAPublicKey(
NULL, &ica_public_key_der_ptr, ica_public_key_der.size()));
if (!ica_public_key_rsa || ica_public_key_der_ptr != ica_public_key_der_end) {
return VerificationResult("Failed to import trusted public key.",
VerificationResult::ERROR_INTERNAL);
}
crypto::ScopedEVP_PKEY ica_public_key_evp(EVP_PKEY_new());
if (!ica_public_key_evp ||
!EVP_PKEY_set1_RSA(ica_public_key_evp.get(), ica_public_key_rsa.get())) {
return VerificationResult("Failed to import trusted public key.",
VerificationResult::ERROR_INTERNAL);
}
// Parse the device certificate.
const uint8_t* device_cert_der_ptr =
reinterpret_cast<const uint8_t*>(device_cert.data());
const uint8_t* device_cert_der_end = device_cert_der_ptr + device_cert.size();
net::ScopedX509 device_cert_x509(
d2i_X509(NULL, &device_cert_der_ptr, device_cert.size()));
if (!device_cert_x509 || device_cert_der_ptr != device_cert_der_end) {
return VerificationResult("Failed to parse device certificate.",
VerificationResult::ERROR_CERT_INVALID);
}
// Verify device certificate.
if (X509_verify(device_cert_x509.get(), ica_public_key_evp.get()) != 1) {
return VerificationResult(
"Device certificate signature verification failed.",
VerificationResult::ERROR_CERT_INVALID);
}
if (context) {
scoped_ptr<CertVerificationContext> tmp_context(
new CertVerificationContextOpenSSL(device_cert_x509.release()));
tmp_context.swap(*context);
}
return VerificationResult();
}
std::string VerificationResult::GetLogString() const {
return error_message;
}
} // namespace cast_crypto
} // namespace core_api
} // namespace extensions
|
