// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/ct_objects_extractor.h"
#include <cert.h>
#include <secasn1.h>
#include <secitem.h>
#include <secoid.h>
#include "base/lazy_instance.h"
#include "base/sha1.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/sha2.h"
#include "net/cert/asn1_util.h"
#include "net/cert/scoped_nss_types.h"
#include "net/cert/signed_certificate_timestamp.h"
namespace net {
namespace ct {
namespace {
// NSS black magic to get the address of externally defined template at runtime.
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate)
SEC_ASN1_MKSUB(CERT_SequenceOfCertExtensionTemplate)
// Wrapper class to convert a X509Certificate::OSCertHandle directly
// into a CERTCertificate* usable with other NSS functions. This is used for
// platforms where X509Certificate::OSCertHandle refers to a different type
// than a CERTCertificate*.
struct NSSCertWrapper {
explicit NSSCertWrapper(X509Certificate::OSCertHandle cert_handle);
~NSSCertWrapper() {}
ScopedCERTCertificate cert;
};
NSSCertWrapper::NSSCertWrapper(X509Certificate::OSCertHandle cert_handle) {
#if defined(USE_NSS)
cert.reset(CERT_DupCertificate(cert_handle));
#else
SECItem der_cert;
std::string der_data;
if (!X509Certificate::GetDEREncoded(cert_handle, &der_data))
return;
der_cert.data =
reinterpret_cast<unsigned char*>(const_cast<char*>(der_data.data()));
der_cert.len = der_data.size();
// Note: CERT_NewTempCertificate may return NULL if the certificate
// shares a serial number with another cert issued by the same CA,
// which is not supposed to happen.
cert.reset(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE));
#endif
DCHECK(cert.get() != NULL);
}
// The wire form of the OID 1.3.6.1.4.1.11129.2.4.2. See Section 3.3 of
// RFC6962.
const unsigned char kEmbeddedSCTOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
0xD6, 0x79, 0x02, 0x04, 0x02};
const char kEmbeddedSCTDescription[] =
"X.509v3 Certificate Transparency Embedded Signed Certificate Timestamp "
"List";
// The wire form of the OID 1.3.6.1.4.1.11129.2.4.5 - OCSP SingleExtension for
// X.509v3 Certificate Transparency Signed Certificate Timestamp List, see
// Section 3.3 of RFC6962.
const unsigned char kOCSPExtensionOid[] = {0x2B, 0x06, 0x01, 0x04, 0x01,
0xD6, 0x79, 0x02, 0x04, 0x05};
const SECItem kOCSPExtensionOidItem = {
siBuffer, const_cast<unsigned char*>(kOCSPExtensionOid),
sizeof(kOCSPExtensionOid)
};
// id-ad-ocsp: 1.3.6.1.5.5.7.48.1.1
const unsigned char kBasicOCSPResponseOid[] = {0x2B, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x01, 0x01};
const SECItem kBasicOCSPResponseOidItem = {
siBuffer, const_cast<unsigned char*>(kBasicOCSPResponseOid),
sizeof(kBasicOCSPResponseOid)
};
// Initializes the necessary NSS internals for use with Certificate
// Transparency.
class CTInitSingleton {
public:
SECOidTag embedded_oid() const { return embedded_oid_; }
private:
friend struct base::DefaultLazyInstanceTraits<CTInitSingleton>;
CTInitSingleton() : embedded_oid_(SEC_OID_UNKNOWN) {
embedded_oid_ = RegisterOid(
kEmbeddedSCTOid, sizeof(kEmbeddedSCTOid), kEmbeddedSCTDescription);
}
~CTInitSingleton() {}
SECOidTag RegisterOid(const unsigned char* oid,
unsigned int oid_len,
const char* description) {
SECOidData oid_data;
oid_data.oid.len = oid_len;
oid_data.oid.data = const_cast<unsigned char*>(oid);
oid_data.offset = SEC_OID_UNKNOWN;
oid_data.desc = description;
oid_data.mechanism = CKM_INVALID_MECHANISM;
// Setting this to SUPPORTED_CERT_EXTENSION ensures that if a certificate
// contains this extension with the critical bit set, NSS will not reject
// it. However, because verification of this extension happens after NSS,
// it is currently left as INVALID_CERT_EXTENSION.
oid_data.supportedExtension = INVALID_CERT_EXTENSION;
SECOidTag result = SECOID_AddEntry(&oid_data);
CHECK_NE(SEC_OID_UNKNOWN, result);
return result;
}
SECOidTag embedded_oid_;
DISALLOW_COPY_AND_ASSIGN(CTInitSingleton);
};
base::LazyInstance<CTInitSingleton>::Leaky g_ct_singleton =
LAZY_INSTANCE_INITIALIZER;
// Obtains the data for an X.509v3 certificate extension identified by |oid|
// and encoded as an OCTET STRING. Returns true if the extension was found in
// the certificate, updating |ext_data| to be the extension data after removing
// the DER encoding of OCTET STRING.
bool GetCertOctetStringExtension(CERTCertificate* cert,
SECOidTag oid,
std::string* extension_data) {
SECItem extension;
SECStatus rv = CERT_FindCertExtension(cert, oid, &extension);
if (rv != SECSuccess)
return false;
base::StringPiece raw_data(reinterpret_cast<char*>(extension.data),
extension.len);
base::StringPiece parsed_data;
if (!asn1::GetElement(&raw_data, asn1::kOCTETSTRING, &parsed_data) ||
raw_data.size() > 0) { // Decoding failure or raw data left
rv = SECFailure;
} else {
parsed_data.CopyToString(extension_data);
}
SECITEM_FreeItem(&extension, PR_FALSE);
return rv == SECSuccess;
}
// NSS offers CERT_FindCertExtension for certificates, but that only accepts
// CERTCertificate* inputs, so the method below extracts the SCT extension
// directly from the CERTCertExtension** of an OCSP response.
//
// Obtains the data for an OCSP extension identified by kOCSPExtensionOidItem
// and encoded as an OCTET STRING. Returns true if the extension was found in
// |extensions|, updating |extension_data| to be the extension data after
// removing the DER encoding of OCTET STRING.
bool GetSCTListFromOCSPExtension(PLArenaPool* arena,
const CERTCertExtension* const* extensions,
std::string* extension_data) {
if (!extensions)
return false;
const CERTCertExtension* match = NULL;
for (const CERTCertExtension* const* exts = extensions; *exts; ++exts) {
const CERTCertExtension* ext = *exts;
if (SECITEM_ItemsAreEqual(&kOCSPExtensionOidItem, &ext->id)) {
match = ext;
break;
}
}
if (!match)
return false;
SECItem contents;
// SEC_QuickDERDecodeItem sets |contents| to point to |match|, so it is not
// necessary to free the contents of |contents|.
SECStatus rv = SEC_QuickDERDecodeItem(arena, &contents,
SEC_ASN1_GET(SEC_OctetStringTemplate),
&match->value);
if (rv != SECSuccess)
return false;
base::StringPiece parsed_data(reinterpret_cast<char*>(contents.data),
contents.len);
parsed_data.CopyToString(extension_data);
return true;
}
// Given a |cert|, extract the TBSCertificate from this certificate, also
// removing the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (that is,
// the embedded SCT)
bool ExtractTBSCertWithoutSCTs(CERTCertificate* cert,
std::string* to_be_signed) {
SECOidData* oid = SECOID_FindOIDByTag(g_ct_singleton.Get().embedded_oid());
if (!oid)
return false;
// This is a giant hack, due to the fact that NSS does not expose a good API
// for simply removing certificate fields from existing certificates.
CERTCertificate temp_cert;
temp_cert = *cert;
temp_cert.extensions = NULL;
// Strip out the embedded SCT OID from the new certificate by directly
// mutating the extensions in place.
std::vector<CERTCertExtension*> new_extensions;
if (cert->extensions) {
for (CERTCertExtension** exts = cert->extensions; *exts; ++exts) {
CERTCertExtension* ext = *exts;
SECComparison result = SECITEM_CompareItem(&oid->oid, &ext->id);
if (result != SECEqual)
new_extensions.push_back(ext);
}
}
if (!new_extensions.empty()) {
new_extensions.push_back(NULL);
temp_cert.extensions = &new_extensions[0];
}
crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
SECItem tbs_data;
tbs_data.len = 0;
tbs_data.data = NULL;
void* result = SEC_ASN1EncodeItem(arena.get(),
&tbs_data,
&temp_cert,
SEC_ASN1_GET(CERT_CertificateTemplate));
if (!result)
return false;
to_be_signed->assign(reinterpret_cast<char*>(tbs_data.data), tbs_data.len);
return true;
}
// The following code is adapted from the NSS OCSP module, in order to expose
// the internal structure of an OCSP response.
// ResponseBytes ::= SEQUENCE {
// responseType OBJECT IDENTIFIER,
// response OCTET STRING }
struct ResponseBytes {
SECItem response_type;
SECItem der_response;
};
const SEC_ASN1Template kResponseBytesTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ResponseBytes) },
{ SEC_ASN1_OBJECT_ID, offsetof(ResponseBytes, response_type) },
{ SEC_ASN1_OCTET_STRING, offsetof(ResponseBytes, der_response) },
{ 0 }
};
// OCSPResponse ::= SEQUENCE {
// responseStatus OCSPResponseStatus,
// responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
struct OCSPResponse {
SECItem response_status;
// This indirection is needed because |response_bytes| is an optional
// component and we need a way to determine if it is missing.
ResponseBytes* response_bytes;
};
const SEC_ASN1Template kPointerToResponseBytesTemplate[] = {
{ SEC_ASN1_POINTER, 0, kResponseBytesTemplate }
};
const SEC_ASN1Template kOCSPResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OCSPResponse) },
{ SEC_ASN1_ENUMERATED, offsetof(OCSPResponse, response_status) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(OCSPResponse, response_bytes),
kPointerToResponseBytesTemplate },
{ 0 }
};
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of Issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of Issuers public key
// serialNumber CertificateSerialNumber }
struct CertID {
SECAlgorithmID hash_algorithm;
SECItem issuer_name_hash;
SECItem issuer_key_hash;
SECItem serial_number;
};
const SEC_ASN1Template kCertIDTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CertID) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CertID, hash_algorithm),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_OCTET_STRING, offsetof(CertID, issuer_name_hash) },
{ SEC_ASN1_OCTET_STRING, offsetof(CertID, issuer_key_hash) },
{ SEC_ASN1_INTEGER, offsetof(CertID, serial_number) },
{ 0 }
};
// SingleResponse ::= SEQUENCE {
// certID CertID,
// certStatus CertStatus,
// thisUpdate GeneralizedTime,
// nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
// singleExtensions [1] EXPLICIT Extensions OPTIONAL }
struct SingleResponse {
CertID cert_id;
// The following three fields are not used.
SECItem der_cert_status;
SECItem this_update;
SECItem next_update;
CERTCertExtension** single_extensions;
};
const SEC_ASN1Template kSingleResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SingleResponse) },
{ SEC_ASN1_INLINE, offsetof(SingleResponse, cert_id), kCertIDTemplate },
// Really a CHOICE but we make it an ANY because we don't care about the
// contents of this field.
// TODO(ekasper): use SEC_ASN1_CHOICE.
{ SEC_ASN1_ANY, offsetof(SingleResponse, der_cert_status) },
{ SEC_ASN1_GENERALIZED_TIME, offsetof(SingleResponse, this_update) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
offsetof(SingleResponse, next_update),
SEC_ASN1_SUB(SEC_GeneralizedTimeTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
offsetof(SingleResponse, single_extensions),
SEC_ASN1_SUB(CERT_SequenceOfCertExtensionTemplate) },
{ 0 }
};
// ResponseData ::= SEQUENCE {
// version [0] EXPLICIT Version DEFAULT v1,
// responderID ResponderID,
// producedAt GeneralizedTime,
// responses SEQUENCE OF SingleResponse,
// responseExtensions [1] EXPLICIT Extensions OPTIONAL }
struct ResponseData {
// The first three fields are not used.
SECItem version;
SECItem der_responder_id;
SECItem produced_at;
SingleResponse** single_responses;
// Skip extensions.
};
const SEC_ASN1Template kResponseDataTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ResponseData) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
offsetof(ResponseData, version), SEC_ASN1_SUB(SEC_IntegerTemplate) },
// Really a CHOICE but we make it an ANY because we don't care about the
// contents of this field.
// TODO(ekasper): use SEC_ASN1_CHOICE.
{ SEC_ASN1_ANY, offsetof(ResponseData, der_responder_id) },
{ SEC_ASN1_GENERALIZED_TIME, offsetof(ResponseData, produced_at) },
{ SEC_ASN1_SEQUENCE_OF, offsetof(ResponseData, single_responses),
kSingleResponseTemplate },
{ SEC_ASN1_SKIP_REST },
{ 0 }
};
// BasicOCSPResponse ::= SEQUENCE {
// tbsResponseData ResponseData,
// signatureAlgorithm AlgorithmIdentifier,
// signature BIT STRING,
// certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
struct BasicOCSPResponse {
ResponseData tbs_response_data;
// We do not care about the rest.
};
const SEC_ASN1Template kBasicOCSPResponseTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(BasicOCSPResponse) },
{ SEC_ASN1_INLINE, offsetof(BasicOCSPResponse, tbs_response_data),
kResponseDataTemplate },
{ SEC_ASN1_SKIP_REST },
{ 0 }
};
bool StringEqualToSECItem(const std::string& value1, const SECItem& value2) {
if (value1.size() != value2.len)
return false;
return memcmp(value1.data(), value2.data, value2.len) == 0;
}
// TODO(ekasper): also use the issuer name hash in matching.
bool CertIDMatches(const CertID& cert_id,
const std::string& serial_number,
const std::string& issuer_key_sha1_hash,
const std::string& issuer_key_sha256_hash) {
if (!StringEqualToSECItem(serial_number, cert_id.serial_number))
return false;
SECOidTag hash_alg = SECOID_FindOIDTag(&cert_id.hash_algorithm.algorithm);
switch (hash_alg) {
case SEC_OID_SHA1:
return StringEqualToSECItem(issuer_key_sha1_hash,
cert_id.issuer_key_hash);
case SEC_OID_SHA256:
return StringEqualToSECItem(issuer_key_sha256_hash,
cert_id.issuer_key_hash);
default:
return false;
}
}
} // namespace
bool ExtractEmbeddedSCTList(X509Certificate::OSCertHandle cert,
std::string* sct_list) {
DCHECK(cert);
NSSCertWrapper leaf_cert(cert);
if (!leaf_cert.cert)
return false;
return GetCertOctetStringExtension(leaf_cert.cert.get(),
g_ct_singleton.Get().embedded_oid(),
sct_list);
}
bool GetPrecertLogEntry(X509Certificate::OSCertHandle leaf,
X509Certificate::OSCertHandle issuer,
LogEntry* result) {
DCHECK(leaf);
DCHECK(issuer);
NSSCertWrapper leaf_cert(leaf);
NSSCertWrapper issuer_cert(issuer);
result->Reset();
// XXX(rsleevi): This check may be overkill, since we should be able to
// generate precerts for certs without the extension. For now, just a sanity
// check to match the reference implementation.
SECItem extension;
SECStatus rv = CERT_FindCertExtension(
leaf_cert.cert.get(), g_ct_singleton.Get().embedded_oid(), &extension);
if (rv != SECSuccess)
return false;
SECITEM_FreeItem(&extension, PR_FALSE);
std::string to_be_signed;
if (!ExtractTBSCertWithoutSCTs(leaf_cert.cert.get(), &to_be_signed))
return false;
if (!issuer_cert.cert) {
// This can happen when the issuer and leaf certs share the same serial
// number and are from the same CA, which should never be the case
// (but happened with bad test certs).
VLOG(1) << "Issuer cert is null, cannot generate Precert entry.";
return false;
}
SECKEYPublicKey* issuer_pub_key =
SECKEY_ExtractPublicKey(&(issuer_cert.cert->subjectPublicKeyInfo));
if (!issuer_pub_key) {
VLOG(1) << "Could not extract issuer public key, "
<< "cannot generate Precert entry.";
return false;
}
SECItem* encoded_issuer_pubKey =
SECKEY_EncodeDERSubjectPublicKeyInfo(issuer_pub_key);
if (!encoded_issuer_pubKey) {
SECKEY_DestroyPublicKey(issuer_pub_key);
return false;
}
result->type = ct::LogEntry::LOG_ENTRY_TYPE_PRECERT;
result->tbs_certificate.swap(to_be_signed);
crypto::SHA256HashString(
base::StringPiece(reinterpret_cast<char*>(encoded_issuer_pubKey->data),
encoded_issuer_pubKey->len),
result->issuer_key_hash.data,
sizeof(result->issuer_key_hash.data));
SECITEM_FreeItem(encoded_issuer_pubKey, PR_TRUE);
SECKEY_DestroyPublicKey(issuer_pub_key);
return true;
}
bool GetX509LogEntry(X509Certificate::OSCertHandle leaf, LogEntry* result) {
DCHECK(leaf);
std::string encoded;
if (!X509Certificate::GetDEREncoded(leaf, &encoded))
return false;
result->Reset();
result->type = ct::LogEntry::LOG_ENTRY_TYPE_X509;
result->leaf_certificate.swap(encoded);
return true;
}
bool ExtractSCTListFromOCSPResponse(X509Certificate::OSCertHandle issuer,
const std::string& cert_serial_number,
const std::string& ocsp_response,
std::string* sct_list) {
DCHECK(issuer);
// Any OCSP response is unlikely to be even close to 2^24 bytes; further, CT
// only uses stapled OCSP responses which have this limit imposed by the TLS
// protocol.
if (ocsp_response.size() > 0xffffff)
return false;
crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
OCSPResponse response;
memset(&response, 0, sizeof(response));
SECItem src = { siBuffer,
reinterpret_cast<unsigned char*>(const_cast<char*>(
ocsp_response.data())),
static_cast<unsigned int>(ocsp_response.size()) };
// |response| will point directly into |src|, so it's not necessary to
// free the |response| contents, but they may only be used while |src|
// is valid (i.e., in this method).
SECStatus rv = SEC_QuickDERDecodeItem(arena.get(), &response,
kOCSPResponseTemplate, &src);
if (rv != SECSuccess)
return false;
if (!response.response_bytes)
return false;
if (!SECITEM_ItemsAreEqual(&kBasicOCSPResponseOidItem,
&response.response_bytes->response_type)) {
return false;
}
BasicOCSPResponse basic_response;
memset(&basic_response, 0, sizeof(basic_response));
rv = SEC_QuickDERDecodeItem(arena.get(), &basic_response,
kBasicOCSPResponseTemplate,
&response.response_bytes->der_response);
if (rv != SECSuccess)
return false;
SingleResponse** responses =
basic_response.tbs_response_data.single_responses;
if (!responses)
return false;
std::string issuer_der;
if (!X509Certificate::GetDEREncoded(issuer, &issuer_der))
return false;
base::StringPiece issuer_spki;
if (!asn1::ExtractSPKIFromDERCert(issuer_der, &issuer_spki))
return false;
// In OCSP, only the key itself is under hash.
base::StringPiece issuer_spk;
if (!asn1::ExtractSubjectPublicKeyFromSPKI(issuer_spki, &issuer_spk))
return false;
// ExtractSubjectPublicKey... does not remove the initial octet encoding the
// number of unused bits in the ASN.1 BIT STRING so we do it here. For public
// keys, the bitstring is in practice always byte-aligned.
if (issuer_spk.empty() || issuer_spk[0] != 0)
return false;
issuer_spk.remove_prefix(1);
// NSS OCSP lib recognizes SHA1, MD5 and MD2; MD5 and MD2 are dead but
// https://bugzilla.mozilla.org/show_bug.cgi?id=663315 will add SHA-256
// and SHA-384.
// TODO(ekasper): add SHA-384 to crypto/sha2.h and here if it proves
// necessary.
// TODO(ekasper): only compute the hashes on demand.
std::string issuer_key_sha256_hash = crypto::SHA256HashString(issuer_spk);
std::string issuer_key_sha1_hash = base::SHA1HashString(
issuer_spk.as_string());
const SingleResponse* match = NULL;
for (const SingleResponse* const* resps = responses; *resps; ++resps) {
const SingleResponse* resp = *resps;
if (CertIDMatches(resp->cert_id, cert_serial_number,
issuer_key_sha1_hash, issuer_key_sha256_hash)) {
match = resp;
break;
}
}
if (!match)
return false;
return GetSCTListFromOCSPExtension(arena.get(), match->single_extensions,
sct_list);
}
} // namespace ct
} // namespace net