// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/ct_log_verifier.h" #include <cryptohi.h> #include <keyhi.h> #include <nss.h> #include <pk11pub.h> #include <secitem.h> #include <secoid.h> #include "base/logging.h" #include "crypto/nss_util.h" #include "crypto/sha2.h" #include "net/cert/signed_certificate_timestamp.h" namespace net { namespace { SECOidTag GetNSSSigAlg(ct::DigitallySigned::SignatureAlgorithm alg) { switch (alg) { case ct::DigitallySigned::SIG_ALGO_RSA: return SEC_OID_PKCS1_RSA_ENCRYPTION; case ct::DigitallySigned::SIG_ALGO_DSA: return SEC_OID_ANSIX9_DSA_SIGNATURE; case ct::DigitallySigned::SIG_ALGO_ECDSA: return SEC_OID_ANSIX962_EC_PUBLIC_KEY; case ct::DigitallySigned::SIG_ALGO_ANONYMOUS: default: NOTREACHED(); return SEC_OID_UNKNOWN; } } SECOidTag GetNSSHashAlg(ct::DigitallySigned::HashAlgorithm alg) { switch (alg) { case ct::DigitallySigned::HASH_ALGO_MD5: return SEC_OID_MD5; case ct::DigitallySigned::HASH_ALGO_SHA1: return SEC_OID_SHA1; case ct::DigitallySigned::HASH_ALGO_SHA224: return SEC_OID_SHA224; case ct::DigitallySigned::HASH_ALGO_SHA256: return SEC_OID_SHA256; case ct::DigitallySigned::HASH_ALGO_SHA384: return SEC_OID_SHA384; case ct::DigitallySigned::HASH_ALGO_SHA512: return SEC_OID_SHA512; case ct::DigitallySigned::HASH_ALGO_NONE: default: NOTREACHED(); return SEC_OID_UNKNOWN; } } } // namespace CTLogVerifier::~CTLogVerifier() { if (public_key_) SECKEY_DestroyPublicKey(public_key_); } CTLogVerifier::CTLogVerifier() : hash_algorithm_(ct::DigitallySigned::HASH_ALGO_NONE), signature_algorithm_(ct::DigitallySigned::SIG_ALGO_ANONYMOUS), public_key_(NULL) {} bool CTLogVerifier::Init(const base::StringPiece& public_key, const base::StringPiece& description) { SECItem key_data; crypto::EnsureNSSInit(); key_data.data = reinterpret_cast<unsigned char*>( const_cast<char*>(public_key.data())); key_data.len = public_key.size(); CERTSubjectPublicKeyInfo* public_key_info = SECKEY_DecodeDERSubjectPublicKeyInfo(&key_data); if (!public_key_info) { DVLOG(1) << "Failed decoding public key."; return false; } public_key_ = SECKEY_ExtractPublicKey(public_key_info); SECKEY_DestroySubjectPublicKeyInfo(public_key_info); if (!public_key_) { DVLOG(1) << "Failed extracting public key."; return false; } key_id_ = crypto::SHA256HashString(public_key); description_ = description.as_string(); // Right now, only RSASSA-PKCS1v15 with SHA-256 and ECDSA with SHA-256 are // supported. switch (SECKEY_GetPublicKeyType(public_key_)) { case rsaKey: hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256; signature_algorithm_ = ct::DigitallySigned::SIG_ALGO_RSA; break; case ecKey: hash_algorithm_ = ct::DigitallySigned::HASH_ALGO_SHA256; signature_algorithm_ = ct::DigitallySigned::SIG_ALGO_ECDSA; break; default: DVLOG(1) << "Unsupported key type: " << SECKEY_GetPublicKeyType(public_key_); return false; } // Extra sanity check: Require RSA keys of at least 2048 bits. if (signature_algorithm_ == ct::DigitallySigned::SIG_ALGO_RSA && SECKEY_PublicKeyStrengthInBits(public_key_) < 2048) { DVLOG(1) << "Too small a public key."; return false; } return true; } bool CTLogVerifier::VerifySignature(const base::StringPiece& data_to_sign, const base::StringPiece& signature) { SECItem sig_data; sig_data.data = reinterpret_cast<unsigned char*>(const_cast<char*>( signature.data())); sig_data.len = signature.size(); SECStatus rv = VFY_VerifyDataDirect( reinterpret_cast<const unsigned char*>(data_to_sign.data()), data_to_sign.size(), public_key_, &sig_data, GetNSSSigAlg(signature_algorithm_), GetNSSHashAlg(hash_algorithm_), NULL, NULL); DVLOG(1) << "Signature verification result: " << (rv == SECSuccess); return rv == SECSuccess; } } // namespace net