462 lines
14 KiB
C++
462 lines
14 KiB
C++
// Copyright 2012 The Chromium Authors
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "net/cert/crl_set.h"
|
|
|
|
#include <algorithm>
|
|
|
|
#include "base/base64.h"
|
|
#include "base/json/json_reader.h"
|
|
#include "base/strings/string_piece.h"
|
|
#include "base/time/time.h"
|
|
#include "base/values.h"
|
|
#include "crypto/sha2.h"
|
|
#include "net/base/trace_constants.h"
|
|
#include "net/base/tracing.h"
|
|
#include "third_party/boringssl/src/include/openssl/bytestring.h"
|
|
#include "third_party/boringssl/src/include/openssl/mem.h"
|
|
|
|
namespace net {
|
|
|
|
namespace {
|
|
|
|
// CRLSet format:
|
|
//
|
|
// uint16le header_len
|
|
// byte[header_len] header_bytes
|
|
// repeated {
|
|
// byte[32] parent_spki_sha256
|
|
// uint32le num_serials
|
|
// [num_serials] {
|
|
// uint8_t serial_length;
|
|
// byte[serial_length] serial;
|
|
// }
|
|
//
|
|
// header_bytes consists of a JSON dictionary with the following keys:
|
|
// Version (int): currently 0
|
|
// ContentType (string): "CRLSet" (magic value)
|
|
// Sequence (int32_t): the monotonic sequence number of this CRL set.
|
|
// NotAfter (optional) (double/int64_t): The number of seconds since the
|
|
// Unix epoch, after which, this CRLSet is expired.
|
|
// BlockedSPKIs (array of string): An array of Base64 encoded, SHA-256 hashed
|
|
// SubjectPublicKeyInfos that should be blocked.
|
|
// LimitedSubjects (object/map of string -> array of string): A map between
|
|
// the Base64-encoded SHA-256 hash of the DER-encoded Subject and the
|
|
// Base64-encoded SHA-256 hashes of the SubjectPublicKeyInfos that are
|
|
// allowed for that subject.
|
|
// KnownInterceptionSPKIs (array of string): An array of Base64-encoded
|
|
// SHA-256 hashed SubjectPublicKeyInfos known to be used for interception.
|
|
// BlockedInterceptionSPKIs (array of string): An array of Base64-encoded
|
|
// SHA-256 hashed SubjectPublicKeyInfos known to be used for interception
|
|
// and that should be actively blocked.
|
|
//
|
|
// ReadHeader reads the header (including length prefix) from |data| and
|
|
// updates |data| to remove the header on return. Caller takes ownership of the
|
|
// returned pointer.
|
|
absl::optional<base::Value> ReadHeader(base::StringPiece* data) {
|
|
uint16_t header_len;
|
|
if (data->size() < sizeof(header_len)) {
|
|
return absl::nullopt;
|
|
}
|
|
// Assumes little-endian.
|
|
memcpy(&header_len, data->data(), sizeof(header_len));
|
|
data->remove_prefix(sizeof(header_len));
|
|
|
|
if (data->size() < header_len) {
|
|
return absl::nullopt;
|
|
}
|
|
|
|
const base::StringPiece header_bytes = data->substr(0, header_len);
|
|
data->remove_prefix(header_len);
|
|
|
|
absl::optional<base::Value> header =
|
|
base::JSONReader::Read(header_bytes, base::JSON_ALLOW_TRAILING_COMMAS);
|
|
if (!header || !header->is_dict()) {
|
|
return absl::nullopt;
|
|
}
|
|
|
|
return header;
|
|
}
|
|
|
|
// kCurrentFileVersion is the version of the CRLSet file format that we
|
|
// currently implement.
|
|
static const int kCurrentFileVersion = 0;
|
|
|
|
bool ReadCRL(base::StringPiece* data,
|
|
std::string* out_parent_spki_hash,
|
|
std::vector<std::string>* out_serials) {
|
|
if (data->size() < crypto::kSHA256Length)
|
|
return false;
|
|
*out_parent_spki_hash = std::string(data->substr(0, crypto::kSHA256Length));
|
|
data->remove_prefix(crypto::kSHA256Length);
|
|
|
|
uint32_t num_serials;
|
|
if (data->size() < sizeof(num_serials))
|
|
return false;
|
|
// Assumes little endian.
|
|
memcpy(&num_serials, data->data(), sizeof(num_serials));
|
|
data->remove_prefix(sizeof(num_serials));
|
|
|
|
if (num_serials > 32 * 1024 * 1024) // Sanity check.
|
|
return false;
|
|
|
|
out_serials->reserve(num_serials);
|
|
|
|
for (uint32_t i = 0; i < num_serials; ++i) {
|
|
if (data->size() < sizeof(uint8_t))
|
|
return false;
|
|
|
|
uint8_t serial_length = (*data)[0];
|
|
data->remove_prefix(sizeof(uint8_t));
|
|
|
|
if (data->size() < serial_length)
|
|
return false;
|
|
|
|
out_serials->push_back(std::string());
|
|
out_serials->back() = std::string(data->substr(0, serial_length));
|
|
data->remove_prefix(serial_length);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
// CopyHashListFromHeader parses a list of base64-encoded, SHA-256 hashes from
|
|
// the given |key| (without path expansion) in |header_dict| and sets |*out|
|
|
// to the decoded values. It's not an error if |key| is not found in
|
|
// |header_dict|.
|
|
bool CopyHashListFromHeader(const base::Value::Dict& header_dict,
|
|
const char* key,
|
|
std::vector<std::string>* out) {
|
|
const base::Value::List* list = header_dict.FindList(key);
|
|
if (!list) {
|
|
// Hash lists are optional so it's not an error if not present.
|
|
return true;
|
|
}
|
|
|
|
out->clear();
|
|
out->reserve(list->size());
|
|
|
|
std::string sha256_base64;
|
|
|
|
for (const base::Value& i : *list) {
|
|
sha256_base64.clear();
|
|
|
|
if (!i.is_string())
|
|
return false;
|
|
sha256_base64 = i.GetString();
|
|
|
|
out->push_back(std::string());
|
|
if (!base::Base64Decode(sha256_base64, &out->back())) {
|
|
out->pop_back();
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
// CopyHashToHashesMapFromHeader parse a map from base64-encoded, SHA-256
|
|
// hashes to lists of the same, from the given |key| in |header_dict|. It
|
|
// copies the map data into |out| (after base64-decoding).
|
|
bool CopyHashToHashesMapFromHeader(
|
|
const base::Value::Dict& header_dict,
|
|
const char* key,
|
|
std::unordered_map<std::string, std::vector<std::string>>* out) {
|
|
out->clear();
|
|
|
|
const base::Value::Dict* dict = header_dict.FindDict(key);
|
|
if (dict == nullptr) {
|
|
// Maps are optional so it's not an error if not present.
|
|
return true;
|
|
}
|
|
|
|
for (auto i : *dict) {
|
|
if (!i.second.is_list()) {
|
|
return false;
|
|
}
|
|
|
|
std::vector<std::string> allowed_spkis;
|
|
for (const auto& j : i.second.GetList()) {
|
|
allowed_spkis.emplace_back();
|
|
if (!j.is_string() ||
|
|
!base::Base64Decode(j.GetString(), &allowed_spkis.back())) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
std::string subject_hash;
|
|
if (!base::Base64Decode(i.first, &subject_hash)) {
|
|
return false;
|
|
}
|
|
|
|
(*out)[subject_hash] = allowed_spkis;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
CRLSet::CRLSet() = default;
|
|
|
|
CRLSet::~CRLSet() = default;
|
|
|
|
// static
|
|
bool CRLSet::Parse(base::StringPiece data, scoped_refptr<CRLSet>* out_crl_set) {
|
|
TRACE_EVENT0(NetTracingCategory(), "CRLSet::Parse");
|
|
// Other parts of Chrome assume that we're little endian, so we don't lose
|
|
// anything by doing this.
|
|
#if defined(__BYTE_ORDER)
|
|
// Linux check
|
|
static_assert(__BYTE_ORDER == __LITTLE_ENDIAN, "assumes little endian");
|
|
#elif defined(__BIG_ENDIAN__)
|
|
// Mac check
|
|
#error assumes little endian
|
|
#endif
|
|
|
|
absl::optional<base::Value> header_value = ReadHeader(&data);
|
|
if (!header_value) {
|
|
return false;
|
|
}
|
|
|
|
const base::Value::Dict& header_dict = header_value->GetDict();
|
|
|
|
const std::string* contents = header_dict.FindString("ContentType");
|
|
if (!contents || (*contents != "CRLSet"))
|
|
return false;
|
|
|
|
if (header_dict.FindInt("Version") != kCurrentFileVersion)
|
|
return false;
|
|
|
|
absl::optional<int> sequence = header_dict.FindInt("Sequence");
|
|
if (!sequence)
|
|
return false;
|
|
|
|
// NotAfter is optional for now.
|
|
double not_after = header_dict.FindDouble("NotAfter").value_or(0);
|
|
if (not_after < 0)
|
|
return false;
|
|
|
|
auto crl_set = base::WrapRefCounted(new CRLSet());
|
|
crl_set->sequence_ = static_cast<uint32_t>(*sequence);
|
|
crl_set->not_after_ = static_cast<uint64_t>(not_after);
|
|
crl_set->crls_.reserve(64); // Value observed experimentally.
|
|
|
|
while (!data.empty()) {
|
|
std::string spki_hash;
|
|
std::vector<std::string> blocked_serials;
|
|
|
|
if (!ReadCRL(&data, &spki_hash, &blocked_serials)) {
|
|
return false;
|
|
}
|
|
crl_set->crls_[std::move(spki_hash)] = std::move(blocked_serials);
|
|
}
|
|
|
|
std::vector<std::string> blocked_interception_spkis;
|
|
if (!CopyHashListFromHeader(header_dict, "BlockedSPKIs",
|
|
&crl_set->blocked_spkis_) ||
|
|
!CopyHashToHashesMapFromHeader(header_dict, "LimitedSubjects",
|
|
&crl_set->limited_subjects_) ||
|
|
!CopyHashListFromHeader(header_dict, "KnownInterceptionSPKIs",
|
|
&crl_set->known_interception_spkis_) ||
|
|
!CopyHashListFromHeader(header_dict, "BlockedInterceptionSPKIs",
|
|
&blocked_interception_spkis)) {
|
|
return false;
|
|
}
|
|
|
|
// Add the BlockedInterceptionSPKIs to both lists; these are provided as
|
|
// a separate list to allow less data to be sent over the wire, even though
|
|
// they are duplicated in-memory.
|
|
crl_set->blocked_spkis_.insert(crl_set->blocked_spkis_.end(),
|
|
blocked_interception_spkis.begin(),
|
|
blocked_interception_spkis.end());
|
|
crl_set->known_interception_spkis_.insert(
|
|
crl_set->known_interception_spkis_.end(),
|
|
blocked_interception_spkis.begin(), blocked_interception_spkis.end());
|
|
|
|
// Defines kSPKIBlockList and kKnownInterceptionList
|
|
#include "net/cert/cert_verify_proc_blocklist.inc"
|
|
for (const auto& hash : kSPKIBlockList) {
|
|
crl_set->blocked_spkis_.emplace_back(reinterpret_cast<const char*>(hash),
|
|
crypto::kSHA256Length);
|
|
}
|
|
|
|
for (const auto& hash : kKnownInterceptionList) {
|
|
crl_set->known_interception_spkis_.emplace_back(
|
|
reinterpret_cast<const char*>(hash), crypto::kSHA256Length);
|
|
}
|
|
|
|
// Sort, as these will be std::binary_search()'d.
|
|
std::sort(crl_set->blocked_spkis_.begin(), crl_set->blocked_spkis_.end());
|
|
std::sort(crl_set->known_interception_spkis_.begin(),
|
|
crl_set->known_interception_spkis_.end());
|
|
|
|
*out_crl_set = std::move(crl_set);
|
|
return true;
|
|
}
|
|
|
|
CRLSet::Result CRLSet::CheckSPKI(base::StringPiece spki_hash) const {
|
|
if (std::binary_search(blocked_spkis_.begin(), blocked_spkis_.end(),
|
|
spki_hash))
|
|
return REVOKED;
|
|
return GOOD;
|
|
}
|
|
|
|
CRLSet::Result CRLSet::CheckSubject(base::StringPiece encoded_subject,
|
|
base::StringPiece spki_hash) const {
|
|
const std::string digest(crypto::SHA256HashString(encoded_subject));
|
|
const auto i = limited_subjects_.find(digest);
|
|
if (i == limited_subjects_.end()) {
|
|
return GOOD;
|
|
}
|
|
|
|
for (const auto& j : i->second) {
|
|
if (spki_hash == j) {
|
|
return GOOD;
|
|
}
|
|
}
|
|
|
|
return REVOKED;
|
|
}
|
|
|
|
CRLSet::Result CRLSet::CheckSerial(base::StringPiece serial_number,
|
|
base::StringPiece issuer_spki_hash) const {
|
|
base::StringPiece serial(serial_number);
|
|
|
|
if (!serial.empty() && (serial[0] & 0x80) != 0) {
|
|
// This serial number is negative but the process which generates CRL sets
|
|
// will reject any certificates with negative serial numbers as invalid.
|
|
return UNKNOWN;
|
|
}
|
|
|
|
// Remove any leading zero bytes.
|
|
while (serial.size() > 1 && serial[0] == 0x00)
|
|
serial.remove_prefix(1);
|
|
|
|
auto it = crls_.find(std::string(issuer_spki_hash));
|
|
if (it == crls_.end())
|
|
return UNKNOWN;
|
|
|
|
for (const auto& issuer_serial : it->second) {
|
|
if (issuer_serial == serial)
|
|
return REVOKED;
|
|
}
|
|
|
|
return GOOD;
|
|
}
|
|
|
|
bool CRLSet::IsKnownInterceptionKey(base::StringPiece spki_hash) const {
|
|
return std::binary_search(known_interception_spkis_.begin(),
|
|
known_interception_spkis_.end(), spki_hash);
|
|
}
|
|
|
|
bool CRLSet::IsExpired() const {
|
|
if (not_after_ == 0)
|
|
return false;
|
|
|
|
uint64_t now = base::Time::Now().ToTimeT();
|
|
return now > not_after_;
|
|
}
|
|
|
|
uint32_t CRLSet::sequence() const {
|
|
return sequence_;
|
|
}
|
|
|
|
const CRLSet::CRLList& CRLSet::CrlsForTesting() const {
|
|
return crls_;
|
|
}
|
|
|
|
// static
|
|
scoped_refptr<CRLSet> CRLSet::BuiltinCRLSet() {
|
|
constexpr char kCRLSet[] =
|
|
"\x31\x00{\"ContentType\":\"CRLSet\",\"Sequence\":0,\"Version\":0}";
|
|
scoped_refptr<CRLSet> ret;
|
|
bool parsed = CRLSet::Parse({kCRLSet, sizeof(kCRLSet) - 1}, &ret);
|
|
DCHECK(parsed);
|
|
return ret;
|
|
}
|
|
|
|
// static
|
|
scoped_refptr<CRLSet> CRLSet::EmptyCRLSetForTesting() {
|
|
return ForTesting(false, nullptr, "", "", {});
|
|
}
|
|
|
|
// static
|
|
scoped_refptr<CRLSet> CRLSet::ExpiredCRLSetForTesting() {
|
|
return ForTesting(true, nullptr, "", "", {});
|
|
}
|
|
|
|
// static
|
|
scoped_refptr<CRLSet> CRLSet::ForTesting(
|
|
bool is_expired,
|
|
const SHA256HashValue* issuer_spki,
|
|
base::StringPiece serial_number,
|
|
base::StringPiece utf8_common_name,
|
|
const std::vector<std::string>& acceptable_spki_hashes_for_cn) {
|
|
std::string subject_hash;
|
|
if (!utf8_common_name.empty()) {
|
|
CBB cbb, top_level, set, inner_seq, oid, cn;
|
|
uint8_t* x501_data;
|
|
size_t x501_len;
|
|
static const uint8_t kCommonNameOID[] = {0x55, 0x04, 0x03}; // 2.5.4.3
|
|
|
|
CBB_zero(&cbb);
|
|
|
|
if (!CBB_init(&cbb, 32) ||
|
|
!CBB_add_asn1(&cbb, &top_level, CBS_ASN1_SEQUENCE) ||
|
|
!CBB_add_asn1(&top_level, &set, CBS_ASN1_SET) ||
|
|
!CBB_add_asn1(&set, &inner_seq, CBS_ASN1_SEQUENCE) ||
|
|
!CBB_add_asn1(&inner_seq, &oid, CBS_ASN1_OBJECT) ||
|
|
!CBB_add_bytes(&oid, kCommonNameOID, sizeof(kCommonNameOID)) ||
|
|
!CBB_add_asn1(&inner_seq, &cn, CBS_ASN1_UTF8STRING) ||
|
|
!CBB_add_bytes(
|
|
&cn, reinterpret_cast<const uint8_t*>(utf8_common_name.data()),
|
|
utf8_common_name.size()) ||
|
|
!CBB_finish(&cbb, &x501_data, &x501_len)) {
|
|
CBB_cleanup(&cbb);
|
|
return nullptr;
|
|
}
|
|
|
|
subject_hash.assign(crypto::SHA256HashString(
|
|
base::StringPiece(reinterpret_cast<char*>(x501_data), x501_len)));
|
|
OPENSSL_free(x501_data);
|
|
}
|
|
|
|
auto crl_set = base::WrapRefCounted(new CRLSet());
|
|
crl_set->sequence_ = 0;
|
|
if (is_expired)
|
|
crl_set->not_after_ = 1;
|
|
|
|
if (issuer_spki) {
|
|
const std::string spki(reinterpret_cast<const char*>(issuer_spki->data),
|
|
sizeof(issuer_spki->data));
|
|
std::vector<std::string> serials;
|
|
if (!serial_number.empty()) {
|
|
serials.push_back(std::string(serial_number));
|
|
// |serial_number| is in DER-encoded form, which means it may have a
|
|
// leading 0x00 to indicate it is a positive INTEGER. CRLSets are stored
|
|
// without these leading 0x00, as handled in CheckSerial(), so remove
|
|
// that here. As DER-encoding means that any sequences of leading zeroes
|
|
// should be omitted, except to indicate sign, there should only ever
|
|
// be one, and the next byte should have the high bit set.
|
|
DCHECK_EQ(serials[0][0] & 0x80, 0); // Negative serials are not allowed.
|
|
if (serials[0][0] == 0x00) {
|
|
serials[0].erase(0, 1);
|
|
// If there was a leading 0x00, then the high-bit of the next byte
|
|
// should have been set.
|
|
DCHECK(!serials[0].empty() && serials[0][0] & 0x80);
|
|
}
|
|
}
|
|
|
|
crl_set->crls_.emplace(std::move(spki), std::move(serials));
|
|
}
|
|
|
|
if (!subject_hash.empty())
|
|
crl_set->limited_subjects_[subject_hash] = acceptable_spki_hashes_for_cn;
|
|
|
|
return crl_set;
|
|
}
|
|
|
|
} // namespace net
|