src/net/cert/internal/verify_signed_data.cc - cobalt - Git at Google

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/cert/internal/verify_signed_data.h"

 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/numerics/safe_math.h"
 #include "crypto/openssl_util.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 #include "net/der/parser.h"
 #include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/digest.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
 #include "third_party/boringssl/src/include/openssl/rsa.h"

 namespace net {

 namespace {

 // Converts a DigestAlgorithm to an equivalent EVP_MD*.
 WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) {
   *out = nullptr;

   switch (digest) {
     case DigestAlgorithm::Md2:
     case DigestAlgorithm::Md4:
     case DigestAlgorithm::Md5:
       // Unsupported.
       break;
     case DigestAlgorithm::Sha1:
       *out = EVP_sha1();
       break;
     case DigestAlgorithm::Sha256:
       *out = EVP_sha256();
       break;
     case DigestAlgorithm::Sha384:
       *out = EVP_sha384();
       break;
     case DigestAlgorithm::Sha512:
       *out = EVP_sha512();
       break;
   }

   return *out != nullptr;
 }

 // Sets the RSASSA-PSS parameters on |pctx|. Returns true on success.
 WARN_UNUSED_RESULT bool ApplyRsaPssOptions(const RsaPssParameters* params,
                                            EVP_PKEY_CTX* pctx) {
   // BoringSSL takes a signed int for the salt length, and interprets
   // negative values in a special manner. Make sure not to silently underflow.
   base::CheckedNumeric<int> salt_length_bytes_int(params->salt_length());
   if (!salt_length_bytes_int.IsValid())
     return false;

   const EVP_MD* mgf1_hash;
   if (!GetDigest(params->mgf1_hash(), &mgf1_hash))
     return false;

   return EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
          EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1_hash) &&
          EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
                                           salt_length_bytes_int.ValueOrDie());
 }

 }  // namespace

 // Parses an RSA public key or EC public key from SPKI to an EVP_PKEY. Returns
 // true on success.
 //
 // There are two flavors of RSA public key that this function should recognize
 // from RFC 5912 (however note that pk-rsaSSA-PSS is not supported in the
 // current implementation).
 // TODO(eroman): Support id-RSASSA-PSS and its associated parameters. See
 // https://crbug.com/522232
 //
 //     pk-rsa PUBLIC-KEY ::= {
 //      IDENTIFIER rsaEncryption
 //      KEY RSAPublicKey
 //      PARAMS TYPE NULL ARE absent
 //      -- Private key format not in this module --
 //      CERT-KEY-USAGE {digitalSignature, nonRepudiation,
 //      keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
 //     }
 //
 //  ...
 //
 //     pk-rsaSSA-PSS PUBLIC-KEY ::= {
 //         IDENTIFIER id-RSASSA-PSS
 //         KEY RSAPublicKey
 //         PARAMS TYPE RSASSA-PSS-params ARE optional
 //          -- Private key format not in this module --
 //         CERT-KEY-USAGE { nonRepudiation, digitalSignature,
 //                              keyCertSign, cRLSign }
 //     }
 //
 // Any RSA signature algorithm can accept a "pk-rsa" (rsaEncryption). However a
 // "pk-rsaSSA-PSS" key is only accepted if the signature algorithm was for PSS
 // mode:
 //
 //     sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= {
 //         IDENTIFIER id-RSASSA-PSS
 //         PARAMS TYPE RSASSA-PSS-params ARE required
 //         HASHES { mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384
 //                      | mda-sha512 }
 //         PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS }
 //         SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS }
 //     }
 //
 // Moreover, if a "pk-rsaSSA-PSS" key was used and it optionally provided
 // parameters for the algorithm, they must match those of the signature
 // algorithm.
 //
 // COMPATIBILITY NOTE: RFC 5912 and RFC 3279 are in disagreement on the value
 // of parameters for rsaEncryption. Whereas RFC 5912 says they must be absent,
 // RFC 3279 says they must be NULL:
 //
 //     The rsaEncryption OID is intended to be used in the algorithm field
 //     of a value of type AlgorithmIdentifier.  The parameters field MUST
 //     have ASN.1 type NULL for this algorithm identifier.
 //
 // Following RFC 3279 in this case.
 //
 // In the case of parsing EC keys, RFC 5912 describes all the ECDSA
 // signature algorithms as requiring a public key of type "pk-ec":
 //
 //     pk-ec PUBLIC-KEY ::= {
 //      IDENTIFIER id-ecPublicKey
 //      KEY ECPoint
 //      PARAMS TYPE ECParameters ARE required
 //      -- Private key format not in this module --
 //      CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
 //                           keyCertSign, cRLSign }
 //     }
 //
 // Moreover RFC 5912 stipulates what curves are allowed. The ECParameters
 // MUST NOT use an implicitCurve or specificCurve for PKIX:
 //
 //     ECParameters ::= CHOICE {
 //      namedCurve      CURVE.&id({NamedCurve})
 //      -- implicitCurve   NULL
 //        -- implicitCurve MUST NOT be used in PKIX
 //      -- specifiedCurve  SpecifiedCurve
 //        -- specifiedCurve MUST NOT be used in PKIX
 //        -- Details for specifiedCurve can be found in [X9.62]
 //        -- Any future additions to this CHOICE should be coordinated
 //        -- with ANSI X.9.
 //     }
 //     -- If you need to be able to decode ANSI X.9 parameter structures,
 //     -- uncomment the implicitCurve and specifiedCurve above, and also
 //     -- uncomment the following:
 //     --(WITH COMPONENTS {namedCurve PRESENT})
 //
 // The namedCurves are extensible. The ones described by RFC 5912 are:
 //
 //     NamedCurve CURVE ::= {
 //     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
 //     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
 //     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
 //     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
 //     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
 //     ... -- Extensible
 //     }
 bool ParsePublicKey(const der::Input& public_key_spki,
                     bssl::UniquePtr<EVP_PKEY>* public_key) {
   // Parse the SPKI to an EVP_PKEY.
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);

   // TODO(eroman): This is not strict enough. It accepts BER, other RSA
   // OIDs, and does not check id-rsaEncryption parameters.
   // See https://crbug.com/522228 and https://crbug.com/522232
   CBS cbs;
   CBS_init(&cbs, public_key_spki.UnsafeData(), public_key_spki.Length());
   public_key->reset(EVP_parse_public_key(&cbs));
   if (!*public_key || CBS_len(&cbs) != 0) {
     public_key->reset();
     return false;
   }
   return true;
 }

 bool VerifySignedData(const SignatureAlgorithm& algorithm,
                       const der::Input& signed_data,
                       const der::BitString& signature_value,
                       EVP_PKEY* public_key) {
   // Check that the key type matches the signature algorithm.
   int expected_pkey_id = -1;
   switch (algorithm.algorithm()) {
     case SignatureAlgorithmId::Dsa:
       // DSA is not supported.
       return false;
     case SignatureAlgorithmId::RsaPkcs1:
     case SignatureAlgorithmId::RsaPss:
       expected_pkey_id = EVP_PKEY_RSA;
       break;
     case SignatureAlgorithmId::Ecdsa:
       expected_pkey_id = EVP_PKEY_EC;
       break;
   }

   if (expected_pkey_id != EVP_PKEY_id(public_key))
     return false;

   // For the supported algorithms the signature value must be a whole
   // number of bytes.
   if (signature_value.unused_bits() != 0)
     return false;
   const der::Input& signature_value_bytes = signature_value.bytes();

   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);

   bssl::ScopedEVP_MD_CTX ctx;
   EVP_PKEY_CTX* pctx = nullptr;  // Owned by |ctx|.

   const EVP_MD* digest;
   if (!GetDigest(algorithm.digest(), &digest))
     return false;

   if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key))
     return false;

   // Set the RSASSA-PSS specific options.
   if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss &&
       !ApplyRsaPssOptions(algorithm.ParamsForRsaPss(), pctx)) {
     return false;
   }

   if (!EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(),
                               signed_data.Length())) {
     return false;
   }

   return 1 == EVP_DigestVerifyFinal(ctx.get(),
                                     signature_value_bytes.UnsafeData(),
                                     signature_value_bytes.Length());
 }

 bool VerifySignedData(const SignatureAlgorithm& algorithm,
                       const der::Input& signed_data,
                       const der::BitString& signature_value,
                       const der::Input& public_key_spki) {
   bssl::UniquePtr<EVP_PKEY> public_key;
   if (!ParsePublicKey(public_key_spki, &public_key))
     return false;
   return VerifySignedData(algorithm, signed_data, signature_value,
                           public_key.get());
 }

 }  // namespace net
	// Copyright 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/cert/internal/verify_signed_data.h"

	#include "base/compiler_specific.h"
	#include "base/logging.h"
	#include "base/numerics/safe_math.h"
	#include "crypto/openssl_util.h"
	#include "net/cert/internal/cert_errors.h"
	#include "net/cert/internal/signature_algorithm.h"
	#include "net/der/input.h"
	#include "net/der/parse_values.h"
	#include "net/der/parser.h"
	#include "third_party/boringssl/src/include/openssl/bytestring.h"
	#include "third_party/boringssl/src/include/openssl/digest.h"
	#include "third_party/boringssl/src/include/openssl/evp.h"
	#include "third_party/boringssl/src/include/openssl/rsa.h"

	namespace net {

	namespace {

	// Converts a DigestAlgorithm to an equivalent EVP_MD*.
	WARN_UNUSED_RESULT bool GetDigest(DigestAlgorithm digest, const EVP_MD** out) {
	*out = nullptr;

	switch (digest) {
	case DigestAlgorithm::Md2:
	case DigestAlgorithm::Md4:
	case DigestAlgorithm::Md5:
	// Unsupported.
	break;
	case DigestAlgorithm::Sha1:
	*out = EVP_sha1();
	break;
	case DigestAlgorithm::Sha256:
	*out = EVP_sha256();
	break;
	case DigestAlgorithm::Sha384:
	*out = EVP_sha384();
	break;
	case DigestAlgorithm::Sha512:
	*out = EVP_sha512();
	break;
	}

	return *out != nullptr;
	}

	// Sets the RSASSA-PSS parameters on \|pctx\|. Returns true on success.
	WARN_UNUSED_RESULT bool ApplyRsaPssOptions(const RsaPssParameters* params,
	EVP_PKEY_CTX* pctx) {
	// BoringSSL takes a signed int for the salt length, and interprets
	// negative values in a special manner. Make sure not to silently underflow.
	base::CheckedNumeric<int> salt_length_bytes_int(params->salt_length());
	if (!salt_length_bytes_int.IsValid())
	return false;

	const EVP_MD* mgf1_hash;
	if (!GetDigest(params->mgf1_hash(), &mgf1_hash))
	return false;

	return EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) &&
	EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1_hash) &&
	EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
	salt_length_bytes_int.ValueOrDie());
	}

	} // namespace

	// Parses an RSA public key or EC public key from SPKI to an EVP_PKEY. Returns
	// true on success.
	//
	// There are two flavors of RSA public key that this function should recognize
	// from RFC 5912 (however note that pk-rsaSSA-PSS is not supported in the
	// current implementation).
	// TODO(eroman): Support id-RSASSA-PSS and its associated parameters. See
	// https://crbug.com/522232
	//
	// pk-rsa PUBLIC-KEY ::= {
	// IDENTIFIER rsaEncryption
	// KEY RSAPublicKey
	// PARAMS TYPE NULL ARE absent
	// -- Private key format not in this module --
	// CERT-KEY-USAGE {digitalSignature, nonRepudiation,
	// keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
	// }
	//
	// ...
	//
	// pk-rsaSSA-PSS PUBLIC-KEY ::= {
	// IDENTIFIER id-RSASSA-PSS
	// KEY RSAPublicKey
	// PARAMS TYPE RSASSA-PSS-params ARE optional
	// -- Private key format not in this module --
	// CERT-KEY-USAGE { nonRepudiation, digitalSignature,
	// keyCertSign, cRLSign }
	// }
	//
	// Any RSA signature algorithm can accept a "pk-rsa" (rsaEncryption). However a
	// "pk-rsaSSA-PSS" key is only accepted if the signature algorithm was for PSS
	// mode:
	//
	// sa-rsaSSA-PSS SIGNATURE-ALGORITHM ::= {
	// IDENTIFIER id-RSASSA-PSS
	// PARAMS TYPE RSASSA-PSS-params ARE required
	// HASHES { mda-sha1 \| mda-sha224 \| mda-sha256 \| mda-sha384
	// \| mda-sha512 }
	// PUBLIC-KEYS { pk-rsa \| pk-rsaSSA-PSS }
	// SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS }
	// }
	//
	// Moreover, if a "pk-rsaSSA-PSS" key was used and it optionally provided
	// parameters for the algorithm, they must match those of the signature
	// algorithm.
	//
	// COMPATIBILITY NOTE: RFC 5912 and RFC 3279 are in disagreement on the value
	// of parameters for rsaEncryption. Whereas RFC 5912 says they must be absent,
	// RFC 3279 says they must be NULL:
	//
	// The rsaEncryption OID is intended to be used in the algorithm field
	// of a value of type AlgorithmIdentifier. The parameters field MUST
	// have ASN.1 type NULL for this algorithm identifier.
	//
	// Following RFC 3279 in this case.
	//
	// In the case of parsing EC keys, RFC 5912 describes all the ECDSA
	// signature algorithms as requiring a public key of type "pk-ec":
	//
	// pk-ec PUBLIC-KEY ::= {
	// IDENTIFIER id-ecPublicKey
	// KEY ECPoint
	// PARAMS TYPE ECParameters ARE required
	// -- Private key format not in this module --
	// CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
	// keyCertSign, cRLSign }
	// }
	//
	// Moreover RFC 5912 stipulates what curves are allowed. The ECParameters
	// MUST NOT use an implicitCurve or specificCurve for PKIX:
	//
	// ECParameters ::= CHOICE {
	// namedCurve CURVE.&id({NamedCurve})
	// -- implicitCurve NULL
	// -- implicitCurve MUST NOT be used in PKIX
	// -- specifiedCurve SpecifiedCurve
	// -- specifiedCurve MUST NOT be used in PKIX
	// -- Details for specifiedCurve can be found in [X9.62]
	// -- Any future additions to this CHOICE should be coordinated
	// -- with ANSI X.9.
	// }
	// -- If you need to be able to decode ANSI X.9 parameter structures,
	// -- uncomment the implicitCurve and specifiedCurve above, and also
	// -- uncomment the following:
	// --(WITH COMPONENTS {namedCurve PRESENT})
	//
	// The namedCurves are extensible. The ones described by RFC 5912 are:
	//
	// NamedCurve CURVE ::= {
	// { ID secp192r1 } \| { ID sect163k1 } \| { ID sect163r2 } \|
	// { ID secp224r1 } \| { ID sect233k1 } \| { ID sect233r1 } \|
	// { ID secp256r1 } \| { ID sect283k1 } \| { ID sect283r1 } \|
	// { ID secp384r1 } \| { ID sect409k1 } \| { ID sect409r1 } \|
	// { ID secp521r1 } \| { ID sect571k1 } \| { ID sect571r1 },
	// ... -- Extensible
	// }
	bool ParsePublicKey(const der::Input& public_key_spki,
	bssl::UniquePtr<EVP_PKEY>* public_key) {
	// Parse the SPKI to an EVP_PKEY.
	crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);

	// TODO(eroman): This is not strict enough. It accepts BER, other RSA
	// OIDs, and does not check id-rsaEncryption parameters.
	// See https://crbug.com/522228 and https://crbug.com/522232
	CBS cbs;
	CBS_init(&cbs, public_key_spki.UnsafeData(), public_key_spki.Length());
	public_key->reset(EVP_parse_public_key(&cbs));
	if (!*public_key \|\| CBS_len(&cbs) != 0) {
	public_key->reset();
	return false;
	}
	return true;
	}

	bool VerifySignedData(const SignatureAlgorithm& algorithm,
	const der::Input& signed_data,
	const der::BitString& signature_value,
	EVP_PKEY* public_key) {
	// Check that the key type matches the signature algorithm.
	int expected_pkey_id = -1;
	switch (algorithm.algorithm()) {
	case SignatureAlgorithmId::Dsa:
	// DSA is not supported.
	return false;
	case SignatureAlgorithmId::RsaPkcs1:
	case SignatureAlgorithmId::RsaPss:
	expected_pkey_id = EVP_PKEY_RSA;
	break;
	case SignatureAlgorithmId::Ecdsa:
	expected_pkey_id = EVP_PKEY_EC;
	break;
	}

	if (expected_pkey_id != EVP_PKEY_id(public_key))
	return false;

	// For the supported algorithms the signature value must be a whole
	// number of bytes.
	if (signature_value.unused_bits() != 0)
	return false;
	const der::Input& signature_value_bytes = signature_value.bytes();

	crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);

	bssl::ScopedEVP_MD_CTX ctx;
	EVP_PKEY_CTX* pctx = nullptr; // Owned by \|ctx\|.

	const EVP_MD* digest;
	if (!GetDigest(algorithm.digest(), &digest))
	return false;

	if (!EVP_DigestVerifyInit(ctx.get(), &pctx, digest, nullptr, public_key))
	return false;

	// Set the RSASSA-PSS specific options.
	if (algorithm.algorithm() == SignatureAlgorithmId::RsaPss &&
	!ApplyRsaPssOptions(algorithm.ParamsForRsaPss(), pctx)) {
	return false;
	}

	if (!EVP_DigestVerifyUpdate(ctx.get(), signed_data.UnsafeData(),
	signed_data.Length())) {
	return false;
	}

	return 1 == EVP_DigestVerifyFinal(ctx.get(),
	signature_value_bytes.UnsafeData(),
	signature_value_bytes.Length());
	}

	bool VerifySignedData(const SignatureAlgorithm& algorithm,
	const der::Input& signed_data,
	const der::BitString& signature_value,
	const der::Input& public_key_spki) {
	bssl::UniquePtr<EVP_PKEY> public_key;
	if (!ParsePublicKey(public_key_spki, &public_key))
	return false;
	return VerifySignedData(algorithm, signed_data, signature_value,
	public_key.get());
	}

	} // namespace net