blob: e84f6ed6e74432353234062d8aaad953f43d4af3 [file] [log] [blame]
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/crl_set.h"
#include <algorithm>
#include "base/base64.h"
#include "base/json/json_reader.h"
#include "base/strings/string_piece.h"
#include "base/time/time.h"
#include "base/values.h"
#include "crypto/sha2.h"
#include "net/base/trace_constants.h"
#include "net/base/tracing.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
#include "third_party/boringssl/src/include/openssl/mem.h"
namespace net {
namespace {
// CRLSet format:
//
// uint16le header_len
// byte[header_len] header_bytes
// repeated {
// byte[32] parent_spki_sha256
// uint32le num_serials
// [num_serials] {
// uint8_t serial_length;
// byte[serial_length] serial;
// }
//
// header_bytes consists of a JSON dictionary with the following keys:
// Version (int): currently 0
// ContentType (string): "CRLSet" (magic value)
// Sequence (int32_t): the monotonic sequence number of this CRL set.
// NotAfter (optional) (double/int64_t): The number of seconds since the
// Unix epoch, after which, this CRLSet is expired.
// BlockedSPKIs (array of string): An array of Base64 encoded, SHA-256 hashed
// SubjectPublicKeyInfos that should be blocked.
// LimitedSubjects (object/map of string -> array of string): A map between
// the Base64-encoded SHA-256 hash of the DER-encoded Subject and the
// Base64-encoded SHA-256 hashes of the SubjectPublicKeyInfos that are
// allowed for that subject.
// KnownInterceptionSPKIs (array of string): An array of Base64-encoded
// SHA-256 hashed SubjectPublicKeyInfos known to be used for interception.
// BlockedInterceptionSPKIs (array of string): An array of Base64-encoded
// SHA-256 hashed SubjectPublicKeyInfos known to be used for interception
// and that should be actively blocked.
//
// ReadHeader reads the header (including length prefix) from |data| and
// updates |data| to remove the header on return. Caller takes ownership of the
// returned pointer.
absl::optional<base::Value> ReadHeader(base::StringPiece* data) {
uint16_t header_len;
if (data->size() < sizeof(header_len)) {
return absl::nullopt;
}
// Assumes little-endian.
memcpy(&header_len, data->data(), sizeof(header_len));
data->remove_prefix(sizeof(header_len));
if (data->size() < header_len) {
return absl::nullopt;
}
const base::StringPiece header_bytes = data->substr(0, header_len);
data->remove_prefix(header_len);
absl::optional<base::Value> header =
base::JSONReader::Read(header_bytes, base::JSON_ALLOW_TRAILING_COMMAS);
if (!header || !header->is_dict()) {
return absl::nullopt;
}
return header;
}
// kCurrentFileVersion is the version of the CRLSet file format that we
// currently implement.
static const int kCurrentFileVersion = 0;
bool ReadCRL(base::StringPiece* data,
std::string* out_parent_spki_hash,
std::vector<std::string>* out_serials) {
if (data->size() < crypto::kSHA256Length)
return false;
*out_parent_spki_hash = std::string(data->substr(0, crypto::kSHA256Length));
data->remove_prefix(crypto::kSHA256Length);
uint32_t num_serials;
if (data->size() < sizeof(num_serials))
return false;
// Assumes little endian.
memcpy(&num_serials, data->data(), sizeof(num_serials));
data->remove_prefix(sizeof(num_serials));
if (num_serials > 32 * 1024 * 1024) // Sanity check.
return false;
out_serials->reserve(num_serials);
for (uint32_t i = 0; i < num_serials; ++i) {
if (data->size() < sizeof(uint8_t))
return false;
uint8_t serial_length = (*data)[0];
data->remove_prefix(sizeof(uint8_t));
if (data->size() < serial_length)
return false;
out_serials->push_back(std::string());
out_serials->back() = std::string(data->substr(0, serial_length));
data->remove_prefix(serial_length);
}
return true;
}
// CopyHashListFromHeader parses a list of base64-encoded, SHA-256 hashes from
// the given |key| (without path expansion) in |header_dict| and sets |*out|
// to the decoded values. It's not an error if |key| is not found in
// |header_dict|.
bool CopyHashListFromHeader(const base::Value::Dict& header_dict,
const char* key,
std::vector<std::string>* out) {
const base::Value::List* list = header_dict.FindList(key);
if (!list) {
// Hash lists are optional so it's not an error if not present.
return true;
}
out->clear();
out->reserve(list->size());
std::string sha256_base64;
for (const base::Value& i : *list) {
sha256_base64.clear();
if (!i.is_string())
return false;
sha256_base64 = i.GetString();
out->push_back(std::string());
if (!base::Base64Decode(sha256_base64, &out->back())) {
out->pop_back();
return false;
}
}
return true;
}
// CopyHashToHashesMapFromHeader parse a map from base64-encoded, SHA-256
// hashes to lists of the same, from the given |key| in |header_dict|. It
// copies the map data into |out| (after base64-decoding).
bool CopyHashToHashesMapFromHeader(
const base::Value::Dict& header_dict,
const char* key,
std::unordered_map<std::string, std::vector<std::string>>* out) {
out->clear();
const base::Value::Dict* dict = header_dict.FindDict(key);
if (dict == nullptr) {
// Maps are optional so it's not an error if not present.
return true;
}
for (auto i : *dict) {
if (!i.second.is_list()) {
return false;
}
std::vector<std::string> allowed_spkis;
for (const auto& j : i.second.GetList()) {
allowed_spkis.emplace_back();
if (!j.is_string() ||
!base::Base64Decode(j.GetString(), &allowed_spkis.back())) {
return false;
}
}
std::string subject_hash;
if (!base::Base64Decode(i.first, &subject_hash)) {
return false;
}
(*out)[subject_hash] = allowed_spkis;
}
return true;
}
} // namespace
CRLSet::CRLSet() = default;
CRLSet::~CRLSet() = default;
// static
bool CRLSet::Parse(base::StringPiece data, scoped_refptr<CRLSet>* out_crl_set) {
TRACE_EVENT0(NetTracingCategory(), "CRLSet::Parse");
// Other parts of Chrome assume that we're little endian, so we don't lose
// anything by doing this.
#if defined(__BYTE_ORDER)
// Linux check
static_assert(__BYTE_ORDER == __LITTLE_ENDIAN, "assumes little endian");
#elif defined(__BIG_ENDIAN__)
// Mac check
#error assumes little endian
#endif
absl::optional<base::Value> header_value = ReadHeader(&data);
if (!header_value) {
return false;
}
const base::Value::Dict& header_dict = header_value->GetDict();
const std::string* contents = header_dict.FindString("ContentType");
if (!contents || (*contents != "CRLSet"))
return false;
if (header_dict.FindInt("Version") != kCurrentFileVersion)
return false;
absl::optional<int> sequence = header_dict.FindInt("Sequence");
if (!sequence)
return false;
// NotAfter is optional for now.
double not_after = header_dict.FindDouble("NotAfter").value_or(0);
if (not_after < 0)
return false;
auto crl_set = base::WrapRefCounted(new CRLSet());
crl_set->sequence_ = static_cast<uint32_t>(*sequence);
crl_set->not_after_ = static_cast<uint64_t>(not_after);
crl_set->crls_.reserve(64); // Value observed experimentally.
while (!data.empty()) {
std::string spki_hash;
std::vector<std::string> blocked_serials;
if (!ReadCRL(&data, &spki_hash, &blocked_serials)) {
return false;
}
crl_set->crls_[std::move(spki_hash)] = std::move(blocked_serials);
}
std::vector<std::string> blocked_interception_spkis;
if (!CopyHashListFromHeader(header_dict, "BlockedSPKIs",
&crl_set->blocked_spkis_) ||
!CopyHashToHashesMapFromHeader(header_dict, "LimitedSubjects",
&crl_set->limited_subjects_) ||
!CopyHashListFromHeader(header_dict, "KnownInterceptionSPKIs",
&crl_set->known_interception_spkis_) ||
!CopyHashListFromHeader(header_dict, "BlockedInterceptionSPKIs",
&blocked_interception_spkis)) {
return false;
}
// Add the BlockedInterceptionSPKIs to both lists; these are provided as
// a separate list to allow less data to be sent over the wire, even though
// they are duplicated in-memory.
crl_set->blocked_spkis_.insert(crl_set->blocked_spkis_.end(),
blocked_interception_spkis.begin(),
blocked_interception_spkis.end());
crl_set->known_interception_spkis_.insert(
crl_set->known_interception_spkis_.end(),
blocked_interception_spkis.begin(), blocked_interception_spkis.end());
// Defines kSPKIBlockList and kKnownInterceptionList
#include "net/cert/cert_verify_proc_blocklist.inc"
for (const auto& hash : kSPKIBlockList) {
crl_set->blocked_spkis_.emplace_back(reinterpret_cast<const char*>(hash),
crypto::kSHA256Length);
}
for (const auto& hash : kKnownInterceptionList) {
crl_set->known_interception_spkis_.emplace_back(
reinterpret_cast<const char*>(hash), crypto::kSHA256Length);
}
// Sort, as these will be std::binary_search()'d.
std::sort(crl_set->blocked_spkis_.begin(), crl_set->blocked_spkis_.end());
std::sort(crl_set->known_interception_spkis_.begin(),
crl_set->known_interception_spkis_.end());
*out_crl_set = std::move(crl_set);
return true;
}
CRLSet::Result CRLSet::CheckSPKI(base::StringPiece spki_hash) const {
if (std::binary_search(blocked_spkis_.begin(), blocked_spkis_.end(),
spki_hash))
return REVOKED;
return GOOD;
}
CRLSet::Result CRLSet::CheckSubject(base::StringPiece encoded_subject,
base::StringPiece spki_hash) const {
const std::string digest(crypto::SHA256HashString(encoded_subject));
const auto i = limited_subjects_.find(digest);
if (i == limited_subjects_.end()) {
return GOOD;
}
for (const auto& j : i->second) {
if (spki_hash == j) {
return GOOD;
}
}
return REVOKED;
}
CRLSet::Result CRLSet::CheckSerial(base::StringPiece serial_number,
base::StringPiece issuer_spki_hash) const {
base::StringPiece serial(serial_number);
if (!serial.empty() && (serial[0] & 0x80) != 0) {
// This serial number is negative but the process which generates CRL sets
// will reject any certificates with negative serial numbers as invalid.
return UNKNOWN;
}
// Remove any leading zero bytes.
while (serial.size() > 1 && serial[0] == 0x00)
serial.remove_prefix(1);
auto it = crls_.find(std::string(issuer_spki_hash));
if (it == crls_.end())
return UNKNOWN;
for (const auto& issuer_serial : it->second) {
if (issuer_serial == serial)
return REVOKED;
}
return GOOD;
}
bool CRLSet::IsKnownInterceptionKey(base::StringPiece spki_hash) const {
return std::binary_search(known_interception_spkis_.begin(),
known_interception_spkis_.end(), spki_hash);
}
bool CRLSet::IsExpired() const {
if (not_after_ == 0)
return false;
uint64_t now = base::Time::Now().ToTimeT();
return now > not_after_;
}
uint32_t CRLSet::sequence() const {
return sequence_;
}
const CRLSet::CRLList& CRLSet::CrlsForTesting() const {
return crls_;
}
// static
scoped_refptr<CRLSet> CRLSet::BuiltinCRLSet() {
constexpr char kCRLSet[] =
"\x31\x00{\"ContentType\":\"CRLSet\",\"Sequence\":0,\"Version\":0}";
scoped_refptr<CRLSet> ret;
bool parsed = CRLSet::Parse({kCRLSet, sizeof(kCRLSet) - 1}, &ret);
DCHECK(parsed);
return ret;
}
// static
scoped_refptr<CRLSet> CRLSet::EmptyCRLSetForTesting() {
return ForTesting(false, nullptr, "", "", {});
}
// static
scoped_refptr<CRLSet> CRLSet::ExpiredCRLSetForTesting() {
return ForTesting(true, nullptr, "", "", {});
}
// static
scoped_refptr<CRLSet> CRLSet::ForTesting(
bool is_expired,
const SHA256HashValue* issuer_spki,
base::StringPiece serial_number,
base::StringPiece utf8_common_name,
const std::vector<std::string>& acceptable_spki_hashes_for_cn) {
std::string subject_hash;
if (!utf8_common_name.empty()) {
CBB cbb, top_level, set, inner_seq, oid, cn;
uint8_t* x501_data;
size_t x501_len;
static const uint8_t kCommonNameOID[] = {0x55, 0x04, 0x03}; // 2.5.4.3
CBB_zero(&cbb);
if (!CBB_init(&cbb, 32) ||
!CBB_add_asn1(&cbb, &top_level, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&top_level, &set, CBS_ASN1_SET) ||
!CBB_add_asn1(&set, &inner_seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&inner_seq, &oid, CBS_ASN1_OBJECT) ||
!CBB_add_bytes(&oid, kCommonNameOID, sizeof(kCommonNameOID)) ||
!CBB_add_asn1(&inner_seq, &cn, CBS_ASN1_UTF8STRING) ||
!CBB_add_bytes(
&cn, reinterpret_cast<const uint8_t*>(utf8_common_name.data()),
utf8_common_name.size()) ||
!CBB_finish(&cbb, &x501_data, &x501_len)) {
CBB_cleanup(&cbb);
return nullptr;
}
subject_hash.assign(crypto::SHA256HashString(
base::StringPiece(reinterpret_cast<char*>(x501_data), x501_len)));
OPENSSL_free(x501_data);
}
auto crl_set = base::WrapRefCounted(new CRLSet());
crl_set->sequence_ = 0;
if (is_expired)
crl_set->not_after_ = 1;
if (issuer_spki) {
const std::string spki(reinterpret_cast<const char*>(issuer_spki->data),
sizeof(issuer_spki->data));
std::vector<std::string> serials;
if (!serial_number.empty()) {
serials.push_back(std::string(serial_number));
// |serial_number| is in DER-encoded form, which means it may have a
// leading 0x00 to indicate it is a positive INTEGER. CRLSets are stored
// without these leading 0x00, as handled in CheckSerial(), so remove
// that here. As DER-encoding means that any sequences of leading zeroes
// should be omitted, except to indicate sign, there should only ever
// be one, and the next byte should have the high bit set.
DCHECK_EQ(serials[0][0] & 0x80, 0); // Negative serials are not allowed.
if (serials[0][0] == 0x00) {
serials[0].erase(0, 1);
// If there was a leading 0x00, then the high-bit of the next byte
// should have been set.
DCHECK(!serials[0].empty() && serials[0][0] & 0x80);
}
}
crl_set->crls_.emplace(std::move(spki), std::move(serials));
}
if (!subject_hash.empty())
crl_set->limited_subjects_[subject_hash] = acceptable_spki_hashes_for_cn;
return crl_set;
}
} // namespace net