1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/cert/cert_verify_proc_nss.h" 6 7#include <string> 8#include <vector> 9 10#include <cert.h> 11#include <nss.h> 12#include <prerror.h> 13#include <secerr.h> 14#include <sechash.h> 15#include <sslerr.h> 16 17#include "base/logging.h" 18#include "crypto/nss_util.h" 19#include "crypto/scoped_nss_types.h" 20#include "crypto/sha2.h" 21#include "net/base/net_errors.h" 22#include "net/cert/asn1_util.h" 23#include "net/cert/cert_status_flags.h" 24#include "net/cert/cert_verifier.h" 25#include "net/cert/cert_verify_result.h" 26#include "net/cert/crl_set.h" 27#include "net/cert/ev_root_ca_metadata.h" 28#include "net/cert/x509_certificate.h" 29#include "net/cert/x509_util_nss.h" 30 31#if defined(OS_IOS) 32#include <CommonCrypto/CommonDigest.h> 33#include "net/cert/x509_util_ios.h" 34#endif // defined(OS_IOS) 35 36namespace net { 37 38namespace { 39 40typedef scoped_ptr< 41 CERTCertificatePolicies, 42 crypto::NSSDestroyer<CERTCertificatePolicies, 43 CERT_DestroyCertificatePoliciesExtension> > 44 ScopedCERTCertificatePolicies; 45 46typedef scoped_ptr< 47 CERTCertList, 48 crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> > 49 ScopedCERTCertList; 50 51// ScopedCERTValOutParam manages destruction of values in the CERTValOutParam 52// array that cvout points to. cvout must be initialized as passed to 53// CERT_PKIXVerifyCert, so that the array must be terminated with 54// cert_po_end type. 55// When it goes out of scope, it destroys values of cert_po_trustAnchor 56// and cert_po_certList types, but doesn't release the array itself. 57class ScopedCERTValOutParam { 58 public: 59 explicit ScopedCERTValOutParam(CERTValOutParam* cvout) : cvout_(cvout) {} 60 61 ~ScopedCERTValOutParam() { 62 Clear(); 63 } 64 65 // Free the internal resources, but do not release the array itself. 66 void Clear() { 67 if (cvout_ == NULL) 68 return; 69 for (CERTValOutParam *p = cvout_; p->type != cert_po_end; p++) { 70 switch (p->type) { 71 case cert_po_trustAnchor: 72 if (p->value.pointer.cert) { 73 CERT_DestroyCertificate(p->value.pointer.cert); 74 p->value.pointer.cert = NULL; 75 } 76 break; 77 case cert_po_certList: 78 if (p->value.pointer.chain) { 79 CERT_DestroyCertList(p->value.pointer.chain); 80 p->value.pointer.chain = NULL; 81 } 82 break; 83 default: 84 break; 85 } 86 } 87 } 88 89 private: 90 CERTValOutParam* cvout_; 91 92 DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam); 93}; 94 95// Map PORT_GetError() return values to our network error codes. 96int MapSecurityError(int err) { 97 switch (err) { 98 case PR_DIRECTORY_LOOKUP_ERROR: // DNS lookup error. 99 return ERR_NAME_NOT_RESOLVED; 100 case SEC_ERROR_INVALID_ARGS: 101 return ERR_INVALID_ARGUMENT; 102 case SSL_ERROR_BAD_CERT_DOMAIN: 103 return ERR_CERT_COMMON_NAME_INVALID; 104 case SEC_ERROR_INVALID_TIME: 105 case SEC_ERROR_EXPIRED_CERTIFICATE: 106 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: 107 return ERR_CERT_DATE_INVALID; 108 case SEC_ERROR_UNKNOWN_ISSUER: 109 case SEC_ERROR_UNTRUSTED_ISSUER: 110 case SEC_ERROR_CA_CERT_INVALID: 111 case SEC_ERROR_APPLICATION_CALLBACK_ERROR: // Rejected by 112 // chain_verify_callback. 113 return ERR_CERT_AUTHORITY_INVALID; 114 // TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM. 115 case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE: 116 case SEC_ERROR_OCSP_SERVER_ERROR: 117 return ERR_CERT_UNABLE_TO_CHECK_REVOCATION; 118 case SEC_ERROR_REVOKED_CERTIFICATE: 119 case SEC_ERROR_UNTRUSTED_CERT: // Treat as revoked. 120 return ERR_CERT_REVOKED; 121 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: 122 return ERR_CERT_NAME_CONSTRAINT_VIOLATION; 123 case SEC_ERROR_BAD_DER: 124 case SEC_ERROR_BAD_SIGNATURE: 125 case SEC_ERROR_CERT_NOT_VALID: 126 // TODO(port): add an ERR_CERT_WRONG_USAGE error code. 127 case SEC_ERROR_CERT_USAGES_INVALID: 128 case SEC_ERROR_INADEQUATE_KEY_USAGE: // Key usage. 129 case SEC_ERROR_INADEQUATE_CERT_TYPE: // Extended key usage and whether 130 // the certificate is a CA. 131 case SEC_ERROR_POLICY_VALIDATION_FAILED: 132 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID: 133 case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: 134 case SEC_ERROR_EXTENSION_VALUE_INVALID: 135 return ERR_CERT_INVALID; 136 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: 137 return ERR_CERT_WEAK_SIGNATURE_ALGORITHM; 138 default: 139 LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED"; 140 return ERR_FAILED; 141 } 142} 143 144// Map PORT_GetError() return values to our cert status flags. 145CertStatus MapCertErrorToCertStatus(int err) { 146 int net_error = MapSecurityError(err); 147 return MapNetErrorToCertStatus(net_error); 148} 149 150// Saves some information about the certificate chain cert_list in 151// *verify_result. The caller MUST initialize *verify_result before calling 152// this function. 153// Note that cert_list[0] is the end entity certificate. 154void GetCertChainInfo(CERTCertList* cert_list, 155 CERTCertificate* root_cert, 156 CertVerifyResult* verify_result) { 157 DCHECK(cert_list); 158 159 CERTCertificate* verified_cert = NULL; 160 std::vector<CERTCertificate*> verified_chain; 161 int i = 0; 162 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 163 !CERT_LIST_END(node, cert_list); 164 node = CERT_LIST_NEXT(node), ++i) { 165 if (i == 0) { 166 verified_cert = node->cert; 167 } else { 168 // Because of an NSS bug, CERT_PKIXVerifyCert may chain a self-signed 169 // certificate of a root CA to another certificate of the same root CA 170 // key. Detect that error and ignore the root CA certificate. 171 // See https://bugzilla.mozilla.org/show_bug.cgi?id=721288. 172 if (node->cert->isRoot) { 173 // NOTE: isRoot doesn't mean the certificate is a trust anchor. It 174 // means the certificate is self-signed. Here we assume isRoot only 175 // implies the certificate is self-issued. 176 CERTCertListNode* next_node = CERT_LIST_NEXT(node); 177 CERTCertificate* next_cert; 178 if (!CERT_LIST_END(next_node, cert_list)) { 179 next_cert = next_node->cert; 180 } else { 181 next_cert = root_cert; 182 } 183 // Test that |node->cert| is actually a self-signed certificate 184 // whose key is equal to |next_cert|, and not a self-issued 185 // certificate signed by another key of the same CA. 186 if (next_cert && SECITEM_ItemsAreEqual(&node->cert->derPublicKey, 187 &next_cert->derPublicKey)) { 188 continue; 189 } 190 } 191 verified_chain.push_back(node->cert); 192 } 193 194 SECAlgorithmID& signature = node->cert->signature; 195 SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm); 196 switch (oid_tag) { 197 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: 198 verify_result->has_md5 = true; 199 break; 200 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: 201 verify_result->has_md2 = true; 202 break; 203 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: 204 verify_result->has_md4 = true; 205 break; 206 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: 207 case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: 208 case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: 209 case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: 210 verify_result->has_sha1 = true; 211 break; 212 default: 213 break; 214 } 215 } 216 217 if (root_cert) 218 verified_chain.push_back(root_cert); 219#if defined(OS_IOS) 220 verify_result->verified_cert = 221 x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain); 222#else 223 verify_result->verified_cert = 224 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 225#endif // defined(OS_IOS) 226} 227 228// IsKnownRoot returns true if the given certificate is one that we believe 229// is a standard (as opposed to user-installed) root. 230bool IsKnownRoot(CERTCertificate* root) { 231 if (!root || !root->slot) 232 return false; 233 234 // This magic name is taken from 235 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79 236 return 0 == strcmp(PK11_GetSlotName(root->slot), 237 "NSS Builtin Objects"); 238} 239 240// Returns true if the given certificate is one of the additional trust anchors. 241bool IsAdditionalTrustAnchor(CERTCertList* additional_trust_anchors, 242 CERTCertificate* root) { 243 if (!additional_trust_anchors || !root) 244 return false; 245 for (CERTCertListNode* node = CERT_LIST_HEAD(additional_trust_anchors); 246 !CERT_LIST_END(node, additional_trust_anchors); 247 node = CERT_LIST_NEXT(node)) { 248 if (CERT_CompareCerts(node->cert, root)) 249 return true; 250 } 251 return false; 252} 253 254enum CRLSetResult { 255 kCRLSetOk, 256 kCRLSetRevoked, 257 kCRLSetUnknown, 258}; 259 260// CheckRevocationWithCRLSet attempts to check each element of |cert_list| 261// against |crl_set|. It returns: 262// kCRLSetRevoked: if any element of the chain is known to have been revoked. 263// kCRLSetUnknown: if there is no fresh information about the leaf 264// certificate in the chain or if the CRLSet has expired. 265// 266// Only the leaf certificate is considered for coverage because some 267// intermediates have CRLs with no revocations (after filtering) and 268// those CRLs are pruned from the CRLSet at generation time. This means 269// that some EV sites would otherwise take the hit of an OCSP lookup for 270// no reason. 271// kCRLSetOk: otherwise. 272CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list, 273 CERTCertificate* root, 274 CRLSet* crl_set) { 275 std::vector<CERTCertificate*> certs; 276 277 if (cert_list) { 278 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 279 !CERT_LIST_END(node, cert_list); 280 node = CERT_LIST_NEXT(node)) { 281 certs.push_back(node->cert); 282 } 283 } 284 if (root) 285 certs.push_back(root); 286 287 // error is set to true if any errors are found. It causes such chains to be 288 // considered as not covered. 289 bool error = false; 290 // last_covered is set to the coverage state of the previous certificate. The 291 // certificates are iterated over backwards thus, after the iteration, 292 // |last_covered| contains the coverage state of the leaf certificate. 293 bool last_covered = false; 294 295 // We iterate from the root certificate down to the leaf, keeping track of 296 // the issuer's SPKI at each step. 297 std::string issuer_spki_hash; 298 for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin(); 299 i != certs.rend(); ++i) { 300 CERTCertificate* cert = *i; 301 302 base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data), 303 cert->derCert.len); 304 305 base::StringPiece spki; 306 if (!asn1::ExtractSPKIFromDERCert(der, &spki)) { 307 NOTREACHED(); 308 error = true; 309 continue; 310 } 311 const std::string spki_hash = crypto::SHA256HashString(spki); 312 313 base::StringPiece serial_number = base::StringPiece( 314 reinterpret_cast<char*>(cert->serialNumber.data), 315 cert->serialNumber.len); 316 317 CRLSet::Result result = crl_set->CheckSPKI(spki_hash); 318 319 if (result != CRLSet::REVOKED && !issuer_spki_hash.empty()) 320 result = crl_set->CheckSerial(serial_number, issuer_spki_hash); 321 322 issuer_spki_hash = spki_hash; 323 324 switch (result) { 325 case CRLSet::REVOKED: 326 return kCRLSetRevoked; 327 case CRLSet::UNKNOWN: 328 last_covered = false; 329 continue; 330 case CRLSet::GOOD: 331 last_covered = true; 332 continue; 333 default: 334 NOTREACHED(); 335 error = true; 336 continue; 337 } 338 } 339 340 if (error || !last_covered || crl_set->IsExpired()) 341 return kCRLSetUnknown; 342 return kCRLSetOk; 343} 344 345// Forward declarations. 346SECStatus RetryPKIXVerifyCertWithWorkarounds( 347 CERTCertificate* cert_handle, int num_policy_oids, 348 bool cert_io_enabled, std::vector<CERTValInParam>* cvin, 349 CERTValOutParam* cvout); 350SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle); 351 352// Call CERT_PKIXVerifyCert for the cert_handle. 353// Verification results are stored in an array of CERTValOutParam. 354// If |hard_fail| is true, and no policy_oids are supplied (eg: EV is NOT being 355// checked), then the failure to obtain valid CRL/OCSP information for all 356// certificates that contain CRL/OCSP URLs will cause the certificate to be 357// treated as if it was revoked. Since failures may be caused by transient 358// network failures or by malicious attackers, in general, hard_fail should be 359// false. 360// If policy_oids is not NULL and num_policy_oids is positive, policies 361// are also checked. 362// additional_trust_anchors is an optional list of certificates that can be 363// trusted as anchors when building a certificate chain. 364// Caller must initialize cvout before calling this function. 365SECStatus PKIXVerifyCert(CERTCertificate* cert_handle, 366 bool check_revocation, 367 bool hard_fail, 368 bool cert_io_enabled, 369 const SECOidTag* policy_oids, 370 int num_policy_oids, 371 CERTCertList* additional_trust_anchors, 372 CERTChainVerifyCallback* chain_verify_callback, 373 CERTValOutParam* cvout) { 374 bool use_crl = check_revocation; 375 bool use_ocsp = check_revocation; 376 377 PRUint64 revocation_method_flags = 378 CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | 379 CERT_REV_M_ALLOW_NETWORK_FETCHING | 380 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE | 381 CERT_REV_M_IGNORE_MISSING_FRESH_INFO | 382 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; 383 PRUint64 revocation_method_independent_flags = 384 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; 385 if (check_revocation && policy_oids && num_policy_oids > 0) { 386 // EV verification requires revocation checking. Consider the certificate 387 // revoked if we don't have revocation info. 388 // TODO(wtc): Add a bool parameter to expressly specify we're doing EV 389 // verification or we want strict revocation flags. 390 revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE; 391 revocation_method_independent_flags |= 392 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 393 } else if (check_revocation && hard_fail) { 394 revocation_method_flags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO; 395 revocation_method_independent_flags |= 396 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 397 } else { 398 revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE; 399 revocation_method_independent_flags |= 400 CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT; 401 } 402 PRUint64 method_flags[2]; 403 method_flags[cert_revocation_method_crl] = revocation_method_flags; 404 method_flags[cert_revocation_method_ocsp] = revocation_method_flags; 405 406 if (use_crl) { 407 method_flags[cert_revocation_method_crl] |= 408 CERT_REV_M_TEST_USING_THIS_METHOD; 409 } 410 if (use_ocsp) { 411 method_flags[cert_revocation_method_ocsp] |= 412 CERT_REV_M_TEST_USING_THIS_METHOD; 413 } 414 415 CERTRevocationMethodIndex preferred_revocation_methods[1]; 416 if (use_ocsp) { 417 preferred_revocation_methods[0] = cert_revocation_method_ocsp; 418 } else { 419 preferred_revocation_methods[0] = cert_revocation_method_crl; 420 } 421 422 CERTRevocationFlags revocation_flags; 423 revocation_flags.leafTests.number_of_defined_methods = 424 arraysize(method_flags); 425 revocation_flags.leafTests.cert_rev_flags_per_method = method_flags; 426 revocation_flags.leafTests.number_of_preferred_methods = 427 arraysize(preferred_revocation_methods); 428 revocation_flags.leafTests.preferred_methods = preferred_revocation_methods; 429 revocation_flags.leafTests.cert_rev_method_independent_flags = 430 revocation_method_independent_flags; 431 432 revocation_flags.chainTests.number_of_defined_methods = 433 arraysize(method_flags); 434 revocation_flags.chainTests.cert_rev_flags_per_method = method_flags; 435 revocation_flags.chainTests.number_of_preferred_methods = 436 arraysize(preferred_revocation_methods); 437 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; 438 revocation_flags.chainTests.cert_rev_method_independent_flags = 439 revocation_method_independent_flags; 440 441 442 std::vector<CERTValInParam> cvin; 443 cvin.reserve(7); 444 CERTValInParam in_param; 445 in_param.type = cert_pi_revocationFlags; 446 in_param.value.pointer.revocation = &revocation_flags; 447 cvin.push_back(in_param); 448 if (policy_oids && num_policy_oids > 0) { 449 in_param.type = cert_pi_policyOID; 450 in_param.value.arraySize = num_policy_oids; 451 in_param.value.array.oids = policy_oids; 452 cvin.push_back(in_param); 453 } 454 if (additional_trust_anchors) { 455 in_param.type = cert_pi_trustAnchors; 456 in_param.value.pointer.chain = additional_trust_anchors; 457 cvin.push_back(in_param); 458 in_param.type = cert_pi_useOnlyTrustAnchors; 459 in_param.value.scalar.b = PR_FALSE; 460 cvin.push_back(in_param); 461 } 462 if (chain_verify_callback) { 463 in_param.type = cert_pi_chainVerifyCallback; 464 in_param.value.pointer.chainVerifyCallback = chain_verify_callback; 465 cvin.push_back(in_param); 466 } 467 in_param.type = cert_pi_end; 468 cvin.push_back(in_param); 469 470 SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, 471 &cvin[0], cvout, NULL); 472 if (rv != SECSuccess) { 473 rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids, 474 cert_io_enabled, &cvin, cvout); 475 } 476 return rv; 477} 478 479// PKIXVerifyCert calls this function to work around some bugs in 480// CERT_PKIXVerifyCert. All the arguments of this function are either the 481// arguments or local variables of PKIXVerifyCert. 482SECStatus RetryPKIXVerifyCertWithWorkarounds( 483 CERTCertificate* cert_handle, int num_policy_oids, 484 bool cert_io_enabled, std::vector<CERTValInParam>* cvin, 485 CERTValOutParam* cvout) { 486 // We call this function when the first CERT_PKIXVerifyCert call in 487 // PKIXVerifyCert failed, so we initialize |rv| to SECFailure. 488 SECStatus rv = SECFailure; 489 int nss_error = PORT_GetError(); 490 CERTValInParam in_param; 491 492 // If we get SEC_ERROR_UNKNOWN_ISSUER, we may be missing an intermediate 493 // CA certificate, so we retry with cert_pi_useAIACertFetch. 494 // cert_pi_useAIACertFetch has several bugs in its error handling and 495 // error reporting (NSS bug 528743), so we don't use it by default. 496 // Note: When building a certificate chain, CERT_PKIXVerifyCert may 497 // incorrectly pick a CA certificate with the same subject name as the 498 // missing intermediate CA certificate, and fail with the 499 // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with 500 // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE. 501 if (cert_io_enabled && 502 (nss_error == SEC_ERROR_UNKNOWN_ISSUER || 503 nss_error == SEC_ERROR_BAD_SIGNATURE)) { 504 DCHECK_EQ(cvin->back().type, cert_pi_end); 505 cvin->pop_back(); 506 in_param.type = cert_pi_useAIACertFetch; 507 in_param.value.scalar.b = PR_TRUE; 508 cvin->push_back(in_param); 509 in_param.type = cert_pi_end; 510 cvin->push_back(in_param); 511 rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, 512 &(*cvin)[0], cvout, NULL); 513 if (rv == SECSuccess) 514 return rv; 515 int new_nss_error = PORT_GetError(); 516 if (new_nss_error == SEC_ERROR_INVALID_ARGS || 517 new_nss_error == SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE || 518 new_nss_error == SEC_ERROR_BAD_INFO_ACCESS_LOCATION || 519 new_nss_error == SEC_ERROR_BAD_HTTP_RESPONSE || 520 new_nss_error == SEC_ERROR_BAD_LDAP_RESPONSE || 521 !IS_SEC_ERROR(new_nss_error)) { 522 // Use the original error code because of cert_pi_useAIACertFetch's 523 // bad error reporting. 524 PORT_SetError(nss_error); 525 return rv; 526 } 527 nss_error = new_nss_error; 528 } 529 530 // If an intermediate CA certificate has requireExplicitPolicy in its 531 // policyConstraints extension, CERT_PKIXVerifyCert fails with 532 // SEC_ERROR_POLICY_VALIDATION_FAILED because we didn't specify any 533 // certificate policy (NSS bug 552775). So we retry with the certificate 534 // policy found in the server certificate. 535 if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED && 536 num_policy_oids == 0) { 537 SECOidTag policy = GetFirstCertPolicy(cert_handle); 538 if (policy != SEC_OID_UNKNOWN) { 539 DCHECK_EQ(cvin->back().type, cert_pi_end); 540 cvin->pop_back(); 541 in_param.type = cert_pi_policyOID; 542 in_param.value.arraySize = 1; 543 in_param.value.array.oids = &policy; 544 cvin->push_back(in_param); 545 in_param.type = cert_pi_end; 546 cvin->push_back(in_param); 547 rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, 548 &(*cvin)[0], cvout, NULL); 549 if (rv != SECSuccess) { 550 // Use the original error code. 551 PORT_SetError(nss_error); 552 } 553 } 554 } 555 556 return rv; 557} 558 559// Decodes the certificatePolicies extension of the certificate. Returns 560// NULL if the certificate doesn't have the extension or the extension can't 561// be decoded. The returned value must be freed with a 562// CERT_DestroyCertificatePoliciesExtension call. 563CERTCertificatePolicies* DecodeCertPolicies( 564 CERTCertificate* cert_handle) { 565 SECItem policy_ext; 566 SECStatus rv = CERT_FindCertExtension(cert_handle, 567 SEC_OID_X509_CERTIFICATE_POLICIES, 568 &policy_ext); 569 if (rv != SECSuccess) 570 return NULL; 571 CERTCertificatePolicies* policies = 572 CERT_DecodeCertificatePoliciesExtension(&policy_ext); 573 SECITEM_FreeItem(&policy_ext, PR_FALSE); 574 return policies; 575} 576 577// Returns the OID tag for the first certificate policy in the certificate's 578// certificatePolicies extension. Returns SEC_OID_UNKNOWN if the certificate 579// has no certificate policy. 580SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle) { 581 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); 582 if (!policies.get()) 583 return SEC_OID_UNKNOWN; 584 585 CERTPolicyInfo* policy_info = policies->policyInfos[0]; 586 if (!policy_info) 587 return SEC_OID_UNKNOWN; 588 if (policy_info->oid != SEC_OID_UNKNOWN) 589 return policy_info->oid; 590 591 // The certificate policy is unknown to NSS. We need to create a dynamic 592 // OID tag for the policy. 593 SECOidData od; 594 od.oid.len = policy_info->policyID.len; 595 od.oid.data = policy_info->policyID.data; 596 od.offset = SEC_OID_UNKNOWN; 597 // NSS doesn't allow us to pass an empty description, so I use a hardcoded, 598 // default description here. The description doesn't need to be unique for 599 // each OID. 600 od.desc = "a certificate policy"; 601 od.mechanism = CKM_INVALID_MECHANISM; 602 od.supportedExtension = INVALID_CERT_EXTENSION; 603 return SECOID_AddEntry(&od); 604} 605 606HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) { 607 HashValue hash(HASH_VALUE_SHA1); 608#if defined(OS_IOS) 609 CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data()); 610#else 611 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(), 612 cert->derPublicKey.data, cert->derPublicKey.len); 613 DCHECK_EQ(SECSuccess, rv); 614#endif 615 return hash; 616} 617 618HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) { 619 HashValue hash(HASH_VALUE_SHA256); 620#if defined(OS_IOS) 621 CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data()); 622#else 623 SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(), 624 cert->derPublicKey.data, cert->derPublicKey.len); 625 DCHECK_EQ(rv, SECSuccess); 626#endif 627 return hash; 628} 629 630void AppendPublicKeyHashes(CERTCertList* cert_list, 631 CERTCertificate* root_cert, 632 HashValueVector* hashes) { 633 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 634 !CERT_LIST_END(node, cert_list); 635 node = CERT_LIST_NEXT(node)) { 636 hashes->push_back(CertPublicKeyHashSHA1(node->cert)); 637 hashes->push_back(CertPublicKeyHashSHA256(node->cert)); 638 } 639 if (root_cert) { 640 hashes->push_back(CertPublicKeyHashSHA1(root_cert)); 641 hashes->push_back(CertPublicKeyHashSHA256(root_cert)); 642 } 643} 644 645// Returns true if |cert_handle| contains a policy OID that is an EV policy 646// OID according to |metadata|, storing the resulting policy OID in 647// |*ev_policy_oid|. A true return is not sufficient to establish that a 648// certificate is EV, but a false return is sufficient to establish the 649// certificate cannot be EV. 650bool IsEVCandidate(EVRootCAMetadata* metadata, 651 CERTCertificate* cert_handle, 652 SECOidTag* ev_policy_oid) { 653 DCHECK(cert_handle); 654 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); 655 if (!policies.get()) 656 return false; 657 658 CERTPolicyInfo** policy_infos = policies->policyInfos; 659 while (*policy_infos != NULL) { 660 CERTPolicyInfo* policy_info = *policy_infos++; 661 // If the Policy OID is unknown, that implicitly means it has not been 662 // registered as an EV policy. 663 if (policy_info->oid == SEC_OID_UNKNOWN) 664 continue; 665 if (metadata->IsEVPolicyOID(policy_info->oid)) { 666 *ev_policy_oid = policy_info->oid; 667 return true; 668 } 669 } 670 671 return false; 672} 673 674// Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp 675// and nsNSSCertHelper.cpp) to learn how to verify EV certificate. 676// TODO(wtc): A possible optimization is that we get the trust anchor from 677// the first PKIXVerifyCert call. We look up the EV policy for the trust 678// anchor. If the trust anchor has no EV policy, we know the cert isn't EV. 679// Otherwise, we pass just that EV policy (as opposed to all the EV policies) 680// to the second PKIXVerifyCert call. 681bool VerifyEV(CERTCertificate* cert_handle, 682 int flags, 683 CRLSet* crl_set, 684 bool rev_checking_enabled, 685 EVRootCAMetadata* metadata, 686 SECOidTag ev_policy_oid, 687 CERTCertList* additional_trust_anchors, 688 CERTChainVerifyCallback* chain_verify_callback) { 689 CERTValOutParam cvout[3]; 690 int cvout_index = 0; 691 cvout[cvout_index].type = cert_po_certList; 692 cvout[cvout_index].value.pointer.chain = NULL; 693 int cvout_cert_list_index = cvout_index; 694 cvout_index++; 695 cvout[cvout_index].type = cert_po_trustAnchor; 696 cvout[cvout_index].value.pointer.cert = NULL; 697 int cvout_trust_anchor_index = cvout_index; 698 cvout_index++; 699 cvout[cvout_index].type = cert_po_end; 700 ScopedCERTValOutParam scoped_cvout(cvout); 701 702 SECStatus status = PKIXVerifyCert( 703 cert_handle, 704 rev_checking_enabled, 705 true, /* hard fail is implied in EV. */ 706 flags & CertVerifier::VERIFY_CERT_IO_ENABLED, 707 &ev_policy_oid, 708 1, 709 additional_trust_anchors, 710 chain_verify_callback, 711 cvout); 712 if (status != SECSuccess) 713 return false; 714 715 CERTCertificate* root_ca = 716 cvout[cvout_trust_anchor_index].value.pointer.cert; 717 if (root_ca == NULL) 718 return false; 719 720 // This second PKIXVerifyCert call could have found a different certification 721 // path and one or more of the certificates on this new path, that weren't on 722 // the old path, might have been revoked. 723 if (crl_set) { 724 CRLSetResult crl_set_result = CheckRevocationWithCRLSet( 725 cvout[cvout_cert_list_index].value.pointer.chain, 726 cvout[cvout_trust_anchor_index].value.pointer.cert, 727 crl_set); 728 if (crl_set_result == kCRLSetRevoked) 729 return false; 730 } 731 732#if defined(OS_IOS) 733 SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca); 734#else 735 SHA1HashValue fingerprint = 736 X509Certificate::CalculateFingerprint(root_ca); 737#endif 738 return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid); 739} 740 741CERTCertList* CertificateListToCERTCertList(const CertificateList& list) { 742 CERTCertList* result = CERT_NewCertList(); 743 for (size_t i = 0; i < list.size(); ++i) { 744#if defined(OS_IOS) 745 // X509Certificate::os_cert_handle() on iOS is a SecCertificateRef; convert 746 // it to an NSS CERTCertificate. 747 CERTCertificate* cert = x509_util_ios::CreateNSSCertHandleFromOSHandle( 748 list[i]->os_cert_handle()); 749#else 750 CERTCertificate* cert = list[i]->os_cert_handle(); 751#endif 752 CERT_AddCertToListTail(result, CERT_DupCertificate(cert)); 753 } 754 return result; 755} 756 757} // namespace 758 759CertVerifyProcNSS::CertVerifyProcNSS() {} 760 761CertVerifyProcNSS::~CertVerifyProcNSS() {} 762 763bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { 764 return true; 765} 766 767int CertVerifyProcNSS::VerifyInternalImpl( 768 X509Certificate* cert, 769 const std::string& hostname, 770 int flags, 771 CRLSet* crl_set, 772 const CertificateList& additional_trust_anchors, 773 CERTChainVerifyCallback* chain_verify_callback, 774 CertVerifyResult* verify_result) { 775#if defined(OS_IOS) 776 // For iOS, the entire chain must be loaded into NSS's in-memory certificate 777 // store. 778 x509_util_ios::NSSCertChain scoped_chain(cert); 779 CERTCertificate* cert_handle = scoped_chain.cert_handle(); 780#else 781 CERTCertificate* cert_handle = cert->os_cert_handle(); 782#endif // defined(OS_IOS) 783 784 if (!cert->VerifyNameMatch(hostname, 785 &verify_result->common_name_fallback_used)) { 786 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; 787 } 788 789 // Make sure that the cert is valid now. 790 SECCertTimeValidity validity = CERT_CheckCertValidTimes( 791 cert_handle, PR_Now(), PR_TRUE); 792 if (validity != secCertTimeValid) 793 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; 794 795 CERTValOutParam cvout[3]; 796 int cvout_index = 0; 797 cvout[cvout_index].type = cert_po_certList; 798 cvout[cvout_index].value.pointer.chain = NULL; 799 int cvout_cert_list_index = cvout_index; 800 cvout_index++; 801 cvout[cvout_index].type = cert_po_trustAnchor; 802 cvout[cvout_index].value.pointer.cert = NULL; 803 int cvout_trust_anchor_index = cvout_index; 804 cvout_index++; 805 cvout[cvout_index].type = cert_po_end; 806 ScopedCERTValOutParam scoped_cvout(cvout); 807 808 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); 809 SECOidTag ev_policy_oid = SEC_OID_UNKNOWN; 810 bool is_ev_candidate = 811 (flags & CertVerifier::VERIFY_EV_CERT) && 812 IsEVCandidate(metadata, cert_handle, &ev_policy_oid); 813 bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED; 814 bool check_revocation = 815 cert_io_enabled && 816 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); 817 if (check_revocation) 818 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 819 820 ScopedCERTCertList trust_anchors; 821 if (!additional_trust_anchors.empty()) { 822 trust_anchors.reset( 823 CertificateListToCERTCertList(additional_trust_anchors)); 824 } 825 826 SECStatus status = PKIXVerifyCert(cert_handle, 827 check_revocation, 828 false, 829 cert_io_enabled, 830 NULL, 831 0, 832 trust_anchors.get(), 833 chain_verify_callback, 834 cvout); 835 836 if (status == SECSuccess && 837 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) && 838 !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) { 839 // TODO(rsleevi): Optimize this by supplying the constructed chain to 840 // libpkix via cvin. Omitting for now, due to lack of coverage in upstream 841 // NSS tests for that feature. 842 scoped_cvout.Clear(); 843 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 844 status = PKIXVerifyCert(cert_handle, 845 true, 846 true, 847 cert_io_enabled, 848 NULL, 849 0, 850 trust_anchors.get(), 851 chain_verify_callback, 852 cvout); 853 } 854 855 if (status == SECSuccess) { 856 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, 857 cvout[cvout_trust_anchor_index].value.pointer.cert, 858 &verify_result->public_key_hashes); 859 860 verify_result->is_issued_by_known_root = 861 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); 862 verify_result->is_issued_by_additional_trust_anchor = 863 IsAdditionalTrustAnchor( 864 trust_anchors.get(), 865 cvout[cvout_trust_anchor_index].value.pointer.cert); 866 867 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, 868 cvout[cvout_trust_anchor_index].value.pointer.cert, 869 verify_result); 870 } 871 872 CRLSetResult crl_set_result = kCRLSetUnknown; 873 if (crl_set) { 874 crl_set_result = CheckRevocationWithCRLSet( 875 cvout[cvout_cert_list_index].value.pointer.chain, 876 cvout[cvout_trust_anchor_index].value.pointer.cert, 877 crl_set); 878 if (crl_set_result == kCRLSetRevoked) { 879 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); 880 status = SECFailure; 881 } 882 } 883 884 if (status != SECSuccess) { 885 int err = PORT_GetError(); 886 LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname 887 << " failed err=" << err; 888 // CERT_PKIXVerifyCert rerports the wrong error code for 889 // expired certificates (NSS bug 491174) 890 if (err == SEC_ERROR_CERT_NOT_VALID && 891 (verify_result->cert_status & CERT_STATUS_DATE_INVALID)) 892 err = SEC_ERROR_EXPIRED_CERTIFICATE; 893 CertStatus cert_status = MapCertErrorToCertStatus(err); 894 if (cert_status) { 895 verify_result->cert_status |= cert_status; 896 return MapCertStatusToNetError(verify_result->cert_status); 897 } 898 // |err| is not a certificate error. 899 return MapSecurityError(err); 900 } 901 902 if (IsCertStatusError(verify_result->cert_status)) 903 return MapCertStatusToNetError(verify_result->cert_status); 904 905 if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) { 906 check_revocation |= 907 crl_set_result != kCRLSetOk && 908 cert_io_enabled && 909 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY); 910 if (check_revocation) 911 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 912 913 if (VerifyEV(cert_handle, 914 flags, 915 crl_set, 916 check_revocation, 917 metadata, 918 ev_policy_oid, 919 trust_anchors.get(), 920 chain_verify_callback)) { 921 verify_result->cert_status |= CERT_STATUS_IS_EV; 922 } 923 } 924 925 return OK; 926} 927 928int CertVerifyProcNSS::VerifyInternal( 929 X509Certificate* cert, 930 const std::string& hostname, 931 int flags, 932 CRLSet* crl_set, 933 const CertificateList& additional_trust_anchors, 934 CertVerifyResult* verify_result) { 935 return VerifyInternalImpl(cert, 936 hostname, 937 flags, 938 crl_set, 939 additional_trust_anchors, 940 NULL, // chain_verify_callback 941 verify_result); 942} 943 944} // namespace net 945