cert_verify_proc_nss.cc revision 116680a4aac90f2aa7413d9095a592090648e557
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/cert/cert_verify_proc_nss.h" 6 7#include <string> 8#include <vector> 9 10#include <cert.h> 11#include <nss.h> 12#include <prerror.h> 13#include <secerr.h> 14#include <sechash.h> 15#include <sslerr.h> 16 17#include "base/logging.h" 18#include "crypto/nss_util.h" 19#include "crypto/scoped_nss_types.h" 20#include "crypto/sha2.h" 21#include "net/base/net_errors.h" 22#include "net/cert/asn1_util.h" 23#include "net/cert/cert_status_flags.h" 24#include "net/cert/cert_verifier.h" 25#include "net/cert/cert_verify_result.h" 26#include "net/cert/crl_set.h" 27#include "net/cert/ev_root_ca_metadata.h" 28#include "net/cert/x509_certificate.h" 29#include "net/cert/x509_util_nss.h" 30 31#if defined(OS_IOS) 32#include <CommonCrypto/CommonDigest.h> 33#include "net/cert/x509_util_ios.h" 34#endif // defined(OS_IOS) 35 36namespace net { 37 38namespace { 39 40typedef scoped_ptr< 41 CERTCertificatePolicies, 42 crypto::NSSDestroyer<CERTCertificatePolicies, 43 CERT_DestroyCertificatePoliciesExtension> > 44 ScopedCERTCertificatePolicies; 45 46typedef scoped_ptr< 47 CERTCertList, 48 crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> > 49 ScopedCERTCertList; 50 51// ScopedCERTValOutParam manages destruction of values in the CERTValOutParam 52// array that cvout points to. cvout must be initialized as passed to 53// CERT_PKIXVerifyCert, so that the array must be terminated with 54// cert_po_end type. 55// When it goes out of scope, it destroys values of cert_po_trustAnchor 56// and cert_po_certList types, but doesn't release the array itself. 57class ScopedCERTValOutParam { 58 public: 59 explicit ScopedCERTValOutParam(CERTValOutParam* cvout) : cvout_(cvout) {} 60 61 ~ScopedCERTValOutParam() { 62 Clear(); 63 } 64 65 // Free the internal resources, but do not release the array itself. 66 void Clear() { 67 if (cvout_ == NULL) 68 return; 69 for (CERTValOutParam *p = cvout_; p->type != cert_po_end; p++) { 70 switch (p->type) { 71 case cert_po_trustAnchor: 72 if (p->value.pointer.cert) { 73 CERT_DestroyCertificate(p->value.pointer.cert); 74 p->value.pointer.cert = NULL; 75 } 76 break; 77 case cert_po_certList: 78 if (p->value.pointer.chain) { 79 CERT_DestroyCertList(p->value.pointer.chain); 80 p->value.pointer.chain = NULL; 81 } 82 break; 83 default: 84 break; 85 } 86 } 87 } 88 89 private: 90 CERTValOutParam* cvout_; 91 92 DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam); 93}; 94 95// Map PORT_GetError() return values to our network error codes. 96int MapSecurityError(int err) { 97 switch (err) { 98 case PR_DIRECTORY_LOOKUP_ERROR: // DNS lookup error. 99 return ERR_NAME_NOT_RESOLVED; 100 case SEC_ERROR_INVALID_ARGS: 101 return ERR_INVALID_ARGUMENT; 102 case SSL_ERROR_BAD_CERT_DOMAIN: 103 return ERR_CERT_COMMON_NAME_INVALID; 104 case SEC_ERROR_INVALID_TIME: 105 case SEC_ERROR_EXPIRED_CERTIFICATE: 106 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: 107 return ERR_CERT_DATE_INVALID; 108 case SEC_ERROR_UNKNOWN_ISSUER: 109 case SEC_ERROR_UNTRUSTED_ISSUER: 110 case SEC_ERROR_CA_CERT_INVALID: 111 case SEC_ERROR_APPLICATION_CALLBACK_ERROR: // Rejected by 112 // chain_verify_callback. 113 return ERR_CERT_AUTHORITY_INVALID; 114 // TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM. 115 case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE: 116 case SEC_ERROR_OCSP_SERVER_ERROR: 117 return ERR_CERT_UNABLE_TO_CHECK_REVOCATION; 118 case SEC_ERROR_REVOKED_CERTIFICATE: 119 case SEC_ERROR_UNTRUSTED_CERT: // Treat as revoked. 120 return ERR_CERT_REVOKED; 121 case SEC_ERROR_CERT_NOT_IN_NAME_SPACE: 122 return ERR_CERT_NAME_CONSTRAINT_VIOLATION; 123 case SEC_ERROR_BAD_DER: 124 case SEC_ERROR_BAD_SIGNATURE: 125 case SEC_ERROR_CERT_NOT_VALID: 126 // TODO(port): add an ERR_CERT_WRONG_USAGE error code. 127 case SEC_ERROR_CERT_USAGES_INVALID: 128 case SEC_ERROR_INADEQUATE_KEY_USAGE: // Key usage. 129 case SEC_ERROR_INADEQUATE_CERT_TYPE: // Extended key usage and whether 130 // the certificate is a CA. 131 case SEC_ERROR_POLICY_VALIDATION_FAILED: 132 case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID: 133 case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: 134 case SEC_ERROR_EXTENSION_VALUE_INVALID: 135 return ERR_CERT_INVALID; 136 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: 137 return ERR_CERT_WEAK_SIGNATURE_ALGORITHM; 138 default: 139 LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED"; 140 return ERR_FAILED; 141 } 142} 143 144// Map PORT_GetError() return values to our cert status flags. 145CertStatus MapCertErrorToCertStatus(int err) { 146 int net_error = MapSecurityError(err); 147 return MapNetErrorToCertStatus(net_error); 148} 149 150// Saves some information about the certificate chain cert_list in 151// *verify_result. The caller MUST initialize *verify_result before calling 152// this function. 153// Note that cert_list[0] is the end entity certificate. 154void GetCertChainInfo(CERTCertList* cert_list, 155 CERTCertificate* root_cert, 156 CertVerifyResult* verify_result) { 157 DCHECK(cert_list); 158 159 CERTCertificate* verified_cert = NULL; 160 std::vector<CERTCertificate*> verified_chain; 161 int i = 0; 162 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 163 !CERT_LIST_END(node, cert_list); 164 node = CERT_LIST_NEXT(node), ++i) { 165 if (i == 0) { 166 verified_cert = node->cert; 167 } else { 168 // Because of an NSS bug, CERT_PKIXVerifyCert may chain a self-signed 169 // certificate of a root CA to another certificate of the same root CA 170 // key. Detect that error and ignore the root CA certificate. 171 // See https://bugzilla.mozilla.org/show_bug.cgi?id=721288. 172 if (node->cert->isRoot) { 173 // NOTE: isRoot doesn't mean the certificate is a trust anchor. It 174 // means the certificate is self-signed. Here we assume isRoot only 175 // implies the certificate is self-issued. 176 CERTCertListNode* next_node = CERT_LIST_NEXT(node); 177 CERTCertificate* next_cert; 178 if (!CERT_LIST_END(next_node, cert_list)) { 179 next_cert = next_node->cert; 180 } else { 181 next_cert = root_cert; 182 } 183 // Test that |node->cert| is actually a self-signed certificate 184 // whose key is equal to |next_cert|, and not a self-issued 185 // certificate signed by another key of the same CA. 186 if (next_cert && SECITEM_ItemsAreEqual(&node->cert->derPublicKey, 187 &next_cert->derPublicKey)) { 188 continue; 189 } 190 } 191 verified_chain.push_back(node->cert); 192 } 193 194 SECAlgorithmID& signature = node->cert->signature; 195 SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm); 196 switch (oid_tag) { 197 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: 198 verify_result->has_md5 = true; 199 break; 200 case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: 201 verify_result->has_md2 = true; 202 break; 203 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: 204 verify_result->has_md4 = true; 205 break; 206 default: 207 break; 208 } 209 } 210 211 if (root_cert) 212 verified_chain.push_back(root_cert); 213#if defined(OS_IOS) 214 verify_result->verified_cert = 215 x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain); 216#else 217 verify_result->verified_cert = 218 X509Certificate::CreateFromHandle(verified_cert, verified_chain); 219#endif // defined(OS_IOS) 220} 221 222// IsKnownRoot returns true if the given certificate is one that we believe 223// is a standard (as opposed to user-installed) root. 224bool IsKnownRoot(CERTCertificate* root) { 225 if (!root || !root->slot) 226 return false; 227 228 // This magic name is taken from 229 // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79 230 return 0 == strcmp(PK11_GetSlotName(root->slot), 231 "NSS Builtin Objects"); 232} 233 234// Returns true if the given certificate is one of the additional trust anchors. 235bool IsAdditionalTrustAnchor(CERTCertList* additional_trust_anchors, 236 CERTCertificate* root) { 237 if (!additional_trust_anchors || !root) 238 return false; 239 for (CERTCertListNode* node = CERT_LIST_HEAD(additional_trust_anchors); 240 !CERT_LIST_END(node, additional_trust_anchors); 241 node = CERT_LIST_NEXT(node)) { 242 if (CERT_CompareCerts(node->cert, root)) 243 return true; 244 } 245 return false; 246} 247 248enum CRLSetResult { 249 kCRLSetOk, 250 kCRLSetRevoked, 251 kCRLSetUnknown, 252}; 253 254// CheckRevocationWithCRLSet attempts to check each element of |cert_list| 255// against |crl_set|. It returns: 256// kCRLSetRevoked: if any element of the chain is known to have been revoked. 257// kCRLSetUnknown: if there is no fresh information about the leaf 258// certificate in the chain or if the CRLSet has expired. 259// 260// Only the leaf certificate is considered for coverage because some 261// intermediates have CRLs with no revocations (after filtering) and 262// those CRLs are pruned from the CRLSet at generation time. This means 263// that some EV sites would otherwise take the hit of an OCSP lookup for 264// no reason. 265// kCRLSetOk: otherwise. 266CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list, 267 CERTCertificate* root, 268 CRLSet* crl_set) { 269 std::vector<CERTCertificate*> certs; 270 271 if (cert_list) { 272 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 273 !CERT_LIST_END(node, cert_list); 274 node = CERT_LIST_NEXT(node)) { 275 certs.push_back(node->cert); 276 } 277 } 278 if (root) 279 certs.push_back(root); 280 281 // error is set to true if any errors are found. It causes such chains to be 282 // considered as not covered. 283 bool error = false; 284 // last_covered is set to the coverage state of the previous certificate. The 285 // certificates are iterated over backwards thus, after the iteration, 286 // |last_covered| contains the coverage state of the leaf certificate. 287 bool last_covered = false; 288 289 // We iterate from the root certificate down to the leaf, keeping track of 290 // the issuer's SPKI at each step. 291 std::string issuer_spki_hash; 292 for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin(); 293 i != certs.rend(); ++i) { 294 CERTCertificate* cert = *i; 295 296 base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data), 297 cert->derCert.len); 298 299 base::StringPiece spki; 300 if (!asn1::ExtractSPKIFromDERCert(der, &spki)) { 301 NOTREACHED(); 302 error = true; 303 continue; 304 } 305 const std::string spki_hash = crypto::SHA256HashString(spki); 306 307 base::StringPiece serial_number = base::StringPiece( 308 reinterpret_cast<char*>(cert->serialNumber.data), 309 cert->serialNumber.len); 310 311 CRLSet::Result result = crl_set->CheckSPKI(spki_hash); 312 313 if (result != CRLSet::REVOKED && !issuer_spki_hash.empty()) 314 result = crl_set->CheckSerial(serial_number, issuer_spki_hash); 315 316 issuer_spki_hash = spki_hash; 317 318 switch (result) { 319 case CRLSet::REVOKED: 320 return kCRLSetRevoked; 321 case CRLSet::UNKNOWN: 322 last_covered = false; 323 continue; 324 case CRLSet::GOOD: 325 last_covered = true; 326 continue; 327 default: 328 NOTREACHED(); 329 error = true; 330 continue; 331 } 332 } 333 334 if (error || !last_covered || crl_set->IsExpired()) 335 return kCRLSetUnknown; 336 return kCRLSetOk; 337} 338 339// Forward declarations. 340SECStatus RetryPKIXVerifyCertWithWorkarounds( 341 CERTCertificate* cert_handle, int num_policy_oids, 342 bool cert_io_enabled, std::vector<CERTValInParam>* cvin, 343 CERTValOutParam* cvout); 344SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle); 345 346// Call CERT_PKIXVerifyCert for the cert_handle. 347// Verification results are stored in an array of CERTValOutParam. 348// If |hard_fail| is true, and no policy_oids are supplied (eg: EV is NOT being 349// checked), then the failure to obtain valid CRL/OCSP information for all 350// certificates that contain CRL/OCSP URLs will cause the certificate to be 351// treated as if it was revoked. Since failures may be caused by transient 352// network failures or by malicious attackers, in general, hard_fail should be 353// false. 354// If policy_oids is not NULL and num_policy_oids is positive, policies 355// are also checked. 356// additional_trust_anchors is an optional list of certificates that can be 357// trusted as anchors when building a certificate chain. 358// Caller must initialize cvout before calling this function. 359SECStatus PKIXVerifyCert(CERTCertificate* cert_handle, 360 bool check_revocation, 361 bool hard_fail, 362 bool cert_io_enabled, 363 const SECOidTag* policy_oids, 364 int num_policy_oids, 365 CERTCertList* additional_trust_anchors, 366 CERTChainVerifyCallback* chain_verify_callback, 367 CERTValOutParam* cvout) { 368 bool use_crl = check_revocation; 369 bool use_ocsp = check_revocation; 370 371 PRUint64 revocation_method_flags = 372 CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | 373 CERT_REV_M_ALLOW_NETWORK_FETCHING | 374 CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE | 375 CERT_REV_M_IGNORE_MISSING_FRESH_INFO | 376 CERT_REV_M_STOP_TESTING_ON_FRESH_INFO; 377 PRUint64 revocation_method_independent_flags = 378 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; 379 if (check_revocation && policy_oids && num_policy_oids > 0) { 380 // EV verification requires revocation checking. Consider the certificate 381 // revoked if we don't have revocation info. 382 // TODO(wtc): Add a bool parameter to expressly specify we're doing EV 383 // verification or we want strict revocation flags. 384 revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE; 385 revocation_method_independent_flags |= 386 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 387 } else if (check_revocation && hard_fail) { 388 revocation_method_flags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO; 389 revocation_method_independent_flags |= 390 CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 391 } else { 392 revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE; 393 revocation_method_independent_flags |= 394 CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT; 395 } 396 PRUint64 method_flags[2]; 397 method_flags[cert_revocation_method_crl] = revocation_method_flags; 398 method_flags[cert_revocation_method_ocsp] = revocation_method_flags; 399 400 if (use_crl) { 401 method_flags[cert_revocation_method_crl] |= 402 CERT_REV_M_TEST_USING_THIS_METHOD; 403 } 404 if (use_ocsp) { 405 method_flags[cert_revocation_method_ocsp] |= 406 CERT_REV_M_TEST_USING_THIS_METHOD; 407 } 408 409 CERTRevocationMethodIndex preferred_revocation_methods[1]; 410 if (use_ocsp) { 411 preferred_revocation_methods[0] = cert_revocation_method_ocsp; 412 } else { 413 preferred_revocation_methods[0] = cert_revocation_method_crl; 414 } 415 416 CERTRevocationFlags revocation_flags; 417 revocation_flags.leafTests.number_of_defined_methods = 418 arraysize(method_flags); 419 revocation_flags.leafTests.cert_rev_flags_per_method = method_flags; 420 revocation_flags.leafTests.number_of_preferred_methods = 421 arraysize(preferred_revocation_methods); 422 revocation_flags.leafTests.preferred_methods = preferred_revocation_methods; 423 revocation_flags.leafTests.cert_rev_method_independent_flags = 424 revocation_method_independent_flags; 425 426 revocation_flags.chainTests.number_of_defined_methods = 427 arraysize(method_flags); 428 revocation_flags.chainTests.cert_rev_flags_per_method = method_flags; 429 revocation_flags.chainTests.number_of_preferred_methods = 430 arraysize(preferred_revocation_methods); 431 revocation_flags.chainTests.preferred_methods = preferred_revocation_methods; 432 revocation_flags.chainTests.cert_rev_method_independent_flags = 433 revocation_method_independent_flags; 434 435 436 std::vector<CERTValInParam> cvin; 437 cvin.reserve(7); 438 CERTValInParam in_param; 439 in_param.type = cert_pi_revocationFlags; 440 in_param.value.pointer.revocation = &revocation_flags; 441 cvin.push_back(in_param); 442 if (policy_oids && num_policy_oids > 0) { 443 in_param.type = cert_pi_policyOID; 444 in_param.value.arraySize = num_policy_oids; 445 in_param.value.array.oids = policy_oids; 446 cvin.push_back(in_param); 447 } 448 if (additional_trust_anchors) { 449 in_param.type = cert_pi_trustAnchors; 450 in_param.value.pointer.chain = additional_trust_anchors; 451 cvin.push_back(in_param); 452 in_param.type = cert_pi_useOnlyTrustAnchors; 453 in_param.value.scalar.b = PR_FALSE; 454 cvin.push_back(in_param); 455 } 456 if (chain_verify_callback) { 457 in_param.type = cert_pi_chainVerifyCallback; 458 in_param.value.pointer.chainVerifyCallback = chain_verify_callback; 459 cvin.push_back(in_param); 460 } 461 in_param.type = cert_pi_end; 462 cvin.push_back(in_param); 463 464 SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, 465 &cvin[0], cvout, NULL); 466 if (rv != SECSuccess) { 467 rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids, 468 cert_io_enabled, &cvin, cvout); 469 } 470 return rv; 471} 472 473// PKIXVerifyCert calls this function to work around some bugs in 474// CERT_PKIXVerifyCert. All the arguments of this function are either the 475// arguments or local variables of PKIXVerifyCert. 476SECStatus RetryPKIXVerifyCertWithWorkarounds( 477 CERTCertificate* cert_handle, int num_policy_oids, 478 bool cert_io_enabled, std::vector<CERTValInParam>* cvin, 479 CERTValOutParam* cvout) { 480 // We call this function when the first CERT_PKIXVerifyCert call in 481 // PKIXVerifyCert failed, so we initialize |rv| to SECFailure. 482 SECStatus rv = SECFailure; 483 int nss_error = PORT_GetError(); 484 CERTValInParam in_param; 485 486 // If we get SEC_ERROR_UNKNOWN_ISSUER, we may be missing an intermediate 487 // CA certificate, so we retry with cert_pi_useAIACertFetch. 488 // cert_pi_useAIACertFetch has several bugs in its error handling and 489 // error reporting (NSS bug 528743), so we don't use it by default. 490 // Note: When building a certificate chain, CERT_PKIXVerifyCert may 491 // incorrectly pick a CA certificate with the same subject name as the 492 // missing intermediate CA certificate, and fail with the 493 // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with 494 // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE. 495 if (cert_io_enabled && 496 (nss_error == SEC_ERROR_UNKNOWN_ISSUER || 497 nss_error == SEC_ERROR_BAD_SIGNATURE)) { 498 DCHECK_EQ(cvin->back().type, cert_pi_end); 499 cvin->pop_back(); 500 in_param.type = cert_pi_useAIACertFetch; 501 in_param.value.scalar.b = PR_TRUE; 502 cvin->push_back(in_param); 503 in_param.type = cert_pi_end; 504 cvin->push_back(in_param); 505 rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, 506 &(*cvin)[0], cvout, NULL); 507 if (rv == SECSuccess) 508 return rv; 509 int new_nss_error = PORT_GetError(); 510 if (new_nss_error == SEC_ERROR_INVALID_ARGS || 511 new_nss_error == SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE || 512 new_nss_error == SEC_ERROR_BAD_INFO_ACCESS_LOCATION || 513 new_nss_error == SEC_ERROR_BAD_HTTP_RESPONSE || 514 new_nss_error == SEC_ERROR_BAD_LDAP_RESPONSE || 515 !IS_SEC_ERROR(new_nss_error)) { 516 // Use the original error code because of cert_pi_useAIACertFetch's 517 // bad error reporting. 518 PORT_SetError(nss_error); 519 return rv; 520 } 521 nss_error = new_nss_error; 522 } 523 524 // If an intermediate CA certificate has requireExplicitPolicy in its 525 // policyConstraints extension, CERT_PKIXVerifyCert fails with 526 // SEC_ERROR_POLICY_VALIDATION_FAILED because we didn't specify any 527 // certificate policy (NSS bug 552775). So we retry with the certificate 528 // policy found in the server certificate. 529 if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED && 530 num_policy_oids == 0) { 531 SECOidTag policy = GetFirstCertPolicy(cert_handle); 532 if (policy != SEC_OID_UNKNOWN) { 533 DCHECK_EQ(cvin->back().type, cert_pi_end); 534 cvin->pop_back(); 535 in_param.type = cert_pi_policyOID; 536 in_param.value.arraySize = 1; 537 in_param.value.array.oids = &policy; 538 cvin->push_back(in_param); 539 in_param.type = cert_pi_end; 540 cvin->push_back(in_param); 541 rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer, 542 &(*cvin)[0], cvout, NULL); 543 if (rv != SECSuccess) { 544 // Use the original error code. 545 PORT_SetError(nss_error); 546 } 547 } 548 } 549 550 return rv; 551} 552 553// Decodes the certificatePolicies extension of the certificate. Returns 554// NULL if the certificate doesn't have the extension or the extension can't 555// be decoded. The returned value must be freed with a 556// CERT_DestroyCertificatePoliciesExtension call. 557CERTCertificatePolicies* DecodeCertPolicies( 558 CERTCertificate* cert_handle) { 559 SECItem policy_ext; 560 SECStatus rv = CERT_FindCertExtension(cert_handle, 561 SEC_OID_X509_CERTIFICATE_POLICIES, 562 &policy_ext); 563 if (rv != SECSuccess) 564 return NULL; 565 CERTCertificatePolicies* policies = 566 CERT_DecodeCertificatePoliciesExtension(&policy_ext); 567 SECITEM_FreeItem(&policy_ext, PR_FALSE); 568 return policies; 569} 570 571// Returns the OID tag for the first certificate policy in the certificate's 572// certificatePolicies extension. Returns SEC_OID_UNKNOWN if the certificate 573// has no certificate policy. 574SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle) { 575 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); 576 if (!policies.get()) 577 return SEC_OID_UNKNOWN; 578 579 CERTPolicyInfo* policy_info = policies->policyInfos[0]; 580 if (!policy_info) 581 return SEC_OID_UNKNOWN; 582 if (policy_info->oid != SEC_OID_UNKNOWN) 583 return policy_info->oid; 584 585 // The certificate policy is unknown to NSS. We need to create a dynamic 586 // OID tag for the policy. 587 SECOidData od; 588 od.oid.len = policy_info->policyID.len; 589 od.oid.data = policy_info->policyID.data; 590 od.offset = SEC_OID_UNKNOWN; 591 // NSS doesn't allow us to pass an empty description, so I use a hardcoded, 592 // default description here. The description doesn't need to be unique for 593 // each OID. 594 od.desc = "a certificate policy"; 595 od.mechanism = CKM_INVALID_MECHANISM; 596 od.supportedExtension = INVALID_CERT_EXTENSION; 597 return SECOID_AddEntry(&od); 598} 599 600HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) { 601 HashValue hash(HASH_VALUE_SHA1); 602#if defined(OS_IOS) 603 CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data()); 604#else 605 SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(), 606 cert->derPublicKey.data, cert->derPublicKey.len); 607 DCHECK_EQ(SECSuccess, rv); 608#endif 609 return hash; 610} 611 612HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) { 613 HashValue hash(HASH_VALUE_SHA256); 614#if defined(OS_IOS) 615 CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data()); 616#else 617 SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(), 618 cert->derPublicKey.data, cert->derPublicKey.len); 619 DCHECK_EQ(rv, SECSuccess); 620#endif 621 return hash; 622} 623 624void AppendPublicKeyHashes(CERTCertList* cert_list, 625 CERTCertificate* root_cert, 626 HashValueVector* hashes) { 627 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 628 !CERT_LIST_END(node, cert_list); 629 node = CERT_LIST_NEXT(node)) { 630 hashes->push_back(CertPublicKeyHashSHA1(node->cert)); 631 hashes->push_back(CertPublicKeyHashSHA256(node->cert)); 632 } 633 if (root_cert) { 634 hashes->push_back(CertPublicKeyHashSHA1(root_cert)); 635 hashes->push_back(CertPublicKeyHashSHA256(root_cert)); 636 } 637} 638 639// Returns true if |cert_handle| contains a policy OID that is an EV policy 640// OID according to |metadata|, storing the resulting policy OID in 641// |*ev_policy_oid|. A true return is not sufficient to establish that a 642// certificate is EV, but a false return is sufficient to establish the 643// certificate cannot be EV. 644bool IsEVCandidate(EVRootCAMetadata* metadata, 645 CERTCertificate* cert_handle, 646 SECOidTag* ev_policy_oid) { 647 DCHECK(cert_handle); 648 ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle)); 649 if (!policies.get()) 650 return false; 651 652 CERTPolicyInfo** policy_infos = policies->policyInfos; 653 while (*policy_infos != NULL) { 654 CERTPolicyInfo* policy_info = *policy_infos++; 655 // If the Policy OID is unknown, that implicitly means it has not been 656 // registered as an EV policy. 657 if (policy_info->oid == SEC_OID_UNKNOWN) 658 continue; 659 if (metadata->IsEVPolicyOID(policy_info->oid)) { 660 *ev_policy_oid = policy_info->oid; 661 return true; 662 } 663 } 664 665 return false; 666} 667 668// Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp 669// and nsNSSCertHelper.cpp) to learn how to verify EV certificate. 670// TODO(wtc): A possible optimization is that we get the trust anchor from 671// the first PKIXVerifyCert call. We look up the EV policy for the trust 672// anchor. If the trust anchor has no EV policy, we know the cert isn't EV. 673// Otherwise, we pass just that EV policy (as opposed to all the EV policies) 674// to the second PKIXVerifyCert call. 675bool VerifyEV(CERTCertificate* cert_handle, 676 int flags, 677 CRLSet* crl_set, 678 bool rev_checking_enabled, 679 EVRootCAMetadata* metadata, 680 SECOidTag ev_policy_oid, 681 CERTCertList* additional_trust_anchors, 682 CERTChainVerifyCallback* chain_verify_callback) { 683 CERTValOutParam cvout[3]; 684 int cvout_index = 0; 685 cvout[cvout_index].type = cert_po_certList; 686 cvout[cvout_index].value.pointer.chain = NULL; 687 int cvout_cert_list_index = cvout_index; 688 cvout_index++; 689 cvout[cvout_index].type = cert_po_trustAnchor; 690 cvout[cvout_index].value.pointer.cert = NULL; 691 int cvout_trust_anchor_index = cvout_index; 692 cvout_index++; 693 cvout[cvout_index].type = cert_po_end; 694 ScopedCERTValOutParam scoped_cvout(cvout); 695 696 SECStatus status = PKIXVerifyCert( 697 cert_handle, 698 rev_checking_enabled, 699 true, /* hard fail is implied in EV. */ 700 flags & CertVerifier::VERIFY_CERT_IO_ENABLED, 701 &ev_policy_oid, 702 1, 703 additional_trust_anchors, 704 chain_verify_callback, 705 cvout); 706 if (status != SECSuccess) 707 return false; 708 709 CERTCertificate* root_ca = 710 cvout[cvout_trust_anchor_index].value.pointer.cert; 711 if (root_ca == NULL) 712 return false; 713 714 // This second PKIXVerifyCert call could have found a different certification 715 // path and one or more of the certificates on this new path, that weren't on 716 // the old path, might have been revoked. 717 if (crl_set) { 718 CRLSetResult crl_set_result = CheckRevocationWithCRLSet( 719 cvout[cvout_cert_list_index].value.pointer.chain, 720 cvout[cvout_trust_anchor_index].value.pointer.cert, 721 crl_set); 722 if (crl_set_result == kCRLSetRevoked) 723 return false; 724 } 725 726#if defined(OS_IOS) 727 SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca); 728#else 729 SHA1HashValue fingerprint = 730 X509Certificate::CalculateFingerprint(root_ca); 731#endif 732 return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid); 733} 734 735CERTCertList* CertificateListToCERTCertList(const CertificateList& list) { 736 CERTCertList* result = CERT_NewCertList(); 737 for (size_t i = 0; i < list.size(); ++i) { 738#if defined(OS_IOS) 739 // X509Certificate::os_cert_handle() on iOS is a SecCertificateRef; convert 740 // it to an NSS CERTCertificate. 741 CERTCertificate* cert = x509_util_ios::CreateNSSCertHandleFromOSHandle( 742 list[i]->os_cert_handle()); 743#else 744 CERTCertificate* cert = list[i]->os_cert_handle(); 745#endif 746 CERT_AddCertToListTail(result, CERT_DupCertificate(cert)); 747 } 748 return result; 749} 750 751} // namespace 752 753CertVerifyProcNSS::CertVerifyProcNSS() {} 754 755CertVerifyProcNSS::~CertVerifyProcNSS() {} 756 757bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { 758 return true; 759} 760 761int CertVerifyProcNSS::VerifyInternalImpl( 762 X509Certificate* cert, 763 const std::string& hostname, 764 int flags, 765 CRLSet* crl_set, 766 const CertificateList& additional_trust_anchors, 767 CERTChainVerifyCallback* chain_verify_callback, 768 CertVerifyResult* verify_result) { 769#if defined(OS_IOS) 770 // For iOS, the entire chain must be loaded into NSS's in-memory certificate 771 // store. 772 x509_util_ios::NSSCertChain scoped_chain(cert); 773 CERTCertificate* cert_handle = scoped_chain.cert_handle(); 774#else 775 CERTCertificate* cert_handle = cert->os_cert_handle(); 776#endif // defined(OS_IOS) 777 778 if (!cert->VerifyNameMatch(hostname, 779 &verify_result->common_name_fallback_used)) { 780 verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; 781 } 782 783 // Make sure that the cert is valid now. 784 SECCertTimeValidity validity = CERT_CheckCertValidTimes( 785 cert_handle, PR_Now(), PR_TRUE); 786 if (validity != secCertTimeValid) 787 verify_result->cert_status |= CERT_STATUS_DATE_INVALID; 788 789 CERTValOutParam cvout[3]; 790 int cvout_index = 0; 791 cvout[cvout_index].type = cert_po_certList; 792 cvout[cvout_index].value.pointer.chain = NULL; 793 int cvout_cert_list_index = cvout_index; 794 cvout_index++; 795 cvout[cvout_index].type = cert_po_trustAnchor; 796 cvout[cvout_index].value.pointer.cert = NULL; 797 int cvout_trust_anchor_index = cvout_index; 798 cvout_index++; 799 cvout[cvout_index].type = cert_po_end; 800 ScopedCERTValOutParam scoped_cvout(cvout); 801 802 EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance(); 803 SECOidTag ev_policy_oid = SEC_OID_UNKNOWN; 804 bool is_ev_candidate = 805 (flags & CertVerifier::VERIFY_EV_CERT) && 806 IsEVCandidate(metadata, cert_handle, &ev_policy_oid); 807 bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED; 808 bool check_revocation = 809 cert_io_enabled && 810 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); 811 if (check_revocation) 812 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 813 814 ScopedCERTCertList trust_anchors; 815 if (!additional_trust_anchors.empty()) { 816 trust_anchors.reset( 817 CertificateListToCERTCertList(additional_trust_anchors)); 818 } 819 820 SECStatus status = PKIXVerifyCert(cert_handle, 821 check_revocation, 822 false, 823 cert_io_enabled, 824 NULL, 825 0, 826 trust_anchors.get(), 827 chain_verify_callback, 828 cvout); 829 830 if (status == SECSuccess && 831 (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) && 832 !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) { 833 // TODO(rsleevi): Optimize this by supplying the constructed chain to 834 // libpkix via cvin. Omitting for now, due to lack of coverage in upstream 835 // NSS tests for that feature. 836 scoped_cvout.Clear(); 837 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 838 status = PKIXVerifyCert(cert_handle, 839 true, 840 true, 841 cert_io_enabled, 842 NULL, 843 0, 844 trust_anchors.get(), 845 chain_verify_callback, 846 cvout); 847 } 848 849 if (status == SECSuccess) { 850 AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain, 851 cvout[cvout_trust_anchor_index].value.pointer.cert, 852 &verify_result->public_key_hashes); 853 854 verify_result->is_issued_by_known_root = 855 IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert); 856 verify_result->is_issued_by_additional_trust_anchor = 857 IsAdditionalTrustAnchor( 858 trust_anchors.get(), 859 cvout[cvout_trust_anchor_index].value.pointer.cert); 860 861 GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain, 862 cvout[cvout_trust_anchor_index].value.pointer.cert, 863 verify_result); 864 } 865 866 CRLSetResult crl_set_result = kCRLSetUnknown; 867 if (crl_set) { 868 crl_set_result = CheckRevocationWithCRLSet( 869 cvout[cvout_cert_list_index].value.pointer.chain, 870 cvout[cvout_trust_anchor_index].value.pointer.cert, 871 crl_set); 872 if (crl_set_result == kCRLSetRevoked) { 873 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); 874 status = SECFailure; 875 } 876 } 877 878 if (status != SECSuccess) { 879 int err = PORT_GetError(); 880 LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname 881 << " failed err=" << err; 882 // CERT_PKIXVerifyCert rerports the wrong error code for 883 // expired certificates (NSS bug 491174) 884 if (err == SEC_ERROR_CERT_NOT_VALID && 885 (verify_result->cert_status & CERT_STATUS_DATE_INVALID)) 886 err = SEC_ERROR_EXPIRED_CERTIFICATE; 887 CertStatus cert_status = MapCertErrorToCertStatus(err); 888 if (cert_status) { 889 verify_result->cert_status |= cert_status; 890 return MapCertStatusToNetError(verify_result->cert_status); 891 } 892 // |err| is not a certificate error. 893 return MapSecurityError(err); 894 } 895 896 if (IsCertStatusError(verify_result->cert_status)) 897 return MapCertStatusToNetError(verify_result->cert_status); 898 899 if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) { 900 check_revocation |= 901 crl_set_result != kCRLSetOk && 902 cert_io_enabled && 903 (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY); 904 if (check_revocation) 905 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED; 906 907 if (VerifyEV(cert_handle, 908 flags, 909 crl_set, 910 check_revocation, 911 metadata, 912 ev_policy_oid, 913 trust_anchors.get(), 914 chain_verify_callback)) { 915 verify_result->cert_status |= CERT_STATUS_IS_EV; 916 } 917 } 918 919 return OK; 920} 921 922int CertVerifyProcNSS::VerifyInternal( 923 X509Certificate* cert, 924 const std::string& hostname, 925 int flags, 926 CRLSet* crl_set, 927 const CertificateList& additional_trust_anchors, 928 CertVerifyResult* verify_result) { 929 return VerifyInternalImpl(cert, 930 hostname, 931 flags, 932 crl_set, 933 additional_trust_anchors, 934 NULL, // chain_verify_callback 935 verify_result); 936} 937 938} // namespace net 939