cert_verify_proc_nss.cc revision 34680572440d7894ef8dafce81d8039ed80726a2
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/cert/cert_verify_proc_nss.h"
6
7#include <string>
8#include <vector>
9
10#include <cert.h>
11#include <nss.h>
12#include <prerror.h>
13#include <secerr.h>
14#include <sechash.h>
15#include <sslerr.h>
16
17#include "base/logging.h"
18#include "crypto/nss_util.h"
19#include "crypto/scoped_nss_types.h"
20#include "crypto/sha2.h"
21#include "net/base/net_errors.h"
22#include "net/cert/asn1_util.h"
23#include "net/cert/cert_status_flags.h"
24#include "net/cert/cert_verifier.h"
25#include "net/cert/cert_verify_result.h"
26#include "net/cert/crl_set.h"
27#include "net/cert/ev_root_ca_metadata.h"
28#include "net/cert/x509_certificate.h"
29#include "net/cert/x509_util_nss.h"
30
31#if defined(OS_IOS)
32#include <CommonCrypto/CommonDigest.h>
33#include "net/cert/x509_util_ios.h"
34#endif  // defined(OS_IOS)
35
36namespace net {
37
38namespace {
39
40typedef scoped_ptr<
41    CERTCertificatePolicies,
42    crypto::NSSDestroyer<CERTCertificatePolicies,
43                         CERT_DestroyCertificatePoliciesExtension> >
44    ScopedCERTCertificatePolicies;
45
46typedef scoped_ptr<
47    CERTCertList,
48    crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> >
49    ScopedCERTCertList;
50
51// ScopedCERTValOutParam manages destruction of values in the CERTValOutParam
52// array that cvout points to.  cvout must be initialized as passed to
53// CERT_PKIXVerifyCert, so that the array must be terminated with
54// cert_po_end type.
55// When it goes out of scope, it destroys values of cert_po_trustAnchor
56// and cert_po_certList types, but doesn't release the array itself.
57class ScopedCERTValOutParam {
58 public:
59  explicit ScopedCERTValOutParam(CERTValOutParam* cvout) : cvout_(cvout) {}
60
61  ~ScopedCERTValOutParam() {
62    Clear();
63  }
64
65  // Free the internal resources, but do not release the array itself.
66  void Clear() {
67    if (cvout_ == NULL)
68      return;
69    for (CERTValOutParam *p = cvout_; p->type != cert_po_end; p++) {
70      switch (p->type) {
71        case cert_po_trustAnchor:
72          if (p->value.pointer.cert) {
73            CERT_DestroyCertificate(p->value.pointer.cert);
74            p->value.pointer.cert = NULL;
75          }
76          break;
77        case cert_po_certList:
78          if (p->value.pointer.chain) {
79            CERT_DestroyCertList(p->value.pointer.chain);
80            p->value.pointer.chain = NULL;
81          }
82          break;
83        default:
84          break;
85      }
86    }
87  }
88
89 private:
90  CERTValOutParam* cvout_;
91
92  DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam);
93};
94
95// Map PORT_GetError() return values to our network error codes.
96int MapSecurityError(int err) {
97  switch (err) {
98    case PR_DIRECTORY_LOOKUP_ERROR:  // DNS lookup error.
99      return ERR_NAME_NOT_RESOLVED;
100    case SEC_ERROR_INVALID_ARGS:
101      return ERR_INVALID_ARGUMENT;
102    case SSL_ERROR_BAD_CERT_DOMAIN:
103      return ERR_CERT_COMMON_NAME_INVALID;
104    case SEC_ERROR_INVALID_TIME:
105    case SEC_ERROR_EXPIRED_CERTIFICATE:
106    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
107      return ERR_CERT_DATE_INVALID;
108    case SEC_ERROR_UNKNOWN_ISSUER:
109    case SEC_ERROR_UNTRUSTED_ISSUER:
110    case SEC_ERROR_CA_CERT_INVALID:
111    case SEC_ERROR_APPLICATION_CALLBACK_ERROR:  // Rejected by
112                                                // chain_verify_callback.
113      return ERR_CERT_AUTHORITY_INVALID;
114    // TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM.
115    case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE:
116    case SEC_ERROR_OCSP_SERVER_ERROR:
117      return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
118    case SEC_ERROR_REVOKED_CERTIFICATE:
119    case SEC_ERROR_UNTRUSTED_CERT:  // Treat as revoked.
120      return ERR_CERT_REVOKED;
121    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
122      return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
123    case SEC_ERROR_BAD_DER:
124    case SEC_ERROR_BAD_SIGNATURE:
125    case SEC_ERROR_CERT_NOT_VALID:
126    // TODO(port): add an ERR_CERT_WRONG_USAGE error code.
127    case SEC_ERROR_CERT_USAGES_INVALID:
128    case SEC_ERROR_INADEQUATE_KEY_USAGE:  // Key usage.
129    case SEC_ERROR_INADEQUATE_CERT_TYPE:  // Extended key usage and whether
130                                          // the certificate is a CA.
131    case SEC_ERROR_POLICY_VALIDATION_FAILED:
132    case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
133    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
134    case SEC_ERROR_EXTENSION_VALUE_INVALID:
135      return ERR_CERT_INVALID;
136    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
137      return ERR_CERT_WEAK_SIGNATURE_ALGORITHM;
138    default:
139      LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
140      return ERR_FAILED;
141  }
142}
143
144// Map PORT_GetError() return values to our cert status flags.
145CertStatus MapCertErrorToCertStatus(int err) {
146  int net_error = MapSecurityError(err);
147  return MapNetErrorToCertStatus(net_error);
148}
149
150// Saves some information about the certificate chain cert_list in
151// *verify_result.  The caller MUST initialize *verify_result before calling
152// this function.
153// Note that cert_list[0] is the end entity certificate.
154void GetCertChainInfo(CERTCertList* cert_list,
155                      CERTCertificate* root_cert,
156                      CertVerifyResult* verify_result) {
157  DCHECK(cert_list);
158
159  CERTCertificate* verified_cert = NULL;
160  std::vector<CERTCertificate*> verified_chain;
161  int i = 0;
162  for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
163       !CERT_LIST_END(node, cert_list);
164       node = CERT_LIST_NEXT(node), ++i) {
165    if (i == 0) {
166      verified_cert = node->cert;
167    } else {
168      // Because of an NSS bug, CERT_PKIXVerifyCert may chain a self-signed
169      // certificate of a root CA to another certificate of the same root CA
170      // key.  Detect that error and ignore the root CA certificate.
171      // See https://bugzilla.mozilla.org/show_bug.cgi?id=721288.
172      if (node->cert->isRoot) {
173        // NOTE: isRoot doesn't mean the certificate is a trust anchor.  It
174        // means the certificate is self-signed.  Here we assume isRoot only
175        // implies the certificate is self-issued.
176        CERTCertListNode* next_node = CERT_LIST_NEXT(node);
177        CERTCertificate* next_cert;
178        if (!CERT_LIST_END(next_node, cert_list)) {
179          next_cert = next_node->cert;
180        } else {
181          next_cert = root_cert;
182        }
183        // Test that |node->cert| is actually a self-signed certificate
184        // whose key is equal to |next_cert|, and not a self-issued
185        // certificate signed by another key of the same CA.
186        if (next_cert && SECITEM_ItemsAreEqual(&node->cert->derPublicKey,
187                                               &next_cert->derPublicKey)) {
188          continue;
189        }
190      }
191      verified_chain.push_back(node->cert);
192    }
193
194    SECAlgorithmID& signature = node->cert->signature;
195    SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm);
196    switch (oid_tag) {
197      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
198        verify_result->has_md5 = true;
199        break;
200      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
201        verify_result->has_md2 = true;
202        break;
203      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
204        verify_result->has_md4 = true;
205        break;
206      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
207      case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
208      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
209      case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
210        verify_result->has_sha1 = true;
211        break;
212      default:
213        break;
214    }
215  }
216
217  if (root_cert)
218    verified_chain.push_back(root_cert);
219#if defined(OS_IOS)
220  verify_result->verified_cert =
221      x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain);
222#else
223  verify_result->verified_cert =
224      X509Certificate::CreateFromHandle(verified_cert, verified_chain);
225#endif  // defined(OS_IOS)
226}
227
228// IsKnownRoot returns true if the given certificate is one that we believe
229// is a standard (as opposed to user-installed) root.
230bool IsKnownRoot(CERTCertificate* root) {
231  if (!root || !root->slot)
232    return false;
233
234  // This magic name is taken from
235  // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
236  return 0 == strcmp(PK11_GetSlotName(root->slot),
237                     "NSS Builtin Objects");
238}
239
240// Returns true if the given certificate is one of the additional trust anchors.
241bool IsAdditionalTrustAnchor(CERTCertList* additional_trust_anchors,
242                             CERTCertificate* root) {
243  if (!additional_trust_anchors || !root)
244    return false;
245  for (CERTCertListNode* node = CERT_LIST_HEAD(additional_trust_anchors);
246       !CERT_LIST_END(node, additional_trust_anchors);
247       node = CERT_LIST_NEXT(node)) {
248    if (CERT_CompareCerts(node->cert, root))
249      return true;
250  }
251  return false;
252}
253
254enum CRLSetResult {
255  kCRLSetOk,
256  kCRLSetRevoked,
257  kCRLSetUnknown,
258};
259
260// CheckRevocationWithCRLSet attempts to check each element of |cert_list|
261// against |crl_set|. It returns:
262//   kCRLSetRevoked: if any element of the chain is known to have been revoked.
263//   kCRLSetUnknown: if there is no fresh information about the leaf
264//       certificate in the chain or if the CRLSet has expired.
265//
266//       Only the leaf certificate is considered for coverage because some
267//       intermediates have CRLs with no revocations (after filtering) and
268//       those CRLs are pruned from the CRLSet at generation time. This means
269//       that some EV sites would otherwise take the hit of an OCSP lookup for
270//       no reason.
271//   kCRLSetOk: otherwise.
272CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
273                                       CERTCertificate* root,
274                                       CRLSet* crl_set) {
275  std::vector<CERTCertificate*> certs;
276
277  if (cert_list) {
278    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
279         !CERT_LIST_END(node, cert_list);
280         node = CERT_LIST_NEXT(node)) {
281      certs.push_back(node->cert);
282    }
283  }
284  if (root)
285    certs.push_back(root);
286
287  // error is set to true if any errors are found. It causes such chains to be
288  // considered as not covered.
289  bool error = false;
290  // last_covered is set to the coverage state of the previous certificate. The
291  // certificates are iterated over backwards thus, after the iteration,
292  // |last_covered| contains the coverage state of the leaf certificate.
293  bool last_covered = false;
294
295  // We iterate from the root certificate down to the leaf, keeping track of
296  // the issuer's SPKI at each step.
297  std::string issuer_spki_hash;
298  for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
299       i != certs.rend(); ++i) {
300    CERTCertificate* cert = *i;
301
302    base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
303                          cert->derCert.len);
304
305    base::StringPiece spki;
306    if (!asn1::ExtractSPKIFromDERCert(der, &spki)) {
307      NOTREACHED();
308      error = true;
309      continue;
310    }
311    const std::string spki_hash = crypto::SHA256HashString(spki);
312
313    base::StringPiece serial_number = base::StringPiece(
314        reinterpret_cast<char*>(cert->serialNumber.data),
315        cert->serialNumber.len);
316
317    CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
318
319    if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
320      result = crl_set->CheckSerial(serial_number, issuer_spki_hash);
321
322    issuer_spki_hash = spki_hash;
323
324    switch (result) {
325      case CRLSet::REVOKED:
326        return kCRLSetRevoked;
327      case CRLSet::UNKNOWN:
328        last_covered = false;
329        continue;
330      case CRLSet::GOOD:
331        last_covered = true;
332        continue;
333      default:
334        NOTREACHED();
335        error = true;
336        continue;
337    }
338  }
339
340  if (error || !last_covered || crl_set->IsExpired())
341    return kCRLSetUnknown;
342  return kCRLSetOk;
343}
344
345// Forward declarations.
346SECStatus RetryPKIXVerifyCertWithWorkarounds(
347    CERTCertificate* cert_handle, int num_policy_oids,
348    bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
349    CERTValOutParam* cvout);
350SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle);
351
352// Call CERT_PKIXVerifyCert for the cert_handle.
353// Verification results are stored in an array of CERTValOutParam.
354// If |hard_fail| is true, and no policy_oids are supplied (eg: EV is NOT being
355// checked), then the failure to obtain valid CRL/OCSP information for all
356// certificates that contain CRL/OCSP URLs will cause the certificate to be
357// treated as if it was revoked. Since failures may be caused by transient
358// network failures or by malicious attackers, in general, hard_fail should be
359// false.
360// If policy_oids is not NULL and num_policy_oids is positive, policies
361// are also checked.
362// additional_trust_anchors is an optional list of certificates that can be
363// trusted as anchors when building a certificate chain.
364// Caller must initialize cvout before calling this function.
365SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
366                         bool check_revocation,
367                         bool hard_fail,
368                         bool cert_io_enabled,
369                         const SECOidTag* policy_oids,
370                         int num_policy_oids,
371                         CERTCertList* additional_trust_anchors,
372                         CERTChainVerifyCallback* chain_verify_callback,
373                         CERTValOutParam* cvout) {
374  bool use_crl = check_revocation;
375  bool use_ocsp = check_revocation;
376
377  PRUint64 revocation_method_flags =
378      CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
379      CERT_REV_M_ALLOW_NETWORK_FETCHING |
380      CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
381      CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
382      CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
383  PRUint64 revocation_method_independent_flags =
384      CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
385  if (check_revocation && policy_oids && num_policy_oids > 0) {
386    // EV verification requires revocation checking.  Consider the certificate
387    // revoked if we don't have revocation info.
388    // TODO(wtc): Add a bool parameter to expressly specify we're doing EV
389    // verification or we want strict revocation flags.
390    revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
391    revocation_method_independent_flags |=
392        CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
393  } else if (check_revocation && hard_fail) {
394    revocation_method_flags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO;
395    revocation_method_independent_flags |=
396        CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
397  } else {
398    revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE;
399    revocation_method_independent_flags |=
400        CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
401  }
402  PRUint64 method_flags[2];
403  method_flags[cert_revocation_method_crl] = revocation_method_flags;
404  method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
405
406  if (use_crl) {
407    method_flags[cert_revocation_method_crl] |=
408        CERT_REV_M_TEST_USING_THIS_METHOD;
409  }
410  if (use_ocsp) {
411    method_flags[cert_revocation_method_ocsp] |=
412        CERT_REV_M_TEST_USING_THIS_METHOD;
413  }
414
415  CERTRevocationMethodIndex preferred_revocation_methods[1];
416  if (use_ocsp) {
417    preferred_revocation_methods[0] = cert_revocation_method_ocsp;
418  } else {
419    preferred_revocation_methods[0] = cert_revocation_method_crl;
420  }
421
422  CERTRevocationFlags revocation_flags;
423  revocation_flags.leafTests.number_of_defined_methods =
424      arraysize(method_flags);
425  revocation_flags.leafTests.cert_rev_flags_per_method = method_flags;
426  revocation_flags.leafTests.number_of_preferred_methods =
427      arraysize(preferred_revocation_methods);
428  revocation_flags.leafTests.preferred_methods = preferred_revocation_methods;
429  revocation_flags.leafTests.cert_rev_method_independent_flags =
430      revocation_method_independent_flags;
431
432  revocation_flags.chainTests.number_of_defined_methods =
433      arraysize(method_flags);
434  revocation_flags.chainTests.cert_rev_flags_per_method = method_flags;
435  revocation_flags.chainTests.number_of_preferred_methods =
436      arraysize(preferred_revocation_methods);
437  revocation_flags.chainTests.preferred_methods = preferred_revocation_methods;
438  revocation_flags.chainTests.cert_rev_method_independent_flags =
439      revocation_method_independent_flags;
440
441
442  std::vector<CERTValInParam> cvin;
443  cvin.reserve(7);
444  CERTValInParam in_param;
445  in_param.type = cert_pi_revocationFlags;
446  in_param.value.pointer.revocation = &revocation_flags;
447  cvin.push_back(in_param);
448  if (policy_oids && num_policy_oids > 0) {
449    in_param.type = cert_pi_policyOID;
450    in_param.value.arraySize = num_policy_oids;
451    in_param.value.array.oids = policy_oids;
452    cvin.push_back(in_param);
453  }
454  if (additional_trust_anchors) {
455    in_param.type = cert_pi_trustAnchors;
456    in_param.value.pointer.chain = additional_trust_anchors;
457    cvin.push_back(in_param);
458    in_param.type = cert_pi_useOnlyTrustAnchors;
459    in_param.value.scalar.b = PR_FALSE;
460    cvin.push_back(in_param);
461  }
462  if (chain_verify_callback) {
463    in_param.type = cert_pi_chainVerifyCallback;
464    in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
465    cvin.push_back(in_param);
466  }
467  in_param.type = cert_pi_end;
468  cvin.push_back(in_param);
469
470  SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
471                                     &cvin[0], cvout, NULL);
472  if (rv != SECSuccess) {
473    rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
474                                            cert_io_enabled, &cvin, cvout);
475  }
476  return rv;
477}
478
479// PKIXVerifyCert calls this function to work around some bugs in
480// CERT_PKIXVerifyCert.  All the arguments of this function are either the
481// arguments or local variables of PKIXVerifyCert.
482SECStatus RetryPKIXVerifyCertWithWorkarounds(
483    CERTCertificate* cert_handle, int num_policy_oids,
484    bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
485    CERTValOutParam* cvout) {
486  // We call this function when the first CERT_PKIXVerifyCert call in
487  // PKIXVerifyCert failed,  so we initialize |rv| to SECFailure.
488  SECStatus rv = SECFailure;
489  int nss_error = PORT_GetError();
490  CERTValInParam in_param;
491
492  // If we get SEC_ERROR_UNKNOWN_ISSUER, we may be missing an intermediate
493  // CA certificate, so we retry with cert_pi_useAIACertFetch.
494  // cert_pi_useAIACertFetch has several bugs in its error handling and
495  // error reporting (NSS bug 528743), so we don't use it by default.
496  // Note: When building a certificate chain, CERT_PKIXVerifyCert may
497  // incorrectly pick a CA certificate with the same subject name as the
498  // missing intermediate CA certificate, and  fail with the
499  // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with
500  // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE.
501  if (cert_io_enabled &&
502      (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
503       nss_error == SEC_ERROR_BAD_SIGNATURE)) {
504    DCHECK_EQ(cvin->back().type,  cert_pi_end);
505    cvin->pop_back();
506    in_param.type = cert_pi_useAIACertFetch;
507    in_param.value.scalar.b = PR_TRUE;
508    cvin->push_back(in_param);
509    in_param.type = cert_pi_end;
510    cvin->push_back(in_param);
511    rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
512                             &(*cvin)[0], cvout, NULL);
513    if (rv == SECSuccess)
514      return rv;
515    int new_nss_error = PORT_GetError();
516    if (new_nss_error == SEC_ERROR_INVALID_ARGS ||
517        new_nss_error == SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE ||
518        new_nss_error == SEC_ERROR_BAD_INFO_ACCESS_LOCATION ||
519        new_nss_error == SEC_ERROR_BAD_HTTP_RESPONSE ||
520        new_nss_error == SEC_ERROR_BAD_LDAP_RESPONSE ||
521        !IS_SEC_ERROR(new_nss_error)) {
522      // Use the original error code because of cert_pi_useAIACertFetch's
523      // bad error reporting.
524      PORT_SetError(nss_error);
525      return rv;
526    }
527    nss_error = new_nss_error;
528  }
529
530  // If an intermediate CA certificate has requireExplicitPolicy in its
531  // policyConstraints extension, CERT_PKIXVerifyCert fails with
532  // SEC_ERROR_POLICY_VALIDATION_FAILED because we didn't specify any
533  // certificate policy (NSS bug 552775).  So we retry with the certificate
534  // policy found in the server certificate.
535  if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED &&
536      num_policy_oids == 0) {
537    SECOidTag policy = GetFirstCertPolicy(cert_handle);
538    if (policy != SEC_OID_UNKNOWN) {
539      DCHECK_EQ(cvin->back().type,  cert_pi_end);
540      cvin->pop_back();
541      in_param.type = cert_pi_policyOID;
542      in_param.value.arraySize = 1;
543      in_param.value.array.oids = &policy;
544      cvin->push_back(in_param);
545      in_param.type = cert_pi_end;
546      cvin->push_back(in_param);
547      rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
548                               &(*cvin)[0], cvout, NULL);
549      if (rv != SECSuccess) {
550        // Use the original error code.
551        PORT_SetError(nss_error);
552      }
553    }
554  }
555
556  return rv;
557}
558
559// Decodes the certificatePolicies extension of the certificate.  Returns
560// NULL if the certificate doesn't have the extension or the extension can't
561// be decoded.  The returned value must be freed with a
562// CERT_DestroyCertificatePoliciesExtension call.
563CERTCertificatePolicies* DecodeCertPolicies(
564    CERTCertificate* cert_handle) {
565  SECItem policy_ext;
566  SECStatus rv = CERT_FindCertExtension(cert_handle,
567                                        SEC_OID_X509_CERTIFICATE_POLICIES,
568                                        &policy_ext);
569  if (rv != SECSuccess)
570    return NULL;
571  CERTCertificatePolicies* policies =
572      CERT_DecodeCertificatePoliciesExtension(&policy_ext);
573  SECITEM_FreeItem(&policy_ext, PR_FALSE);
574  return policies;
575}
576
577// Returns the OID tag for the first certificate policy in the certificate's
578// certificatePolicies extension.  Returns SEC_OID_UNKNOWN if the certificate
579// has no certificate policy.
580SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle) {
581  ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
582  if (!policies.get())
583    return SEC_OID_UNKNOWN;
584
585  CERTPolicyInfo* policy_info = policies->policyInfos[0];
586  if (!policy_info)
587    return SEC_OID_UNKNOWN;
588  if (policy_info->oid != SEC_OID_UNKNOWN)
589    return policy_info->oid;
590
591  // The certificate policy is unknown to NSS.  We need to create a dynamic
592  // OID tag for the policy.
593  SECOidData od;
594  od.oid.len = policy_info->policyID.len;
595  od.oid.data = policy_info->policyID.data;
596  od.offset = SEC_OID_UNKNOWN;
597  // NSS doesn't allow us to pass an empty description, so I use a hardcoded,
598  // default description here.  The description doesn't need to be unique for
599  // each OID.
600  od.desc = "a certificate policy";
601  od.mechanism = CKM_INVALID_MECHANISM;
602  od.supportedExtension = INVALID_CERT_EXTENSION;
603  return SECOID_AddEntry(&od);
604}
605
606HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
607  HashValue hash(HASH_VALUE_SHA1);
608#if defined(OS_IOS)
609  CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
610#else
611  SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
612                              cert->derPublicKey.data, cert->derPublicKey.len);
613  DCHECK_EQ(SECSuccess, rv);
614#endif
615  return hash;
616}
617
618HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
619  HashValue hash(HASH_VALUE_SHA256);
620#if defined(OS_IOS)
621  CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
622#else
623  SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
624                              cert->derPublicKey.data, cert->derPublicKey.len);
625  DCHECK_EQ(rv, SECSuccess);
626#endif
627  return hash;
628}
629
630void AppendPublicKeyHashes(CERTCertList* cert_list,
631                           CERTCertificate* root_cert,
632                           HashValueVector* hashes) {
633  for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
634       !CERT_LIST_END(node, cert_list);
635       node = CERT_LIST_NEXT(node)) {
636    hashes->push_back(CertPublicKeyHashSHA1(node->cert));
637    hashes->push_back(CertPublicKeyHashSHA256(node->cert));
638  }
639  if (root_cert) {
640    hashes->push_back(CertPublicKeyHashSHA1(root_cert));
641    hashes->push_back(CertPublicKeyHashSHA256(root_cert));
642  }
643}
644
645// Returns true if |cert_handle| contains a policy OID that is an EV policy
646// OID according to |metadata|, storing the resulting policy OID in
647// |*ev_policy_oid|. A true return is not sufficient to establish that a
648// certificate is EV, but a false return is sufficient to establish the
649// certificate cannot be EV.
650bool IsEVCandidate(EVRootCAMetadata* metadata,
651                   CERTCertificate* cert_handle,
652                   SECOidTag* ev_policy_oid) {
653  DCHECK(cert_handle);
654  ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
655  if (!policies.get())
656    return false;
657
658  CERTPolicyInfo** policy_infos = policies->policyInfos;
659  while (*policy_infos != NULL) {
660    CERTPolicyInfo* policy_info = *policy_infos++;
661    // If the Policy OID is unknown, that implicitly means it has not been
662    // registered as an EV policy.
663    if (policy_info->oid == SEC_OID_UNKNOWN)
664      continue;
665    if (metadata->IsEVPolicyOID(policy_info->oid)) {
666      *ev_policy_oid = policy_info->oid;
667      return true;
668    }
669  }
670
671  return false;
672}
673
674// Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
675// and nsNSSCertHelper.cpp) to learn how to verify EV certificate.
676// TODO(wtc): A possible optimization is that we get the trust anchor from
677// the first PKIXVerifyCert call.  We look up the EV policy for the trust
678// anchor.  If the trust anchor has no EV policy, we know the cert isn't EV.
679// Otherwise, we pass just that EV policy (as opposed to all the EV policies)
680// to the second PKIXVerifyCert call.
681bool VerifyEV(CERTCertificate* cert_handle,
682              int flags,
683              CRLSet* crl_set,
684              bool rev_checking_enabled,
685              EVRootCAMetadata* metadata,
686              SECOidTag ev_policy_oid,
687              CERTCertList* additional_trust_anchors,
688              CERTChainVerifyCallback* chain_verify_callback) {
689  CERTValOutParam cvout[3];
690  int cvout_index = 0;
691  cvout[cvout_index].type = cert_po_certList;
692  cvout[cvout_index].value.pointer.chain = NULL;
693  int cvout_cert_list_index = cvout_index;
694  cvout_index++;
695  cvout[cvout_index].type = cert_po_trustAnchor;
696  cvout[cvout_index].value.pointer.cert = NULL;
697  int cvout_trust_anchor_index = cvout_index;
698  cvout_index++;
699  cvout[cvout_index].type = cert_po_end;
700  ScopedCERTValOutParam scoped_cvout(cvout);
701
702  SECStatus status = PKIXVerifyCert(
703      cert_handle,
704      rev_checking_enabled,
705      true, /* hard fail is implied in EV. */
706      flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
707      &ev_policy_oid,
708      1,
709      additional_trust_anchors,
710      chain_verify_callback,
711      cvout);
712  if (status != SECSuccess)
713    return false;
714
715  CERTCertificate* root_ca =
716      cvout[cvout_trust_anchor_index].value.pointer.cert;
717  if (root_ca == NULL)
718    return false;
719
720  // This second PKIXVerifyCert call could have found a different certification
721  // path and one or more of the certificates on this new path, that weren't on
722  // the old path, might have been revoked.
723  if (crl_set) {
724    CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
725        cvout[cvout_cert_list_index].value.pointer.chain,
726        cvout[cvout_trust_anchor_index].value.pointer.cert,
727        crl_set);
728    if (crl_set_result == kCRLSetRevoked)
729      return false;
730  }
731
732#if defined(OS_IOS)
733  SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
734#else
735  SHA1HashValue fingerprint =
736      X509Certificate::CalculateFingerprint(root_ca);
737#endif
738  return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
739}
740
741CERTCertList* CertificateListToCERTCertList(const CertificateList& list) {
742  CERTCertList* result = CERT_NewCertList();
743  for (size_t i = 0; i < list.size(); ++i) {
744#if defined(OS_IOS)
745    // X509Certificate::os_cert_handle() on iOS is a SecCertificateRef; convert
746    // it to an NSS CERTCertificate.
747    CERTCertificate* cert = x509_util_ios::CreateNSSCertHandleFromOSHandle(
748        list[i]->os_cert_handle());
749#else
750    CERTCertificate* cert = list[i]->os_cert_handle();
751#endif
752    CERT_AddCertToListTail(result, CERT_DupCertificate(cert));
753  }
754  return result;
755}
756
757}  // namespace
758
759CertVerifyProcNSS::CertVerifyProcNSS() {}
760
761CertVerifyProcNSS::~CertVerifyProcNSS() {}
762
763bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
764  return true;
765}
766
767int CertVerifyProcNSS::VerifyInternalImpl(
768    X509Certificate* cert,
769    const std::string& hostname,
770    int flags,
771    CRLSet* crl_set,
772    const CertificateList& additional_trust_anchors,
773    CERTChainVerifyCallback* chain_verify_callback,
774    CertVerifyResult* verify_result) {
775#if defined(OS_IOS)
776  // For iOS, the entire chain must be loaded into NSS's in-memory certificate
777  // store.
778  x509_util_ios::NSSCertChain scoped_chain(cert);
779  CERTCertificate* cert_handle = scoped_chain.cert_handle();
780#else
781  CERTCertificate* cert_handle = cert->os_cert_handle();
782#endif  // defined(OS_IOS)
783
784  if (!cert->VerifyNameMatch(hostname,
785                             &verify_result->common_name_fallback_used)) {
786    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
787  }
788
789  // Make sure that the cert is valid now.
790  SECCertTimeValidity validity = CERT_CheckCertValidTimes(
791      cert_handle, PR_Now(), PR_TRUE);
792  if (validity != secCertTimeValid)
793    verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
794
795  CERTValOutParam cvout[3];
796  int cvout_index = 0;
797  cvout[cvout_index].type = cert_po_certList;
798  cvout[cvout_index].value.pointer.chain = NULL;
799  int cvout_cert_list_index = cvout_index;
800  cvout_index++;
801  cvout[cvout_index].type = cert_po_trustAnchor;
802  cvout[cvout_index].value.pointer.cert = NULL;
803  int cvout_trust_anchor_index = cvout_index;
804  cvout_index++;
805  cvout[cvout_index].type = cert_po_end;
806  ScopedCERTValOutParam scoped_cvout(cvout);
807
808  EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
809  SECOidTag ev_policy_oid = SEC_OID_UNKNOWN;
810  bool is_ev_candidate =
811      (flags & CertVerifier::VERIFY_EV_CERT) &&
812      IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
813  bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED;
814  bool check_revocation =
815      cert_io_enabled &&
816      (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
817  if (check_revocation)
818    verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
819
820  ScopedCERTCertList trust_anchors;
821  if (!additional_trust_anchors.empty()) {
822    trust_anchors.reset(
823        CertificateListToCERTCertList(additional_trust_anchors));
824  }
825
826  SECStatus status = PKIXVerifyCert(cert_handle,
827                                    check_revocation,
828                                    false,
829                                    cert_io_enabled,
830                                    NULL,
831                                    0,
832                                    trust_anchors.get(),
833                                    chain_verify_callback,
834                                    cvout);
835
836  if (status == SECSuccess &&
837      (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&
838      !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) {
839    // TODO(rsleevi): Optimize this by supplying the constructed chain to
840    // libpkix via cvin. Omitting for now, due to lack of coverage in upstream
841    // NSS tests for that feature.
842    scoped_cvout.Clear();
843    verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
844    status = PKIXVerifyCert(cert_handle,
845                            true,
846                            true,
847                            cert_io_enabled,
848                            NULL,
849                            0,
850                            trust_anchors.get(),
851                            chain_verify_callback,
852                            cvout);
853  }
854
855  if (status == SECSuccess) {
856    AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
857                          cvout[cvout_trust_anchor_index].value.pointer.cert,
858                          &verify_result->public_key_hashes);
859
860    verify_result->is_issued_by_known_root =
861        IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
862    verify_result->is_issued_by_additional_trust_anchor =
863        IsAdditionalTrustAnchor(
864            trust_anchors.get(),
865            cvout[cvout_trust_anchor_index].value.pointer.cert);
866
867    GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
868                     cvout[cvout_trust_anchor_index].value.pointer.cert,
869                     verify_result);
870  }
871
872  CRLSetResult crl_set_result = kCRLSetUnknown;
873  if (crl_set) {
874    crl_set_result = CheckRevocationWithCRLSet(
875        cvout[cvout_cert_list_index].value.pointer.chain,
876        cvout[cvout_trust_anchor_index].value.pointer.cert,
877        crl_set);
878    if (crl_set_result == kCRLSetRevoked) {
879      PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
880      status = SECFailure;
881    }
882  }
883
884  if (status != SECSuccess) {
885    int err = PORT_GetError();
886    LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname
887               << " failed err=" << err;
888    // CERT_PKIXVerifyCert rerports the wrong error code for
889    // expired certificates (NSS bug 491174)
890    if (err == SEC_ERROR_CERT_NOT_VALID &&
891        (verify_result->cert_status & CERT_STATUS_DATE_INVALID))
892      err = SEC_ERROR_EXPIRED_CERTIFICATE;
893    CertStatus cert_status = MapCertErrorToCertStatus(err);
894    if (cert_status) {
895      verify_result->cert_status |= cert_status;
896      return MapCertStatusToNetError(verify_result->cert_status);
897    }
898    // |err| is not a certificate error.
899    return MapSecurityError(err);
900  }
901
902  if (IsCertStatusError(verify_result->cert_status))
903    return MapCertStatusToNetError(verify_result->cert_status);
904
905  if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) {
906    check_revocation |=
907        crl_set_result != kCRLSetOk &&
908        cert_io_enabled &&
909        (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY);
910    if (check_revocation)
911      verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
912
913    if (VerifyEV(cert_handle,
914                 flags,
915                 crl_set,
916                 check_revocation,
917                 metadata,
918                 ev_policy_oid,
919                 trust_anchors.get(),
920                 chain_verify_callback)) {
921      verify_result->cert_status |= CERT_STATUS_IS_EV;
922    }
923  }
924
925  return OK;
926}
927
928int CertVerifyProcNSS::VerifyInternal(
929    X509Certificate* cert,
930    const std::string& hostname,
931    int flags,
932    CRLSet* crl_set,
933    const CertificateList& additional_trust_anchors,
934    CertVerifyResult* verify_result) {
935  return VerifyInternalImpl(cert,
936                            hostname,
937                            flags,
938                            crl_set,
939                            additional_trust_anchors,
940                            NULL,  // chain_verify_callback
941                            verify_result);
942}
943
944}  // namespace net
945