mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-12-01 01:36:09 +03:00
320 lines
12 KiB
C++
320 lines
12 KiB
C++
|
// Copyright (c) 2016 The Chromium Authors. All rights reserved.
|
||
|
// Use of this source code is governed by a BSD-style license that can be
|
||
|
// found in the LICENSE file.
|
||
|
|
||
|
#include "net/cert/cert_verify_proc_ios.h"
|
||
|
|
||
|
#include <CommonCrypto/CommonDigest.h>
|
||
|
|
||
|
#include "base/logging.h"
|
||
|
#include "base/mac/scoped_cftyperef.h"
|
||
|
#include "crypto/sha2.h"
|
||
|
#include "net/base/net_errors.h"
|
||
|
#include "net/cert/asn1_util.h"
|
||
|
#include "net/cert/cert_verify_result.h"
|
||
|
#include "net/cert/known_roots.h"
|
||
|
#include "net/cert/test_root_certs.h"
|
||
|
#include "net/cert/x509_certificate.h"
|
||
|
#include "net/cert/x509_util_ios.h"
|
||
|
#include "net/cert/x509_util_ios_and_mac.h"
|
||
|
|
||
|
using base::ScopedCFTypeRef;
|
||
|
|
||
|
namespace net {
|
||
|
|
||
|
namespace {
|
||
|
|
||
|
int NetErrorFromOSStatus(OSStatus status) {
|
||
|
switch (status) {
|
||
|
case noErr:
|
||
|
return OK;
|
||
|
case errSecNotAvailable:
|
||
|
return ERR_NOT_IMPLEMENTED;
|
||
|
case errSecAuthFailed:
|
||
|
return ERR_ACCESS_DENIED;
|
||
|
default:
|
||
|
return ERR_FAILED;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// Creates a series of SecPolicyRefs to be added to a SecTrustRef used to
|
||
|
// validate a certificate for an SSL server. |hostname| contains the name of
|
||
|
// the SSL server that the certificate should be verified against. If
|
||
|
// successful, returns noErr, and stores the resultant array of SecPolicyRefs
|
||
|
// in |policies|.
|
||
|
OSStatus CreateTrustPolicies(ScopedCFTypeRef<CFArrayRef>* policies) {
|
||
|
ScopedCFTypeRef<CFMutableArrayRef> local_policies(
|
||
|
CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
|
||
|
if (!local_policies)
|
||
|
return errSecAllocate;
|
||
|
|
||
|
SecPolicyRef ssl_policy = SecPolicyCreateBasicX509();
|
||
|
CFArrayAppendValue(local_policies, ssl_policy);
|
||
|
CFRelease(ssl_policy);
|
||
|
ssl_policy = SecPolicyCreateSSL(true, nullptr);
|
||
|
CFArrayAppendValue(local_policies, ssl_policy);
|
||
|
CFRelease(ssl_policy);
|
||
|
|
||
|
policies->reset(local_policies.release());
|
||
|
return noErr;
|
||
|
}
|
||
|
|
||
|
// Builds and evaluates a SecTrustRef for the certificate chain contained
|
||
|
// in |cert_array|, using the verification policies in |trust_policies|. On
|
||
|
// success, returns OK, and updates |trust_ref| and |trust_result|. On failure,
|
||
|
// no output parameters are modified.
|
||
|
//
|
||
|
// Note: An OK return does not mean that |cert_array| is trusted, merely that
|
||
|
// verification was performed successfully.
|
||
|
int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
|
||
|
CFArrayRef trust_policies,
|
||
|
ScopedCFTypeRef<SecTrustRef>* trust_ref,
|
||
|
ScopedCFTypeRef<CFArrayRef>* verified_chain,
|
||
|
SecTrustResultType* trust_result) {
|
||
|
SecTrustRef tmp_trust = nullptr;
|
||
|
OSStatus status =
|
||
|
SecTrustCreateWithCertificates(cert_array, trust_policies, &tmp_trust);
|
||
|
if (status)
|
||
|
return NetErrorFromOSStatus(status);
|
||
|
ScopedCFTypeRef<SecTrustRef> scoped_tmp_trust(tmp_trust);
|
||
|
|
||
|
if (TestRootCerts::HasInstance()) {
|
||
|
status = TestRootCerts::GetInstance()->FixupSecTrustRef(tmp_trust);
|
||
|
if (status)
|
||
|
return NetErrorFromOSStatus(status);
|
||
|
}
|
||
|
|
||
|
SecTrustResultType tmp_trust_result;
|
||
|
status = SecTrustEvaluate(tmp_trust, &tmp_trust_result);
|
||
|
if (status)
|
||
|
return NetErrorFromOSStatus(status);
|
||
|
|
||
|
ScopedCFTypeRef<CFMutableArrayRef> tmp_verified_chain(
|
||
|
CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
|
||
|
const CFIndex chain_length = SecTrustGetCertificateCount(tmp_trust);
|
||
|
for (CFIndex i = 0; i < chain_length; ++i) {
|
||
|
SecCertificateRef chain_cert = SecTrustGetCertificateAtIndex(tmp_trust, i);
|
||
|
CFArrayAppendValue(tmp_verified_chain, chain_cert);
|
||
|
}
|
||
|
|
||
|
trust_ref->swap(scoped_tmp_trust);
|
||
|
*trust_result = tmp_trust_result;
|
||
|
verified_chain->reset(tmp_verified_chain.release());
|
||
|
return OK;
|
||
|
}
|
||
|
|
||
|
void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
|
||
|
DCHECK_LT(0, CFArrayGetCount(cert_chain));
|
||
|
|
||
|
SecCertificateRef verified_cert = nullptr;
|
||
|
std::vector<SecCertificateRef> verified_chain;
|
||
|
for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) {
|
||
|
SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>(
|
||
|
const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i)));
|
||
|
if (i == 0) {
|
||
|
verified_cert = chain_cert;
|
||
|
} else {
|
||
|
verified_chain.push_back(chain_cert);
|
||
|
}
|
||
|
|
||
|
base::ScopedCFTypeRef<CFDataRef> der_data(
|
||
|
SecCertificateCopyData(chain_cert));
|
||
|
if (!der_data) {
|
||
|
verify_result->cert_status |= CERT_STATUS_INVALID;
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
base::StringPiece spki_bytes;
|
||
|
if (!asn1::ExtractSPKIFromDERCert(
|
||
|
base::StringPiece(
|
||
|
reinterpret_cast<const char*>(CFDataGetBytePtr(der_data)),
|
||
|
CFDataGetLength(der_data)),
|
||
|
&spki_bytes)) {
|
||
|
verify_result->cert_status |= CERT_STATUS_INVALID;
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
HashValue sha256(HASH_VALUE_SHA256);
|
||
|
CC_SHA256(spki_bytes.data(), spki_bytes.size(), sha256.data());
|
||
|
verify_result->public_key_hashes.push_back(sha256);
|
||
|
|
||
|
// Ignore the signature algorithm for the trust anchor.
|
||
|
if ((verify_result->cert_status & CERT_STATUS_AUTHORITY_INVALID) == 0 &&
|
||
|
i == count - 1) {
|
||
|
continue;
|
||
|
}
|
||
|
}
|
||
|
if (!verified_cert) {
|
||
|
NOTREACHED();
|
||
|
verify_result->cert_status |= CERT_STATUS_INVALID;
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
scoped_refptr<X509Certificate> verified_cert_with_chain =
|
||
|
x509_util::CreateX509CertificateFromSecCertificate(verified_cert,
|
||
|
verified_chain);
|
||
|
if (verified_cert_with_chain)
|
||
|
verify_result->verified_cert = std::move(verified_cert_with_chain);
|
||
|
else
|
||
|
verify_result->cert_status |= CERT_STATUS_INVALID;
|
||
|
}
|
||
|
|
||
|
} // namespace
|
||
|
|
||
|
CertVerifyProcIOS::CertVerifyProcIOS() {}
|
||
|
|
||
|
// The iOS APIs don't expose an API-stable set of reasons for certificate
|
||
|
// validation failures. However, internally, the reason is tracked, and it's
|
||
|
// converted to user-facing localized strings.
|
||
|
//
|
||
|
// In the absence of a consistent API, convert the English strings to their
|
||
|
// localized counterpart, and then compare that with the error properties. If
|
||
|
// they're equal, it's a strong sign that this was the cause for the error.
|
||
|
// While this will break if/when iOS changes the contents of these strings,
|
||
|
// it's sufficient enough for now.
|
||
|
//
|
||
|
// TODO(rsleevi): https://crbug.com/601915 - Use a less brittle solution when
|
||
|
// possible.
|
||
|
// static
|
||
|
CertStatus CertVerifyProcIOS::GetCertFailureStatusFromTrust(SecTrustRef trust) {
|
||
|
CertStatus reason = 0;
|
||
|
|
||
|
base::ScopedCFTypeRef<CFArrayRef> properties(SecTrustCopyProperties(trust));
|
||
|
if (!properties)
|
||
|
return CERT_STATUS_INVALID;
|
||
|
|
||
|
const CFIndex properties_length = CFArrayGetCount(properties);
|
||
|
if (properties_length == 0)
|
||
|
return CERT_STATUS_INVALID;
|
||
|
|
||
|
CFBundleRef bundle =
|
||
|
CFBundleGetBundleWithIdentifier(CFSTR("com.apple.Security"));
|
||
|
CFStringRef date_string =
|
||
|
CFSTR("One or more certificates have expired or are not valid yet.");
|
||
|
ScopedCFTypeRef<CFStringRef> date_error(CFBundleCopyLocalizedString(
|
||
|
bundle, date_string, date_string, CFSTR("SecCertificate")));
|
||
|
CFStringRef trust_string = CFSTR("Root certificate is not trusted.");
|
||
|
ScopedCFTypeRef<CFStringRef> trust_error(CFBundleCopyLocalizedString(
|
||
|
bundle, trust_string, trust_string, CFSTR("SecCertificate")));
|
||
|
CFStringRef weak_string =
|
||
|
CFSTR("One or more certificates is using a weak key size.");
|
||
|
ScopedCFTypeRef<CFStringRef> weak_error(CFBundleCopyLocalizedString(
|
||
|
bundle, weak_string, weak_string, CFSTR("SecCertificate")));
|
||
|
CFStringRef hostname_mismatch_string = CFSTR("Hostname mismatch.");
|
||
|
ScopedCFTypeRef<CFStringRef> hostname_mismatch_error(
|
||
|
CFBundleCopyLocalizedString(bundle, hostname_mismatch_string,
|
||
|
hostname_mismatch_string,
|
||
|
CFSTR("SecCertificate")));
|
||
|
CFStringRef root_certificate_string =
|
||
|
CFSTR("Unable to build chain to root certificate.");
|
||
|
ScopedCFTypeRef<CFStringRef> root_certificate_error(
|
||
|
CFBundleCopyLocalizedString(bundle, root_certificate_string,
|
||
|
root_certificate_string,
|
||
|
CFSTR("SecCertificate")));
|
||
|
CFStringRef policy_requirements_not_met_string =
|
||
|
CFSTR("Policy requirements not met.");
|
||
|
ScopedCFTypeRef<CFStringRef> policy_requirements_not_met_error(
|
||
|
CFBundleCopyLocalizedString(bundle, policy_requirements_not_met_string,
|
||
|
policy_requirements_not_met_string,
|
||
|
CFSTR("SecCertificate")));
|
||
|
|
||
|
for (CFIndex i = 0; i < properties_length; ++i) {
|
||
|
CFDictionaryRef dict = reinterpret_cast<CFDictionaryRef>(
|
||
|
const_cast<void*>(CFArrayGetValueAtIndex(properties, i)));
|
||
|
CFStringRef error = reinterpret_cast<CFStringRef>(
|
||
|
const_cast<void*>(CFDictionaryGetValue(dict, CFSTR("value"))));
|
||
|
|
||
|
if (CFEqual(error, date_error)) {
|
||
|
reason |= CERT_STATUS_DATE_INVALID;
|
||
|
} else if (CFEqual(error, trust_error)) {
|
||
|
reason |= CERT_STATUS_AUTHORITY_INVALID;
|
||
|
} else if (CFEqual(error, weak_error)) {
|
||
|
reason |= CERT_STATUS_WEAK_KEY;
|
||
|
} else if (CFEqual(error, hostname_mismatch_error)) {
|
||
|
reason |= CERT_STATUS_COMMON_NAME_INVALID;
|
||
|
} else if (CFEqual(error, policy_requirements_not_met_error)) {
|
||
|
reason |= CERT_STATUS_INVALID | CERT_STATUS_AUTHORITY_INVALID;
|
||
|
} else if (CFEqual(error, root_certificate_error)) {
|
||
|
reason |= CERT_STATUS_AUTHORITY_INVALID;
|
||
|
} else {
|
||
|
reason |= CERT_STATUS_INVALID;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return reason;
|
||
|
}
|
||
|
|
||
|
bool CertVerifyProcIOS::SupportsAdditionalTrustAnchors() const {
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
CertVerifyProcIOS::~CertVerifyProcIOS() = default;
|
||
|
|
||
|
int CertVerifyProcIOS::VerifyInternal(
|
||
|
X509Certificate* cert,
|
||
|
const std::string& hostname,
|
||
|
const std::string& ocsp_response,
|
||
|
int flags,
|
||
|
CRLSet* crl_set,
|
||
|
const CertificateList& additional_trust_anchors,
|
||
|
CertVerifyResult* verify_result) {
|
||
|
ScopedCFTypeRef<CFArrayRef> trust_policies;
|
||
|
OSStatus status = CreateTrustPolicies(&trust_policies);
|
||
|
if (status)
|
||
|
return NetErrorFromOSStatus(status);
|
||
|
|
||
|
ScopedCFTypeRef<CFMutableArrayRef> cert_array(
|
||
|
x509_util::CreateSecCertificateArrayForX509Certificate(
|
||
|
cert, x509_util::InvalidIntermediateBehavior::kIgnore));
|
||
|
if (!cert_array) {
|
||
|
verify_result->cert_status |= CERT_STATUS_INVALID;
|
||
|
return ERR_CERT_INVALID;
|
||
|
}
|
||
|
|
||
|
ScopedCFTypeRef<SecTrustRef> trust_ref;
|
||
|
SecTrustResultType trust_result = kSecTrustResultDeny;
|
||
|
ScopedCFTypeRef<CFArrayRef> final_chain;
|
||
|
|
||
|
status = BuildAndEvaluateSecTrustRef(cert_array, trust_policies, &trust_ref,
|
||
|
&final_chain, &trust_result);
|
||
|
if (status)
|
||
|
return NetErrorFromOSStatus(status);
|
||
|
|
||
|
if (CFArrayGetCount(final_chain) == 0)
|
||
|
return ERR_FAILED;
|
||
|
|
||
|
// TODO(rsleevi): Support CRLSet revocation.
|
||
|
switch (trust_result) {
|
||
|
case kSecTrustResultUnspecified:
|
||
|
case kSecTrustResultProceed:
|
||
|
break;
|
||
|
case kSecTrustResultDeny:
|
||
|
verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
|
||
|
break;
|
||
|
default:
|
||
|
verify_result->cert_status |= GetCertFailureStatusFromTrust(trust_ref);
|
||
|
}
|
||
|
|
||
|
GetCertChainInfo(final_chain, verify_result);
|
||
|
|
||
|
// While iOS lacks the ability to distinguish system-trusted versus
|
||
|
// user-installed roots, the set of roots that are expected to comply with
|
||
|
// the Baseline Requirements can be determined by
|
||
|
// GetNetTrustAnchorHistogramForSPKI() - a non-zero value means that it is
|
||
|
// known as a publicly trusted, and therefore subject to the BRs, cert.
|
||
|
for (auto it = verify_result->public_key_hashes.rbegin();
|
||
|
it != verify_result->public_key_hashes.rend() &&
|
||
|
!verify_result->is_issued_by_known_root;
|
||
|
++it) {
|
||
|
verify_result->is_issued_by_known_root =
|
||
|
GetNetTrustAnchorHistogramIdForSPKI(*it) != 0;
|
||
|
}
|
||
|
|
||
|
if (IsCertStatusError(verify_result->cert_status))
|
||
|
return MapCertStatusToNetError(verify_result->cert_status);
|
||
|
|
||
|
return OK;
|
||
|
}
|
||
|
|
||
|
} // namespace net
|