/* * libjingle * Copyright 2012, Google Inc. * Copyright 2012, RTFM, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #if HAVE_CONFIG_H #include "config.h" #endif // HAVE_CONFIG_H #if HAVE_NSS_SSL_H #include "talk/base/nssidentity.h" #include "cert.h" #include "cryptohi.h" #include "keyhi.h" #include "nss.h" #include "pk11pub.h" #include "sechash.h" #include "talk/base/logging.h" #include "talk/base/helpers.h" #include "talk/base/nssstreamadapter.h" #include "talk/base/safe_conversions.h" namespace talk_base { // Certificate validity lifetime in seconds. static const int CERTIFICATE_LIFETIME = 60*60*24*30; // 30 days, arbitrarily // Certificate validity window in seconds. // This is to compensate for slightly incorrect system clocks. static const int CERTIFICATE_WINDOW = -60*60*24; NSSKeyPair::~NSSKeyPair() { if (privkey_) SECKEY_DestroyPrivateKey(privkey_); if (pubkey_) SECKEY_DestroyPublicKey(pubkey_); } NSSKeyPair *NSSKeyPair::Generate() { SECKEYPrivateKey *privkey = NULL; SECKEYPublicKey *pubkey = NULL; PK11RSAGenParams rsaparams; rsaparams.keySizeInBits = 1024; rsaparams.pe = 0x010001; // 65537 -- a common RSA public exponent. privkey = PK11_GenerateKeyPair(NSSContext::GetSlot(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaparams, &pubkey, PR_FALSE /*permanent*/, PR_FALSE /*sensitive*/, NULL); if (!privkey) { LOG(LS_ERROR) << "Couldn't generate key pair"; return NULL; } return new NSSKeyPair(privkey, pubkey); } // Just make a copy. NSSKeyPair *NSSKeyPair::GetReference() { SECKEYPrivateKey *privkey = SECKEY_CopyPrivateKey(privkey_); if (!privkey) return NULL; SECKEYPublicKey *pubkey = SECKEY_CopyPublicKey(pubkey_); if (!pubkey) { SECKEY_DestroyPrivateKey(privkey); return NULL; } return new NSSKeyPair(privkey, pubkey); } NSSCertificate::NSSCertificate(CERTCertificate* cert) : certificate_(CERT_DupCertificate(cert)) { ASSERT(certificate_ != NULL); } static void DeleteCert(SSLCertificate* cert) { delete cert; } NSSCertificate::NSSCertificate(CERTCertList* cert_list) { // Copy the first cert into certificate_. CERTCertListNode* node = CERT_LIST_HEAD(cert_list); certificate_ = CERT_DupCertificate(node->cert); // Put any remaining certificates into the chain. node = CERT_LIST_NEXT(node); std::vector certs; for (; !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) { certs.push_back(new NSSCertificate(node->cert)); } if (!certs.empty()) chain_.reset(new SSLCertChain(certs)); // The SSLCertChain constructor copies its input, so now we have to delete // the originals. std::for_each(certs.begin(), certs.end(), DeleteCert); } NSSCertificate::NSSCertificate(CERTCertificate* cert, SSLCertChain* chain) : certificate_(CERT_DupCertificate(cert)) { ASSERT(certificate_ != NULL); if (chain) chain_.reset(chain->Copy()); } NSSCertificate *NSSCertificate::FromPEMString(const std::string &pem_string) { std::string der; if (!SSLIdentity::PemToDer(kPemTypeCertificate, pem_string, &der)) return NULL; SECItem der_cert; der_cert.data = reinterpret_cast(const_cast( der.data())); der_cert.len = checked_cast(der.size()); CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE); if (!cert) return NULL; NSSCertificate* ret = new NSSCertificate(cert); CERT_DestroyCertificate(cert); return ret; } NSSCertificate *NSSCertificate::GetReference() const { return new NSSCertificate(certificate_, chain_.get()); } std::string NSSCertificate::ToPEMString() const { return SSLIdentity::DerToPem(kPemTypeCertificate, certificate_->derCert.data, certificate_->derCert.len); } void NSSCertificate::ToDER(Buffer* der_buffer) const { der_buffer->SetData(certificate_->derCert.data, certificate_->derCert.len); } static bool Certifies(CERTCertificate* parent, CERTCertificate* child) { // TODO(bemasc): Identify stricter validation checks to use here. In the // context of some future identity standard, it might make sense to check // the certificates' roles, expiration dates, self-signatures (if // self-signed), certificate transparency logging, or many other attributes. // NOTE: Future changes to this validation may reject some previously allowed // certificate chains. Users should be advised not to deploy chained // certificates except in controlled environments until the validity // requirements are finalized. // Check that the parent's name is the same as the child's claimed issuer. SECComparison name_status = CERT_CompareName(&child->issuer, &parent->subject); if (name_status != SECEqual) return false; // Extract the parent's public key, or fail if the key could not be read // (e.g. certificate is corrupted). SECKEYPublicKey* parent_key = CERT_ExtractPublicKey(parent); if (!parent_key) return false; // Check that the parent's privkey was actually used to generate the child's // signature. SECStatus verified = CERT_VerifySignedDataWithPublicKey( &child->signatureWrap, parent_key, NULL); SECKEY_DestroyPublicKey(parent_key); return verified == SECSuccess; } bool NSSCertificate::IsValidChain(const CERTCertList* cert_list) { CERTCertListNode* child = CERT_LIST_HEAD(cert_list); for (CERTCertListNode* parent = CERT_LIST_NEXT(child); !CERT_LIST_END(parent, cert_list); child = parent, parent = CERT_LIST_NEXT(parent)) { if (!Certifies(parent->cert, child->cert)) return false; } return true; } bool NSSCertificate::GetDigestLength(const std::string& algorithm, size_t* length) { const SECHashObject *ho; if (!GetDigestObject(algorithm, &ho)) return false; *length = ho->length; return true; } bool NSSCertificate::GetSignatureDigestAlgorithm(std::string* algorithm) const { // The function sec_DecodeSigAlg in NSS provides this mapping functionality. // Unfortunately it is private, so the functionality must be duplicated here. // See https://bugzilla.mozilla.org/show_bug.cgi?id=925165 . SECOidTag sig_alg = SECOID_GetAlgorithmTag(&certificate_->signature); switch (sig_alg) { case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: *algorithm = DIGEST_MD5; break; case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: case SEC_OID_MISSI_DSS: case SEC_OID_MISSI_KEA_DSS: case SEC_OID_MISSI_KEA_DSS_OLD: case SEC_OID_MISSI_DSS_OLD: *algorithm = DIGEST_SHA_1; break; case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: *algorithm = DIGEST_SHA_224; break; case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: *algorithm = DIGEST_SHA_256; break; case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: *algorithm = DIGEST_SHA_384; break; case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: *algorithm = DIGEST_SHA_512; break; default: // Unknown algorithm. There are several unhandled options that are less // common and more complex. algorithm->clear(); return false; } return true; } bool NSSCertificate::ComputeDigest(const std::string& algorithm, unsigned char* digest, size_t size, size_t* length) const { const SECHashObject *ho; if (!GetDigestObject(algorithm, &ho)) return false; if (size < ho->length) // Sanity check for fit return false; SECStatus rv = HASH_HashBuf(ho->type, digest, certificate_->derCert.data, certificate_->derCert.len); if (rv != SECSuccess) return false; *length = ho->length; return true; } bool NSSCertificate::GetChain(SSLCertChain** chain) const { if (!chain_) return false; *chain = chain_->Copy(); return true; } bool NSSCertificate::Equals(const NSSCertificate *tocompare) const { if (!certificate_->derCert.len) return false; if (!tocompare->certificate_->derCert.len) return false; if (certificate_->derCert.len != tocompare->certificate_->derCert.len) return false; return memcmp(certificate_->derCert.data, tocompare->certificate_->derCert.data, certificate_->derCert.len) == 0; } bool NSSCertificate::GetDigestObject(const std::string &algorithm, const SECHashObject **hop) { const SECHashObject *ho; HASH_HashType hash_type; if (algorithm == DIGEST_SHA_1) { hash_type = HASH_AlgSHA1; // HASH_AlgSHA224 is not supported in the chromium linux build system. #if 0 } else if (algorithm == DIGEST_SHA_224) { hash_type = HASH_AlgSHA224; #endif } else if (algorithm == DIGEST_SHA_256) { hash_type = HASH_AlgSHA256; } else if (algorithm == DIGEST_SHA_384) { hash_type = HASH_AlgSHA384; } else if (algorithm == DIGEST_SHA_512) { hash_type = HASH_AlgSHA512; } else { return false; } ho = HASH_GetHashObject(hash_type); ASSERT(ho->length >= 20); // Can't happen *hop = ho; return true; } NSSIdentity* NSSIdentity::GenerateInternal(const SSLIdentityParams& params) { std::string subject_name_string = "CN=" + params.common_name; CERTName *subject_name = CERT_AsciiToName( const_cast(subject_name_string.c_str())); NSSIdentity *identity = NULL; CERTSubjectPublicKeyInfo *spki = NULL; CERTCertificateRequest *certreq = NULL; CERTValidity *validity = NULL; CERTCertificate *certificate = NULL; NSSKeyPair *keypair = NSSKeyPair::Generate(); SECItem inner_der; SECStatus rv; PLArenaPool* arena; SECItem signed_cert; PRTime now = PR_Now(); PRTime not_before = now + static_cast(params.not_before) * PR_USEC_PER_SEC; PRTime not_after = now + static_cast(params.not_after) * PR_USEC_PER_SEC; inner_der.len = 0; inner_der.data = NULL; if (!keypair) { LOG(LS_ERROR) << "Couldn't generate key pair"; goto fail; } if (!subject_name) { LOG(LS_ERROR) << "Couldn't convert subject name " << subject_name; goto fail; } spki = SECKEY_CreateSubjectPublicKeyInfo(keypair->pubkey()); if (!spki) { LOG(LS_ERROR) << "Couldn't create SPKI"; goto fail; } certreq = CERT_CreateCertificateRequest(subject_name, spki, NULL); if (!certreq) { LOG(LS_ERROR) << "Couldn't create certificate signing request"; goto fail; } validity = CERT_CreateValidity(not_before, not_after); if (!validity) { LOG(LS_ERROR) << "Couldn't create validity"; goto fail; } unsigned long serial; // Note: This serial in principle could collide, but it's unlikely rv = PK11_GenerateRandom(reinterpret_cast(&serial), sizeof(serial)); if (rv != SECSuccess) { LOG(LS_ERROR) << "Couldn't generate random serial"; goto fail; } certificate = CERT_CreateCertificate(serial, subject_name, validity, certreq); if (!certificate) { LOG(LS_ERROR) << "Couldn't create certificate"; goto fail; } arena = certificate->arena; rv = SECOID_SetAlgorithmID(arena, &certificate->signature, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL); if (rv != SECSuccess) goto fail; // Set version to X509v3. *(certificate->version.data) = 2; certificate->version.len = 1; if (!SEC_ASN1EncodeItem(arena, &inner_der, certificate, SEC_ASN1_GET(CERT_CertificateTemplate))) goto fail; rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len, keypair->privkey(), SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION); if (rv != SECSuccess) { LOG(LS_ERROR) << "Couldn't sign certificate"; goto fail; } certificate->derCert = signed_cert; identity = new NSSIdentity(keypair, new NSSCertificate(certificate)); goto done; fail: delete keypair; done: if (certificate) CERT_DestroyCertificate(certificate); if (subject_name) CERT_DestroyName(subject_name); if (spki) SECKEY_DestroySubjectPublicKeyInfo(spki); if (certreq) CERT_DestroyCertificateRequest(certreq); if (validity) CERT_DestroyValidity(validity); return identity; } NSSIdentity* NSSIdentity::Generate(const std::string &common_name) { SSLIdentityParams params; params.common_name = common_name; params.not_before = CERTIFICATE_WINDOW; params.not_after = CERTIFICATE_LIFETIME; return GenerateInternal(params); } NSSIdentity* NSSIdentity::GenerateForTest(const SSLIdentityParams& params) { return GenerateInternal(params); } SSLIdentity* NSSIdentity::FromPEMStrings(const std::string& private_key, const std::string& certificate) { std::string private_key_der; if (!SSLIdentity::PemToDer( kPemTypeRsaPrivateKey, private_key, &private_key_der)) return NULL; SECItem private_key_item; private_key_item.data = reinterpret_cast( const_cast(private_key_der.c_str())); private_key_item.len = checked_cast(private_key_der.size()); const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | KU_DIGITAL_SIGNATURE; SECKEYPrivateKey* privkey = NULL; SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(NSSContext::GetSlot(), &private_key_item, NULL, NULL, PR_FALSE, PR_FALSE, key_usage, &privkey, NULL); if (rv != SECSuccess) { LOG(LS_ERROR) << "Couldn't import private key"; return NULL; } SECKEYPublicKey *pubkey = SECKEY_ConvertToPublicKey(privkey); if (rv != SECSuccess) { SECKEY_DestroyPrivateKey(privkey); LOG(LS_ERROR) << "Couldn't convert private key to public key"; return NULL; } // Assign to a scoped_ptr so we don't leak on error. scoped_ptr keypair(new NSSKeyPair(privkey, pubkey)); scoped_ptr cert(NSSCertificate::FromPEMString(certificate)); if (!cert) { LOG(LS_ERROR) << "Couldn't parse certificate"; return NULL; } // TODO(ekr@rtfm.com): Check the public key against the certificate. return new NSSIdentity(keypair.release(), cert.release()); } NSSIdentity *NSSIdentity::GetReference() const { NSSKeyPair *keypair = keypair_->GetReference(); if (!keypair) return NULL; NSSCertificate *certificate = certificate_->GetReference(); if (!certificate) { delete keypair; return NULL; } return new NSSIdentity(keypair, certificate); } NSSCertificate &NSSIdentity::certificate() const { return *certificate_; } } // talk_base namespace #endif // HAVE_NSS_SSL_H