src/net/cert/cert_verify_proc_nss.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/cert_verify_proc_nss.h"
   6
   7 #include <string>
   8 #include <vector>
   9
  10 #include <cert.h>
  11 #include <nss.h>
  12 #include <prerror.h>
  13 #include <secerr.h>
  14 #include <sechash.h>
  15 #include <sslerr.h>
  16
  17 #include "base/logging.h"
  18 #include "crypto/nss_util.h"
  19 #include "crypto/scoped_nss_types.h"
  20 #include "crypto/sha2.h"
  21 #include "net/base/net_errors.h"
  22 #include "net/cert/asn1_util.h"
  23 #include "net/cert/cert_status_flags.h"
  24 #include "net/cert/cert_verifier.h"
  25 #include "net/cert/cert_verify_result.h"
  26 #include "net/cert/crl_set.h"
  27 #include "net/cert/ev_root_ca_metadata.h"
  28 #include "net/cert/x509_certificate.h"
  29 #include "net/cert/x509_util_nss.h"
  30
  31 #if defined(OS_IOS)
  32 #include <CommonCrypto/CommonDigest.h>
  33 #include "net/cert/x509_util_ios.h"
  34 #endif  // defined(OS_IOS)
  35
  36 namespace net {
  37
  38 namespace {
  39
  40 typedef scoped_ptr<
  41     CERTCertificatePolicies,
  42     crypto::NSSDestroyer<CERTCertificatePolicies,
  43                          CERT_DestroyCertificatePoliciesExtension> >
  44     ScopedCERTCertificatePolicies;
  45
  46 typedef scoped_ptr<
  47     CERTCertList,
  48     crypto::NSSDestroyer<CERTCertList, CERT_DestroyCertList> >
  49     ScopedCERTCertList;
  50
  51 // ScopedCERTValOutParam manages destruction of values in the CERTValOutParam
  52 // array that cvout points to.  cvout must be initialized as passed to
  53 // CERT_PKIXVerifyCert, so that the array must be terminated with
  54 // cert_po_end type.
  55 // When it goes out of scope, it destroys values of cert_po_trustAnchor
  56 // and cert_po_certList types, but doesn't release the array itself.
  57 class ScopedCERTValOutParam {
  58  public:
  59   explicit ScopedCERTValOutParam(CERTValOutParam* cvout) : cvout_(cvout) {}
  60
  61   ~ScopedCERTValOutParam() {
  62     Clear();
  63   }
  64
  65   // Free the internal resources, but do not release the array itself.
  66   void Clear() {
  67     if (cvout_ == NULL)
  68       return;
  69     for (CERTValOutParam *p = cvout_; p->type != cert_po_end; p++) {
  70       switch (p->type) {
  71         case cert_po_trustAnchor:
  72           if (p->value.pointer.cert) {
  73             CERT_DestroyCertificate(p->value.pointer.cert);
  74             p->value.pointer.cert = NULL;
  75           }
  76           break;
  77         case cert_po_certList:
  78           if (p->value.pointer.chain) {
  79             CERT_DestroyCertList(p->value.pointer.chain);
  80             p->value.pointer.chain = NULL;
  81           }
  82           break;
  83         default:
  84           break;
  85       }
  86     }
  87   }
  88
  89  private:
  90   CERTValOutParam* cvout_;
  91
  92   DISALLOW_COPY_AND_ASSIGN(ScopedCERTValOutParam);
  93 };
  94
  95 // Map PORT_GetError() return values to our network error codes.
  96 int MapSecurityError(int err) {
  97   switch (err) {
  98     case PR_DIRECTORY_LOOKUP_ERROR:  // DNS lookup error.
  99       return ERR_NAME_NOT_RESOLVED;
 100     case SEC_ERROR_INVALID_ARGS:
 101       return ERR_INVALID_ARGUMENT;
 102     case SSL_ERROR_BAD_CERT_DOMAIN:
 103       return ERR_CERT_COMMON_NAME_INVALID;
 104     case SEC_ERROR_INVALID_TIME:
 105     case SEC_ERROR_EXPIRED_CERTIFICATE:
 106     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 107       return ERR_CERT_DATE_INVALID;
 108     case SEC_ERROR_UNKNOWN_ISSUER:
 109     case SEC_ERROR_UNTRUSTED_ISSUER:
 110     case SEC_ERROR_CA_CERT_INVALID:
 111     case SEC_ERROR_APPLICATION_CALLBACK_ERROR:  // Rejected by
 112                                                 // chain_verify_callback.
 113       return ERR_CERT_AUTHORITY_INVALID;
 114     // TODO(port): map ERR_CERT_NO_REVOCATION_MECHANISM.
 115     case SEC_ERROR_OCSP_BAD_HTTP_RESPONSE:
 116     case SEC_ERROR_OCSP_SERVER_ERROR:
 117       return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
 118     case SEC_ERROR_REVOKED_CERTIFICATE:
 119     case SEC_ERROR_UNTRUSTED_CERT:  // Treat as revoked.
 120       return ERR_CERT_REVOKED;
 121     case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
 122       return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
 123     case SEC_ERROR_BAD_DER:
 124     case SEC_ERROR_BAD_SIGNATURE:
 125     case SEC_ERROR_CERT_NOT_VALID:
 126     // TODO(port): add an ERR_CERT_WRONG_USAGE error code.
 127     case SEC_ERROR_CERT_USAGES_INVALID:
 128     case SEC_ERROR_INADEQUATE_KEY_USAGE:  // Key usage.
 129     case SEC_ERROR_INADEQUATE_CERT_TYPE:  // Extended key usage and whether
 130                                           // the certificate is a CA.
 131     case SEC_ERROR_POLICY_VALIDATION_FAILED:
 132     case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
 133     case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
 134     case SEC_ERROR_EXTENSION_VALUE_INVALID:
 135       return ERR_CERT_INVALID;
 136     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
 137       return ERR_CERT_WEAK_SIGNATURE_ALGORITHM;
 138     default:
 139       LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
 140       return ERR_FAILED;
 141   }
 142 }
 143
 144 // Map PORT_GetError() return values to our cert status flags.
 145 CertStatus MapCertErrorToCertStatus(int err) {
 146   int net_error = MapSecurityError(err);
 147   return MapNetErrorToCertStatus(net_error);
 148 }
 149
 150 // Saves some information about the certificate chain cert_list in
 151 // *verify_result.  The caller MUST initialize *verify_result before calling
 152 // this function.
 153 // Note that cert_list[0] is the end entity certificate.
 154 void GetCertChainInfo(CERTCertList* cert_list,
 155                       CERTCertificate* root_cert,
 156                       CertVerifyResult* verify_result) {
 157   DCHECK(cert_list);
 158
 159   CERTCertificate* verified_cert = NULL;
 160   std::vector<CERTCertificate*> verified_chain;
 161   int i = 0;
 162   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
 163        !CERT_LIST_END(node, cert_list);
 164        node = CERT_LIST_NEXT(node), ++i) {
 165     if (i == 0) {
 166       verified_cert = node->cert;
 167     } else {
 168       // Because of an NSS bug, CERT_PKIXVerifyCert may chain a self-signed
 169       // certificate of a root CA to another certificate of the same root CA
 170       // key.  Detect that error and ignore the root CA certificate.
 171       // See https://bugzilla.mozilla.org/show_bug.cgi?id=721288.
 172       if (node->cert->isRoot) {
 173         // NOTE: isRoot doesn't mean the certificate is a trust anchor.  It
 174         // means the certificate is self-signed.  Here we assume isRoot only
 175         // implies the certificate is self-issued.
 176         CERTCertListNode* next_node = CERT_LIST_NEXT(node);
 177         CERTCertificate* next_cert;
 178         if (!CERT_LIST_END(next_node, cert_list)) {
 179           next_cert = next_node->cert;
 180         } else {
 181           next_cert = root_cert;
 182         }
 183         // Test that |node->cert| is actually a self-signed certificate
 184         // whose key is equal to |next_cert|, and not a self-issued
 185         // certificate signed by another key of the same CA.
 186         if (next_cert && SECITEM_ItemsAreEqual(&node->cert->derPublicKey,
 187                                                &next_cert->derPublicKey)) {
 188           continue;
 189         }
 190       }
 191       verified_chain.push_back(node->cert);
 192     }
 193
 194     SECAlgorithmID& signature = node->cert->signature;
 195     SECOidTag oid_tag = SECOID_FindOIDTag(&signature.algorithm);
 196     switch (oid_tag) {
 197       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
 198         verify_result->has_md5 = true;
 199         break;
 200       case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
 201         verify_result->has_md2 = true;
 202         break;
 203       case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
 204         verify_result->has_md4 = true;
 205         break;
 206       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
 207       case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
 208       case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
 209       case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
 210         verify_result->has_sha1 = true;
 211         break;
 212       default:
 213         break;
 214     }
 215   }
 216
 217   if (root_cert)
 218     verified_chain.push_back(root_cert);
 219 #if defined(OS_IOS)
 220   verify_result->verified_cert =
 221       x509_util_ios::CreateCertFromNSSHandles(verified_cert, verified_chain);
 222 #else
 223   verify_result->verified_cert =
 224       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
 225 #endif  // defined(OS_IOS)
 226 }
 227
 228 // IsKnownRoot returns true if the given certificate is one that we believe
 229 // is a standard (as opposed to user-installed) root.
 230 bool IsKnownRoot(CERTCertificate* root) {
 231   if (!root || !root->slot)
 232     return false;
 233
 234   // This magic name is taken from
 235   // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
 236   return 0 == strcmp(PK11_GetSlotName(root->slot),
 237                      "NSS Builtin Objects");
 238 }
 239
 240 // Returns true if the given certificate is one of the additional trust anchors.
 241 bool IsAdditionalTrustAnchor(CERTCertList* additional_trust_anchors,
 242                              CERTCertificate* root) {
 243   if (!additional_trust_anchors || !root)
 244     return false;
 245   for (CERTCertListNode* node = CERT_LIST_HEAD(additional_trust_anchors);
 246        !CERT_LIST_END(node, additional_trust_anchors);
 247        node = CERT_LIST_NEXT(node)) {
 248     if (CERT_CompareCerts(node->cert, root))
 249       return true;
 250   }
 251   return false;
 252 }
 253
 254 enum CRLSetResult {
 255   kCRLSetOk,
 256   kCRLSetRevoked,
 257   kCRLSetUnknown,
 258 };
 259
 260 // CheckRevocationWithCRLSet attempts to check each element of |cert_list|
 261 // against |crl_set|. It returns:
 262 //   kCRLSetRevoked: if any element of the chain is known to have been revoked.
 263 //   kCRLSetUnknown: if there is no fresh information about the leaf
 264 //       certificate in the chain or if the CRLSet has expired.
 265 //
 266 //       Only the leaf certificate is considered for coverage because some
 267 //       intermediates have CRLs with no revocations (after filtering) and
 268 //       those CRLs are pruned from the CRLSet at generation time. This means
 269 //       that some EV sites would otherwise take the hit of an OCSP lookup for
 270 //       no reason.
 271 //   kCRLSetOk: otherwise.
 272 CRLSetResult CheckRevocationWithCRLSet(CERTCertList* cert_list,
 273                                        CERTCertificate* root,
 274                                        CRLSet* crl_set) {
 275   std::vector<CERTCertificate*> certs;
 276
 277   if (cert_list) {
 278     for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
 279          !CERT_LIST_END(node, cert_list);
 280          node = CERT_LIST_NEXT(node)) {
 281       certs.push_back(node->cert);
 282     }
 283   }
 284   if (root)
 285     certs.push_back(root);
 286
 287   // error is set to true if any errors are found. It causes such chains to be
 288   // considered as not covered.
 289   bool error = false;
 290   // last_covered is set to the coverage state of the previous certificate. The
 291   // certificates are iterated over backwards thus, after the iteration,
 292   // |last_covered| contains the coverage state of the leaf certificate.
 293   bool last_covered = false;
 294
 295   // We iterate from the root certificate down to the leaf, keeping track of
 296   // the issuer's SPKI at each step.
 297   std::string issuer_spki_hash;
 298   for (std::vector<CERTCertificate*>::reverse_iterator i = certs.rbegin();
 299        i != certs.rend(); ++i) {
 300     CERTCertificate* cert = *i;
 301
 302     base::StringPiece der(reinterpret_cast<char*>(cert->derCert.data),
 303                           cert->derCert.len);
 304
 305     base::StringPiece spki;
 306     if (!asn1::ExtractSPKIFromDERCert(der, &spki)) {
 307       NOTREACHED();
 308       error = true;
 309       continue;
 310     }
 311     const std::string spki_hash = crypto::SHA256HashString(spki);
 312
 313     base::StringPiece serial_number = base::StringPiece(
 314         reinterpret_cast<char*>(cert->serialNumber.data),
 315         cert->serialNumber.len);
 316
 317     CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
 318
 319     if (result != CRLSet::REVOKED && !issuer_spki_hash.empty())
 320       result = crl_set->CheckSerial(serial_number, issuer_spki_hash);
 321
 322     issuer_spki_hash = spki_hash;
 323
 324     switch (result) {
 325       case CRLSet::REVOKED:
 326         return kCRLSetRevoked;
 327       case CRLSet::UNKNOWN:
 328         last_covered = false;
 329         continue;
 330       case CRLSet::GOOD:
 331         last_covered = true;
 332         continue;
 333       default:
 334         NOTREACHED();
 335         error = true;
 336         continue;
 337     }
 338   }
 339
 340   if (error || !last_covered || crl_set->IsExpired())
 341     return kCRLSetUnknown;
 342   return kCRLSetOk;
 343 }
 344
 345 // Forward declarations.
 346 SECStatus RetryPKIXVerifyCertWithWorkarounds(
 347     CERTCertificate* cert_handle, int num_policy_oids,
 348     bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
 349     CERTValOutParam* cvout);
 350 SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle);
 351
 352 // Call CERT_PKIXVerifyCert for the cert_handle.
 353 // Verification results are stored in an array of CERTValOutParam.
 354 // If |hard_fail| is true, and no policy_oids are supplied (eg: EV is NOT being
 355 // checked), then the failure to obtain valid CRL/OCSP information for all
 356 // certificates that contain CRL/OCSP URLs will cause the certificate to be
 357 // treated as if it was revoked. Since failures may be caused by transient
 358 // network failures or by malicious attackers, in general, hard_fail should be
 359 // false.
 360 // If policy_oids is not NULL and num_policy_oids is positive, policies
 361 // are also checked.
 362 // additional_trust_anchors is an optional list of certificates that can be
 363 // trusted as anchors when building a certificate chain.
 364 // Caller must initialize cvout before calling this function.
 365 SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
 366                          bool check_revocation,
 367                          bool hard_fail,
 368                          bool cert_io_enabled,
 369                          const SECOidTag* policy_oids,
 370                          int num_policy_oids,
 371                          CERTCertList* additional_trust_anchors,
 372                          CERTChainVerifyCallback* chain_verify_callback,
 373                          CERTValOutParam* cvout) {
 374   bool use_crl = check_revocation;
 375   bool use_ocsp = check_revocation;
 376
 377   PRUint64 revocation_method_flags =
 378       CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
 379       CERT_REV_M_ALLOW_NETWORK_FETCHING |
 380       CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE |
 381       CERT_REV_M_IGNORE_MISSING_FRESH_INFO |
 382       CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
 383   PRUint64 revocation_method_independent_flags =
 384       CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
 385   if (check_revocation && policy_oids && num_policy_oids > 0) {
 386     // EV verification requires revocation checking.  Consider the certificate
 387     // revoked if we don't have revocation info.
 388     // TODO(wtc): Add a bool parameter to expressly specify we're doing EV
 389     // verification or we want strict revocation flags.
 390     revocation_method_flags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE;
 391     revocation_method_independent_flags |=
 392         CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
 393   } else if (check_revocation && hard_fail) {
 394     revocation_method_flags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO;
 395     revocation_method_independent_flags |=
 396         CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
 397   } else {
 398     revocation_method_flags |= CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE;
 399     revocation_method_independent_flags |=
 400         CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT;
 401   }
 402   PRUint64 method_flags[2];
 403   method_flags[cert_revocation_method_crl] = revocation_method_flags;
 404   method_flags[cert_revocation_method_ocsp] = revocation_method_flags;
 405
 406   if (use_crl) {
 407     method_flags[cert_revocation_method_crl] |=
 408         CERT_REV_M_TEST_USING_THIS_METHOD;
 409   }
 410   if (use_ocsp) {
 411     method_flags[cert_revocation_method_ocsp] |=
 412         CERT_REV_M_TEST_USING_THIS_METHOD;
 413   }
 414
 415   CERTRevocationMethodIndex preferred_revocation_methods[1];
 416   if (use_ocsp) {
 417     preferred_revocation_methods[0] = cert_revocation_method_ocsp;
 418   } else {
 419     preferred_revocation_methods[0] = cert_revocation_method_crl;
 420   }
 421
 422   CERTRevocationFlags revocation_flags;
 423   revocation_flags.leafTests.number_of_defined_methods =
 424       arraysize(method_flags);
 425   revocation_flags.leafTests.cert_rev_flags_per_method = method_flags;
 426   revocation_flags.leafTests.number_of_preferred_methods =
 427       arraysize(preferred_revocation_methods);
 428   revocation_flags.leafTests.preferred_methods = preferred_revocation_methods;
 429   revocation_flags.leafTests.cert_rev_method_independent_flags =
 430       revocation_method_independent_flags;
 431
 432   revocation_flags.chainTests.number_of_defined_methods =
 433       arraysize(method_flags);
 434   revocation_flags.chainTests.cert_rev_flags_per_method = method_flags;
 435   revocation_flags.chainTests.number_of_preferred_methods =
 436       arraysize(preferred_revocation_methods);
 437   revocation_flags.chainTests.preferred_methods = preferred_revocation_methods;
 438   revocation_flags.chainTests.cert_rev_method_independent_flags =
 439       revocation_method_independent_flags;
 440
 441
 442   std::vector<CERTValInParam> cvin;
 443   cvin.reserve(7);
 444   CERTValInParam in_param;
 445   in_param.type = cert_pi_revocationFlags;
 446   in_param.value.pointer.revocation = &revocation_flags;
 447   cvin.push_back(in_param);
 448   if (policy_oids && num_policy_oids > 0) {
 449     in_param.type = cert_pi_policyOID;
 450     in_param.value.arraySize = num_policy_oids;
 451     in_param.value.array.oids = policy_oids;
 452     cvin.push_back(in_param);
 453   }
 454   if (additional_trust_anchors) {
 455     in_param.type = cert_pi_trustAnchors;
 456     in_param.value.pointer.chain = additional_trust_anchors;
 457     cvin.push_back(in_param);
 458     in_param.type = cert_pi_useOnlyTrustAnchors;
 459     in_param.value.scalar.b = PR_FALSE;
 460     cvin.push_back(in_param);
 461   }
 462   if (chain_verify_callback) {
 463     in_param.type = cert_pi_chainVerifyCallback;
 464     in_param.value.pointer.chainVerifyCallback = chain_verify_callback;
 465     cvin.push_back(in_param);
 466   }
 467   in_param.type = cert_pi_end;
 468   cvin.push_back(in_param);
 469
 470   SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
 471                                      &cvin[0], cvout, NULL);
 472   if (rv != SECSuccess) {
 473     rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
 474                                             cert_io_enabled, &cvin, cvout);
 475   }
 476   return rv;
 477 }
 478
 479 // PKIXVerifyCert calls this function to work around some bugs in
 480 // CERT_PKIXVerifyCert.  All the arguments of this function are either the
 481 // arguments or local variables of PKIXVerifyCert.
 482 SECStatus RetryPKIXVerifyCertWithWorkarounds(
 483     CERTCertificate* cert_handle, int num_policy_oids,
 484     bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
 485     CERTValOutParam* cvout) {
 486   // We call this function when the first CERT_PKIXVerifyCert call in
 487   // PKIXVerifyCert failed,  so we initialize |rv| to SECFailure.
 488   SECStatus rv = SECFailure;
 489   int nss_error = PORT_GetError();
 490   CERTValInParam in_param;
 491
 492   // If we get SEC_ERROR_UNKNOWN_ISSUER, we may be missing an intermediate
 493   // CA certificate, so we retry with cert_pi_useAIACertFetch.
 494   // cert_pi_useAIACertFetch has several bugs in its error handling and
 495   // error reporting (NSS bug 528743), so we don't use it by default.
 496   // Note: When building a certificate chain, CERT_PKIXVerifyCert may
 497   // incorrectly pick a CA certificate with the same subject name as the
 498   // missing intermediate CA certificate, and  fail with the
 499   // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with
 500   // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE.
 501   if (cert_io_enabled &&
 502       (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
 503        nss_error == SEC_ERROR_BAD_SIGNATURE)) {
 504     DCHECK_EQ(cvin->back().type,  cert_pi_end);
 505     cvin->pop_back();
 506     in_param.type = cert_pi_useAIACertFetch;
 507     in_param.value.scalar.b = PR_TRUE;
 508     cvin->push_back(in_param);
 509     in_param.type = cert_pi_end;
 510     cvin->push_back(in_param);
 511     rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
 512                              &(*cvin)[0], cvout, NULL);
 513     if (rv == SECSuccess)
 514       return rv;
 515     int new_nss_error = PORT_GetError();
 516     if (new_nss_error == SEC_ERROR_INVALID_ARGS ||
 517         new_nss_error == SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE ||
 518         new_nss_error == SEC_ERROR_BAD_INFO_ACCESS_LOCATION ||
 519         new_nss_error == SEC_ERROR_BAD_HTTP_RESPONSE ||
 520         new_nss_error == SEC_ERROR_BAD_LDAP_RESPONSE ||
 521         !IS_SEC_ERROR(new_nss_error)) {
 522       // Use the original error code because of cert_pi_useAIACertFetch's
 523       // bad error reporting.
 524       PORT_SetError(nss_error);
 525       return rv;
 526     }
 527     nss_error = new_nss_error;
 528   }
 529
 530   // If an intermediate CA certificate has requireExplicitPolicy in its
 531   // policyConstraints extension, CERT_PKIXVerifyCert fails with
 532   // SEC_ERROR_POLICY_VALIDATION_FAILED because we didn't specify any
 533   // certificate policy (NSS bug 552775).  So we retry with the certificate
 534   // policy found in the server certificate.
 535   if (nss_error == SEC_ERROR_POLICY_VALIDATION_FAILED &&
 536       num_policy_oids == 0) {
 537     SECOidTag policy = GetFirstCertPolicy(cert_handle);
 538     if (policy != SEC_OID_UNKNOWN) {
 539       DCHECK_EQ(cvin->back().type,  cert_pi_end);
 540       cvin->pop_back();
 541       in_param.type = cert_pi_policyOID;
 542       in_param.value.arraySize = 1;
 543       in_param.value.array.oids = &policy;
 544       cvin->push_back(in_param);
 545       in_param.type = cert_pi_end;
 546       cvin->push_back(in_param);
 547       rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
 548                                &(*cvin)[0], cvout, NULL);
 549       if (rv != SECSuccess) {
 550         // Use the original error code.
 551         PORT_SetError(nss_error);
 552       }
 553     }
 554   }
 555
 556   return rv;
 557 }
 558
 559 // Decodes the certificatePolicies extension of the certificate.  Returns
 560 // NULL if the certificate doesn't have the extension or the extension can't
 561 // be decoded.  The returned value must be freed with a
 562 // CERT_DestroyCertificatePoliciesExtension call.
 563 CERTCertificatePolicies* DecodeCertPolicies(
 564     CERTCertificate* cert_handle) {
 565   SECItem policy_ext;
 566   SECStatus rv = CERT_FindCertExtension(cert_handle,
 567                                         SEC_OID_X509_CERTIFICATE_POLICIES,
 568                                         &policy_ext);
 569   if (rv != SECSuccess)
 570     return NULL;
 571   CERTCertificatePolicies* policies =
 572       CERT_DecodeCertificatePoliciesExtension(&policy_ext);
 573   SECITEM_FreeItem(&policy_ext, PR_FALSE);
 574   return policies;
 575 }
 576
 577 // Returns the OID tag for the first certificate policy in the certificate's
 578 // certificatePolicies extension.  Returns SEC_OID_UNKNOWN if the certificate
 579 // has no certificate policy.
 580 SECOidTag GetFirstCertPolicy(CERTCertificate* cert_handle) {
 581   ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
 582   if (!policies.get())
 583     return SEC_OID_UNKNOWN;
 584
 585   CERTPolicyInfo* policy_info = policies->policyInfos[0];
 586   if (!policy_info)
 587     return SEC_OID_UNKNOWN;
 588   if (policy_info->oid != SEC_OID_UNKNOWN)
 589     return policy_info->oid;
 590
 591   // The certificate policy is unknown to NSS.  We need to create a dynamic
 592   // OID tag for the policy.
 593   SECOidData od;
 594   od.oid.len = policy_info->policyID.len;
 595   od.oid.data = policy_info->policyID.data;
 596   od.offset = SEC_OID_UNKNOWN;
 597   // NSS doesn't allow us to pass an empty description, so I use a hardcoded,
 598   // default description here.  The description doesn't need to be unique for
 599   // each OID.
 600   od.desc = "a certificate policy";
 601   od.mechanism = CKM_INVALID_MECHANISM;
 602   od.supportedExtension = INVALID_CERT_EXTENSION;
 603   return SECOID_AddEntry(&od);
 604 }
 605
 606 HashValue CertPublicKeyHashSHA1(CERTCertificate* cert) {
 607   HashValue hash(HASH_VALUE_SHA1);
 608 #if defined(OS_IOS)
 609   CC_SHA1(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
 610 #else
 611   SECStatus rv = HASH_HashBuf(HASH_AlgSHA1, hash.data(),
 612                               cert->derPublicKey.data, cert->derPublicKey.len);
 613   DCHECK_EQ(SECSuccess, rv);
 614 #endif
 615   return hash;
 616 }
 617
 618 HashValue CertPublicKeyHashSHA256(CERTCertificate* cert) {
 619   HashValue hash(HASH_VALUE_SHA256);
 620 #if defined(OS_IOS)
 621   CC_SHA256(cert->derPublicKey.data, cert->derPublicKey.len, hash.data());
 622 #else
 623   SECStatus rv = HASH_HashBuf(HASH_AlgSHA256, hash.data(),
 624                               cert->derPublicKey.data, cert->derPublicKey.len);
 625   DCHECK_EQ(rv, SECSuccess);
 626 #endif
 627   return hash;
 628 }
 629
 630 void AppendPublicKeyHashes(CERTCertList* cert_list,
 631                            CERTCertificate* root_cert,
 632                            HashValueVector* hashes) {
 633   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
 634        !CERT_LIST_END(node, cert_list);
 635        node = CERT_LIST_NEXT(node)) {
 636     hashes->push_back(CertPublicKeyHashSHA1(node->cert));
 637     hashes->push_back(CertPublicKeyHashSHA256(node->cert));
 638   }
 639   if (root_cert) {
 640     hashes->push_back(CertPublicKeyHashSHA1(root_cert));
 641     hashes->push_back(CertPublicKeyHashSHA256(root_cert));
 642   }
 643 }
 644
 645 // Returns true if |cert_handle| contains a policy OID that is an EV policy
 646 // OID according to |metadata|, storing the resulting policy OID in
 647 // |*ev_policy_oid|. A true return is not sufficient to establish that a
 648 // certificate is EV, but a false return is sufficient to establish the
 649 // certificate cannot be EV.
 650 bool IsEVCandidate(EVRootCAMetadata* metadata,
 651                    CERTCertificate* cert_handle,
 652                    SECOidTag* ev_policy_oid) {
 653   DCHECK(cert_handle);
 654   ScopedCERTCertificatePolicies policies(DecodeCertPolicies(cert_handle));
 655   if (!policies.get())
 656     return false;
 657
 658   CERTPolicyInfo** policy_infos = policies->policyInfos;
 659   while (*policy_infos != NULL) {
 660     CERTPolicyInfo* policy_info = *policy_infos++;
 661     // If the Policy OID is unknown, that implicitly means it has not been
 662     // registered as an EV policy.
 663     if (policy_info->oid == SEC_OID_UNKNOWN)
 664       continue;
 665     if (metadata->IsEVPolicyOID(policy_info->oid)) {
 666       *ev_policy_oid = policy_info->oid;
 667       return true;
 668     }
 669   }
 670
 671   return false;
 672 }
 673
 674 // Studied Mozilla's code (esp. security/manager/ssl/src/nsIdentityChecking.cpp
 675 // and nsNSSCertHelper.cpp) to learn how to verify EV certificate.
 676 // TODO(wtc): A possible optimization is that we get the trust anchor from
 677 // the first PKIXVerifyCert call.  We look up the EV policy for the trust
 678 // anchor.  If the trust anchor has no EV policy, we know the cert isn't EV.
 679 // Otherwise, we pass just that EV policy (as opposed to all the EV policies)
 680 // to the second PKIXVerifyCert call.
 681 bool VerifyEV(CERTCertificate* cert_handle,
 682               int flags,
 683               CRLSet* crl_set,
 684               bool rev_checking_enabled,
 685               EVRootCAMetadata* metadata,
 686               SECOidTag ev_policy_oid,
 687               CERTCertList* additional_trust_anchors,
 688               CERTChainVerifyCallback* chain_verify_callback) {
 689   CERTValOutParam cvout[3];
 690   int cvout_index = 0;
 691   cvout[cvout_index].type = cert_po_certList;
 692   cvout[cvout_index].value.pointer.chain = NULL;
 693   int cvout_cert_list_index = cvout_index;
 694   cvout_index++;
 695   cvout[cvout_index].type = cert_po_trustAnchor;
 696   cvout[cvout_index].value.pointer.cert = NULL;
 697   int cvout_trust_anchor_index = cvout_index;
 698   cvout_index++;
 699   cvout[cvout_index].type = cert_po_end;
 700   ScopedCERTValOutParam scoped_cvout(cvout);
 701
 702   SECStatus status = PKIXVerifyCert(
 703       cert_handle,
 704       rev_checking_enabled,
 705       true, /* hard fail is implied in EV. */
 706       flags & CertVerifier::VERIFY_CERT_IO_ENABLED,
 707       &ev_policy_oid,
 708       1,
 709       additional_trust_anchors,
 710       chain_verify_callback,
 711       cvout);
 712   if (status != SECSuccess)
 713     return false;
 714
 715   CERTCertificate* root_ca =
 716       cvout[cvout_trust_anchor_index].value.pointer.cert;
 717   if (root_ca == NULL)
 718     return false;
 719
 720   // This second PKIXVerifyCert call could have found a different certification
 721   // path and one or more of the certificates on this new path, that weren't on
 722   // the old path, might have been revoked.
 723   if (crl_set) {
 724     CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
 725         cvout[cvout_cert_list_index].value.pointer.chain,
 726         cvout[cvout_trust_anchor_index].value.pointer.cert,
 727         crl_set);
 728     if (crl_set_result == kCRLSetRevoked)
 729       return false;
 730   }
 731
 732 #if defined(OS_IOS)
 733   SHA1HashValue fingerprint = x509_util_ios::CalculateFingerprintNSS(root_ca);
 734 #else
 735   SHA1HashValue fingerprint =
 736       X509Certificate::CalculateFingerprint(root_ca);
 737 #endif
 738   return metadata->HasEVPolicyOID(fingerprint, ev_policy_oid);
 739 }
 740
 741 CERTCertList* CertificateListToCERTCertList(const CertificateList& list) {
 742   CERTCertList* result = CERT_NewCertList();
 743   for (size_t i = 0; i < list.size(); ++i) {
 744 #if defined(OS_IOS)
 745     // X509Certificate::os_cert_handle() on iOS is a SecCertificateRef; convert
 746     // it to an NSS CERTCertificate.
 747     CERTCertificate* cert = x509_util_ios::CreateNSSCertHandleFromOSHandle(
 748         list[i]->os_cert_handle());
 749 #else
 750     CERTCertificate* cert = list[i]->os_cert_handle();
 751 #endif
 752     CERT_AddCertToListTail(result, CERT_DupCertificate(cert));
 753   }
 754   return result;
 755 }
 756
 757 }  // namespace
 758
 759 CertVerifyProcNSS::CertVerifyProcNSS() {}
 760
 761 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 762
 763 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
 764   return true;
 765 }
 766
 767 int CertVerifyProcNSS::VerifyInternalImpl(
 768     X509Certificate* cert,
 769     const std::string& hostname,
 770     int flags,
 771     CRLSet* crl_set,
 772     const CertificateList& additional_trust_anchors,
 773     CERTChainVerifyCallback* chain_verify_callback,
 774     CertVerifyResult* verify_result) {
 775 #if defined(OS_IOS)
 776   // For iOS, the entire chain must be loaded into NSS's in-memory certificate
 777   // store.
 778   x509_util_ios::NSSCertChain scoped_chain(cert);
 779   CERTCertificate* cert_handle = scoped_chain.cert_handle();
 780 #else
 781   CERTCertificate* cert_handle = cert->os_cert_handle();
 782 #endif  // defined(OS_IOS)
 783
 784   if (!cert->VerifyNameMatch(hostname,
 785                              &verify_result->common_name_fallback_used)) {
 786     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
 787   }
 788
 789   // Make sure that the cert is valid now.
 790   SECCertTimeValidity validity = CERT_CheckCertValidTimes(
 791       cert_handle, PR_Now(), PR_TRUE);
 792   if (validity != secCertTimeValid)
 793     verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
 794
 795   CERTValOutParam cvout[3];
 796   int cvout_index = 0;
 797   cvout[cvout_index].type = cert_po_certList;
 798   cvout[cvout_index].value.pointer.chain = NULL;
 799   int cvout_cert_list_index = cvout_index;
 800   cvout_index++;
 801   cvout[cvout_index].type = cert_po_trustAnchor;
 802   cvout[cvout_index].value.pointer.cert = NULL;
 803   int cvout_trust_anchor_index = cvout_index;
 804   cvout_index++;
 805   cvout[cvout_index].type = cert_po_end;
 806   ScopedCERTValOutParam scoped_cvout(cvout);
 807
 808   EVRootCAMetadata* metadata = EVRootCAMetadata::GetInstance();
 809   SECOidTag ev_policy_oid = SEC_OID_UNKNOWN;
 810   bool is_ev_candidate =
 811       (flags & CertVerifier::VERIFY_EV_CERT) &&
 812       IsEVCandidate(metadata, cert_handle, &ev_policy_oid);
 813   bool cert_io_enabled = flags & CertVerifier::VERIFY_CERT_IO_ENABLED;
 814   bool check_revocation =
 815       cert_io_enabled &&
 816       (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
 817   if (check_revocation)
 818     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 819
 820   ScopedCERTCertList trust_anchors;
 821   if (!additional_trust_anchors.empty()) {
 822     trust_anchors.reset(
 823         CertificateListToCERTCertList(additional_trust_anchors));
 824   }
 825
 826   SECStatus status = PKIXVerifyCert(cert_handle,
 827                                     check_revocation,
 828                                     false,
 829                                     cert_io_enabled,
 830                                     NULL,
 831                                     0,
 832                                     trust_anchors.get(),
 833                                     chain_verify_callback,
 834                                     cvout);
 835
 836   if (status == SECSuccess &&
 837       (flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&
 838       !IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert)) {
 839     // TODO(rsleevi): Optimize this by supplying the constructed chain to
 840     // libpkix via cvin. Omitting for now, due to lack of coverage in upstream
 841     // NSS tests for that feature.
 842     scoped_cvout.Clear();
 843     verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 844     status = PKIXVerifyCert(cert_handle,
 845                             true,
 846                             true,
 847                             cert_io_enabled,
 848                             NULL,
 849                             0,
 850                             trust_anchors.get(),
 851                             chain_verify_callback,
 852                             cvout);
 853   }
 854
 855   if (status == SECSuccess) {
 856     AppendPublicKeyHashes(cvout[cvout_cert_list_index].value.pointer.chain,
 857                           cvout[cvout_trust_anchor_index].value.pointer.cert,
 858                           &verify_result->public_key_hashes);
 859
 860     verify_result->is_issued_by_known_root =
 861         IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
 862     verify_result->is_issued_by_additional_trust_anchor =
 863         IsAdditionalTrustAnchor(
 864             trust_anchors.get(),
 865             cvout[cvout_trust_anchor_index].value.pointer.cert);
 866
 867     GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
 868                      cvout[cvout_trust_anchor_index].value.pointer.cert,
 869                      verify_result);
 870   }
 871
 872   CRLSetResult crl_set_result = kCRLSetUnknown;
 873   if (crl_set) {
 874     crl_set_result = CheckRevocationWithCRLSet(
 875         cvout[cvout_cert_list_index].value.pointer.chain,
 876         cvout[cvout_trust_anchor_index].value.pointer.cert,
 877         crl_set);
 878     if (crl_set_result == kCRLSetRevoked) {
 879       PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
 880       status = SECFailure;
 881     }
 882   }
 883
 884   if (status != SECSuccess) {
 885     int err = PORT_GetError();
 886     LOG(ERROR) << "CERT_PKIXVerifyCert for " << hostname
 887                << " failed err=" << err;
 888     // CERT_PKIXVerifyCert rerports the wrong error code for
 889     // expired certificates (NSS bug 491174)
 890     if (err == SEC_ERROR_CERT_NOT_VALID &&
 891         (verify_result->cert_status & CERT_STATUS_DATE_INVALID))
 892       err = SEC_ERROR_EXPIRED_CERTIFICATE;
 893     CertStatus cert_status = MapCertErrorToCertStatus(err);
 894     if (cert_status) {
 895       verify_result->cert_status |= cert_status;
 896       return MapCertStatusToNetError(verify_result->cert_status);
 897     }
 898     // |err| is not a certificate error.
 899     return MapSecurityError(err);
 900   }
 901
 902   if (IsCertStatusError(verify_result->cert_status))
 903     return MapCertStatusToNetError(verify_result->cert_status);
 904
 905   if ((flags & CertVerifier::VERIFY_EV_CERT) && is_ev_candidate) {
 906     check_revocation |=
 907         crl_set_result != kCRLSetOk &&
 908         cert_io_enabled &&
 909         (flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY);
 910     if (check_revocation)
 911       verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 912
 913     if (VerifyEV(cert_handle,
 914                  flags,
 915                  crl_set,
 916                  check_revocation,
 917                  metadata,
 918                  ev_policy_oid,
 919                  trust_anchors.get(),
 920                  chain_verify_callback)) {
 921       verify_result->cert_status |= CERT_STATUS_IS_EV;
 922     }
 923   }
 924
 925   return OK;
 926 }
 927
 928 int CertVerifyProcNSS::VerifyInternal(
 929     X509Certificate* cert,
 930     const std::string& hostname,
 931     int flags,
 932     CRLSet* crl_set,
 933     const CertificateList& additional_trust_anchors,
 934     CertVerifyResult* verify_result) {
 935   return VerifyInternalImpl(cert,
 936                             hostname,
 937                             flags,
 938                             crl_set,
 939                             additional_trust_anchors,
 940                             NULL,  // chain_verify_callback
 941                             verify_result);
 942 }
 943
 944 }  // namespace net