src/net/cert/cert_verify_proc.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/cert_verify_proc.h"
   6
   7 #include "base/metrics/histogram.h"
   8 #include "base/sha1.h"
   9 #include "base/strings/stringprintf.h"
  10 #include "build/build_config.h"
  11 #include "net/base/net_errors.h"
  12 #include "net/base/net_util.h"
  13 #include "net/cert/cert_status_flags.h"
  14 #include "net/cert/cert_verifier.h"
  15 #include "net/cert/cert_verify_result.h"
  16 #include "net/cert/crl_set.h"
  17 #include "net/cert/x509_certificate.h"
  18
  19 #if defined(USE_NSS) || defined(OS_IOS)
  20 #include "net/cert/cert_verify_proc_nss.h"
  21 #elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
  22 #include "net/cert/cert_verify_proc_openssl.h"
  23 #elif defined(OS_ANDROID)
  24 #include "net/cert/cert_verify_proc_android.h"
  25 #elif defined(OS_MACOSX)
  26 #include "net/cert/cert_verify_proc_mac.h"
  27 #elif defined(OS_WIN)
  28 #include "net/cert/cert_verify_proc_win.h"
  29 #else
  30 #error Implement certificate verification.
  31 #endif
  32
  33
  34 namespace net {
  35
  36 namespace {
  37
  38 // Constants used to build histogram names
  39 const char kLeafCert[] = "Leaf";
  40 const char kIntermediateCert[] = "Intermediate";
  41 const char kRootCert[] = "Root";
  42 // Matches the order of X509Certificate::PublicKeyType
  43 const char* const kCertTypeStrings[] = {
  44     "Unknown",
  45     "RSA",
  46     "DSA",
  47     "ECDSA",
  48     "DH",
  49     "ECDH"
  50 };
  51 // Histogram buckets for RSA/DSA/DH key sizes.
  52 const int kRsaDsaKeySizes[] = {512, 768, 1024, 1536, 2048, 3072, 4096, 8192,
  53                                16384};
  54 // Histogram buckets for ECDSA/ECDH key sizes. The list is based upon the FIPS
  55 // 186-4 approved curves.
  56 const int kEccKeySizes[] = {163, 192, 224, 233, 256, 283, 384, 409, 521, 571};
  57
  58 const char* CertTypeToString(int cert_type) {
  59   if (cert_type < 0 ||
  60       static_cast<size_t>(cert_type) >= arraysize(kCertTypeStrings)) {
  61     return "Unsupported";
  62   }
  63   return kCertTypeStrings[cert_type];
  64 }
  65
  66 void RecordPublicKeyHistogram(const char* chain_position,
  67                               bool baseline_keysize_applies,
  68                               size_t size_bits,
  69                               X509Certificate::PublicKeyType cert_type) {
  70   std::string histogram_name =
  71       base::StringPrintf("CertificateType2.%s.%s.%s",
  72                          baseline_keysize_applies ? "BR" : "NonBR",
  73                          chain_position,
  74                          CertTypeToString(cert_type));
  75   // Do not use UMA_HISTOGRAM_... macros here, as it caches the Histogram
  76   // instance and thus only works if |histogram_name| is constant.
  77   base::HistogramBase* counter = NULL;
  78
  79   // Histogram buckets are contingent upon the underlying algorithm being used.
  80   if (cert_type == X509Certificate::kPublicKeyTypeECDH ||
  81       cert_type == X509Certificate::kPublicKeyTypeECDSA) {
  82     // Typical key sizes match SECP/FIPS 186-3 recommendations for prime and
  83     // binary curves - which range from 163 bits to 571 bits.
  84     counter = base::CustomHistogram::FactoryGet(
  85         histogram_name,
  86         base::CustomHistogram::ArrayToCustomRanges(kEccKeySizes,
  87                                                    arraysize(kEccKeySizes)),
  88         base::HistogramBase::kUmaTargetedHistogramFlag);
  89   } else {
  90     // Key sizes < 1024 bits should cause errors, while key sizes > 16K are not
  91     // uniformly supported by the underlying cryptographic libraries.
  92     counter = base::CustomHistogram::FactoryGet(
  93         histogram_name,
  94         base::CustomHistogram::ArrayToCustomRanges(kRsaDsaKeySizes,
  95                                                    arraysize(kRsaDsaKeySizes)),
  96         base::HistogramBase::kUmaTargetedHistogramFlag);
  97   }
  98   counter->Add(size_bits);
  99 }
 100
 101 // Returns true if |type| is |kPublicKeyTypeRSA| or |kPublicKeyTypeDSA|, and
 102 // if |size_bits| is < 1024. Note that this means there may be false
 103 // negatives: keys for other algorithms and which are weak will pass this
 104 // test.
 105 bool IsWeakKey(X509Certificate::PublicKeyType type, size_t size_bits) {
 106   switch (type) {
 107     case X509Certificate::kPublicKeyTypeRSA:
 108     case X509Certificate::kPublicKeyTypeDSA:
 109       return size_bits < 1024;
 110     default:
 111       return false;
 112   }
 113 }
 114
 115 // Returns true if |cert| contains a known-weak key. Additionally, histograms
 116 // the observed keys for future tightening of the definition of what
 117 // constitutes a weak key.
 118 bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
 119                        bool should_histogram) {
 120   // The effective date of the CA/Browser Forum's Baseline Requirements -
 121   // 2012-07-01 00:00:00 UTC.
 122   const base::Time kBaselineEffectiveDate =
 123       base::Time::FromInternalValue(GG_INT64_C(12985574400000000));
 124   // The effective date of the key size requirements from Appendix A, v1.1.5
 125   // 2014-01-01 00:00:00 UTC.
 126   const base::Time kBaselineKeysizeEffectiveDate =
 127       base::Time::FromInternalValue(GG_INT64_C(13033008000000000));
 128
 129   size_t size_bits = 0;
 130   X509Certificate::PublicKeyType type = X509Certificate::kPublicKeyTypeUnknown;
 131   bool weak_key = false;
 132   bool baseline_keysize_applies =
 133       cert->valid_start() >= kBaselineEffectiveDate &&
 134       cert->valid_expiry() >= kBaselineKeysizeEffectiveDate;
 135
 136   X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(), &size_bits, &type);
 137   if (should_histogram) {
 138     RecordPublicKeyHistogram(kLeafCert, baseline_keysize_applies, size_bits,
 139                              type);
 140   }
 141   if (IsWeakKey(type, size_bits))
 142     weak_key = true;
 143
 144   const X509Certificate::OSCertHandles& intermediates =
 145       cert->GetIntermediateCertificates();
 146   for (size_t i = 0; i < intermediates.size(); ++i) {
 147     X509Certificate::GetPublicKeyInfo(intermediates[i], &size_bits, &type);
 148     if (should_histogram) {
 149       RecordPublicKeyHistogram(
 150           (i < intermediates.size() - 1) ? kIntermediateCert : kRootCert,
 151           baseline_keysize_applies,
 152           size_bits,
 153           type);
 154     }
 155     if (!weak_key && IsWeakKey(type, size_bits))
 156       weak_key = true;
 157   }
 158
 159   return weak_key;
 160 }
 161
 162 }  // namespace
 163
 164 // static
 165 CertVerifyProc* CertVerifyProc::CreateDefault() {
 166 #if defined(USE_NSS) || defined(OS_IOS)
 167   return new CertVerifyProcNSS();
 168 #elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
 169   return new CertVerifyProcOpenSSL();
 170 #elif defined(OS_ANDROID)
 171   return new CertVerifyProcAndroid();
 172 #elif defined(OS_MACOSX)
 173   return new CertVerifyProcMac();
 174 #elif defined(OS_WIN)
 175   return new CertVerifyProcWin();
 176 #else
 177   return NULL;
 178 #endif
 179 }
 180
 181 CertVerifyProc::CertVerifyProc() {}
 182
 183 CertVerifyProc::~CertVerifyProc() {}
 184
 185 int CertVerifyProc::Verify(X509Certificate* cert,
 186                            const std::string& hostname,
 187                            int flags,
 188                            CRLSet* crl_set,
 189                            const CertificateList& additional_trust_anchors,
 190                            CertVerifyResult* verify_result) {
 191   verify_result->Reset();
 192   verify_result->verified_cert = cert;
 193
 194   if (IsBlacklisted(cert)) {
 195     verify_result->cert_status |= CERT_STATUS_REVOKED;
 196     return ERR_CERT_REVOKED;
 197   }
 198
 199   // We do online revocation checking for EV certificates that aren't covered
 200   // by a fresh CRLSet.
 201   // TODO(rsleevi): http://crbug.com/142974 - Allow preferences to fully
 202   // disable revocation checking.
 203   if (flags & CertVerifier::VERIFY_EV_CERT)
 204     flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED_EV_ONLY;
 205
 206   int rv = VerifyInternal(cert, hostname, flags, crl_set,
 207                           additional_trust_anchors, verify_result);
 208
 209   UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",
 210                         verify_result->common_name_fallback_used);
 211   if (!verify_result->is_issued_by_known_root) {
 212     UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",
 213                           verify_result->common_name_fallback_used);
 214   }
 215
 216   // This check is done after VerifyInternal so that VerifyInternal can fill
 217   // in the list of public key hashes.
 218   if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
 219     verify_result->cert_status |= CERT_STATUS_REVOKED;
 220     rv = MapCertStatusToNetError(verify_result->cert_status);
 221   }
 222
 223   // Check for weak keys in the entire verified chain.
 224   bool weak_key = ExaminePublicKeys(verify_result->verified_cert,
 225                                     verify_result->is_issued_by_known_root);
 226
 227   if (weak_key) {
 228     verify_result->cert_status |= CERT_STATUS_WEAK_KEY;
 229     // Avoid replacing a more serious error, such as an OS/library failure,
 230     // by ensuring that if verification failed, it failed with a certificate
 231     // error.
 232     if (rv == OK || IsCertificateError(rv))
 233       rv = MapCertStatusToNetError(verify_result->cert_status);
 234   }
 235
 236   // Treat certificates signed using broken signature algorithms as invalid.
 237   if (verify_result->has_md2 || verify_result->has_md4) {
 238     verify_result->cert_status |= CERT_STATUS_INVALID;
 239     rv = MapCertStatusToNetError(verify_result->cert_status);
 240   }
 241
 242   // Flag certificates using weak signature algorithms.
 243   if (verify_result->has_md5) {
 244     verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
 245     // Avoid replacing a more serious error, such as an OS/library failure,
 246     // by ensuring that if verification failed, it failed with a certificate
 247     // error.
 248     if (rv == OK || IsCertificateError(rv))
 249       rv = MapCertStatusToNetError(verify_result->cert_status);
 250   }
 251
 252 #if !defined(OS_ANDROID)
 253   // Flag certificates from publicly-trusted CAs that are issued to intranet
 254   // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
 255   // these to be issued until 1 November 2015, they represent a real risk for
 256   // the deployment of gTLDs and are being phased out ahead of the hard
 257   // deadline.
 258   //
 259   // TODO(ppi): is_issued_by_known_root is incorrect on Android. Once this is
 260   // fixed, re-enable this check for Android. crbug.com/116838
 261   if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {
 262     verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME;
 263   }
 264 #endif
 265
 266   return rv;
 267 }
 268
 269 // static
 270 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) {
 271   static const unsigned kComodoSerialBytes = 16;
 272   static const uint8 kComodoSerials[][kComodoSerialBytes] = {
 273     // Not a real certificate. For testing only.
 274     {0x07,0x7a,0x59,0xbc,0xd5,0x34,0x59,0x60,0x1c,0xa6,0x90,0x72,0x67,0xa6,0xdd,0x1c},
 275
 276     // The next nine certificates all expire on Fri Mar 14 23:59:59 2014.
 277     // Some serial numbers actually have a leading 0x00 byte required to
 278     // encode a positive integer in DER if the most significant bit is 0.
 279     // We omit the leading 0x00 bytes to make all serial numbers 16 bytes.
 280
 281     // Subject: CN=mail.google.com
 282     // subjectAltName dNSName: mail.google.com, www.mail.google.com
 283     {0x04,0x7e,0xcb,0xe9,0xfc,0xa5,0x5f,0x7b,0xd0,0x9e,0xae,0x36,0xe1,0x0c,0xae,0x1e},
 284     // Subject: CN=global trustee
 285     // subjectAltName dNSName: global trustee
 286     // Note: not a CA certificate.
 287     {0xd8,0xf3,0x5f,0x4e,0xb7,0x87,0x2b,0x2d,0xab,0x06,0x92,0xe3,0x15,0x38,0x2f,0xb0},
 288     // Subject: CN=login.live.com
 289     // subjectAltName dNSName: login.live.com, www.login.live.com
 290     {0xb0,0xb7,0x13,0x3e,0xd0,0x96,0xf9,0xb5,0x6f,0xae,0x91,0xc8,0x74,0xbd,0x3a,0xc0},
 291     // Subject: CN=addons.mozilla.org
 292     // subjectAltName dNSName: addons.mozilla.org, www.addons.mozilla.org
 293     {0x92,0x39,0xd5,0x34,0x8f,0x40,0xd1,0x69,0x5a,0x74,0x54,0x70,0xe1,0xf2,0x3f,0x43},
 294     // Subject: CN=login.skype.com
 295     // subjectAltName dNSName: login.skype.com, www.login.skype.com
 296     {0xe9,0x02,0x8b,0x95,0x78,0xe4,0x15,0xdc,0x1a,0x71,0x0a,0x2b,0x88,0x15,0x44,0x47},
 297     // Subject: CN=login.yahoo.com
 298     // subjectAltName dNSName: login.yahoo.com, www.login.yahoo.com
 299     {0xd7,0x55,0x8f,0xda,0xf5,0xf1,0x10,0x5b,0xb2,0x13,0x28,0x2b,0x70,0x77,0x29,0xa3},
 300     // Subject: CN=www.google.com
 301     // subjectAltName dNSName: www.google.com, google.com
 302     {0xf5,0xc8,0x6a,0xf3,0x61,0x62,0xf1,0x3a,0x64,0xf5,0x4f,0x6d,0xc9,0x58,0x7c,0x06},
 303     // Subject: CN=login.yahoo.com
 304     // subjectAltName dNSName: login.yahoo.com
 305     {0x39,0x2a,0x43,0x4f,0x0e,0x07,0xdf,0x1f,0x8a,0xa3,0x05,0xde,0x34,0xe0,0xc2,0x29},
 306     // Subject: CN=login.yahoo.com
 307     // subjectAltName dNSName: login.yahoo.com
 308     {0x3e,0x75,0xce,0xd4,0x6b,0x69,0x30,0x21,0x21,0x88,0x30,0xae,0x86,0xa8,0x2a,0x71},
 309   };
 310
 311   const std::string& serial_number = cert->serial_number();
 312   if (!serial_number.empty() && (serial_number[0] & 0x80) != 0) {
 313     // This is a negative serial number, which isn't technically allowed but
 314     // which probably happens. In order to avoid confusing a negative serial
 315     // number with a positive one once the leading zeros have been removed, we
 316     // disregard it.
 317     return false;
 318   }
 319
 320   base::StringPiece serial(serial_number);
 321   // Remove leading zeros.
 322   while (serial.size() > 1 && serial[0] == 0)
 323     serial.remove_prefix(1);
 324
 325   if (serial.size() == kComodoSerialBytes) {
 326     for (unsigned i = 0; i < arraysize(kComodoSerials); i++) {
 327       if (memcmp(kComodoSerials[i], serial.data(), kComodoSerialBytes) == 0) {
 328         UMA_HISTOGRAM_ENUMERATION("Net.SSLCertBlacklisted", i,
 329                                   arraysize(kComodoSerials) + 1);
 330         return true;
 331       }
 332     }
 333   }
 334
 335   return false;
 336 }
 337
 338 // static
 339 // NOTE: This implementation assumes and enforces that the hashes are SHA1.
 340 bool CertVerifyProc::IsPublicKeyBlacklisted(
 341     const HashValueVector& public_key_hashes) {
 342   static const unsigned kNumHashes = 10;
 343   static const uint8 kHashes[kNumHashes][base::kSHA1Length] = {
 344     // Subject: CN=DigiNotar Root CA
 345     // Issuer: CN=Entrust.net x2 and self-signed
 346     {0x41, 0x0f, 0x36, 0x36, 0x32, 0x58, 0xf3, 0x0b, 0x34, 0x7d,
 347      0x12, 0xce, 0x48, 0x63, 0xe4, 0x33, 0x43, 0x78, 0x06, 0xa8},
 348     // Subject: CN=DigiNotar Cyber CA
 349     // Issuer: CN=GTE CyberTrust Global Root
 350     {0xc4, 0xf9, 0x66, 0x37, 0x16, 0xcd, 0x5e, 0x71, 0xd6, 0x95,
 351      0x0b, 0x5f, 0x33, 0xce, 0x04, 0x1c, 0x95, 0xb4, 0x35, 0xd1},
 352     // Subject: CN=DigiNotar Services 1024 CA
 353     // Issuer: CN=Entrust.net
 354     {0xe2, 0x3b, 0x8d, 0x10, 0x5f, 0x87, 0x71, 0x0a, 0x68, 0xd9,
 355      0x24, 0x80, 0x50, 0xeb, 0xef, 0xc6, 0x27, 0xbe, 0x4c, 0xa6},
 356     // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2
 357     // Issuer: CN=Staat der Nederlanden Organisatie CA - G2
 358     {0x7b, 0x2e, 0x16, 0xbc, 0x39, 0xbc, 0xd7, 0x2b, 0x45, 0x6e,
 359      0x9f, 0x05, 0x5d, 0x1d, 0xe6, 0x15, 0xb7, 0x49, 0x45, 0xdb},
 360     // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
 361     // Issuer: CN=Staat der Nederlanden Overheid CA
 362     {0xe8, 0xf9, 0x12, 0x00, 0xc6, 0x5c, 0xee, 0x16, 0xe0, 0x39,
 363      0xb9, 0xf8, 0x83, 0x84, 0x16, 0x61, 0x63, 0x5f, 0x81, 0xc5},
 364     // Subject: O=Digicert Sdn. Bhd.
 365     // Issuer: CN=GTE CyberTrust Global Root
 366     // Expires: Jul 17 15:16:54 2012 GMT
 367     {0x01, 0x29, 0xbc, 0xd5, 0xb4, 0x48, 0xae, 0x8d, 0x24, 0x96,
 368      0xd1, 0xc3, 0xe1, 0x97, 0x23, 0x91, 0x90, 0x88, 0xe1, 0x52},
 369     // Subject: O=Digicert Sdn. Bhd.
 370     // Issuer: CN=Entrust.net Certification Authority (2048)
 371     // Expires: Jul 16 17:53:37 2015 GMT
 372     {0xd3, 0x3c, 0x5b, 0x41, 0xe4, 0x5c, 0xc4, 0xb3, 0xbe, 0x9a,
 373      0xd6, 0x95, 0x2c, 0x4e, 0xcc, 0x25, 0x28, 0x03, 0x29, 0x81},
 374     // Issuer: CN=Trustwave Organization Issuing CA, Level 2
 375     // Covers two certificates, the latter of which expires Apr 15 21:09:30
 376     // 2021 GMT.
 377     {0xe1, 0x2d, 0x89, 0xf5, 0x6d, 0x22, 0x76, 0xf8, 0x30, 0xe6,
 378      0xce, 0xaf, 0xa6, 0x6c, 0x72, 0x5c, 0x0b, 0x41, 0xa9, 0x32},
 379     // Cyberoam CA certificate. Private key leaked, but this certificate would
 380     // only have been installed by Cyberoam customers. The certificate expires
 381     // in 2036, but we can probably remove in a couple of years (2014).
 382     {0xd9, 0xf5, 0xc6, 0xce, 0x57, 0xff, 0xaa, 0x39, 0xcc, 0x7e,
 383      0xd1, 0x72, 0xbd, 0x53, 0xe0, 0xd3, 0x07, 0x83, 0x4b, 0xd1},
 384     // Win32/Sirefef.gen!C generates fake certificates with this public key.
 385     {0xa4, 0xf5, 0x6e, 0x9e, 0x1d, 0x9a, 0x3b, 0x7b, 0x1a, 0xc3,
 386      0x31, 0xcf, 0x64, 0xfc, 0x76, 0x2c, 0xd0, 0x51, 0xfb, 0xa4},
 387   };
 388
 389   for (unsigned i = 0; i < kNumHashes; i++) {
 390     for (HashValueVector::const_iterator j = public_key_hashes.begin();
 391          j != public_key_hashes.end(); ++j) {
 392       if (j->tag == HASH_VALUE_SHA1 &&
 393           memcmp(j->data(), kHashes[i], base::kSHA1Length) == 0) {
 394         return true;
 395       }
 396     }
 397   }
 398
 399   return false;
 400 }
 401
 402 }  // namespace net