gecko-dev/security/ct/MultiLogCTVerifier.cpp

183 строки
5.8 KiB
C++

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "MultiLogCTVerifier.h"
#include "CTObjectsExtractor.h"
#include "CTSerialization.h"
namespace mozilla {
namespace ct {
using namespace mozilla::pkix;
// Note: this moves |verifiedSct| to the target list in |result|.
static void StoreVerifiedSct(CTVerifyResult& result, VerifiedSCT&& verifiedSct,
VerifiedSCT::Status status) {
verifiedSct.status = status;
result.verifiedScts.push_back(std::move(verifiedSct));
}
void MultiLogCTVerifier::AddLog(CTLogVerifier&& log) {
mLogs.push_back(std::move(log));
}
Result MultiLogCTVerifier::Verify(Input cert, Input issuerSubjectPublicKeyInfo,
Input sctListFromCert,
Input sctListFromOCSPResponse,
Input sctListFromTLSExtension, Time time,
CTVerifyResult& result) {
assert(cert.GetLength() > 0);
result.Reset();
Result rv;
// Verify embedded SCTs
if (issuerSubjectPublicKeyInfo.GetLength() > 0 &&
sctListFromCert.GetLength() > 0) {
LogEntry precertEntry;
rv = GetPrecertLogEntry(cert, issuerSubjectPublicKeyInfo, precertEntry);
if (rv != Success) {
return rv;
}
rv = VerifySCTs(sctListFromCert, precertEntry,
VerifiedSCT::Origin::Embedded, time, result);
if (rv != Success) {
return rv;
}
}
LogEntry x509Entry;
GetX509LogEntry(cert, x509Entry);
// Verify SCTs from a stapled OCSP response
if (sctListFromOCSPResponse.GetLength() > 0) {
rv = VerifySCTs(sctListFromOCSPResponse, x509Entry,
VerifiedSCT::Origin::OCSPResponse, time, result);
if (rv != Success) {
return rv;
}
}
// Verify SCTs from a TLS extension
if (sctListFromTLSExtension.GetLength() > 0) {
rv = VerifySCTs(sctListFromTLSExtension, x509Entry,
VerifiedSCT::Origin::TLSExtension, time, result);
if (rv != Success) {
return rv;
}
}
return Success;
}
Result MultiLogCTVerifier::VerifySCTs(Input encodedSctList,
const LogEntry& expectedEntry,
VerifiedSCT::Origin origin, Time time,
CTVerifyResult& result) {
Reader listReader;
Result rv = DecodeSCTList(encodedSctList, listReader);
if (rv != Success) {
result.decodingErrors++;
return Success;
}
while (!listReader.AtEnd()) {
Input encodedSct;
rv = ReadSCTListItem(listReader, encodedSct);
if (rv != Success) {
result.decodingErrors++;
return Success;
}
Reader encodedSctReader(encodedSct);
SignedCertificateTimestamp sct;
rv = DecodeSignedCertificateTimestamp(encodedSctReader, sct);
if (rv != Success) {
result.decodingErrors++;
continue;
}
rv = VerifySingleSCT(std::move(sct), expectedEntry, origin, time, result);
if (rv != Success) {
return rv;
}
}
return Success;
}
Result MultiLogCTVerifier::VerifySingleSCT(SignedCertificateTimestamp&& sct,
const LogEntry& expectedEntry,
VerifiedSCT::Origin origin,
Time time, CTVerifyResult& result) {
VerifiedSCT verifiedSct;
verifiedSct.origin = origin;
verifiedSct.sct = std::move(sct);
CTLogVerifier* matchingLog = nullptr;
for (auto& log : mLogs) {
if (log.keyId() == verifiedSct.sct.logId) {
matchingLog = &log;
break;
}
}
if (!matchingLog) {
// SCT does not match any known log.
StoreVerifiedSct(result, std::move(verifiedSct),
VerifiedSCT::Status::UnknownLog);
return Success;
}
verifiedSct.logOperatorId = matchingLog->operatorId();
if (!matchingLog->SignatureParametersMatch(verifiedSct.sct.signature)) {
// SCT signature parameters do not match the log's.
StoreVerifiedSct(result, std::move(verifiedSct),
VerifiedSCT::Status::InvalidSignature);
return Success;
}
Result rv = matchingLog->Verify(expectedEntry, verifiedSct.sct);
if (rv != Success) {
if (rv == Result::ERROR_BAD_SIGNATURE) {
StoreVerifiedSct(result, std::move(verifiedSct),
VerifiedSCT::Status::InvalidSignature);
return Success;
}
return rv;
}
// Make sure the timestamp is legitimate (not in the future).
// SCT's |timestamp| is measured in milliseconds since the epoch,
// ignoring leap seconds. When converting it to a second-level precision
// pkix::Time, we need to round it either up or down. In our case, rounding up
// (towards the future) is more "secure", although practically
// it does not matter.
Time sctTime =
TimeFromEpochInSeconds((verifiedSct.sct.timestamp + 999u) / 1000u);
if (sctTime > time) {
StoreVerifiedSct(result, std::move(verifiedSct),
VerifiedSCT::Status::InvalidTimestamp);
return Success;
}
// SCT verified ok, see if the log is qualified. Since SCTs from
// disqualified logs are treated as valid under certain circumstances (see
// the CT Policy), the log qualification check must be the last one we do.
if (matchingLog->isDisqualified()) {
verifiedSct.logDisqualificationTime = matchingLog->disqualificationTime();
StoreVerifiedSct(result, std::move(verifiedSct),
VerifiedSCT::Status::ValidFromDisqualifiedLog);
return Success;
}
StoreVerifiedSct(result, std::move(verifiedSct), VerifiedSCT::Status::Valid);
return Success;
}
} // namespace ct
} // namespace mozilla