// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/update_client/client_update_protocol_ecdsa.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/scoped_ptr.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_piece.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "crypto/random.h"
#include "crypto/sha2.h"
#include "crypto/signature_verifier.h"
namespace update_client {
namespace {
// This is the algorithm ID for ECDSA with SHA-256. Parameters are ABSENT.
// RFC 5758:
// ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
// us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
// ...
// When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
// ecdsa-with-SHA512 algorithm identifier appears in the algorithm field
// as an AlgorithmIdentifier, the encoding MUST omit the parameters
// field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one
// component, the OID ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-
// SHA384, or ecdsa-with-SHA512.
// See also RFC 5480, Appendix A.
// DER encoding of the AlgorithmIdentifier for ecdsa-with-SHA256, laid out one
// TLV element per line. The parameters field is absent, so the SEQUENCE holds
// only the OID.
static const uint8_t kECDSAWithSHA256AlgorithmID[] = {
    // SEQUENCE, 10 bytes of content.
    0x30, 0x0a,
    // OBJECT IDENTIFIER, 8 bytes of content.
    0x06, 0x08,
    // 1.2.840.10045.4.3.2 (ecdsa-with-SHA256).
    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
};
// Returns the SHA-256 digest of |str| as a vector of crypto::kSHA256Length
// bytes.
std::vector<uint8_t> SHA256HashStr(const base::StringPiece& str) {
  std::vector<uint8_t> digest(crypto::kSHA256Length);
  crypto::SHA256HashString(str, digest.data(), digest.size());
  return digest;
}
// Returns the SHA-256 digest of the bytes held in |vec|.
std::vector<uint8_t> SHA256HashVec(const std::vector<uint8_t>& vec) {
  // An empty vector has no first element to take the address of, so it is
  // hashed as an empty StringPiece instead.
  const base::StringPiece bytes =
      vec.empty() ? base::StringPiece()
                  : base::StringPiece(
                        reinterpret_cast<const char*>(&vec.front()),
                        vec.size());
  return SHA256HashStr(bytes);
}
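// Splits a server-supplied ETag value into the ECDSA signature and the request
// hash that the server reports having observed.
//
// The ETag value is a UTF-8 string, formatted as "S:H", where:
// * S is the ECDSA signature in DER-encoded ASN.1 form, converted to hex.
// * H is the SHA-256 hash of the observed request body, standard hex format.
// A Weak ETag is formatted as W/"S:H". This function treats it the same as a
// strong ETag.
//
// Returns true and fills both out-parameters only when the whole header
// parses. On any failure it returns false and leaves |ecdsa_signature_out| and
// |request_hash_out| untouched, so a caller never sees partially decoded,
// attacker-controlled bytes. Nothing is verified here: the header is untrusted
// input and the caller still has to check the signature.
bool ParseETagHeader(const base::StringPiece& etag_header_value_in,
                     std::vector<uint8_t>* ecdsa_signature_out,
                     std::vector<uint8_t>* request_hash_out) {
  DCHECK(ecdsa_signature_out);
  DCHECK(request_hash_out);

  base::StringPiece etag_header_value(etag_header_value_in);

  // Remove the weak prefix, then remove the begin and the end quotes.
  const char kWeakETagPrefix[] = "W/";
  if (etag_header_value.starts_with(kWeakETagPrefix))
    etag_header_value.remove_prefix(arraysize(kWeakETagPrefix) - 1);
  if (etag_header_value.size() >= 2 && etag_header_value.starts_with("\"") &&
      etag_header_value.ends_with("\"")) {
    etag_header_value.remove_prefix(1);
    etag_header_value.remove_suffix(1);
  }

  // Both halves must be non-empty, so the delimiter can be neither the first
  // nor the last character.
  const base::StringPiece::size_type delim_pos = etag_header_value.find(':');
  if (delim_pos == base::StringPiece::npos || delim_pos == 0 ||
      delim_pos == etag_header_value.size() - 1)
    return false;

  const base::StringPiece sig_hex = etag_header_value.substr(0, delim_pos);
  const base::StringPiece hash_hex = etag_header_value.substr(delim_pos + 1);

  // Decode into locals first. base::HexStringToBytes() writes the bytes it
  // managed to parse into its output even when it fails, so decoding straight
  // into the out-parameters would leave them half-filled on a bad header.
  //
  // Don't bother validating the contents of the signature; the
  // crypto::SignatureVerifier class will handle the actual DER decoding and
  // ASN.1 parsing. Check for an expected size range only -- valid ECDSA
  // signatures are between 8 and 72 bytes.
  // NOTE(review): the 72-byte ceiling presumably assumes a P-256 key; confirm
  // if other curves are ever configured.
  std::vector<uint8_t> signature;
  if (!base::HexStringToBytes(sig_hex.as_string(), &signature))
    return false;
  if (signature.size() < 8 || signature.size() > 72)
    return false;

  // Decode the SHA-256 hash; it should be exactly 32 bytes, no more or less.
  std::vector<uint8_t> request_hash;
  if (!base::HexStringToBytes(hash_hex.as_string(), &request_hash))
    return false;
  if (request_hash.size() != crypto::kSHA256Length)
    return false;

  // Everything parsed: publish the results, replacing any previous contents.
  ecdsa_signature_out->swap(signature);
  request_hash_out->swap(request_hash);
  return true;
}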
} // namespace
// Stores the key version and takes a private copy of the public key bytes, so
// the object does not depend on the lifetime of the caller's buffer.
ClientUpdateProtocolEcdsa::ClientUpdateProtocolEcdsa(
    int key_version,
    const base::StringPiece& public_key)
    : pub_key_version_(key_version),
      public_key_(public_key.data(), public_key.data() + public_key.size()) {
}
// Nothing to release by hand; the members clean up after themselves.
ClientUpdateProtocolEcdsa::~ClientUpdateProtocolEcdsa() = default;
// Factory for a protocol instance bound to one server public key.
//
// |key_version| must be positive and |public_key| must be non-empty. Both are
// enforced with DCHECKs only, which are normally compiled out of release
// builds, so callers are responsible for passing valid values.
scoped_ptr<ClientUpdateProtocolEcdsa> ClientUpdateProtocolEcdsa::Create(
    int key_version,
    const base::StringPiece& public_key) {
  DCHECK_GT(key_version, 0);
  DCHECK(!public_key.empty());

  return scoped_ptr<ClientUpdateProtocolEcdsa>(
      new ClientUpdateProtocolEcdsa(key_version, public_key));
}
// Prepares a request for sending: picks a fresh nonce, remembers the cup2key
// string and the SHA-256 hash of |request_body| for ValidateResponse(), and
// writes the query string to attach to the request into |query_params|.
void ClientUpdateProtocolEcdsa::SignRequest(
    const base::StringPiece& request_body,
    std::string* query_params) {
  DCHECK(!request_body.empty());
  DCHECK(query_params);

  // The nonce gives each request its own cup2key value, which is what makes a
  // response recorded for an earlier request fail validation. It is drawn
  // from crypto::RandBytes() and is 32 bits wide.
  uint32_t nonce = 0;
  crypto::RandBytes(&nonce, sizeof(nonce));

  // State kept for ValidateResponse(): "<key version>:<nonce>" and the hash of
  // the body exactly as it is about to be sent.
  request_query_cup2key_ = base::StringPrintf("%d:%u", pub_key_version_, nonce);
  request_hash_ = SHA256HashStr(request_body);

  // The hash goes on the wire as lowercase hex.
  const std::string request_hash_hex = base::ToLowerASCII(
      base::HexEncode(&request_hash_.front(), request_hash_.size()));

  // Return the query string for the user to send with the request.
  *query_params = base::StringPrintf("cup2key=%s&cup2hreq=%s",
                                     request_query_cup2key_.c_str(),
                                     request_hash_hex.c_str());
}
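// Checks that |response_body| was signed by the holder of the private key that
// matches |public_key_|, for the request prepared by the last SignRequest().
//
// |server_etag| is the ETag header value from the response, carrying the
// signature and the request hash the server observed. Both arguments are
// untrusted network input.
//
// Returns true only if the ETag parses, the observed request hash matches the
// one recorded by SignRequest(), and the ECDSA signature verifies. Every other
// outcome, including a call made before SignRequest(), returns false.
bool ClientUpdateProtocolEcdsa::ValidateResponse(
    const base::StringPiece& response_body,
    const base::StringPiece& server_etag) {
  DCHECK(!request_hash_.empty());
  DCHECK(!request_query_cup2key_.empty());

  // DCHECKs are normally compiled out of release builds, so repeat the
  // preconditions as real checks and fail closed. Without them, a call made
  // before SignRequest() would let the comparison below read 32 bytes out of
  // an empty |request_hash_|, and an empty |public_key_| would make
  // &public_key_.front() undefined.
  if (request_hash_.size() != crypto::kSHA256Length ||
      request_query_cup2key_.empty() || public_key_.empty())
    return false;

  if (response_body.empty() || server_etag.empty())
    return false;

  // Break the ETag into its two components (the ECDSA signature, and the
  // hash of the request that the server observed) and decode to byte buffers.
  std::vector<uint8_t> signature;
  std::vector<uint8_t> observed_request_hash;
  if (!ParseETagHeader(server_etag, &signature, &observed_request_hash))
    return false;

  // Check that the server's observed request hash is equal to the original
  // request hash. (This is a quick rejection test; the signature test is
  // authoritative, but slower.) Neither value is secret -- the request hash
  // is sent in the clear as cup2hreq -- so an ordinary comparison is enough.
  if (observed_request_hash.size() != crypto::kSHA256Length)
    return false;
  if (!std::equal(observed_request_hash.begin(), observed_request_hash.end(),
                  request_hash_.begin()))
    return false;

  // Next, build the buffer that the server will have signed on its end:
  //   hash( hash(request) | hash(response) | cup2key_query_string )
  // When building the client's version of the buffer, it's important to use
  // the original request hash that it attempted to send, and not the observed
  // request hash that the server sent back to us.
  const std::vector<uint8_t> response_hash = SHA256HashStr(response_body);

  std::vector<uint8_t> signed_message;
  signed_message.insert(signed_message.end(), request_hash_.begin(),
                        request_hash_.end());
  signed_message.insert(signed_message.end(), response_hash.begin(),
                        response_hash.end());
  signed_message.insert(signed_message.end(), request_query_cup2key_.begin(),
                        request_query_cup2key_.end());

  const std::vector<uint8_t> signed_message_hash =
      SHA256HashVec(signed_message);

  // Initialize the signature verifier. |signature| is non-empty here because
  // ParseETagHeader() only succeeds for 8 to 72 bytes.
  crypto::SignatureVerifier verifier;
  if (!verifier.VerifyInit(
          kECDSAWithSHA256AlgorithmID, sizeof(kECDSAWithSHA256AlgorithmID),
          &signature.front(), static_cast<int>(signature.size()),
          &public_key_.front(), static_cast<int>(public_key_.size()))) {
    DVLOG(1) << "Couldn't init SignatureVerifier.";
    return false;
  }

  // If the verification fails, that implies one of two outcomes:
  // * The signature was modified
  // * The buffer that the server signed does not match the buffer that the
  //   client assembled -- implying that either request body or response body
  //   was modified, or a different nonce value was used.
  verifier.VerifyUpdate(&signed_message_hash.front(),
                        static_cast<int>(signed_message_hash.size()));
  return verifier.VerifyFinal();
}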
} // namespace update_client