|  | // Copyright 2013 The Chromium Authors. All rights reserved. | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | #include "net/cert/ct_serialization.h" | 
|  |  | 
|  | #include <stdint.h> | 
|  |  | 
|  | #include <algorithm> | 
|  | #include <limits> | 
|  |  | 
|  | #include "base/logging.h" | 
|  | #include "base/numerics/safe_math.h" | 
|  | #include "crypto/sha2.h" | 
|  | #include "net/cert/merkle_tree_leaf.h" | 
|  | #include "net/cert/signed_certificate_timestamp.h" | 
|  | #include "net/cert/signed_tree_head.h" | 
|  |  | 
|  | namespace net { | 
|  |  | 
|  | namespace ct { | 
|  |  | 
|  | namespace { | 
|  |  | 
|  | // Note: length is always specified in bytes. | 
|  | // CT protocol version length | 
|  | const size_t kVersionLength = 1; | 
|  |  | 
|  | // Common V1 struct members | 
|  | const size_t kTimestampLength = 8; | 
|  | const size_t kSignedEntryTypeLength = 2; | 
|  | const size_t kAsn1CertificateLengthBytes = 3; | 
|  | const size_t kTbsCertificateLengthBytes = 3; | 
|  | const size_t kExtensionsLengthBytes = 2; | 
|  |  | 
|  | // Members of a V1 SCT | 
|  | const size_t kLogIdLength = crypto::kSHA256Length; | 
|  | const size_t kHashAlgorithmLength = 1; | 
|  | const size_t kSigAlgorithmLength = 1; | 
|  | const size_t kSignatureLengthBytes = 2; | 
|  |  | 
|  | // Members of the digitally-signed struct of a V1 SCT | 
|  | const size_t kSignatureTypeLength = 1; | 
|  |  | 
|  | const size_t kSCTListLengthBytes = 2; | 
|  | const size_t kSerializedSCTLengthBytes = 2; | 
|  |  | 
|  | // Members of digitally-signed struct of a STH | 
|  | const size_t kTreeSizeLength = 8; | 
|  |  | 
|  | // Members of a V1 MerkleTreeLeaf | 
|  | const size_t kMerkleLeafTypeLength = 1; | 
|  | const size_t kIssuerKeyHashLength = crypto::kSHA256Length; | 
|  |  | 
|  | enum SignatureType { | 
|  | SIGNATURE_TYPE_CERTIFICATE_TIMESTAMP = 0, | 
|  | TREE_HASH = 1, | 
|  | }; | 
|  |  | 
|  | // Reads a TLS-encoded variable length unsigned integer from |in|. | 
|  | // The integer is expected to be in big-endian order, which is used by TLS. | 
|  | // The bytes read from |in| are discarded (i.e. |in|'s prefix removed) | 
|  | // |length| indicates the size (in bytes) of the integer. On success, returns | 
|  | // true and stores the result in |*out|. | 
|  | template <typename T> | 
|  | bool ReadUint(size_t length, base::StringPiece* in, T* out) { | 
|  | if (in->size() < length) | 
|  | return false; | 
|  | DCHECK_NE(length, 0u); | 
|  | DCHECK_LE(length, sizeof(T)); | 
|  |  | 
|  | T result = static_cast<uint8_t>((*in)[0]); | 
|  | // This loop only executes if sizeof(T) > 1, because the first operation is | 
|  | // to shift left by 1 byte, which is undefined behaviour if T is a 1 byte | 
|  | // integer. | 
|  | for (size_t i = 1; i < length; ++i) { | 
|  | result = (result << 8) | static_cast<uint8_t>((*in)[i]); | 
|  | } | 
|  | in->remove_prefix(length); | 
|  | *out = result; | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Reads a TLS-encoded field length from |in|. | 
|  | // The bytes read from |in| are discarded (i.e. |in|'s prefix removed). | 
|  | // |prefix_length| indicates the bytes needed to represent the length (e.g. 3). | 
|  | // Max |prefix_length| is 8. | 
|  | // success, returns true and stores the result in |*out|. | 
|  | bool ReadLength(size_t prefix_length, base::StringPiece* in, size_t* out) { | 
|  | uint64_t length = 0; | 
|  | if (!ReadUint(prefix_length, in, &length)) | 
|  | return false; | 
|  | base::CheckedNumeric<size_t> checked_length = length; | 
|  | if (!checked_length.IsValid()) | 
|  | return false; | 
|  | *out = checked_length.ValueOrDie(); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Reads |length| bytes from |*in|. If |*in| is too small, returns false. | 
|  | // The bytes read from |in| are discarded (i.e. |in|'s prefix removed) | 
|  | bool ReadFixedBytes(size_t length, | 
|  | base::StringPiece* in, | 
|  | base::StringPiece* out) { | 
|  | if (in->length() < length) | 
|  | return false; | 
|  | out->set(in->data(), length); | 
|  | in->remove_prefix(length); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Reads a length-prefixed variable amount of bytes from |in|, updating |out| | 
|  | // on success. |prefix_length| indicates the number of bytes needed to represent | 
|  | // the length. | 
|  | // The bytes read from |in| are discarded (i.e. |in|'s prefix removed) | 
|  | bool ReadVariableBytes(size_t prefix_length, | 
|  | base::StringPiece* in, | 
|  | base::StringPiece* out) { | 
|  | size_t length = 0; | 
|  | if (!ReadLength(prefix_length, in, &length)) | 
|  | return false; | 
|  | return ReadFixedBytes(length, in, out); | 
|  | } | 
|  |  | 
|  | // Reads a variable-length list that has been TLS encoded. | 
|  | // The bytes read from |in| are discarded (i.e. |in|'s prefix removed) | 
|  | // |max_list_length| contains the overall length of the encoded list. | 
|  | // |max_item_length| contains the maximum length of a single item. | 
|  | // On success, returns true and updates |*out| with the encoded list. | 
|  | bool ReadList(size_t max_list_length, | 
|  | size_t max_item_length, | 
|  | base::StringPiece* in, | 
|  | std::vector<base::StringPiece>* out) { | 
|  | std::vector<base::StringPiece> result; | 
|  |  | 
|  | base::StringPiece list_data; | 
|  | if (!ReadVariableBytes(max_list_length, in, &list_data)) | 
|  | return false; | 
|  |  | 
|  | while (!list_data.empty()) { | 
|  | base::StringPiece list_item; | 
|  | if (!ReadVariableBytes(max_item_length, &list_data, &list_item)) { | 
|  | DVLOG(1) << "Failed to read item in list."; | 
|  | return false; | 
|  | } | 
|  | if (list_item.empty()) { | 
|  | DVLOG(1) << "Empty item in list"; | 
|  | return false; | 
|  | } | 
|  | result.push_back(list_item); | 
|  | } | 
|  |  | 
|  | result.swap(*out); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Checks and converts a hash algorithm. | 
|  | // |in| is the numeric representation of the algorithm. | 
|  | // If the hash algorithm value is in a set of known values, fills in |out| and | 
|  | // returns true. Otherwise, returns false. | 
|  | bool ConvertHashAlgorithm(unsigned in, DigitallySigned::HashAlgorithm* out) { | 
|  | switch (in) { | 
|  | case DigitallySigned::HASH_ALGO_NONE: | 
|  | case DigitallySigned::HASH_ALGO_MD5: | 
|  | case DigitallySigned::HASH_ALGO_SHA1: | 
|  | case DigitallySigned::HASH_ALGO_SHA224: | 
|  | case DigitallySigned::HASH_ALGO_SHA256: | 
|  | case DigitallySigned::HASH_ALGO_SHA384: | 
|  | case DigitallySigned::HASH_ALGO_SHA512: | 
|  | break; | 
|  | default: | 
|  | return false; | 
|  | } | 
|  | *out = static_cast<DigitallySigned::HashAlgorithm>(in); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Checks and converts a signing algorithm. | 
|  | // |in| is the numeric representation of the algorithm. | 
|  | // If the signing algorithm value is in a set of known values, fills in |out| | 
|  | // and returns true. Otherwise, returns false. | 
|  | bool ConvertSignatureAlgorithm( | 
|  | unsigned in, | 
|  | DigitallySigned::SignatureAlgorithm* out) { | 
|  | switch (in) { | 
|  | case DigitallySigned::SIG_ALGO_ANONYMOUS: | 
|  | case DigitallySigned::SIG_ALGO_RSA: | 
|  | case DigitallySigned::SIG_ALGO_DSA: | 
|  | case DigitallySigned::SIG_ALGO_ECDSA: | 
|  | break; | 
|  | default: | 
|  | return false; | 
|  | } | 
|  | *out = static_cast<DigitallySigned::SignatureAlgorithm>(in); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Writes a TLS-encoded variable length unsigned integer to |output|. | 
|  | // |length| indicates the size (in bytes) of the integer. This must be able to | 
|  | // accomodate |value|. | 
|  | // |value| the value itself to be written. | 
|  | void WriteUint(size_t length, uint64_t value, std::string* output) { | 
|  | // Check that |value| fits into |length| bytes. | 
|  | DCHECK(length >= sizeof(value) || value >> (length * 8) == 0); | 
|  |  | 
|  | for (; length > 0; --length) { | 
|  | output->push_back((value >> ((length - 1) * 8)) & 0xFF); | 
|  | } | 
|  | } | 
|  |  | 
|  | // Writes an array to |output| from |input|. | 
|  | // Should be used in one of two cases: | 
|  | // * The length of |input| has already been encoded into the |output| stream. | 
|  | // * The length of |input| is fixed and the reader is expected to specify that | 
|  | // length when reading. | 
|  | // If the length of |input| is dynamic and data is expected to follow it, | 
|  | // WriteVariableBytes must be used. | 
|  | // Returns the number of bytes written (the length of |input|). | 
|  | size_t WriteEncodedBytes(const base::StringPiece& input, std::string* output) { | 
|  | input.AppendToString(output); | 
|  | return input.size(); | 
|  | } | 
|  |  | 
|  | // Writes a variable-length array to |output|. | 
|  | // |prefix_length| indicates the number of bytes needed to represent the length. | 
|  | // |input| is the array itself. | 
|  | // If 1 <= |prefix_length| <= 8 and the size of |input| is less than | 
|  | // 2^|prefix_length| - 1, encode the length and data and return true. | 
|  | // Otherwise, return false. | 
|  | bool WriteVariableBytes(size_t prefix_length, | 
|  | const base::StringPiece& input, | 
|  | std::string* output) { | 
|  | DCHECK_GE(prefix_length, 1u); | 
|  | DCHECK_LE(prefix_length, 8u); | 
|  |  | 
|  | uint64_t input_size = input.size(); | 
|  | uint64_t max_input_size = (prefix_length == 8) | 
|  | ? UINT64_MAX | 
|  | : ((UINT64_C(1) << (prefix_length * 8)) - 1); | 
|  |  | 
|  | if (input_size > max_input_size) | 
|  | return false; | 
|  |  | 
|  | WriteUint(prefix_length, input_size, output); | 
|  | WriteEncodedBytes(input, output); | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | // Writes a SignedEntryData of type X.509 cert to |output|. | 
|  | // |input| is the SignedEntryData containing the certificate. | 
|  | // Returns true if the leaf_certificate in the SignedEntryData does not exceed | 
|  | // kMaxAsn1CertificateLength and so can be written to |output|. | 
|  | bool EncodeAsn1CertSignedEntry(const SignedEntryData& input, | 
|  | std::string* output) { | 
|  | return WriteVariableBytes(kAsn1CertificateLengthBytes, | 
|  | input.leaf_certificate, output); | 
|  | } | 
|  |  | 
|  | // Writes a SignedEntryData of type PreCertificate to |output|. | 
|  | // |input| is the SignedEntryData containing the TBSCertificate and issuer key | 
|  | // hash. Returns true if the TBSCertificate component in the SignedEntryData | 
|  | // does not exceed kMaxTbsCertificateLength and so can be written to |output|. | 
|  | bool EncodePrecertSignedEntry(const SignedEntryData& input, | 
|  | std::string* output) { | 
|  | WriteEncodedBytes( | 
|  | base::StringPiece( | 
|  | reinterpret_cast<const char*>(input.issuer_key_hash.data), | 
|  | kIssuerKeyHashLength), | 
|  | output); | 
|  | return WriteVariableBytes(kTbsCertificateLengthBytes, | 
|  | input.tbs_certificate, output); | 
|  | } | 
|  |  | 
|  | }  // namespace | 
|  |  | 
|  | bool EncodeDigitallySigned(const DigitallySigned& input, | 
|  | std::string* output) { | 
|  | WriteUint(kHashAlgorithmLength, input.hash_algorithm, output); | 
|  | WriteUint(kSigAlgorithmLength, input.signature_algorithm, | 
|  | output); | 
|  | return WriteVariableBytes(kSignatureLengthBytes, input.signature_data, | 
|  | output); | 
|  | } | 
|  |  | 
|  | bool DecodeDigitallySigned(base::StringPiece* input, | 
|  | DigitallySigned* output) { | 
|  | unsigned hash_algo; | 
|  | unsigned sig_algo; | 
|  | base::StringPiece sig_data; | 
|  |  | 
|  | if (!ReadUint(kHashAlgorithmLength, input, &hash_algo) || | 
|  | !ReadUint(kSigAlgorithmLength, input, &sig_algo) || | 
|  | !ReadVariableBytes(kSignatureLengthBytes, input, &sig_data)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | DigitallySigned result; | 
|  | if (!ConvertHashAlgorithm(hash_algo, &result.hash_algorithm)) { | 
|  | DVLOG(1) << "Invalid hash algorithm " << hash_algo; | 
|  | return false; | 
|  | } | 
|  | if (!ConvertSignatureAlgorithm(sig_algo, &result.signature_algorithm)) { | 
|  | DVLOG(1) << "Invalid signature algorithm " << sig_algo; | 
|  | return false; | 
|  | } | 
|  | sig_data.CopyToString(&result.signature_data); | 
|  |  | 
|  | *output = result; | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool EncodeSignedEntry(const SignedEntryData& input, std::string* output) { | 
|  | WriteUint(kSignedEntryTypeLength, input.type, output); | 
|  | switch (input.type) { | 
|  | case SignedEntryData::LOG_ENTRY_TYPE_X509: | 
|  | return EncodeAsn1CertSignedEntry(input, output); | 
|  | case SignedEntryData::LOG_ENTRY_TYPE_PRECERT: | 
|  | return EncodePrecertSignedEntry(input, output); | 
|  | } | 
|  | return false; | 
|  | } | 
|  |  | 
|  | static bool ReadTimeSinceEpoch(base::StringPiece* input, base::Time* output) { | 
|  | uint64_t time_since_epoch = 0; | 
|  | if (!ReadUint(kTimestampLength, input, &time_since_epoch)) | 
|  | return false; | 
|  |  | 
|  | base::CheckedNumeric<int64_t> time_since_epoch_signed = time_since_epoch; | 
|  |  | 
|  | if (!time_since_epoch_signed.IsValid()) { | 
|  | DVLOG(1) << "Timestamp value too big to cast to int64_t: " | 
|  | << time_since_epoch; | 
|  | return false; | 
|  | } | 
|  |  | 
|  | *output = | 
|  | base::Time::UnixEpoch() + | 
|  | base::TimeDelta::FromMilliseconds(time_since_epoch_signed.ValueOrDie()); | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | static void WriteTimeSinceEpoch(const base::Time& timestamp, | 
|  | std::string* output) { | 
|  | base::TimeDelta time_since_epoch = timestamp - base::Time::UnixEpoch(); | 
|  | WriteUint(kTimestampLength, time_since_epoch.InMilliseconds(), output); | 
|  | } | 
|  |  | 
|  | bool EncodeTreeLeaf(const MerkleTreeLeaf& leaf, std::string* output) { | 
|  | WriteUint(kVersionLength, 0, output);         // version: 1 | 
|  | WriteUint(kMerkleLeafTypeLength, 0, output);  // type: timestamped entry | 
|  | WriteTimeSinceEpoch(leaf.timestamp, output); | 
|  | if (!EncodeSignedEntry(leaf.signed_entry, output)) | 
|  | return false; | 
|  | if (!WriteVariableBytes(kExtensionsLengthBytes, leaf.extensions, output)) | 
|  | return false; | 
|  |  | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool EncodeV1SCTSignedData(const base::Time& timestamp, | 
|  | const std::string& serialized_log_entry, | 
|  | const std::string& extensions, | 
|  | std::string* output) { | 
|  | WriteUint(kVersionLength, SignedCertificateTimestamp::V1, | 
|  | output); | 
|  | WriteUint(kSignatureTypeLength, SIGNATURE_TYPE_CERTIFICATE_TIMESTAMP, | 
|  | output); | 
|  | WriteTimeSinceEpoch(timestamp, output); | 
|  | // NOTE: serialized_log_entry must already be serialized and contain the | 
|  | // length as the prefix. | 
|  | WriteEncodedBytes(serialized_log_entry, output); | 
|  | return WriteVariableBytes(kExtensionsLengthBytes, extensions, output); | 
|  | } | 
|  |  | 
|  | void EncodeTreeHeadSignature(const SignedTreeHead& signed_tree_head, | 
|  | std::string* output) { | 
|  | WriteUint(kVersionLength, signed_tree_head.version, output); | 
|  | WriteUint(kSignatureTypeLength, TREE_HASH, output); | 
|  | WriteTimeSinceEpoch(signed_tree_head.timestamp, output); | 
|  | WriteUint(kTreeSizeLength, signed_tree_head.tree_size, output); | 
|  | WriteEncodedBytes( | 
|  | base::StringPiece(signed_tree_head.sha256_root_hash, kSthRootHashLength), | 
|  | output); | 
|  | } | 
|  |  | 
|  | bool DecodeSCTList(base::StringPiece input, | 
|  | std::vector<base::StringPiece>* output) { | 
|  | std::vector<base::StringPiece> result; | 
|  | if (!ReadList(kSCTListLengthBytes, kSerializedSCTLengthBytes, &input, | 
|  | &result)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | if (!input.empty() || result.empty()) | 
|  | return false; | 
|  | output->swap(result); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | bool DecodeSignedCertificateTimestamp( | 
|  | base::StringPiece* input, | 
|  | scoped_refptr<SignedCertificateTimestamp>* output) { | 
|  | scoped_refptr<SignedCertificateTimestamp> result( | 
|  | new SignedCertificateTimestamp()); | 
|  | unsigned version; | 
|  | if (!ReadUint(kVersionLength, input, &version)) | 
|  | return false; | 
|  | if (version != SignedCertificateTimestamp::V1) { | 
|  | DVLOG(1) << "Unsupported/invalid version " << version; | 
|  | return false; | 
|  | } | 
|  |  | 
|  | result->version = SignedCertificateTimestamp::V1; | 
|  | base::StringPiece log_id; | 
|  | base::StringPiece extensions; | 
|  | if (!ReadFixedBytes(kLogIdLength, input, &log_id) || | 
|  | !ReadTimeSinceEpoch(input, &result->timestamp) || | 
|  | !ReadVariableBytes(kExtensionsLengthBytes, input, &extensions) || | 
|  | !DecodeDigitallySigned(input, &result->signature)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | log_id.CopyToString(&result->log_id); | 
|  | extensions.CopyToString(&result->extensions); | 
|  | output->swap(result); | 
|  | return true; | 
|  | } | 
|  |  | 
|  | void EncodeSignedCertificateTimestamp( | 
|  | const scoped_refptr<ct::SignedCertificateTimestamp>& input, | 
|  | std::string* output) { | 
|  | // This function only supports serialization of V1 SCTs. | 
|  | DCHECK_EQ(SignedCertificateTimestamp::V1, input->version); | 
|  | WriteUint(kVersionLength, input->version, output); | 
|  | DCHECK_EQ(kLogIdLength, input->log_id.size()); | 
|  | WriteEncodedBytes( | 
|  | base::StringPiece(reinterpret_cast<const char*>(input->log_id.data()), | 
|  | kLogIdLength), | 
|  | output); | 
|  | WriteTimeSinceEpoch(input->timestamp, output); | 
|  | WriteVariableBytes(kExtensionsLengthBytes, input->extensions, output); | 
|  | EncodeDigitallySigned(input->signature, output); | 
|  | } | 
|  |  | 
|  | bool EncodeSCTListForTesting(const base::StringPiece& sct, | 
|  | std::string* output) { | 
|  | std::string encoded_sct; | 
|  | return WriteVariableBytes(kSerializedSCTLengthBytes, sct, &encoded_sct) && | 
|  | WriteVariableBytes(kSCTListLengthBytes, encoded_sct, output); | 
|  | } | 
|  |  | 
|  | }  // namespace ct | 
|  |  | 
|  | }  // namespace net |