blob: 2f3e7c6764ca5883e802fa7822795e808fc0677b [file] [log] [blame]
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/ssl/ssl_platform_key.h"
#include <windows.h>
#include <NCrypt.h>
#include <algorithm>
#include <string>
#include <vector>
#include <openssl/bn.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/sequenced_task_runner.h"
#include "base/win/windows_version.h"
#include "crypto/openssl_util.h"
#include "crypto/scoped_capi_types.h"
#include "crypto/wincrypt_shim.h"
#include "net/base/net_errors.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/scoped_openssl_types.h"
#include "net/ssl/ssl_platform_key_task_runner.h"
#include "net/ssl/ssl_private_key.h"
#include "net/ssl/threaded_ssl_private_key.h"
namespace net {
namespace {
using NCryptFreeObjectFunc = SECURITY_STATUS(WINAPI*)(NCRYPT_HANDLE);
using NCryptSignHashFunc = SECURITY_STATUS(WINAPI*)(NCRYPT_KEY_HANDLE, // hKey
VOID*, // pPaddingInfo
BYTE*, // pbHashValue
DWORD, // cbHashValue
BYTE*, // pbSignature
DWORD, // cbSignature
DWORD*, // pcbResult
DWORD); // dwFlags
class CNGFunctions {
public:
CNGFunctions() : ncrypt_free_object_(nullptr), ncrypt_sign_hash_(nullptr) {
HMODULE ncrypt = GetModuleHandle(L"ncrypt.dll");
if (ncrypt != nullptr) {
ncrypt_free_object_ = reinterpret_cast<NCryptFreeObjectFunc>(
GetProcAddress(ncrypt, "NCryptFreeObject"));
ncrypt_sign_hash_ = reinterpret_cast<NCryptSignHashFunc>(
GetProcAddress(ncrypt, "NCryptSignHash"));
}
}
NCryptFreeObjectFunc ncrypt_free_object() const {
return ncrypt_free_object_;
}
NCryptSignHashFunc ncrypt_sign_hash() const { return ncrypt_sign_hash_; }
private:
NCryptFreeObjectFunc ncrypt_free_object_;
NCryptSignHashFunc ncrypt_sign_hash_;
};
base::LazyInstance<CNGFunctions>::Leaky g_cng_functions =
LAZY_INSTANCE_INITIALIZER;
class SSLPlatformKeyCAPI : public ThreadedSSLPrivateKey::Delegate {
public:
// Takes ownership of |provider|.
SSLPlatformKeyCAPI(HCRYPTPROV provider, DWORD key_spec, size_t max_length)
: provider_(provider), key_spec_(key_spec), max_length_(max_length) {}
~SSLPlatformKeyCAPI() override {}
SSLPrivateKey::Type GetType() override { return SSLPrivateKey::Type::RSA; }
std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override {
// If the key is in CAPI, assume conservatively that the CAPI service
// provider may only be able to sign pre-TLS-1.2 and SHA-1 hashes.
static const SSLPrivateKey::Hash kHashes[] = {
SSLPrivateKey::Hash::SHA1, SSLPrivateKey::Hash::SHA512,
SSLPrivateKey::Hash::SHA384, SSLPrivateKey::Hash::SHA256};
return std::vector<SSLPrivateKey::Hash>(kHashes,
kHashes + arraysize(kHashes));
}
size_t GetMaxSignatureLengthInBytes() override { return max_length_; }
Error SignDigest(SSLPrivateKey::Hash hash,
const base::StringPiece& input,
std::vector<uint8_t>* signature) override {
ALG_ID hash_alg = 0;
switch (hash) {
case SSLPrivateKey::Hash::MD5_SHA1:
hash_alg = CALG_SSL3_SHAMD5;
break;
case SSLPrivateKey::Hash::SHA1:
hash_alg = CALG_SHA1;
break;
case SSLPrivateKey::Hash::SHA256:
hash_alg = CALG_SHA_256;
break;
case SSLPrivateKey::Hash::SHA384:
hash_alg = CALG_SHA_384;
break;
case SSLPrivateKey::Hash::SHA512:
hash_alg = CALG_SHA_512;
break;
}
DCHECK_NE(static_cast<ALG_ID>(0), hash_alg);
crypto::ScopedHCRYPTHASH hash_handle;
if (!CryptCreateHash(provider_, hash_alg, 0, 0, hash_handle.receive())) {
PLOG(ERROR) << "CreateCreateHash failed";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
DWORD hash_len;
DWORD arg_len = sizeof(hash_len);
if (!CryptGetHashParam(hash_handle.get(), HP_HASHSIZE,
reinterpret_cast<BYTE*>(&hash_len), &arg_len, 0)) {
PLOG(ERROR) << "CryptGetHashParam HP_HASHSIZE failed";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
if (hash_len != input.size())
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
if (!CryptSetHashParam(
hash_handle.get(), HP_HASHVAL,
const_cast<BYTE*>(reinterpret_cast<const BYTE*>(input.data())),
0)) {
PLOG(ERROR) << "CryptSetHashParam HP_HASHVAL failed";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
DWORD signature_len = 0;
if (!CryptSignHash(hash_handle.get(), key_spec_, nullptr, 0, nullptr,
&signature_len)) {
PLOG(ERROR) << "CryptSignHash failed";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
signature->resize(signature_len);
if (!CryptSignHash(hash_handle.get(), key_spec_, nullptr, 0,
signature->data(), &signature_len)) {
PLOG(ERROR) << "CryptSignHash failed";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
signature->resize(signature_len);
// CryptoAPI signs in little-endian, so reverse it.
std::reverse(signature->begin(), signature->end());
return OK;
}
private:
crypto::ScopedHCRYPTPROV provider_;
DWORD key_spec_;
size_t max_length_;
DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCAPI);
};
class SSLPlatformKeyCNG : public ThreadedSSLPrivateKey::Delegate {
public:
// Takes ownership of |key|.
SSLPlatformKeyCNG(NCRYPT_KEY_HANDLE key,
SSLPrivateKey::Type type,
size_t max_length)
: key_(key), type_(type), max_length_(max_length) {}
~SSLPlatformKeyCNG() override {
g_cng_functions.Get().ncrypt_free_object()(key_);
}
SSLPrivateKey::Type GetType() override { return type_; }
std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override {
// If this is an under 1024-bit RSA key, conservatively prefer to sign
// SHA-1 hashes. Older Estonian ID cards can only sign SHA-1 hashes.
// However, if the server doesn't advertise SHA-1, the remaining hashes
// might still be supported.
if (type_ == SSLPrivateKey::Type::RSA && max_length_ <= 1024 / 8) {
static const SSLPrivateKey::Hash kHashesSpecial[] = {
SSLPrivateKey::Hash::SHA1, SSLPrivateKey::Hash::SHA512,
SSLPrivateKey::Hash::SHA384, SSLPrivateKey::Hash::SHA256};
return std::vector<SSLPrivateKey::Hash>(
kHashesSpecial, kHashesSpecial + arraysize(kHashesSpecial));
}
static const SSLPrivateKey::Hash kHashes[] = {
SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384,
SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1};
return std::vector<SSLPrivateKey::Hash>(kHashes,
kHashes + arraysize(kHashes));
}
size_t GetMaxSignatureLengthInBytes() override { return max_length_; }
Error SignDigest(SSLPrivateKey::Hash hash,
const base::StringPiece& input,
std::vector<uint8_t>* signature) override {
crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
BCRYPT_PKCS1_PADDING_INFO rsa_padding_info = {0};
void* padding_info = nullptr;
DWORD flags = 0;
if (type_ == SSLPrivateKey::Type::RSA) {
switch (hash) {
case SSLPrivateKey::Hash::MD5_SHA1:
rsa_padding_info.pszAlgId = nullptr;
break;
case SSLPrivateKey::Hash::SHA1:
rsa_padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM;
break;
case SSLPrivateKey::Hash::SHA256:
rsa_padding_info.pszAlgId = BCRYPT_SHA256_ALGORITHM;
break;
case SSLPrivateKey::Hash::SHA384:
rsa_padding_info.pszAlgId = BCRYPT_SHA384_ALGORITHM;
break;
case SSLPrivateKey::Hash::SHA512:
rsa_padding_info.pszAlgId = BCRYPT_SHA512_ALGORITHM;
break;
}
padding_info = &rsa_padding_info;
flags |= BCRYPT_PAD_PKCS1;
}
DWORD signature_len;
SECURITY_STATUS status = g_cng_functions.Get().ncrypt_sign_hash()(
key_, padding_info,
const_cast<BYTE*>(reinterpret_cast<const BYTE*>(input.data())),
input.size(), nullptr, 0, &signature_len, flags);
if (FAILED(status)) {
LOG(ERROR) << "NCryptSignHash failed: " << status;
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
signature->resize(signature_len);
status = g_cng_functions.Get().ncrypt_sign_hash()(
key_, padding_info,
const_cast<BYTE*>(reinterpret_cast<const BYTE*>(input.data())),
input.size(), signature->data(), signature_len, &signature_len, flags);
if (FAILED(status)) {
LOG(ERROR) << "NCryptSignHash failed: " << status;
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
signature->resize(signature_len);
// CNG emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
// ECDSA-Sig-Value.
if (type_ == SSLPrivateKey::Type::ECDSA) {
if (signature->size() % 2 != 0) {
LOG(ERROR) << "Bad signature length";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
size_t order_len = signature->size() / 2;
// Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
crypto::ScopedECDSA_SIG sig(ECDSA_SIG_new());
if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
!BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}
int len = i2d_ECDSA_SIG(sig.get(), nullptr);
if (len <= 0)
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
signature->resize(len);
uint8_t* ptr = signature->data();
len = i2d_ECDSA_SIG(sig.get(), &ptr);
if (len <= 0)
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
signature->resize(len);
}
return OK;
}
private:
NCRYPT_KEY_HANDLE key_;
SSLPrivateKey::Type type_;
size_t max_length_;
DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCNG);
};
// Determines the key type and maximum signature length of |certificate|'s
// public key.
bool GetKeyInfo(const X509Certificate* certificate,
SSLPrivateKey::Type* out_type,
size_t* out_max_length) {
crypto::OpenSSLErrStackTracer tracker(FROM_HERE);
std::string der_encoded;
if (!X509Certificate::GetDEREncoded(certificate->os_cert_handle(),
&der_encoded))
return false;
const uint8_t* bytes = reinterpret_cast<const uint8_t*>(der_encoded.data());
ScopedX509 x509(d2i_X509(nullptr, &bytes, der_encoded.size()));
if (!x509)
return false;
crypto::ScopedEVP_PKEY key(X509_get_pubkey(x509.get()));
if (!key)
return false;
switch (EVP_PKEY_id(key.get())) {
case EVP_PKEY_RSA:
*out_type = SSLPrivateKey::Type::RSA;
break;
case EVP_PKEY_EC:
*out_type = SSLPrivateKey::Type::ECDSA;
break;
default:
return false;
}
*out_max_length = EVP_PKEY_size(key.get());
return true;
}
} // namespace
scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
X509Certificate* certificate) {
// Rather than query the private key for metadata, extract the public key from
// the certificate without using Windows APIs. CAPI and CNG do not
// consistently work depending on the system. See https://crbug.com/468345.
SSLPrivateKey::Type key_type;
size_t max_length;
if (!GetKeyInfo(certificate, &key_type, &max_length))
return nullptr;
PCCERT_CONTEXT cert_context = certificate->os_cert_handle();
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE prov_or_key = 0;
DWORD key_spec = 0;
BOOL must_free = FALSE;
DWORD flags = 0;
if (base::win::GetVersion() >= base::win::VERSION_VISTA)
flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
if (!CryptAcquireCertificatePrivateKey(cert_context, flags, nullptr,
&prov_or_key, &key_spec, &must_free)) {
PLOG(WARNING) << "Could not acquire private key";
return nullptr;
}
// Should never get a cached handle back - ownership must always be
// transferred.
CHECK_EQ(must_free, TRUE);
scoped_ptr<ThreadedSSLPrivateKey::Delegate> delegate;
if (key_spec == CERT_NCRYPT_KEY_SPEC) {
delegate.reset(new SSLPlatformKeyCNG(prov_or_key, key_type, max_length));
} else {
DCHECK(SSLPrivateKey::Type::RSA == key_type);
delegate.reset(new SSLPlatformKeyCAPI(prov_or_key, key_spec, max_length));
}
return make_scoped_refptr(new ThreadedSSLPrivateKey(
delegate.Pass(), GetSSLPlatformKeyTaskRunner()));
}
} // namespace net