// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/base/dnssec_keyset.h"
#include <cryptohi.h>
#include <cryptoht.h>
#include <keyhi.h>
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
#include "base/time.h"
#include "crypto/nss_util.h"
#include "net/base/dns_util.h"
namespace {
// These are encoded AlgorithmIdentifiers for the given signature algorithm.
const unsigned char kRSAWithSHA1[] = {
0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 5, 0
};
const unsigned char kRSAWithSHA256[] = {
0x30, 0xd, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 5, 0
};
} // namespace
namespace net {
DNSSECKeySet::DNSSECKeySet()
: ignore_timestamps_(false) {
}
DNSSECKeySet::~DNSSECKeySet() {
}
bool DNSSECKeySet::AddKey(const base::StringPiece& dnskey) {
uint16 keyid = DNSKEYToKeyID(dnskey);
std::string der_encoded = ASN1WrapDNSKEY(dnskey);
if (der_encoded.empty())
return false;
keyids_.push_back(keyid);
public_keys_.push_back(der_encoded);
return true;
}
bool DNSSECKeySet::CheckSignature(
const base::StringPiece& name,
const base::StringPiece& zone,
const base::StringPiece& signature,
uint16 rrtype,
const std::vector<base::StringPiece>& rrdatas) {
// signature has this format:
// algorithm uint8
// labels uint8
// ttl uint32
// expires uint32
// begins uint32
// keyid uint16
//
// followed by the actual signature.
if (signature.size() < 16)
return false;
const unsigned char* sigdata =
reinterpret_cast<const unsigned char*>(signature.data());
uint8 algorithm = sigdata[0];
uint32 expires = static_cast<uint32>(sigdata[6]) << 24 |
static_cast<uint32>(sigdata[7]) << 16 |
static_cast<uint32>(sigdata[8]) << 8 |
static_cast<uint32>(sigdata[9]);
uint32 begins = static_cast<uint32>(sigdata[10]) << 24 |
static_cast<uint32>(sigdata[11]) << 16 |
static_cast<uint32>(sigdata[12]) << 8 |
static_cast<uint32>(sigdata[13]);
uint16 keyid = static_cast<uint16>(sigdata[14]) << 8 |
static_cast<uint16>(sigdata[15]);
if (!ignore_timestamps_) {
uint32 now = static_cast<uint32>(base::Time::Now().ToTimeT());
if (now < begins || now >= expires)
return false;
}
base::StringPiece sig(signature.data() + 16, signature.size() - 16);
// You should have RFC 4034, 3.1.8.1 open when reading this code.
unsigned signed_data_len = 0;
signed_data_len += 2; // rrtype
signed_data_len += 16; // (see signature format, above)
signed_data_len += zone.size();
for (std::vector<base::StringPiece>::const_iterator
i = rrdatas.begin(); i != rrdatas.end(); i++) {
signed_data_len += name.size();
signed_data_len += 2; // rrtype
signed_data_len += 2; // class
signed_data_len += 4; // ttl
signed_data_len += 2; // RRDATA length
signed_data_len += i->size();
}
scoped_array<unsigned char> signed_data(new unsigned char[signed_data_len]);
unsigned j = 0;
signed_data[j++] = static_cast<uint8>(rrtype >> 8);
signed_data[j++] = static_cast<uint8>(rrtype);
memcpy(&signed_data[j], sigdata, 16);
j += 16;
memcpy(&signed_data[j], zone.data(), zone.size());
j += zone.size();
for (std::vector<base::StringPiece>::const_iterator
i = rrdatas.begin(); i != rrdatas.end(); i++) {
memcpy(&signed_data[j], name.data(), name.size());
j += name.size();
signed_data[j++] = static_cast<uint8>(rrtype >> 8);
signed_data[j++] = static_cast<uint8>(rrtype);
signed_data[j++] = 0; // CLASS (always IN = 1)
signed_data[j++] = 1;
// Copy the TTL from |signature|.
memcpy(&signed_data[j], signature.data() + 2, sizeof(uint32));
j += sizeof(uint32);
unsigned rrdata_len = i->size();
signed_data[j++] = rrdata_len >> 8;
signed_data[j++] = rrdata_len;
memcpy(&signed_data[j], i->data(), i->size());
j += i->size();
}
DCHECK_EQ(j, signed_data_len);
base::StringPiece signature_algorithm;
if (algorithm == kDNSSEC_RSA_SHA1 ||
algorithm == kDNSSEC_RSA_SHA1_NSEC3) {
signature_algorithm = base::StringPiece(
reinterpret_cast<const char*>(kRSAWithSHA1),
sizeof(kRSAWithSHA1));
} else if (algorithm == kDNSSEC_RSA_SHA256) {
signature_algorithm = base::StringPiece(
reinterpret_cast<const char*>(kRSAWithSHA256),
sizeof(kRSAWithSHA256));
} else {
// Unknown algorithm.
return false;
}
// Check the signature with each trusted key which has a matching keyid.
DCHECK_EQ(public_keys_.size(), keyids_.size());
for (unsigned i = 0; i < public_keys_.size(); i++) {
if (keyids_[i] != keyid)
continue;
if (VerifySignature(
signature_algorithm, sig, public_keys_[i],
base::StringPiece(reinterpret_cast<const char*>(signed_data.get()),
signed_data_len))) {
return true;
}
}
return false;
}
// static
uint16 DNSSECKeySet::DNSKEYToKeyID(const base::StringPiece& dnskey) {
const unsigned char* data =
reinterpret_cast<const unsigned char*>(dnskey.data());
// RFC 4043: App B
uint32 ac = 0;
for (unsigned i = 0; i < dnskey.size(); i++) {
if (i & 1) {
ac += data[i];
} else {
ac += static_cast<uint32>(data[i]) << 8;
}
}
ac += (ac >> 16) & 0xffff;
return ac;
}
void DNSSECKeySet::IgnoreTimestamps() {
ignore_timestamps_ = true;
}
bool DNSSECKeySet::VerifySignature(
base::StringPiece signature_algorithm,
base::StringPiece signature,
base::StringPiece public_key,
base::StringPiece signed_data) {
// This code is largely a copy-and-paste from
// crypto/signature_verifier_nss.cc. We can't change
// crypto::SignatureVerifier to always use NSS because we want the ability to
// be FIPS 140-2 compliant. However, we can't use crypto::SignatureVerifier
// here because some platforms don't support SHA256 signatures. Therefore, we
// use NSS directly.
crypto::EnsureNSSInit();
CERTSubjectPublicKeyInfo* spki = NULL;
SECItem spki_der;
spki_der.type = siBuffer;
spki_der.data = (uint8*) public_key.data();
spki_der.len = public_key.size();
spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_der);
if (!spki)
return false;
SECKEYPublicKey* pub_key = SECKEY_ExtractPublicKey(spki);
SECKEY_DestroySubjectPublicKeyInfo(spki); // Done with spki.
if (!pub_key)
return false;
PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECKEY_DestroyPublicKey(pub_key);
return false;
}
SECItem sig_alg_der;
sig_alg_der.type = siBuffer;
sig_alg_der.data = (uint8*) signature_algorithm.data();
sig_alg_der.len = signature_algorithm.size();
SECAlgorithmID sig_alg_id;
SECStatus rv;
rv = SEC_QuickDERDecodeItem(arena, &sig_alg_id, SECOID_AlgorithmIDTemplate,
&sig_alg_der);
if (rv != SECSuccess) {
SECKEY_DestroyPublicKey(pub_key);
PORT_FreeArena(arena, PR_TRUE);
return false;
}
SECItem sig;
sig.type = siBuffer;
sig.data = (uint8*) signature.data();
sig.len = signature.size();
SECOidTag hash_alg_tag;
VFYContext* vfy_context =
VFY_CreateContextWithAlgorithmID(pub_key, &sig,
&sig_alg_id, &hash_alg_tag,
NULL);
SECKEY_DestroyPublicKey(pub_key);
PORT_FreeArena(arena, PR_TRUE); // Done with sig_alg_id.
if (!vfy_context) {
// A corrupted RSA signature could be detected without the data, so
// VFY_CreateContextWithAlgorithmID may fail with SEC_ERROR_BAD_SIGNATURE
// (-8182).
return false;
}
rv = VFY_Begin(vfy_context);
if (rv != SECSuccess) {
NOTREACHED();
return false;
}
rv = VFY_Update(vfy_context, (uint8*) signed_data.data(), signed_data.size());
if (rv != SECSuccess) {
NOTREACHED();
return false;
}
rv = VFY_End(vfy_context);
VFY_DestroyContext(vfy_context, PR_TRUE);
return rv == SECSuccess;
}
// This is an ASN.1 encoded AlgorithmIdentifier for RSA
static const unsigned char kASN1AlgorithmIdentifierRSA[] = {
0x30, // SEQUENCE
0x0d, // length (11 bytes)
0x06, // OBJECT IDENTIFER
0x09, // length (9 bytes)
// OID 1.2.840.113549.1.1.1 (RSA)
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
// NULL of length 0
0x05, 0x00,
};
// EncodeASN1Length assumes that |*length| contains the number of DER-encoded,
// length-prefixed ASN.1 bytes to follow and serialises the length to |out[*j]|
// and updates |j| and |length| accordingly.
static void EncodeASN1Length(unsigned char* out, unsigned* j,
unsigned* length) {
if ((*length - 1) < 128) {
(*length) -= 1;
out[(*j)++] = *length;
} else if ((*length - 2) < 256) {
(*length) -= 2;
out[(*j)++] = 0x80 | 1;
out[(*j)++] = *length;
} else {
(*length) -= 3;
out[(*j)++] = 0x80 | 2;
out[(*j)++] = *length >> 8;
out[(*j)++] = *length;
}
}
// AdvanceForASN1Length returns the number of bytes required to encode a ASN1
// DER length value of |remaining|.
static unsigned AdvanceForASN1Length(unsigned remaining) {
if (remaining < 128) {
return 1;
} else if (remaining < 256) {
return 2;
} else if (remaining < 65536) {
return 3;
} else {
NOTREACHED();
return 3;
}
}
// ASN1WrapDNSKEY converts the DNSKEY RDATA in |dnskey| into the ASN.1 wrapped
// format expected by NSS. To wit:
// SubjectPublicKeyInfo ::= SEQUENCE {
// algorithm AlgorithmIdentifier,
// subjectPublicKey BIT STRING }
std::string DNSSECKeySet::ASN1WrapDNSKEY(const base::StringPiece& dnskey) {
const unsigned char* data =
reinterpret_cast<const unsigned char*>(dnskey.data());
if (dnskey.size() < 5 || dnskey.size() > 32767)
return "";
const uint8 algorithm = data[3];
if (algorithm != kDNSSEC_RSA_SHA1 &&
algorithm != kDNSSEC_RSA_SHA1_NSEC3 &&
algorithm != kDNSSEC_RSA_SHA256) {
return "";
}
unsigned exp_length;
unsigned exp_offset;
// First we extract the public exponent.
if (data[4] == 0) {
if (dnskey.size() < 7)
return "";
exp_length = static_cast<unsigned>(data[5]) << 8 |
static_cast<unsigned>(data[6]);
exp_offset = 7;
} else {
exp_length = static_cast<unsigned>(data[4]);
exp_offset = 5;
}
// We refuse to deal with large public exponents.
if (exp_length > 3)
return "";
if (dnskey.size() < exp_offset + exp_length)
return "";
unsigned exp = 0;
for (unsigned i = 0; i < exp_length; i++) {
exp <<= 8;
exp |= static_cast<unsigned>(data[exp_offset + i]);
}
unsigned n_offset = exp_offset + exp_length;
unsigned n_length = dnskey.size() - n_offset;
// Anything smaller than 512 bits is too weak to be trusted.
if (n_length < 64)
return "";
// If the MSB of exp is true then we need to prefix a zero byte to stop the
// ASN.1 encoding from being negative.
if (exp & (1 << ((8 * exp_length) - 1)))
exp_length++;
// Likewise with the modulus
unsigned n_padding = data[n_offset] & 0x80 ? 1 : 0;
// We now calculate the length of the full ASN.1 encoded public key. We're
// working backwards from the end of the structure. Keep in mind that it's:
// SEQUENCE
// AlgorithmIdentifier
// BITSTRING
// SEQUENCE
// INTEGER
// INTEGER
unsigned length = 0;
length += exp_length; // exponent data
length++; // we know that |exp_length| < 128
length++; // INTEGER tag for exponent
length += n_length + n_padding;
length += AdvanceForASN1Length(n_length + n_padding);
length++; // INTEGER tag for modulus
length += AdvanceForASN1Length(length); // SEQUENCE length
length++; // SEQUENCE tag
length++; // BITSTRING unused bits
length += AdvanceForASN1Length(length); // BITSTRING length
length++; // BITSTRING tag
length += sizeof(kASN1AlgorithmIdentifierRSA);
length += AdvanceForASN1Length(length); // SEQUENCE length
length++; // SEQUENCE tag
scoped_array<unsigned char> out(new unsigned char[length]);
// Now we walk forwards and serialise the ASN.1, undoing the steps above.
unsigned j = 0;
out[j++] = 0x30; // SEQUENCE
length--;
EncodeASN1Length(out.get(), &j, &length);
memcpy(&out[j], kASN1AlgorithmIdentifierRSA,
sizeof(kASN1AlgorithmIdentifierRSA));
j += sizeof(kASN1AlgorithmIdentifierRSA);
length -= sizeof(kASN1AlgorithmIdentifierRSA);
out[j++] = 3; // BITSTRING tag
length--;
EncodeASN1Length(out.get(), &j, &length);
out[j++] = 0; // BITSTRING unused bits
length--;
out[j++] = 0x30; // SEQUENCE
length--;
EncodeASN1Length(out.get(), &j, &length);
out[j++] = 2; // INTEGER
length--;
unsigned l = n_length + n_padding;
if (l < 128) {
out[j++] = l;
length--;
} else if (l < 256) {
out[j++] = 0x80 | 1;
out[j++] = l;
length -= 2;
} else if (l < 65536) {
out[j++] = 0x80 | 2;
out[j++] = l >> 8;
out[j++] = l;
length -= 3;
} else {
NOTREACHED();
}
if (n_padding) {
out[j++] = 0;
length--;
}
memcpy(&out[j], &data[n_offset], n_length);
j += n_length;
length -= n_length;
out[j++] = 2; // INTEGER
length--;
out[j++] = exp_length;
length--;
for (unsigned i = exp_length - 1; i < exp_length; i--) {
out[j++] = exp >> (8 * i);
length--;
}
DCHECK_EQ(0u, length);
return std::string(reinterpret_cast<char*>(out.get()), j);
}
} // namespace net