1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
#include <grpc/support/port_platform.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

#include <limits>
#include <memory>

#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"
#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
28
29 namespace grpc_core {
30
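// Checks whether |private_key| is the private half of the key pair whose
// public half is carried by the first (leaf) certificate in |cert_chain|.
//
// Both inputs are PEM text. Only the first PEM block of |cert_chain| is
// parsed; any further certificates in the chain are ignored. Every OpenSSL
// object created here is owned by a unique_ptr, so nothing leaks on any of
// the early-return paths.
//
// Returns true when the keys match, false when they do not, and an
// InvalidArgument status when either input is empty, too large to hand to
// OpenSSL, or cannot be parsed.
absl::StatusOr<bool> PrivateKeyAndCertificateMatch(
    absl::string_view private_key, absl::string_view cert_chain) {
  using BioPtr = std::unique_ptr<BIO, decltype(&BIO_free)>;
  using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;
  using PkeyPtr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;

  if (private_key.empty()) {
    return absl::InvalidArgumentError("Private key string is empty.");
  }
  if (cert_chain.empty()) {
    return absl::InvalidArgumentError("Certificate string is empty.");
  }
  // BIO_new_mem_buf takes an int length. A size above INT_MAX would be
  // truncated by the static_cast below, possibly to a negative value, which
  // is not a valid explicit length (OpenSSL treats -1 as "use strlen()", and
  // a string_view is not NUL-terminated). Reject such inputs up front.
  constexpr absl::string_view::size_type kMaxBioLength =
      static_cast<absl::string_view::size_type>(
          std::numeric_limits<int>::max());
  if (cert_chain.size() > kMaxBioLength) {
    return absl::InvalidArgumentError("Certificate string is too large.");
  }
  if (private_key.size() > kMaxBioLength) {
    return absl::InvalidArgumentError("Private key string is too large.");
  }

  BioPtr cert_bio(
      BIO_new_mem_buf(cert_chain.data(), static_cast<int>(cert_chain.size())),
      BIO_free);
  if (cert_bio == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from certificate string to BIO failed.");
  }
  // Reads only the first certificate in the chain, which is expected to be
  // the leaf; the key comparison is meaningful only for that certificate.
  X509Ptr leaf(PEM_read_bio_X509(cert_bio.get(), nullptr, nullptr, nullptr),
               X509_free);
  if (leaf == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from PEM string to X509 failed.");
  }
  // X509_get_pubkey hands back a reference that the caller must release.
  PkeyPtr public_evp_pkey(X509_get_pubkey(leaf.get()), EVP_PKEY_free);
  if (public_evp_pkey == nullptr) {
    return absl::InvalidArgumentError(
        "Extraction of public key from x.509 certificate failed.");
  }

  BioPtr private_key_bio(
      BIO_new_mem_buf(private_key.data(), static_cast<int>(private_key.size())),
      BIO_free);
  if (private_key_bio == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from private key string to BIO failed.");
  }
  // NOTE(review): the passphrase callback and userdata are both null. With
  // OpenSSL that selects the library's default callback, which may prompt on
  // the controlling terminal if the PEM key is encrypted; confirm that
  // callers never pass encrypted keys here, or supply a callback that fails
  // closed instead of prompting.
  PkeyPtr private_evp_pkey(
      PEM_read_bio_PrivateKey(private_key_bio.get(), nullptr, nullptr, nullptr),
      EVP_PKEY_free);
  if (private_evp_pkey == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from PEM string to EVP_PKEY failed.");
  }

  // Only an explicit 1 counts as a match: 0 means the keys differ, and
  // negative values signal differing key types or an unsupported comparison,
  // all of which must be reported as "no match".
#if OPENSSL_VERSION_NUMBER < 0x30000000L
  const int cmp = EVP_PKEY_cmp(private_evp_pkey.get(), public_evp_pkey.get());
#else
  const int cmp = EVP_PKEY_eq(private_evp_pkey.get(), public_evp_pkey.get());
#endif
  return cmp == 1;
}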
83
84 } // namespace grpc_core
85