1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/internal/cert_issuer_source_aia.h"
6
7 #include "base/containers/span.h"
8 #include "base/logging.h"
9 #include "base/strings/string_piece.h"
10 #include "net/cert/cert_net_fetcher.h"
11 #include "net/cert/pem.h"
12 #include "net/cert/pki/cert_errors.h"
13 #include "net/cert/x509_util.h"
14 #include "url/gurl.h"
15
16 namespace net {
17
18 namespace {
19
// TODO(mattm): These are arbitrary choices. Re-evaluate.
//
// Timeout handed to CertNetFetcher::FetchCaIssuers for each AIA fetch.
constexpr int kTimeoutMilliseconds = 10000;
// Response-size limit handed to CertNetFetcher::FetchCaIssuers for each fetch.
constexpr int kMaxResponseBytes = 65536;
// Upper bound on the number of caIssuers URLs fetched for one certificate; this
// bounds the network work a single (untrusted) certificate can trigger.
constexpr int kMaxFetchesPerCert = 5;
24
// Parses |data| as a single DER-encoded certificate and appends it to
// |results|. Returns true on success; on failure the parse errors are logged
// and false is returned.
bool ParseCertFromDer(base::span<const uint8_t> data,
                      ParsedCertificateList* results) {
  CertErrors errors;
  const bool parsed = ParsedCertificate::CreateAndAddToVector(
      x509_util::CreateCryptoBuffer(data),
      x509_util::DefaultParseCertificateOptions(), results, &errors);
  if (parsed)
    return true;

  // TODO(crbug.com/634443): propagate error info.
  // TODO(mattm): this creates misleading log spam if one of the other Parse*
  // methods is actually able to parse the data.
  LOG(ERROR) << "Error parsing cert retrieved from AIA (as DER):\n"
             << errors.ToDebugString();
  return false;
}
42
// Parses |data| as a PKCS#7 / CMS SignedData message and appends every
// certificate it carries to |results|. Returns true if at least one
// certificate was parsed; certificates that fail to parse are logged and
// skipped without aborting the remaining ones.
bool ParseCertsFromCms(base::span<const uint8_t> data,
                       ParsedCertificateList* results) {
  // A "certs-only CMS message" is a PKCS#7 SignedData structure with no signed
  // inner content. See RFC 3851 section 3.2.2 and RFC 2315 section 9.1.
  // Note: RFC 5280 section 4.2.2.1 says that the data should be a certs-only
  // CMS message, however this will actually allow a SignedData which
  // contains CRLs and/or inner content, ignoring them.
  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> cert_buffers;
  if (!x509_util::CreateCertBuffersFromPKCS7Bytes(data, &cert_buffers))
    return false;

  size_t num_parsed = 0;
  for (auto& cert_buffer : cert_buffers) {
    CertErrors errors;
    const bool ok = ParsedCertificate::CreateAndAddToVector(
        std::move(cert_buffer), x509_util::DefaultParseCertificateOptions(),
        results, &errors);
    if (ok) {
      ++num_parsed;
      continue;
    }
    // TODO(crbug.com/634443): propagate error info.
    LOG(ERROR) << "Error parsing cert extracted from AIA PKCS7:\n"
               << errors.ToDebugString();
  }
  return num_parsed > 0;
}
69
// Parses the first "CERTIFICATE" PEM block found in the |length| bytes at
// |data| as a DER certificate and appends it to |results|. Only the first
// block is consumed; any further PEM blocks are ignored. Returns false when no
// CERTIFICATE block is present or its contents do not parse as a certificate.
bool ParseCertFromPem(const uint8_t* data,
                      size_t length,
                      ParsedCertificateList* results) {
  // The tokenizer views |data| rather than copying it; |data| outlives it.
  PEMTokenizer pem_tokenizer(
      base::StringPiece(reinterpret_cast<const char*>(data), length),
      {"CERTIFICATE"});
  if (!pem_tokenizer.GetNext())
    return false;

  return ParseCertFromDer(base::as_bytes(base::make_span(pem_tokenizer.data())),
                          results);
}
82
// Asynchronous result handle returned by CertIssuerSourceAia::AsyncGetIssuersOf.
// Owns the CertNetFetcher requests started for one certificate's caIssuers
// URLs and drains them, in the order they were added, on each GetNext() call.
class AiaRequest : public CertIssuerSource::Request {
 public:
  AiaRequest() = default;
  ~AiaRequest() override;

  AiaRequest(const AiaRequest&) = delete;
  AiaRequest& operator=(const AiaRequest&) = delete;

  // CertIssuerSource::Request implementation. Waits on the pending fetches in
  // FIFO order and returns after the first one whose response yields
  // certificates, appending those certificates to |issuers|.
  void GetNext(ParsedCertificateList* issuers) override;

  // Takes ownership of an already-started fetch for one caIssuers URL.
  void AddCertFetcherRequest(
      std::unique_ptr<CertNetFetcher::Request> cert_fetcher_request);

  // Parses the body of a completed fetch and appends its certificates to
  // |results|. Returns true if |fetched_bytes| yielded at least one
  // certificate; a fetch that failed (|error| != OK) is logged and yields none.
  bool AddCompletedFetchToResults(Error error,
                                  std::vector<uint8_t> fetched_bytes,
                                  ParsedCertificateList* results);

 private:
  // Fetches in the order they were added. Entries before |current_request_|
  // have already been consumed (moved out) by GetNext().
  std::vector<std::unique_ptr<CertNetFetcher::Request>> cert_fetcher_requests_;
  size_t current_request_ = 0;
};
106
// Destroying the request also destroys any CertNetFetcher requests that
// GetNext() has not yet consumed.
AiaRequest::~AiaRequest() = default;
108
// Blocks on the queued fetches in FIFO order, starting after the last one
// consumed, and stops at the first response that parses into certificates.
// Those certificates are appended to |out_certs|; fetches after it stay queued
// for a later call. Returns without adding anything once the queue is drained.
void AiaRequest::GetNext(ParsedCertificateList* out_certs) {
  // TODO(eroman): Rather than blocking in FIFO order, select the one that
  // completes first.
  for (; current_request_ < cert_fetcher_requests_.size(); ++current_request_) {
    // Move the request out so it is released at the end of this iteration
    // regardless of whether its response parsed.
    std::unique_ptr<CertNetFetcher::Request> pending =
        std::move(cert_fetcher_requests_[current_request_]);

    Error fetch_error;
    std::vector<uint8_t> response;
    pending->WaitForResult(&fetch_error, &response);

    if (AddCompletedFetchToResults(fetch_error, std::move(response),
                                   out_certs)) {
      // Advance past the consumed request before returning, matching the
      // loop's normal increment.
      ++current_request_;
      return;
    }
  }
}
122
// Appends |cert_fetcher_request| to the FIFO queue drained by GetNext().
// |cert_fetcher_request| must be non-null.
void AiaRequest::AddCertFetcherRequest(
    std::unique_ptr<CertNetFetcher::Request> cert_fetcher_request) {
  DCHECK(cert_fetcher_request);
  cert_fetcher_requests_.emplace_back(std::move(cert_fetcher_request));
}
128
// Turns the outcome of one fetch into certificates. A failed fetch (|error| !=
// OK) is logged and yields nothing. Otherwise |fetched_bytes| is tried as DER,
// then as a CMS/PKCS#7 message, then as PEM; the first parser that reports
// success appends its certificates to |results| and ends the chain. Returns
// true if any parser succeeded.
bool AiaRequest::AddCompletedFetchToResults(Error error,
                                            std::vector<uint8_t> fetched_bytes,
                                            ParsedCertificateList* results) {
  if (error != OK) {
    // TODO(mattm): propagate error info.
    LOG(ERROR) << "AiaRequest::OnFetchCompleted got error " << error;
    return false;
  }

  // RFC 5280 section 4.2.2.1:
  //
  //    Conforming applications that support HTTP or FTP for accessing
  //    certificates MUST be able to accept individual DER encoded
  //    certificates and SHOULD be able to accept "certs-only" CMS messages.
  //
  // The body is untrusted network data; each parser is responsible for its own
  // validation and is tried in order of preference.
  if (ParseCertFromDer(fetched_bytes, results))
    return true;
  if (ParseCertsFromCms(fetched_bytes, results))
    return true;

  // TODO(https://crbug.com/870359): Some AIA responses are served as PEM, which
  // is not part of RFC 5280's profile.
  return ParseCertFromPem(fetched_bytes.data(), fetched_bytes.size(), results);
}
150
151 } // namespace
152
// Takes a reference on |cert_fetcher|, which performs the network fetches
// started by AsyncGetIssuersOf().
CertIssuerSourceAia::CertIssuerSourceAia(
    scoped_refptr<CertNetFetcher> cert_fetcher)
    : cert_fetcher_(std::move(cert_fetcher)) {}
156
// Releases this source's reference on the CertNetFetcher.
CertIssuerSourceAia::~CertIssuerSourceAia() = default;
158
// Intentionally a no-op: issuers are only obtained through network fetches,
// which are exposed via AsyncGetIssuersOf(). |issuers| is left unmodified.
void CertIssuerSourceAia::SyncGetIssuersOf(const ParsedCertificate* cert,
                                           ParsedCertificateList* issuers) {
  // CertIssuerSourceAia never returns synchronous results.
}
163
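// Starts one CertNetFetcher fetch per valid caIssuers URL in |cert|'s
// authorityInfoAccess extension and returns the pending fetches through
// |*out_req|. |*out_req| is left null when |cert| has no AIA extension or none
// of its caIssuers URIs is a valid URL.
//
// The URIs come from the certificate under validation, i.e. from untrusted
// input; kMaxFetchesPerCert bounds how many fetches one certificate can
// trigger, and kTimeoutMilliseconds / kMaxResponseBytes bound each fetch.
void CertIssuerSourceAia::AsyncGetIssuersOf(const ParsedCertificate* cert,
                                            std::unique_ptr<Request>* out_req) {
  out_req->reset();

  if (!cert->has_authority_info_access())
    return;

  // RFC 5280 section 4.2.2.1:
  //
  //    An authorityInfoAccess extension may include multiple instances of
  //    the id-ad-caIssuers accessMethod.  The different instances may
  //    specify different methods for accessing the same information or may
  //    point to different information.

  // Compare against an unsigned bound: |urls.size()| is size_t and the
  // constant is int, so the comparison is otherwise signed/unsigned.
  const size_t max_fetches = static_cast<size_t>(kMaxFetchesPerCert);

  std::vector<GURL> urls;
  for (const auto& uri : cert->ca_issuers_uris()) {
    GURL url(uri);
    if (!url.is_valid()) {
      // TODO(mattm): propagate error info.
      // Note: |uri| is raw certificate content (untrusted) echoed to the log.
      LOG(ERROR) << "invalid AIA URL: " << uri;
      continue;
    }
    // TODO(mattm): do the kMaxFetchesPerCert check only on the number of
    // supported URL schemes, not all the URLs.
    if (urls.size() >= max_fetches) {
      // TODO(mattm): propagate error info.
      LOG(ERROR) << "kMaxFetchesPerCert exceeded, skipping";
      continue;
    }
    urls.push_back(std::move(url));
  }
  if (urls.empty())
    return;

  auto aia_request = std::make_unique<AiaRequest>();

  for (const auto& url : urls) {
    // TODO(mattm): add synchronous failure mode to FetchCaIssuers interface so
    // that this doesn't need to wait for async callback just to tell that an
    // URL has an unsupported scheme?
    aia_request->AddCertFetcherRequest(cert_fetcher_->FetchCaIssuers(
        url, kTimeoutMilliseconds, kMaxResponseBytes));
  }

  *out_req = std::move(aia_request);
}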
210
211 } // namespace net
212