1 // Copyright 2012 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_ 6 #define NET_CERT_CERT_VERIFY_PROC_H_ 7 8 #include <string> 9 #include <vector> 10 11 #include "base/feature_list.h" 12 #include "base/gtest_prod_util.h" 13 #include "base/memory/ref_counted.h" 14 #include "build/build_config.h" 15 #include "components/network_time/time_tracker/time_tracker.h" 16 #include "crypto/crypto_buildflags.h" 17 #include "net/base/hash_value.h" 18 #include "net/base/ip_address.h" 19 #include "net/base/net_export.h" 20 #include "net/cert/ct_log_verifier.h" 21 #include "net/cert/ct_policy_enforcer.h" 22 #include "net/cert/ct_verifier.h" 23 #include "net/net_buildflags.h" 24 #include "third_party/boringssl/src/pki/parsed_certificate.h" 25 26 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 27 #include "net/cert/internal/trust_store_chrome.h" 28 #endif 29 30 namespace net { 31 32 class CertNetFetcher; 33 class CertVerifyResult; 34 class CRLSet; 35 class NetLogWithSource; 36 class X509Certificate; 37 typedef std::vector<scoped_refptr<X509Certificate>> CertificateList; 38 39 // Class to perform certificate path building and verification for various 40 // certificate uses. All methods of this class must be thread-safe, as they 41 // may be called from various non-joinable worker threads. 42 class NET_EXPORT CertVerifyProc 43 : public base::RefCountedThreadSafe<CertVerifyProc> { 44 public: 45 enum VerifyFlags { 46 // If set, enables online revocation checking via CRLs and OCSP for the 47 // certificate chain. 48 // Note: has no effect if VERIFY_DISABLE_NETWORK_FETCHES is set. 49 VERIFY_REV_CHECKING_ENABLED = 1 << 0, 50 51 // If set, this is equivalent to VERIFY_REV_CHECKING_ENABLED, in that it 52 // enables online revocation checking via CRLs or OCSP, but only 53 // for certificates issued by non-public trust anchors. Failure to check 54 // revocation is treated as a hard failure. 55 // Note: has no effect if VERIFY_DISABLE_NETWORK_FETCHES is set. 56 VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS = 1 << 1, 57 58 // If set, certificates with SHA-1 signatures will be allowed, but only if 59 // they are issued by non-public trust anchors. 60 VERIFY_ENABLE_SHA1_LOCAL_ANCHORS = 1 << 2, 61 62 // If set, disables the policy enforcement described at 63 // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html 64 VERIFY_DISABLE_SYMANTEC_ENFORCEMENT = 1 << 3, 65 66 // Disable network fetches during verification. This will override 67 // VERIFY_REV_CHECKING_ENABLED and 68 // VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS if they are also specified. 69 // (Note that this entirely disables the online revocation/AIA code paths. 70 // Theoretically we could still check for cached results.) 71 VERIFY_DISABLE_NETWORK_FETCHES = 1 << 4, 72 73 // Also update GetNetConstants() in net/log/net_log_util.cc when updating 74 // this enum. 75 VERIFY_FLAGS_LAST = VERIFY_DISABLE_NETWORK_FETCHES 76 }; 77 78 // The set factory parameters that are variable over time, but are expected to 79 // be consistent between multiple verifiers that are created. For example, 80 // CertNetFetcher is not in this struct as it is expected that different 81 // verifiers will have different net fetchers. (There is no technical 82 // restriction against creating different verifiers with different ImplParams, 83 // structuring the parameters this way just makes some APIs more convenient 84 // for the common case.) 85 struct NET_EXPORT ImplParams { 86 ImplParams(); 87 ~ImplParams(); 88 ImplParams(const ImplParams&); 89 ImplParams& operator=(const ImplParams& other); 90 ImplParams(ImplParams&&); 91 ImplParams& operator=(ImplParams&& other); 92 93 scoped_refptr<CRLSet> crl_set; 94 std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs; 95 scoped_refptr<net::CTPolicyEnforcer> ct_policy_enforcer; 96 std::optional<network_time::TimeTracker> time_tracker; 97 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 98 std::optional<net::ChromeRootStoreData> root_store_data; 99 #endif 100 #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL) 101 bool use_chrome_root_store; 102 #endif 103 }; 104 105 // CIDR, consisting of an IP and a netmask. 106 struct NET_EXPORT CIDR { 107 net::IPAddress ip; 108 net::IPAddress mask; 109 }; 110 111 // Single certificate, with constraints. 112 struct NET_EXPORT CertificateWithConstraints { 113 CertificateWithConstraints(); 114 ~CertificateWithConstraints(); 115 CertificateWithConstraints(const CertificateWithConstraints&); 116 CertificateWithConstraints& operator=( 117 const CertificateWithConstraints& other); 118 CertificateWithConstraints(CertificateWithConstraints&&); 119 CertificateWithConstraints& operator=(CertificateWithConstraints&& other); 120 121 std::shared_ptr<const bssl::ParsedCertificate> certificate; 122 123 std::vector<std::string> permitted_dns_names; 124 125 std::vector<CIDR> permitted_cidrs; 126 }; 127 128 // The set of parameters that are variable over time and can differ between 129 // different verifiers created by a CertVerifierProcFactory. 130 struct NET_EXPORT InstanceParams { 131 InstanceParams(); 132 ~InstanceParams(); 133 InstanceParams(const InstanceParams&); 134 InstanceParams& operator=(const InstanceParams& other); 135 InstanceParams(InstanceParams&&); 136 InstanceParams& operator=(InstanceParams&& other); 137 138 // Additional trust anchors to consider during path validation. Ordinarily, 139 // implementations of CertVerifier use trust anchors from the configured 140 // system store. This is implementation-specific plumbing for passing 141 // additional anchors through. 142 bssl::ParsedCertificateList additional_trust_anchors; 143 144 // Same as additional_trust_anchors, but embedded anchor constraints and 145 // NotBefore/NotAfter are enforced. 146 bssl::ParsedCertificateList 147 additional_trust_anchors_with_enforced_constraints; 148 149 // Additional trust anchors to consider during path validation, but with 150 // name constraints specified outside of the certificate. 151 std::vector<CertificateWithConstraints> 152 additional_trust_anchors_with_constraints; 153 154 // Additional trust leafs to consider during path validation, possibly with 155 // name constraints specified outside of the certificate. 156 std::vector<CertificateWithConstraints> additional_trust_leafs; 157 158 // Additional trust anchors/leafs to consider during path validation, 159 // possibly with name constraints specified outside of the certificate. 160 std::vector<CertificateWithConstraints> additional_trust_anchors_and_leafs; 161 162 // Additional temporary certs to consider as intermediates during path 163 // validation. Ordinarily, implementations of CertVerifier use intermediate 164 // certs from the configured system store. This is implementation-specific 165 // plumbing for passing additional intermediates through. 166 bssl::ParsedCertificateList additional_untrusted_authorities; 167 168 // Additional SPKIs to consider as distrusted during path validation. 169 std::vector<std::vector<uint8_t>> additional_distrusted_spkis; 170 171 #if !BUILDFLAG(IS_CHROMEOS) 172 // If true, use the user-added certs in the system trust store for path 173 // validation. 174 // This only has an impact if the Chrome Root Store is being used. 175 bool include_system_trust_store = true; 176 #endif 177 }; 178 179 // These values are persisted to logs. Entries should not be renumbered and 180 // numeric values should never be reused. 181 enum class NameNormalizationResult { 182 kError = 0, 183 kByteEqual = 1, 184 kNormalized = 2, 185 kChainLengthOne = 3, 186 kMaxValue = kChainLengthOne 187 }; 188 189 #if !(BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || \ 190 BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(CHROME_ROOT_STORE_ONLY)) 191 // Creates and returns a CertVerifyProc that uses the system verifier. 192 // |cert_net_fetcher| may not be used, depending on the implementation. 193 static scoped_refptr<CertVerifyProc> CreateSystemVerifyProc( 194 scoped_refptr<CertNetFetcher> cert_net_fetcher, 195 scoped_refptr<CRLSet> crl_set); 196 #endif 197 198 #if BUILDFLAG(IS_FUCHSIA) 199 // Creates and returns a CertVerifyProcBuiltin using the SSL SystemTrustStore. 200 static scoped_refptr<CertVerifyProc> CreateBuiltinVerifyProc( 201 scoped_refptr<CertNetFetcher> cert_net_fetcher, 202 scoped_refptr<CRLSet> crl_set, 203 std::unique_ptr<CTVerifier> ct_verifier, 204 scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer, 205 const InstanceParams instance_params, 206 std::optional<network_time::TimeTracker> time_tracker); 207 #endif 208 209 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 210 // Creates and returns a CertVerifyProcBuiltin using the Chrome Root Store 211 // SystemTrustStore and the given |root_store_data|, which may be nullptr to 212 // use the default. 213 static scoped_refptr<CertVerifyProc> CreateBuiltinWithChromeRootStore( 214 scoped_refptr<CertNetFetcher> cert_net_fetcher, 215 scoped_refptr<CRLSet> crl_set, 216 std::unique_ptr<CTVerifier> ct_verifier, 217 scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer, 218 const ChromeRootStoreData* root_store_data, 219 const InstanceParams instance_params, 220 std::optional<network_time::TimeTracker> time_tracker); 221 #endif 222 223 CertVerifyProc(const CertVerifyProc&) = delete; 224 CertVerifyProc& operator=(const CertVerifyProc&) = delete; 225 226 // Verifies the certificate against the given hostname as an SSL server 227 // certificate. Returns OK if successful or an error code upon failure. 228 // 229 // The |*verify_result| structure, including the |verify_result->cert_status| 230 // bitmask, is always filled out regardless of the return value. If the 231 // certificate has multiple errors, the corresponding status flags are set in 232 // |verify_result->cert_status|, and the error code for the most serious 233 // error is returned. 234 // 235 // |ocsp_response|, if non-empty, is a stapled OCSP response to use. 236 // 237 // |sct_list|, if non-empty, is a SignedCertificateTimestampList from the TLS 238 // extension as described in RFC6962 section 3.3.1. 239 // 240 // |flags| is bitwise OR'd of VerifyFlags: 241 // 242 // If |time_now| is set it will be used as the current time, otherwise the 243 // system time will be used. 244 // 245 // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate 246 // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet 247 // based revocation checking is always enabled, regardless of this flag. 248 int Verify(X509Certificate* cert, 249 const std::string& hostname, 250 const std::string& ocsp_response, 251 const std::string& sct_list, 252 int flags, 253 CertVerifyResult* verify_result, 254 const NetLogWithSource& net_log); 255 256 protected: 257 explicit CertVerifyProc(scoped_refptr<CRLSet> crl_set); 258 virtual ~CertVerifyProc(); 259 crl_set()260 CRLSet* crl_set() const { return crl_set_.get(); } 261 262 // Record a histogram of whether Name normalization was used in verifying the 263 // chain. This should only be called for successfully validated chains. 264 static void LogNameNormalizationResult(const std::string& histogram_suffix, 265 NameNormalizationResult result); 266 267 // Record a histogram of whether Name normalization was used in verifying the 268 // chain. This should only be called for successfully validated chains. 269 static void LogNameNormalizationMetrics(const std::string& histogram_suffix, 270 X509Certificate* verified_cert, 271 bool is_issued_by_known_root); 272 273 private: 274 friend class base::RefCountedThreadSafe<CertVerifyProc>; 275 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts); 276 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity); 277 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, 278 VerifyRejectsSHA1AfterDeprecationLegacyMode); 279 FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, SymantecCertsRejected); 280 281 // Performs the actual verification using the desired underlying 282 // 283 // On entry, |verify_result| will be default-initialized as a successful 284 // validation, with |verify_result->verified_cert| set to |cert|. 285 // 286 // Implementations are expected to fill in all applicable fields, excluding: 287 // 288 // * ocsp_result 289 // * has_sha1 290 // 291 // which will be filled in by |Verify()|. If an error code is returned, 292 // |verify_result->cert_status| should be non-zero, indicating an 293 // error occurred. 294 // 295 // If |time_now| is not nullopt, it will be used as the current time for 296 // certificate verification, if it is nullopt, the system time will be used 297 // instead. If a certificate verification fails with a NotBefore/NotAfter 298 // error when |time_now| is set, it will be retried with the system time. 299 // 300 // On success, net::OK should be returned, with |verify_result| updated to 301 // reflect the successfully verified chain. 302 virtual int VerifyInternal(X509Certificate* cert, 303 const std::string& hostname, 304 const std::string& ocsp_response, 305 const std::string& sct_list, 306 int flags, 307 CertVerifyResult* verify_result, 308 const NetLogWithSource& net_log) = 0; 309 310 // HasNameConstraintsViolation returns true iff one of |public_key_hashes| 311 // (which are hashes of SubjectPublicKeyInfo structures) has name constraints 312 // imposed on it and the names in |dns_names| are not permitted. 313 static bool HasNameConstraintsViolation( 314 const HashValueVector& public_key_hashes, 315 const std::string& common_name, 316 const std::vector<std::string>& dns_names, 317 const std::vector<std::string>& ip_addrs); 318 319 // Checks the validity period of the certificate against the maximum 320 // allowable validity period for publicly trusted certificates. Returns true 321 // if the validity period is too long. 322 static bool HasTooLongValidity(const X509Certificate& cert); 323 324 const scoped_refptr<CRLSet> crl_set_; 325 }; 326 327 // Factory for creating new CertVerifyProcs when they need to be updated. 328 class NET_EXPORT CertVerifyProcFactory 329 : public base::RefCountedThreadSafe<CertVerifyProcFactory> { 330 public: 331 332 // Create a new CertVerifyProc that uses the passed in CRLSet and 333 // ChromeRootStoreData. 334 virtual scoped_refptr<CertVerifyProc> CreateCertVerifyProc( 335 scoped_refptr<CertNetFetcher> cert_net_fetcher, 336 const CertVerifyProc::ImplParams& impl_params, 337 const CertVerifyProc::InstanceParams& instance_params) = 0; 338 339 protected: 340 virtual ~CertVerifyProcFactory() = default; 341 342 private: 343 friend class base::RefCountedThreadSafe<CertVerifyProcFactory>; 344 }; 345 346 } // namespace net 347 348 #endif // NET_CERT_CERT_VERIFY_PROC_H_ 349