• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2015 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifdef UNSAFE_BUFFERS_BUILD
6 // TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
7 #pragma allow_unsafe_buffers
8 #endif
9 
10 #include "net/ssl/ssl_platform_key_nss.h"
11 
12 #include <cert.h>
13 #include <keyhi.h>
14 #include <pk11pub.h>
15 #include <prerror.h>
16 #include <secmodt.h>
17 
18 #include <memory>
19 #include <utility>
20 
21 #include "base/logging.h"
22 #include "base/strings/stringprintf.h"
23 #include "base/threading/scoped_blocking_call.h"
24 #include "crypto/nss_crypto_module_delegate.h"
25 #include "crypto/scoped_nss_types.h"
26 #include "net/cert/x509_certificate.h"
27 #include "net/ssl/ssl_platform_key_util.h"
28 #include "net/ssl/ssl_private_key.h"
29 #include "net/ssl/threaded_ssl_private_key.h"
30 #include "third_party/boringssl/src/include/openssl/bn.h"
31 #include "third_party/boringssl/src/include/openssl/bytestring.h"
32 #include "third_party/boringssl/src/include/openssl/ec.h"
33 #include "third_party/boringssl/src/include/openssl/ec_key.h"
34 #include "third_party/boringssl/src/include/openssl/ecdsa.h"
35 #include "third_party/boringssl/src/include/openssl/evp.h"
36 #include "third_party/boringssl/src/include/openssl/mem.h"
37 #include "third_party/boringssl/src/include/openssl/nid.h"
38 #include "third_party/boringssl/src/include/openssl/rsa.h"
39 #include "third_party/boringssl/src/include/openssl/ssl.h"
40 
41 namespace net {
42 
43 namespace {
44 
LogPRError(const char * message)45 void LogPRError(const char* message) {
46   PRErrorCode err = PR_GetError();
47   const char* err_name = PR_ErrorToName(err);
48   if (err_name == nullptr)
49     err_name = "";
50   LOG(ERROR) << message << ": " << err << " (" << err_name << ")";
51 }
52 
53 class SSLPlatformKeyNSS : public ThreadedSSLPrivateKey::Delegate {
54  public:
SSLPlatformKeyNSS(int type,scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate,crypto::ScopedSECKEYPrivateKey key)55   SSLPlatformKeyNSS(int type,
56                     scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
57                         password_delegate,
58                     crypto::ScopedSECKEYPrivateKey key)
59       : type_(type),
60         password_delegate_(std::move(password_delegate)),
61         key_(std::move(key)),
62         supports_pss_(PK11_DoesMechanism(key_->pkcs11Slot, CKM_RSA_PKCS_PSS)) {}
63 
64   SSLPlatformKeyNSS(const SSLPlatformKeyNSS&) = delete;
65   SSLPlatformKeyNSS& operator=(const SSLPlatformKeyNSS&) = delete;
66 
67   ~SSLPlatformKeyNSS() override = default;
68 
GetProviderName()69   std::string GetProviderName() override {
70     // This logic accesses fields directly on the struct, so it may run on any
71     // thread without caching.
72     return base::StringPrintf("%s, %s",
73                               PK11_GetModule(key_->pkcs11Slot)->commonName,
74                               PK11_GetSlotName(key_->pkcs11Slot));
75   }
76 
GetAlgorithmPreferences()77   std::vector<uint16_t> GetAlgorithmPreferences() override {
78     return SSLPrivateKey::DefaultAlgorithmPreferences(type_, supports_pss_);
79   }
80 
Sign(uint16_t algorithm,base::span<const uint8_t> input,std::vector<uint8_t> * signature)81   Error Sign(uint16_t algorithm,
82              base::span<const uint8_t> input,
83              std::vector<uint8_t>* signature) override {
84     const EVP_MD* md = SSL_get_signature_algorithm_digest(algorithm);
85     uint8_t digest[EVP_MAX_MD_SIZE];
86     unsigned digest_len;
87     if (!md || !EVP_Digest(input.data(), input.size(), digest, &digest_len, md,
88                            nullptr)) {
89       return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
90     }
91     SECItem digest_item;
92     digest_item.data = digest;
93     digest_item.len = digest_len;
94 
95     CK_MECHANISM_TYPE mechanism = PK11_MapSignKeyType(key_->keyType);
96     SECItem param = {siBuffer, nullptr, 0};
97     CK_RSA_PKCS_PSS_PARAMS pss_params;
98     bssl::UniquePtr<uint8_t> free_digest_info;
99     if (SSL_is_signature_algorithm_rsa_pss(algorithm)) {
100       switch (EVP_MD_type(md)) {
101         case NID_sha256:
102           pss_params.hashAlg = CKM_SHA256;
103           pss_params.mgf = CKG_MGF1_SHA256;
104           break;
105         case NID_sha384:
106           pss_params.hashAlg = CKM_SHA384;
107           pss_params.mgf = CKG_MGF1_SHA384;
108           break;
109         case NID_sha512:
110           pss_params.hashAlg = CKM_SHA512;
111           pss_params.mgf = CKG_MGF1_SHA512;
112           break;
113         default:
114           LOG(ERROR) << "Unexpected hash algorithm";
115           return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
116       }
117       // Use the hash length for the salt length.
118       pss_params.sLen = EVP_MD_size(md);
119       mechanism = CKM_RSA_PKCS_PSS;
120       param.data = reinterpret_cast<unsigned char*>(&pss_params);
121       param.len = sizeof(pss_params);
122     } else if (SSL_get_signature_algorithm_key_type(algorithm) ==
123                EVP_PKEY_RSA) {
124       // PK11_SignWithMechanism expects the caller to prepend the DigestInfo for
125       // PKCS #1.
126       int hash_nid = EVP_MD_type(SSL_get_signature_algorithm_digest(algorithm));
127       int is_alloced;
128       size_t prefix_len;
129       if (!RSA_add_pkcs1_prefix(&digest_item.data, &prefix_len, &is_alloced,
130                                 hash_nid, digest_item.data, digest_item.len)) {
131         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
132       }
133       digest_item.len = prefix_len;
134       if (is_alloced)
135         free_digest_info.reset(digest_item.data);
136     }
137 
138     {
139       const int len = PK11_SignatureLen(key_.get());
140       if (len <= 0) {
141         LogPRError("PK11_SignatureLen failed");
142         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
143       }
144       signature->resize(len);
145       SECItem signature_item;
146       signature_item.data = signature->data();
147       signature_item.len = signature->size();
148 
149       SECStatus rv = PK11_SignWithMechanism(key_.get(), mechanism, &param,
150                                             &signature_item, &digest_item);
151       if (rv != SECSuccess) {
152         LogPRError("PK11_SignWithMechanism failed");
153         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
154       }
155       signature->resize(signature_item.len);
156     }
157 
158     // NSS emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
159     // ECDSA-Sig-Value.
160     if (SSL_get_signature_algorithm_key_type(algorithm) == EVP_PKEY_EC) {
161       if (signature->size() % 2 != 0) {
162         LOG(ERROR) << "Bad signature length";
163         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
164       }
165       size_t order_len = signature->size() / 2;
166 
167       // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
168       bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
169       if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
170           !BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
171         return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
172       }
173 
174       {
175         const int len = i2d_ECDSA_SIG(sig.get(), nullptr);
176         if (len <= 0)
177           return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
178         signature->resize(len);
179       }
180 
181       {
182         uint8_t* ptr = signature->data();
183         const int len = i2d_ECDSA_SIG(sig.get(), &ptr);
184         if (len <= 0)
185           return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
186         signature->resize(len);
187       }
188     }
189 
190     return OK;
191   }
192 
193  private:
194   int type_;
195   // NSS retains a pointer to the password delegate, so retain a reference here
196   // to ensure the lifetimes are correct.
197   scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
198       password_delegate_;
199   crypto::ScopedSECKEYPrivateKey key_;
200   bool supports_pss_;
201 };
202 
203 }  // namespace
204 
FetchClientCertPrivateKey(const X509Certificate * certificate,CERTCertificate * cert_certificate,scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate> password_delegate)205 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
206     const X509Certificate* certificate,
207     CERTCertificate* cert_certificate,
208     scoped_refptr<crypto::CryptoModuleBlockingPasswordDelegate>
209         password_delegate) {
210   // This function may acquire the NSS lock or reenter this code via extension
211   // hooks (such as smart card UI). To ensure threads are not starved or
212   // deadlocked, the base::ScopedBlockingCall below increments the thread pool
213   // capacity if this method takes too much time to run.
214   base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
215                                                 base::BlockingType::MAY_BLOCK);
216 
217   void* wincx = password_delegate ? password_delegate->wincx() : nullptr;
218   crypto::ScopedSECKEYPrivateKey key(
219       PK11_FindKeyByAnyCert(cert_certificate, wincx));
220   if (!key)
221     return nullptr;
222 
223   int type;
224   size_t max_length;
225   if (!GetClientCertInfo(certificate, &type, &max_length))
226     return nullptr;
227 
228   // Note that key contains a reference to password_delegate->wincx() and may
229   // use it in PK11_Sign. Thus password_delegate must outlive key. We pass it
230   // into SSLPlatformKeyNSS to tie the lifetimes together. See
231   // https://crbug.com/779090.
232   return base::MakeRefCounted<ThreadedSSLPrivateKey>(
233       std::make_unique<SSLPlatformKeyNSS>(type, std::move(password_delegate),
234                                           std::move(key)),
235       GetSSLPlatformKeyTaskRunner());
236 }
237 
238 }  // namespace net
239