1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/dns_cert_provenance_checker.h"
6
7 #if !defined(USE_OPENSSL)
8
9 #include <nspr.h>
10
11 #include <hasht.h>
12 #include <keyhi.h>
13 #include <pk11pub.h>
14 #include <sechash.h>
15
16 #include <set>
17 #include <string>
18
19 #include "base/base64.h"
20 #include "base/basictypes.h"
21 #include "base/lazy_instance.h"
22 #include "base/memory/scoped_ptr.h"
23 #include "base/pickle.h"
24 #include "base/threading/non_thread_safe.h"
25 #include "crypto/encryptor.h"
26 #include "crypto/symmetric_key.h"
27 #include "net/base/completion_callback.h"
28 #include "net/base/dns_util.h"
29 #include "net/base/dnsrr_resolver.h"
30 #include "net/base/net_errors.h"
31 #include "net/base/net_log.h"
32
33 namespace net {
34
35 namespace {
36
37 // A DER encoded SubjectPublicKeyInfo structure containing the server's public
38 // key.
39 const uint8 kServerPublicKey[] = {
40 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
41 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
42 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4,
43 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0,
44 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66,
45 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04,
46 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1,
47 };
48
49 const unsigned kMaxUploadsPerSession = 10;
50
51 // DnsCertLimits is a singleton class which keeps track of which hosts we have
52 // uploaded reports for in this session. Since some users will be behind MITM
53 // proxies, they would otherwise upload for every host and we don't wish to
54 // spam the upload server.
55 class DnsCertLimits {
56 public:
DnsCertLimits()57 DnsCertLimits() { }
58
59 // HaveReachedMaxUploads returns true iff we have uploaded the maximum number
60 // of DNS certificate reports for this session.
HaveReachedMaxUploads()61 bool HaveReachedMaxUploads() {
62 return uploaded_hostnames_.size() >= kMaxUploadsPerSession;
63 }
64
65 // HaveReachedMaxUploads returns true iff we have already uploaded a report
66 // about the given hostname in this session.
HaveUploadedForHostname(const std::string & hostname)67 bool HaveUploadedForHostname(const std::string& hostname) {
68 return uploaded_hostnames_.count(hostname) > 0;
69 }
70
DidUpload(const std::string & hostname)71 void DidUpload(const std::string& hostname) {
72 uploaded_hostnames_.insert(hostname);
73 }
74
75 private:
76 friend struct base::DefaultLazyInstanceTraits<DnsCertLimits>;
77
78 std::set<std::string> uploaded_hostnames_;
79
80 DISALLOW_COPY_AND_ASSIGN(DnsCertLimits);
81 };
82
83 static base::LazyInstance<DnsCertLimits> g_dns_cert_limits(
84 base::LINKER_INITIALIZED);
85
86 // DnsCertProvenanceCheck performs the DNS lookup of the certificate. This
87 // class is self-deleting.
88 class DnsCertProvenanceCheck : public base::NonThreadSafe {
89 public:
DnsCertProvenanceCheck(const std::string & hostname,DnsRRResolver * dnsrr_resolver,DnsCertProvenanceChecker::Delegate * delegate,const std::vector<base::StringPiece> & der_certs)90 DnsCertProvenanceCheck(
91 const std::string& hostname,
92 DnsRRResolver* dnsrr_resolver,
93 DnsCertProvenanceChecker::Delegate* delegate,
94 const std::vector<base::StringPiece>& der_certs)
95 : hostname_(hostname),
96 dnsrr_resolver_(dnsrr_resolver),
97 delegate_(delegate),
98 der_certs_(der_certs.size()),
99 handle_(DnsRRResolver::kInvalidHandle),
100 ALLOW_THIS_IN_INITIALIZER_LIST(callback_(
101 this, &DnsCertProvenanceCheck::ResolutionComplete)) {
102 for (size_t i = 0; i < der_certs.size(); i++)
103 der_certs_[i] = der_certs[i].as_string();
104 }
105
Start()106 void Start() {
107 DCHECK(CalledOnValidThread());
108
109 if (der_certs_.empty())
110 return;
111
112 DnsCertLimits* const limits = g_dns_cert_limits.Pointer();
113 if (limits->HaveReachedMaxUploads() ||
114 limits->HaveUploadedForHostname(hostname_)) {
115 return;
116 }
117
118 uint8 fingerprint[SHA1_LENGTH];
119 SECStatus rv = HASH_HashBuf(
120 HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(),
121 der_certs_[0].size());
122 DCHECK_EQ(SECSuccess, rv);
123 char fingerprint_hex[SHA1_LENGTH * 2 + 1];
124 for (unsigned i = 0; i < sizeof(fingerprint); i++) {
125 static const char hextable[] = "0123456789abcdef";
126 fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4];
127 fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15];
128 }
129 fingerprint_hex[SHA1_LENGTH * 2] = 0;
130
131 static const char kBaseCertName[] = ".certs.googlednstest.com";
132 domain_.assign(fingerprint_hex);
133 domain_.append(kBaseCertName);
134
135 handle_ = dnsrr_resolver_->Resolve(
136 domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_,
137 0 /* priority */, BoundNetLog());
138 if (handle_ == DnsRRResolver::kInvalidHandle) {
139 LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_;
140 delete this;
141 }
142 }
143
144 private:
ResolutionComplete(int status)145 void ResolutionComplete(int status) {
146 DCHECK(CalledOnValidThread());
147
148 if (status == ERR_NAME_NOT_RESOLVED ||
149 (status == OK && response_.rrdatas.empty())) {
150 LOG(ERROR) << "FAILED"
151 << " hostname:" << hostname_
152 << " domain:" << domain_;
153 g_dns_cert_limits.Get().DidUpload(hostname_);
154 LogCertificates(der_certs_);
155 delegate_->OnDnsCertLookupFailed(hostname_, der_certs_);
156 } else if (status == OK) {
157 LOG(ERROR) << "GOOD"
158 << " hostname:" << hostname_
159 << " resp:" << response_.rrdatas[0];
160 } else {
161 LOG(ERROR) << "Unknown error " << status << " for " << domain_;
162 }
163
164 delete this;
165 }
166
167 // LogCertificates writes a certificate chain, in PEM format, to LOG(ERROR).
LogCertificates(const std::vector<std::string> & der_certs)168 static void LogCertificates(
169 const std::vector<std::string>& der_certs) {
170 std::string dump;
171 bool first = true;
172
173 for (std::vector<std::string>::const_iterator
174 i = der_certs.begin(); i != der_certs.end(); i++) {
175 if (!first)
176 dump += "\n";
177 first = false;
178
179 dump += "-----BEGIN CERTIFICATE-----\n";
180 std::string b64_encoded;
181 base::Base64Encode(*i, &b64_encoded);
182 for (size_t i = 0; i < b64_encoded.size();) {
183 size_t todo = b64_encoded.size() - i;
184 if (todo > 64)
185 todo = 64;
186 dump += b64_encoded.substr(i, todo);
187 dump += "\n";
188 i += todo;
189 }
190 dump += "-----END CERTIFICATE-----";
191 }
192
193 LOG(ERROR) << "Offending certificates:\n" << dump;
194 }
195
196 const std::string hostname_;
197 std::string domain_;
198 DnsRRResolver* dnsrr_resolver_;
199 DnsCertProvenanceChecker::Delegate* const delegate_;
200 std::vector<std::string> der_certs_;
201 RRResponse response_;
202 DnsRRResolver::Handle handle_;
203 CompletionCallbackImpl<DnsCertProvenanceCheck> callback_;
204 };
205
GetServerPubKey()206 SECKEYPublicKey* GetServerPubKey() {
207 SECItem der;
208 memset(&der, 0, sizeof(der));
209 der.data = const_cast<uint8*>(kServerPublicKey);
210 der.len = sizeof(kServerPublicKey);
211
212 CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
213 SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki);
214 SECKEY_DestroySubjectPublicKeyInfo(spki);
215
216 return public_key;
217 }
218
219 } // namespace
220
~Delegate()221 DnsCertProvenanceChecker::Delegate::~Delegate() {
222 }
223
~DnsCertProvenanceChecker()224 DnsCertProvenanceChecker::~DnsCertProvenanceChecker() {
225 }
226
DoAsyncLookup(const std::string & hostname,const std::vector<base::StringPiece> & der_certs,DnsRRResolver * dnsrr_resolver,Delegate * delegate)227 void DnsCertProvenanceChecker::DoAsyncLookup(
228 const std::string& hostname,
229 const std::vector<base::StringPiece>& der_certs,
230 DnsRRResolver* dnsrr_resolver,
231 Delegate* delegate) {
232 DnsCertProvenanceCheck* check = new DnsCertProvenanceCheck(
233 hostname, dnsrr_resolver, delegate, der_certs);
234 check->Start();
235 }
236
237 // static
BuildEncryptedReport(const std::string & hostname,const std::vector<std::string> & der_certs)238 std::string DnsCertProvenanceChecker::BuildEncryptedReport(
239 const std::string& hostname,
240 const std::vector<std::string>& der_certs) {
241 static const int kVersion = 0;
242 static const unsigned kKeySizeInBytes = 16; // AES-128
243 static const unsigned kIVSizeInBytes = 16; // AES's block size
244 static const unsigned kPadSize = 4096; // we pad up to 4KB,
245 // This is a DER encoded, ANSI X9.62 CurveParams object which simply
246 // specifies P256.
247 static const uint8 kANSIX962CurveParams[] = {
248 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
249 };
250
251 Pickle p;
252 p.WriteString(hostname);
253 p.WriteInt(der_certs.size());
254 for (std::vector<std::string>::const_iterator
255 i = der_certs.begin(); i != der_certs.end(); i++) {
256 p.WriteString(*i);
257 }
258 // We pad to eliminate the possibility that someone could see the size of
259 // an upload and use that information to reduce the anonymity set of the
260 // certificate chain.
261 // The "2*sizeof(uint32)" here covers the padding length which we add next
262 // and Pickle's internal length which it includes at the beginning of the
263 // data.
264 unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize);
265 p.WriteUInt32(pad_bytes);
266 char* padding = new char[pad_bytes];
267 memset(padding, 0, pad_bytes);
268 p.WriteData(padding, pad_bytes);
269 delete[] padding;
270
271 // We generate a random public value and perform a DH key agreement with
272 // the server's fixed value.
273 SECKEYPublicKey* pub_key = NULL;
274 SECKEYPrivateKey* priv_key = NULL;
275 SECItem ec_der_params;
276 memset(&ec_der_params, 0, sizeof(ec_der_params));
277 ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams);
278 ec_der_params.len = sizeof(kANSIX962CurveParams);
279 priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL);
280 SECKEYPublicKey* server_pub_key = GetServerPubKey();
281
282 // This extracts the big-endian, x value of the shared point.
283 // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS
284 // 3.12.8's lib/ssl/ssl3ecc.c
285 PK11SymKey* pms = PK11_PubDeriveWithKDF(
286 priv_key, server_pub_key, PR_FALSE /* is sender */,
287 NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE,
288 CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */,
289 CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */);
290 SECKEY_DestroyPublicKey(server_pub_key);
291 SECStatus rv = PK11_ExtractKeyValue(pms);
292 DCHECK_EQ(SECSuccess, rv);
293 SECItem* x_data = PK11_GetKeyData(pms);
294
295 // The key and IV are 128-bits and generated from a SHA256 hash of the x
296 // value.
297 char key_data[SHA256_LENGTH];
298 HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data),
299 x_data->data, x_data->len);
300 PK11_FreeSymKey(pms);
301
302 DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes);
303 std::string raw_key(key_data, kKeySizeInBytes);
304
305 scoped_ptr<crypto::SymmetricKey> symkey(
306 crypto::SymmetricKey::Import(crypto::SymmetricKey::AES, raw_key));
307 std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes);
308
309 crypto::Encryptor encryptor;
310 bool r = encryptor.Init(symkey.get(), crypto::Encryptor::CBC, iv);
311 CHECK(r);
312
313 std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size());
314 std::string ciphertext;
315 encryptor.Encrypt(plaintext, &ciphertext);
316
317 // We use another Pickle object to serialise the 'outer' wrapping of the
318 // plaintext.
319 Pickle outer;
320 outer.WriteInt(kVersion);
321
322 SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key);
323 outer.WriteString(
324 std::string(reinterpret_cast<char*>(pub_key_serialized->data),
325 pub_key_serialized->len));
326 SECITEM_FreeItem(pub_key_serialized, PR_TRUE);
327
328 outer.WriteString(ciphertext);
329
330 SECKEY_DestroyPublicKey(pub_key);
331 SECKEY_DestroyPrivateKey(priv_key);
332
333 return std::string(reinterpret_cast<const char*>(outer.data()),
334 outer.size());
335 }
336
337 } // namespace net
338
339 #else // USE_OPENSSL
340
341 namespace net {
342
~Delegate()343 DnsCertProvenanceChecker::Delegate::~Delegate() {
344 }
345
~DnsCertProvenanceChecker()346 DnsCertProvenanceChecker::~DnsCertProvenanceChecker() {
347 }
348
DoAsyncLookup(const std::string & hostname,const std::vector<base::StringPiece> & der_certs,DnsRRResolver * dnsrr_resolver,Delegate * delegate)349 void DnsCertProvenanceChecker::DoAsyncLookup(
350 const std::string& hostname,
351 const std::vector<base::StringPiece>& der_certs,
352 DnsRRResolver* dnsrr_resolver,
353 Delegate* delegate) {
354 }
355
BuildEncryptedReport(const std::string & hostname,const std::vector<std::string> & der_certs)356 std::string DnsCertProvenanceChecker::BuildEncryptedReport(
357 const std::string& hostname,
358 const std::vector<std::string>& der_certs) {
359 return "";
360 }
361
362 } // namespace net
363
364 #endif // USE_OPENSSL
365