chromium/content/browser/web_package/signed_exchange_signature_verifier.cc

// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/web_package/signed_exchange_signature_verifier.h"

#include <array>
#include <string>
#include <string_view>
#include <vector>

#include "base/containers/span.h"
#include "base/format_macros.h"
#include "base/metrics/histogram_macros.h"
#include "base/numerics/byte_conversions.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/time/time.h"
#include "base/trace_event/trace_event.h"
#include "content/browser/web_package/signed_exchange_certificate_chain.h"
#include "content/browser/web_package/signed_exchange_consts.h"
#include "content/browser/web_package/signed_exchange_envelope.h"
#include "content/browser/web_package/signed_exchange_signature_header_field.h"
#include "content/browser/web_package/signed_exchange_utils.h"
#include "content/public/browser/content_browser_client.h"
#include "crypto/signature_verifier.h"
#include "net/cert/asn1_util.h"
#include "net/cert/x509_util.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
#include "third_party/boringssl/src/include/openssl/ec.h"
#include "third_party/boringssl/src/include/openssl/ec_key.h"
#include "third_party/boringssl/src/include/openssl/evp.h"

namespace content {

namespace {

// https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#signature-validity
// Step 5. "Let message be the concatenation of the following byte strings."
//
// This constant is the fixed prefix of that message:
//   5.1. "A string that consists of octet 32 (0x20) repeated 64 times."
//   5.2. "A context string: the ASCII encoding of "HTTP Exchange 1"." ...
//        "but implementations of drafts MUST NOT use it and MUST use another
//        draft-specific string beginning with "HTTP Exchange 1 " instead."
//        The draft-specific string used here is "HTTP Exchange 1 b3".
//   5.3. "A single 0 byte which serves as a separator."
//
// No explicit "\0" is written for 5.3: the separator is the terminating NUL
// that the string literal contributes to the array. The array is therefore
// 64 + 18 + 1 = 83 bytes, and any consumer has to take its full extent
// (sizeof, or a span over the array) rather than strlen(), or the separator
// is dropped from the signed message.
constexpr uint8_t kMessageHeader[] =
    // 5.1: 8 rows of 8 octets, each 0x20.
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    "\x20\x20\x20\x20\x20\x20\x20\x20"
    // 5.2: draft-specific context string; its implicit NUL is the 5.3 byte.
    "HTTP Exchange 1 b3";

// Two named durations.
// NOTE(review): both initializers are elided in this listing ("=;"), so the
// actual values cannot be confirmed here. The names suggest 7 and 28 days, and
// they presumably bound the signature validity window checked further down in
// this file — verify both against the full source.
constexpr base::TimeDelta kOneWeek =;
constexpr base::TimeDelta kFourWeeks =;

// From the signature: maps |cert| to a
// crypto::SignatureVerifier::SignatureAlgorithm, or to an empty optional.
// NOTE(review): the body is elided in this listing. Presumably the algorithm
// is derived from the certificate's public key and rejections are reported
// through |devtools_proxy| — confirm against the full source. An empty
// optional should be handled by the caller as a verification failure, never
// by substituting a default algorithm.
std::optional<crypto::SignatureVerifier::SignatureAlgorithm>
GetSignatureAlgorithm(scoped_refptr<net::X509Certificate> cert,
                      SignedExchangeDevToolsProxy* devtools_proxy) {}

// From the signature: takes the signature bytes |sig|, the message bytes
// |msg|, the certificate |cert| and the chosen |algorithm|, and returns a
// bool.
// NOTE(review): the body is elided in this listing. Presumably true means
// |sig| is a valid signature over |msg| under the public key of |cert|, and
// failures are reported through |devtools_proxy| — confirm. Both spans are
// attacker-supplied input in a signed exchange, so the full source should be
// checked for how empty or oversized spans are rejected.
bool VerifySignature(base::span<const uint8_t> sig,
                     base::span<const uint8_t> msg,
                     scoped_refptr<net::X509Certificate> cert,
                     crypto::SignatureVerifier::SignatureAlgorithm algorithm,
                     SignedExchangeDevToolsProxy* devtools_proxy) {}

// From the signature: produces a std::string from the bytes of |msg|.
// NOTE(review): the body is elided in this listing. The name suggests a
// hexadecimal rendering for diagnostics (trace/DevTools output) — confirm,
// and confirm that it is not used on any verification path.
std::string HexDump(const std::vector<uint8_t>& msg) {}

// From the name and signature: appends the 64-bit value |n| to |*buf| as 8
// bytes, most significant byte first.
// NOTE(review): the body is elided in this listing, so the byte order and the
// handling of a null |buf| cannot be confirmed here — verify against the full
// source. The signed message is length-prefixed with such fields, so the
// encoding must match the spec exactly or valid signatures will not verify.
void AppendToBuf8BytesBigEndian(std::vector<uint8_t>* buf, uint64_t n) {}

// From the signature: builds a byte vector from |envelope| for the given
// signed-exchange |version|.
// NOTE(review): the body is elided in this listing. Presumably this is the
// "message" of Step 5 of the signature-validity algorithm, starting with
// kMessageHeader — confirm. If so, the header must be appended with its full
// array size so that the trailing 0 separator byte (5.3) is included.
std::vector<uint8_t> GenerateSignedMessage(
    SignedExchangeVersion version,
    const SignedExchangeEnvelope& envelope) {}

// From the name and signature: converts the unsigned 64-bit Unix time |t|
// into a base::Time.
// NOTE(review): the body is elided in this listing. |t| presumably comes from
// the signature's date/expires parameters and is therefore attacker-chosen;
// confirm that values too large for base::Time are handled without overflow
// rather than wrapping into a time that looks valid.
base::Time TimeFromSignedExchangeUnixTime(uint64_t t) {}

// From the signature: evaluates |envelope| alone (no clock input) and returns
// a SignedExchangeSignatureVerifier::Result.
// NOTE(review): the body is elided in this listing. The name suggests a check
// on the length of the signature's validity window (expires minus date),
// presumably against kOneWeek or kFourWeeks — confirm which limit applies
// and how an expires value earlier than date is treated.
SignedExchangeSignatureVerifier::Result VerifyValidityPeriod(
    const SignedExchangeEnvelope& envelope) {}

// Implements "Signature validity" of
// https://wicg.github.io/webpackage/draft-yasskin-httpbis-origin-signed-exchanges-impl.html#signature-validity
//
// From the signature: evaluates |envelope| against the caller-supplied
// |verification_time| and returns a SignedExchangeSignatureVerifier::Result.
// NOTE(review): the body is elided in this listing. Presumably it rejects a
// signature whose date is after, or whose expires is before,
// |verification_time| — confirm the exact comparisons (inclusive or
// exclusive) against the full source. The time is a parameter rather than
// read from the clock here, so its trustworthiness is the caller's concern.
SignedExchangeSignatureVerifier::Result VerifyTimestamps(
    const SignedExchangeEnvelope& envelope,
    const base::Time& verification_time) {}

}  // namespace

// Public entry point of this file: returns a Result for the signature carried
// by |envelope|.
//
// Parameters, as far as the signature shows:
//   version            - signed-exchange version.
//   envelope           - the parsed exchange whose signature is examined.
//   cert_chain         - pointer to the certificate chain.
//   verification_time  - the time the signature is evaluated against.
//   devtools_proxy     - pointer to the DevTools reporting proxy.
//
// NOTE(review): the body is elided in this listing, so the order of the
// checks cannot be confirmed here. Presumably it combines the timestamp and
// validity-period checks, the algorithm selection, the message construction
// and the signature check defined in the anonymous namespace of this file —
// confirm. Also confirm how a null |cert_chain| or |devtools_proxy| is
// handled, and that every failing step returns a non-success Result instead
// of falling through.
SignedExchangeSignatureVerifier::Result SignedExchangeSignatureVerifier::Verify(
    SignedExchangeVersion version,
    const SignedExchangeEnvelope& envelope,
    const SignedExchangeCertificateChain* cert_chain,
    const base::Time& verification_time,
    SignedExchangeDevToolsProxy* devtools_proxy) {}

}  // namespace content