// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "cast/common/certificate/boringssl_trust_store.h" #include <openssl/asn1.h> #include <openssl/evp.h> #include <openssl/mem.h> #include <openssl/ossl_typ.h> #include <openssl/x509.h> #include <openssl/x509v3.h> #include <time.h> #include <chrono> #include <memory> #include <string> #include <string_view> #include <utility> #include "cast/common/certificate/boringssl_parsed_certificate.h" #include "cast/common/certificate/boringssl_util.h" #include "cast/common/certificate/date_time.h" #include "util/crypto/pem_helpers.h" #include "util/osp_logging.h" #include "util/stringprintf.h" namespace openscreen::cast { namespace { // ------------------------------------------------------------------------- // Cast trust anchors. // ------------------------------------------------------------------------- // There are two trusted roots for Cast certificate chains: // // (1) CN=Cast Root CA (kCastRootCaDer) // (2) CN=Eureka Root CA (kEurekaRootCaDer) // // These constants are defined by the files included next: #include "cast/common/certificate/cast_root_ca_cert_der-inc.h" #include "cast/common/certificate/eureka_root_ca_der-inc.h" // ------------------------------------------------------------------------- // Cast CRL trust anchors. // ------------------------------------------------------------------------- // There is one trusted root for Cast CRL certificate chains: // // (1) CN=Cast CRL Root CA (kCastCRLRootCaDer) // // These constants are defined by the file included next: #include "cast/common/certificate/cast_crl_root_ca_cert_der-inc.h" // Adds a trust anchor given a DER-encoded certificate from static // storage. template <size_t N> bssl::UniquePtr<X509> MakeTrustAnchor(const uint8_t (&data)[N]) { … } inline bssl::UniquePtr<X509> MakeTrustAnchor(const std::vector<uint8_t>& data) { … } constexpr static int32_t kMinRsaModulusLengthBits = …; // Stores intermediate state while attempting to find a valid certificate chain // from a set of trusted certificates to a target certificate. Together, a // sequence of these forms a certificate chain to be verified as well as a stack // that can be unwound for searching more potential paths. struct CertPathStep { … }; // These values are bit positions from RFC 5280 4.2.1.3 and will be passed to // ASN1_BIT_STRING_get_bit. enum KeyUsageBits { … }; bool CertInPath(X509_NAME* name, const std::vector<CertPathStep>& steps, uint32_t start, uint32_t stop) { … } bssl::UniquePtr<BASIC_CONSTRAINTS> GetConstraints(X509* issuer) { … } Error::Code VerifyCertTime(X509* cert, const DateTime& time) { … } bool VerifyPublicKeyLength(EVP_PKEY* public_key) { … } bssl::UniquePtr<ASN1_BIT_STRING> GetKeyUsage(X509* cert) { … } Error::Code VerifyCertificateChain(const std::vector<CertPathStep>& path, uint32_t step_index, const DateTime& time) { … } X509* ParseX509Der(const std::string& der) { … } } // namespace // static std::unique_ptr<TrustStore> TrustStore::CreateInstanceFromPemFile( std::string_view file_path) { … } // static std::unique_ptr<TrustStore> TrustStore::CreateInstanceForTest( const std::vector<uint8_t>& trust_anchor_der) { … } // static std::unique_ptr<TrustStore> CastTrustStore::Create() { … } // static std::unique_ptr<TrustStore> CastCRLTrustStore::Create() { … } BoringSSLTrustStore::BoringSSLTrustStore() { … } BoringSSLTrustStore::BoringSSLTrustStore( const std::vector<uint8_t>& trust_anchor_der) { … } BoringSSLTrustStore::BoringSSLTrustStore( std::vector<bssl::UniquePtr<X509>> certs) : … { … } BoringSSLTrustStore::~BoringSSLTrustStore() = default; ErrorOr<BoringSSLTrustStore::CertificatePathResult> BoringSSLTrustStore::FindCertificatePath( const std::vector<std::string>& der_certs, const DateTime& time) { … } } // namespace openscreen::cast
Codebase Browser
chromium