1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
|
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/internal/revocation_checker.h"
#include <optional>
#include <string>
#include <string_view>
#include "base/logging.h"
#include "crypto/sha2.h"
#include "net/cert/cert_net_fetcher.h"
#include "third_party/boringssl/src/include/openssl/pki/ocsp.h"
#include "third_party/boringssl/src/pki/common_cert_errors.h"
#include "third_party/boringssl/src/pki/crl.h"
#include "third_party/boringssl/src/pki/ocsp.h"
#include "third_party/boringssl/src/pki/parsed_certificate.h"
#include "third_party/boringssl/src/pki/trust_store.h"
#include "url/gurl.h"
namespace net {
namespace {
void MarkCertificateRevoked(bssl::CertErrors* errors) {
// TODO(eroman): Add a parameter to the error indicating which mechanism
// caused the revocation (i.e. CRLSet, OCSP, stapled OCSP, etc).
errors->AddError(bssl::cert_errors::kCertificateRevoked);
}
// Checks the revocation status of |certs[target_cert_index]| according to
// |policy|. If the checks failed, returns false and adds errors to
// |cert_errors|.
//
// TODO(eroman): Make the verification time an input.
bool CheckCertRevocation(const bssl::ParsedCertificateList& certs,
size_t target_cert_index,
const RevocationPolicy& policy,
base::TimeTicks deadline,
std::string_view stapled_ocsp_response,
std::optional<int64_t> max_age_seconds,
base::Time current_time,
CertNetFetcher* net_fetcher,
bssl::CertErrors* cert_errors,
bssl::OCSPVerifyResult* stapled_ocsp_verify_result) {
DCHECK_LT(target_cert_index, certs.size());
const bssl::ParsedCertificate* cert = certs[target_cert_index].get();
const bssl::ParsedCertificate* issuer_cert =
target_cert_index + 1 < certs.size() ? certs[target_cert_index + 1].get()
: nullptr;
time_t time_now = current_time.ToTimeT();
// Check using stapled OCSP, if available.
if (!stapled_ocsp_response.empty() && issuer_cert) {
bssl::OCSPVerifyResult::ResponseStatus response_details;
bssl::OCSPRevocationStatus ocsp_status =
bssl::CheckOCSP(stapled_ocsp_response, cert, issuer_cert, time_now,
max_age_seconds, &response_details);
if (stapled_ocsp_verify_result) {
stapled_ocsp_verify_result->response_status = response_details;
stapled_ocsp_verify_result->revocation_status = ocsp_status;
}
// TODO(eroman): Save the stapled OCSP response to cache.
switch (ocsp_status) {
case bssl::OCSPRevocationStatus::REVOKED:
MarkCertificateRevoked(cert_errors);
return false;
case bssl::OCSPRevocationStatus::GOOD:
return true;
case bssl::OCSPRevocationStatus::UNKNOWN:
// TODO(eroman): If the OCSP response was invalid, should we keep
// looking or fail?
break;
}
}
if (!policy.check_revocation) {
// TODO(eroman): Should still check CRL/OCSP caches.
return true;
}
bool found_revocation_info = false;
// Check OCSP.
if (cert->has_authority_info_access()) {
// Try each of the OCSP URIs
for (const auto& ocsp_uri : cert->ocsp_uris()) {
// Only consider http:// URLs (https:// could create a circular
// dependency).
GURL parsed_ocsp_url(ocsp_uri);
if (!parsed_ocsp_url.is_valid() ||
!parsed_ocsp_url.SchemeIs(url::kHttpScheme)) {
continue;
}
found_revocation_info = true;
// Check the deadline after setting found_revocation_info, to not give a
// misleading kNoRevocationMechanism failure.
if (!deadline.is_null() && base::TimeTicks::Now() > deadline)
break;
if (!policy.networking_allowed)
continue;
if (!net_fetcher) {
LOG(ERROR) << "Cannot fetch OCSP as didn't specify a |net_fetcher|";
continue;
}
// TODO(eroman): Duplication of work if there are multiple URLs to try.
// TODO(eroman): Are there cases where we would need to POST instead?
std::optional<std::string> get_url_str =
CreateOCSPGetURL(cert, issuer_cert, ocsp_uri);
if (!get_url_str.has_value()) {
// An unexpected failure from BoringSSL, or the input was too large to
// base64-encode.
continue;
}
GURL get_url(get_url_str.value());
if (!get_url.is_valid()) {
// Invalid URL.
continue;
}
// Fetch it over network.
//
// TODO(eroman): Issue POST instead of GET if request is larger than 255
// bytes?
// TODO(eroman): Improve interplay with HTTP cache.
std::unique_ptr<CertNetFetcher::Request> net_ocsp_request =
net_fetcher->FetchOcsp(get_url, CertNetFetcher::DEFAULT,
CertNetFetcher::DEFAULT);
Error net_error;
std::vector<uint8_t> ocsp_response_bytes;
net_ocsp_request->WaitForResult(&net_error, &ocsp_response_bytes);
if (net_error != OK)
continue;
bssl::OCSPVerifyResult::ResponseStatus response_details;
bssl::OCSPRevocationStatus ocsp_status = bssl::CheckOCSP(
std::string_view(
reinterpret_cast<const char*>(ocsp_response_bytes.data()),
ocsp_response_bytes.size()),
cert, issuer_cert, time_now, max_age_seconds, &response_details);
switch (ocsp_status) {
case bssl::OCSPRevocationStatus::REVOKED:
MarkCertificateRevoked(cert_errors);
return false;
case bssl::OCSPRevocationStatus::GOOD:
return true;
case bssl::OCSPRevocationStatus::UNKNOWN:
break;
}
}
}
// Check CRLs.
bssl::ParsedExtension crl_dp_extension;
if (policy.crl_allowed &&
cert->GetExtension(bssl::der::Input(bssl::kCrlDistributionPointsOid),
&crl_dp_extension)) {
std::vector<bssl::ParsedDistributionPoint> distribution_points;
if (ParseCrlDistributionPoints(crl_dp_extension.value,
&distribution_points)) {
for (const auto& distribution_point : distribution_points) {
if (distribution_point.crl_issuer) {
// Ignore indirect CRLs (CRL where CRLissuer != cert issuer), which
// are optional according to RFC 5280's profile.
continue;
}
if (distribution_point.reasons) {
// Ignore CRLs that only contain some reasons. RFC 5280's profile
// requires that conforming CAs "MUST include at least one
// DistributionPoint that points to a CRL that covers the certificate
// for all reasons".
continue;
}
if (!distribution_point.distribution_point_fullname) {
// Only distributionPoints with a fullName containing URIs are
// supported.
continue;
}
for (const auto& crl_uri :
distribution_point.distribution_point_fullname
->uniform_resource_identifiers) {
// Only consider http:// URLs (https:// could create a circular
// dependency).
GURL parsed_crl_url(crl_uri);
if (!parsed_crl_url.is_valid() ||
!parsed_crl_url.SchemeIs(url::kHttpScheme)) {
continue;
}
found_revocation_info = true;
// Check the deadline after setting found_revocation_info, to not give
// a misleading kNoRevocationMechanism failure.
if (!deadline.is_null() && base::TimeTicks::Now() > deadline)
break;
if (!policy.networking_allowed)
continue;
if (!net_fetcher) {
LOG(ERROR) << "Cannot fetch CRL as didn't specify a |net_fetcher|";
continue;
}
// Fetch it over network.
//
// Note that no attempt is made to refetch without cache if a cached
// CRL is too old, nor is there a separate CRL cache. It is assumed
// the CRL server will send reasonable HTTP caching headers.
std::unique_ptr<CertNetFetcher::Request> net_crl_request =
net_fetcher->FetchCrl(parsed_crl_url, CertNetFetcher::DEFAULT,
CertNetFetcher::DEFAULT);
Error net_error;
std::vector<uint8_t> crl_response_bytes;
net_crl_request->WaitForResult(&net_error, &crl_response_bytes);
if (net_error != OK)
continue;
bssl::CRLRevocationStatus crl_status = CheckCRL(
std::string_view(
reinterpret_cast<const char*>(crl_response_bytes.data()),
crl_response_bytes.size()),
certs, target_cert_index, distribution_point, time_now,
max_age_seconds);
switch (crl_status) {
case bssl::CRLRevocationStatus::REVOKED:
MarkCertificateRevoked(cert_errors);
return false;
case bssl::CRLRevocationStatus::GOOD:
return true;
case bssl::CRLRevocationStatus::UNKNOWN:
break;
}
}
}
}
}
// Reaching here means that revocation checking was inconclusive. Determine
// whether failure to complete revocation checking constitutes an error.
if (!found_revocation_info) {
if (policy.allow_missing_info) {
// If the certificate lacked any (recognized) revocation mechanisms, and
// the policy permits it, consider revocation checking a success.
return true;
} else {
// If the certificate lacked any (recognized) revocation mechanisms, and
// the policy forbids it, fail revocation checking.
cert_errors->AddError(bssl::cert_errors::kNoRevocationMechanism);
return false;
}
}
// In soft-fail mode permit other failures.
// TODO(eroman): Add a warning to |cert_errors| indicating the failure.
if (policy.allow_unable_to_check)
return true;
// Otherwise the policy doesn't allow revocation checking to fail.
cert_errors->AddError(bssl::cert_errors::kUnableToCheckRevocation);
return false;
}
} // namespace
void CheckValidatedChainRevocation(
const bssl::ParsedCertificateList& certs,
const RevocationPolicy& policy,
base::TimeTicks deadline,
std::string_view stapled_leaf_ocsp_response,
base::Time current_time,
CertNetFetcher* net_fetcher,
bssl::CertPathErrors* errors,
bssl::OCSPVerifyResult* stapled_ocsp_verify_result) {
if (stapled_ocsp_verify_result)
*stapled_ocsp_verify_result = bssl::OCSPVerifyResult();
// Check each certificate for revocation using OCSP/CRL. Checks proceed
// from the root certificate towards the leaf certificate. Revocation errors
// are added to |errors|.
for (size_t reverse_i = 0; reverse_i < certs.size(); ++reverse_i) {
size_t i = certs.size() - reverse_i - 1;
// Trust anchors bypass OCSP/CRL revocation checks. (The only way to revoke
// trust anchors is via CRLSet or the built-in SPKI block list). Since
// |certs| must be a validated chain, the final cert must be a trust
// anchor.
if (reverse_i == 0)
continue;
// TODO(eroman): Plumb stapled OCSP for non-leaf certificates from TLS?
std::string_view stapled_ocsp =
(i == 0) ? stapled_leaf_ocsp_response : std::string_view();
std::optional<int64_t> max_age_seconds;
if (policy.enforce_baseline_requirements) {
max_age_seconds = ((i == 0) ? kMaxRevocationLeafUpdateAge
: kMaxRevocationIntermediateUpdateAge)
.InSeconds();
}
// Check whether this certificate's revocation status complies with the
// policy.
bool cert_ok = CheckCertRevocation(
certs, i, policy, deadline, stapled_ocsp, max_age_seconds, current_time,
net_fetcher, errors->GetErrorsForCert(i),
(i == 0) ? stapled_ocsp_verify_result : nullptr);
if (!cert_ok) {
// If any certificate in the chain fails revocation checks, the chain is
// revoked and no need to check revocation status for the remaining
// certificates.
DCHECK(errors->GetErrorsForCert(i)->ContainsAnyErrorWithSeverity(
bssl::CertError::SEVERITY_HIGH));
break;
}
}
}
CRLSet::Result CheckChainRevocationUsingCRLSet(
const CRLSet* crl_set,
const bssl::ParsedCertificateList& certs,
bssl::CertPathErrors* errors) {
// Iterate from the root certificate towards the leaf (the root certificate is
// also checked for revocation by CRLSet).
std::string issuer_spki_hash;
for (size_t reverse_i = 0; reverse_i < certs.size(); ++reverse_i) {
size_t i = certs.size() - reverse_i - 1;
const bssl::ParsedCertificate* cert = certs[i].get();
// True if |cert| is the root of the chain.
const bool is_root = reverse_i == 0;
// True if |cert| is the leaf certificate of the chain.
const bool is_target = i == 0;
// Check for revocation using the certificate's SPKI.
std::string spki_hash =
crypto::SHA256HashString(cert->tbs().spki_tlv.AsStringView());
CRLSet::Result result = crl_set->CheckSPKI(spki_hash);
// Check for revocation using the certificate's Subject.
if (result != CRLSet::REVOKED) {
result = crl_set->CheckSubject(cert->tbs().subject_tlv.AsStringView(),
spki_hash);
}
// Check for revocation using the certificate's serial number and issuer's
// SPKI.
if (result != CRLSet::REVOKED && !is_root) {
result = crl_set->CheckSerial(cert->tbs().serial_number.AsStringView(),
issuer_spki_hash);
}
// Prepare for the next iteration.
issuer_spki_hash = std::move(spki_hash);
switch (result) {
case CRLSet::REVOKED:
MarkCertificateRevoked(errors->GetErrorsForCert(i));
return CRLSet::Result::REVOKED;
case CRLSet::UNKNOWN:
// If the status is unknown, advance to the subordinate certificate.
break;
case CRLSet::GOOD:
if (is_target && !crl_set->IsExpired()) {
// If the target is covered by the CRLSet and known good, consider
// the entire chain to be valid (even though the revocation status
// of the intermediates may have been UNKNOWN).
//
// Only the leaf certificate is considered for coverage because some
// intermediates have CRLs with no revocations (after filtering) and
// those CRLs are pruned from the CRLSet at generation time.
return CRLSet::Result::GOOD;
}
break;
}
}
// If no certificate was revoked, and the target was not known good, then
// the revocation status is still unknown.
return CRLSet::Result::UNKNOWN;
}
} // namespace net
|
