Google Git
Sign in
boringssl / boringssl.git / d4faa8d63a06a5feff2e5b68695adf9bf8fd1f81 / . / pki / simple_path_builder_delegate.cc
blob: 822019b91b91f125304b67da3e1b3c428f8ba43d [file] [log] [blame]
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]1// Copyright 2017 The Chromium Authors
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "simple_path_builder_delegate.h"
6
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]7#include <openssl/bn.h>
8#include <openssl/bytestring.h>
9#include <openssl/digest.h>
10#include <openssl/ec.h>
11#include <openssl/ec_key.h>
12#include <openssl/evp.h>
13#include <openssl/nid.h>
Bob Beck48b81462023-12-12 18:49:49 +0000[diff] [blame]14#include <openssl/pki/signature_verify_cache.h>
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]15#include <openssl/rsa.h>
Bob Beck48b81462023-12-12 18:49:49 +0000[diff] [blame]16
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]17#include "cert_error_params.h"
18#include "cert_errors.h"
19#include "signature_algorithm.h"
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]20#include "verify_signed_data.h"
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]21
22namespace bssl {
23
24DEFINE_CERT_ERROR_ID(SimplePathBuilderDelegate::kRsaModulusTooSmall,
25 "RSA modulus too small");
26
27namespace {
28
29DEFINE_CERT_ERROR_ID(kUnacceptableCurveForEcdsa,
30 "Only P-256, P-384, P-521 are supported for ECDSA");
31
32bool IsAcceptableCurveForEcdsa(int curve_nid) {
33 switch (curve_nid) {
34 case NID_X9_62_prime256v1:
35 case NID_secp384r1:
36 case NID_secp521r1:
37 return true;
38 }
39
40 return false;
41}
42
43} // namespace
44
45SimplePathBuilderDelegate::SimplePathBuilderDelegate(
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]46 size_t min_rsa_modulus_length_bits, DigestPolicy digest_policy)
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]47 : min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits),
48 digest_policy_(digest_policy) {}
49
50void SimplePathBuilderDelegate::CheckPathAfterVerification(
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]51 const CertPathBuilder &path_builder, CertPathBuilderResultPath *path) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]52 // Do nothing - consider all candidate paths valid.
53}
54
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]55bool SimplePathBuilderDelegate::IsDeadlineExpired() { return false; }
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]56
Bob Beck1fa9cc22023-11-21 13:58:30 -0700[diff] [blame]57bool SimplePathBuilderDelegate::IsDebugLogEnabled() { return false; }
58
Bob Beck324db642024-01-25 21:37:37 +0000[diff] [blame]59bool SimplePathBuilderDelegate::AcceptPreCertificates() { return false; }
60
Bob Beck1fa9cc22023-11-21 13:58:30 -0700[diff] [blame]61void SimplePathBuilderDelegate::DebugLog(std::string_view msg) {}
62
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]63SignatureVerifyCache *SimplePathBuilderDelegate::GetVerifyCache() {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]64 return nullptr;
65}
66
67bool SimplePathBuilderDelegate::IsSignatureAlgorithmAcceptable(
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]68 SignatureAlgorithm algorithm, CertErrors *errors) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]69 switch (algorithm) {
70 case SignatureAlgorithm::kRsaPkcs1Sha1:
71 case SignatureAlgorithm::kEcdsaSha1:
72 return digest_policy_ == DigestPolicy::kWeakAllowSha1;
73
74 case SignatureAlgorithm::kRsaPkcs1Sha256:
75 case SignatureAlgorithm::kRsaPkcs1Sha384:
76 case SignatureAlgorithm::kRsaPkcs1Sha512:
77 case SignatureAlgorithm::kEcdsaSha256:
78 case SignatureAlgorithm::kEcdsaSha384:
79 case SignatureAlgorithm::kEcdsaSha512:
80 case SignatureAlgorithm::kRsaPssSha256:
81 case SignatureAlgorithm::kRsaPssSha384:
82 case SignatureAlgorithm::kRsaPssSha512:
83 return true;
84 }
85 return false;
86}
87
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]88bool SimplePathBuilderDelegate::IsPublicKeyAcceptable(EVP_PKEY *public_key,
89 CertErrors *errors) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]90 int pkey_id = EVP_PKEY_id(public_key);
91 if (pkey_id == EVP_PKEY_RSA) {
92 // Extract the modulus length from the key.
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]93 RSA *rsa = EVP_PKEY_get0_RSA(public_key);
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]94 if (!rsa) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]95 return false;
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]96 }
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]97 unsigned int modulus_length_bits = RSA_bits(rsa);
98
99 if (modulus_length_bits < min_rsa_modulus_length_bits_) {
100 errors->AddError(
101 kRsaModulusTooSmall,
102 CreateCertErrorParams2SizeT("actual", modulus_length_bits, "minimum",
103 min_rsa_modulus_length_bits_));
104 return false;
105 }
106
107 return true;
108 }
109
110 if (pkey_id == EVP_PKEY_EC) {
111 // Extract the curve name.
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]112 EC_KEY *ec = EVP_PKEY_get0_EC_KEY(public_key);
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]113 if (!ec) {
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]114 return false; // Unexpected.
Bob Beck6beabf32023-11-21 09:43:52 -0700[diff] [blame]115 }
Bob Beckbc97b7a2023-04-18 08:35:15 -0600[diff] [blame]116 int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
117
118 if (!IsAcceptableCurveForEcdsa(curve_nid)) {
119 errors->AddError(kUnacceptableCurveForEcdsa);
120 return false;
121 }
122
123 return true;
124 }
125
126 // Unexpected key type.
127 return false;
128}
129
Bob Beck5c7a2a02023-11-20 17:28:21 -0700[diff] [blame]130} // namespace bssl