security/ct/MultiLogCTVerifier.cpp
author Ben Campbell <benc@thunderbird.net>
Mon, 19 Aug 2019 18:00:38 +1200
changeset 489757 6b90caa175cbccbe61f9103c7ad4a9cb7273ebd3
parent 448947 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
Bug 1427877 - Extend telemetry probe registry code-generation to handle extra definition files. r=chutten MANUAL PUSH: patches not from phab

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "MultiLogCTVerifier.h"

#include "CTObjectsExtractor.h"
#include "CTSerialization.h"

namespace mozilla {
namespace ct {

using namespace mozilla::pkix;

// Note: this moves |verifiedSct| to the target list in |result|.
static void StoreVerifiedSct(CTVerifyResult& result, VerifiedSCT&& verifiedSct,
                             VerifiedSCT::Status status) {
  verifiedSct.status = status;
  result.verifiedScts.push_back(std::move(verifiedSct));
}

void MultiLogCTVerifier::AddLog(CTLogVerifier&& log) {
  mLogs.push_back(std::move(log));
}

Result MultiLogCTVerifier::Verify(Input cert, Input issuerSubjectPublicKeyInfo,
                                  Input sctListFromCert,
                                  Input sctListFromOCSPResponse,
                                  Input sctListFromTLSExtension, Time time,
                                  CTVerifyResult& result) {
  assert(cert.GetLength() > 0);
  result.Reset();

  Result rv;

  // Verify embedded SCTs
  if (issuerSubjectPublicKeyInfo.GetLength() > 0 &&
      sctListFromCert.GetLength() > 0) {
    LogEntry precertEntry;
    rv = GetPrecertLogEntry(cert, issuerSubjectPublicKeyInfo, precertEntry);
    if (rv != Success) {
      return rv;
    }
    rv = VerifySCTs(sctListFromCert, precertEntry,
                    VerifiedSCT::Origin::Embedded, time, result);
    if (rv != Success) {
      return rv;
    }
  }

  LogEntry x509Entry;
  GetX509LogEntry(cert, x509Entry);

  // Verify SCTs from a stapled OCSP response
  if (sctListFromOCSPResponse.GetLength() > 0) {
    rv = VerifySCTs(sctListFromOCSPResponse, x509Entry,
                    VerifiedSCT::Origin::OCSPResponse, time, result);
    if (rv != Success) {
      return rv;
    }
  }

  // Verify SCTs from a TLS extension
  if (sctListFromTLSExtension.GetLength() > 0) {
    rv = VerifySCTs(sctListFromTLSExtension, x509Entry,
                    VerifiedSCT::Origin::TLSExtension, time, result);
    if (rv != Success) {
      return rv;
    }
  }
  return Success;
}

Result MultiLogCTVerifier::VerifySCTs(Input encodedSctList,
                                      const LogEntry& expectedEntry,
                                      VerifiedSCT::Origin origin, Time time,
                                      CTVerifyResult& result) {
  Reader listReader;
  Result rv = DecodeSCTList(encodedSctList, listReader);
  if (rv != Success) {
    result.decodingErrors++;
    return Success;
  }

  while (!listReader.AtEnd()) {
    Input encodedSct;
    rv = ReadSCTListItem(listReader, encodedSct);
    if (rv != Success) {
      result.decodingErrors++;
      return Success;
    }

    Reader encodedSctReader(encodedSct);
    SignedCertificateTimestamp sct;
    rv = DecodeSignedCertificateTimestamp(encodedSctReader, sct);
    if (rv != Success) {
      result.decodingErrors++;
      continue;
    }

    rv = VerifySingleSCT(std::move(sct), expectedEntry, origin, time, result);
    if (rv != Success) {
      return rv;
    }
  }
  return Success;
}

Result MultiLogCTVerifier::VerifySingleSCT(SignedCertificateTimestamp&& sct,
                                           const LogEntry& expectedEntry,
                                           VerifiedSCT::Origin origin,
                                           Time time, CTVerifyResult& result) {
  VerifiedSCT verifiedSct;
  verifiedSct.origin = origin;
  verifiedSct.sct = std::move(sct);

  CTLogVerifier* matchingLog = nullptr;
  for (auto& log : mLogs) {
    if (log.keyId() == verifiedSct.sct.logId) {
      matchingLog = &log;
      break;
    }
  }

  if (!matchingLog) {
    // SCT does not match any known log.
    StoreVerifiedSct(result, std::move(verifiedSct),
                     VerifiedSCT::Status::UnknownLog);
    return Success;
  }

  verifiedSct.logOperatorId = matchingLog->operatorId();

  if (!matchingLog->SignatureParametersMatch(verifiedSct.sct.signature)) {
    // SCT signature parameters do not match the log's.
    StoreVerifiedSct(result, std::move(verifiedSct),
                     VerifiedSCT::Status::InvalidSignature);
    return Success;
  }

  Result rv = matchingLog->Verify(expectedEntry, verifiedSct.sct);
  if (rv != Success) {
    if (rv == Result::ERROR_BAD_SIGNATURE) {
      StoreVerifiedSct(result, std::move(verifiedSct),
                       VerifiedSCT::Status::InvalidSignature);
      return Success;
    }
    return rv;
  }

  // Make sure the timestamp is legitimate (not in the future).
  // SCT's |timestamp| is measured in milliseconds since the epoch,
  // ignoring leap seconds. When converting it to a second-level precision
  // pkix::Time, we need to round it either up or down. In our case, rounding up
  // (towards the future) is more "secure", although practically
  // it does not matter.
  Time sctTime =
      TimeFromEpochInSeconds((verifiedSct.sct.timestamp + 999u) / 1000u);
  if (sctTime > time) {
    StoreVerifiedSct(result, std::move(verifiedSct),
                     VerifiedSCT::Status::InvalidTimestamp);
    return Success;
  }

  // SCT verified ok, see if the log is qualified. Since SCTs from
  // disqualified logs are treated as valid under certain circumstances (see
  // the CT Policy), the log qualification check must be the last one we do.
  if (matchingLog->isDisqualified()) {
    verifiedSct.logDisqualificationTime = matchingLog->disqualificationTime();
    StoreVerifiedSct(result, std::move(verifiedSct),
                     VerifiedSCT::Status::ValidFromDisqualifiedLog);
    return Success;
  }

  StoreVerifiedSct(result, std::move(verifiedSct), VerifiedSCT::Status::Valid);
  return Success;
}

}  // namespace ct
}  // namespace mozilla