Parse the body of the CanSignHttpExchanges extension.

The spec says the body is a NULL, so we should enforce it. Otherwise implementations may accidentally produce certificates that get this wrong, and then other consumers will need to mimic our laxness. https://tools.ietf.org/html/draft-iab-protocol-maintenance-00 Bug: 851778 Change-Id: I0bcfd076d94743ab285ce0a6938182b9a32b0e36 Reviewed-on: https://chromium-review.googlesource.com/1189061 Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#586262}

Parse the body of the CanSignHttpExchanges extension.
The spec says the body is a NULL, so we should enforce it. Otherwise implementations may accidentally produce certificates that get this wrong, and then other consumers will need to mimic our laxness. https://tools.ietf.org/html/draft-iab-protocol-maintenance-00 Bug: 851778 Change-Id: I0bcfd076d94743ab285ce0a6938182b9a32b0e36 Reviewed-on: https://chromium-review.googlesource.com/1189061 Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#586262}
933f39b8 · David Benjamin · Commit Bot · 736345b4 · 933f39b8 · 933f39b8
Commit 933f39b8 authored Aug 27, 2018 by David Benjamin Committed by Commit Bot Aug 27, 2018
6 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -2340,6 +2340,7 @@ bundle_data("test_support_bundle_data") {
    "data/ssl/certificates/aia-root.pem",
    "data/ssl/certificates/bad_validity.pem",
    "data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem",
+    "data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem",
    "data/ssl/certificates/client-empty-password.p12",
    "data/ssl/certificates/client-nokey.p12",
    "data/ssl/certificates/client-null-password.p12",

--- a/net/cert/asn1_util.cc
+++ b/net/cert/asn1_util.cc
@@ -261,7 +261,17 @@ bool HasCanSignHttpExchangesDraftExtension(base::StringPiece cert) {
  static const uint8_t kCanSignHttpExchangesDraftOid[] = {
      0x2B, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x16};

-  return HasExtensionWithOID(cert, der::Input(kCanSignHttpExchangesDraftOid));
+  bool extension_present;
+  ParsedExtension extension;
+  if (!ExtractExtensionWithOID(cert, der::Input(kCanSignHttpExchangesDraftOid),
+                               &extension_present, &extension) ||
+      !extension_present) {
+    return false;
+  }
+
+  // The extension should have contents NULL.
+  static const uint8_t kNull[] = {0x05, 0x00};
+  return extension.value == der::Input(kNull);
 }

 bool ExtractSignatureAlgorithmsFromDERCert(

--- a/net/cert/x509_certificate_unittest.cc
+++ b/net/cert/x509_certificate_unittest.cc
@@ -610,6 +610,16 @@ TEST(X509CertificateTest, HasCanSignHttpExchangesDraftExtension) {
      x509_util::CryptoBufferAsStringPiece(cert->cert_buffer())));
 }

+TEST(X509CertificateTest, HasCanSignHttpExchangesDraftExtensionInvalid) {
+  base::FilePath certs_dir = GetTestCertsDirectory();
+  scoped_refptr<X509Certificate> cert = ImportCertFromFile(
+      certs_dir, "can_sign_http_exchanges_draft_extension_invalid.pem");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), cert.get());
+
+  EXPECT_FALSE(asn1::HasCanSignHttpExchangesDraftExtension(
+      x509_util::CryptoBufferAsStringPiece(cert->cert_buffer())));
+}
+
 TEST(X509CertificateTest, DoesNotHaveCanSignHttpExchangesDraftExtension) {
  base::FilePath certs_dir = GetTestCertsDirectory();
  scoped_refptr<X509Certificate> cert =

--- a/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem
+++ b/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIJAKacjL/rr3TRMA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwHhcNMTgw
+ODI0MjM0MjM1WhcNMTkwODI0MjM0MjM1WjBgMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4GA1UECgwH
+VGVzdCBDQTESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAtrUDSOYujJGYyc9B35JV5panjbG8KOCky14YGdMQWvlo7mCK
+mbtefpFzC5EvZERZey8cMdKzUMRtoCDFNtqTS96V5XLxCzNTe6xynu9BHtQuddzS
+3E8e4fltfkvV2rz47Q/ciyUhfmXdMEW3RFdj7oohddRJtpF7FdNp9ShCnVILUIPJ
+sspaUJBVO3L+O042CwVwOndEt4N/Xd7Bf4516q4sVKAHL/QWpJzauHi50kvCVo6f
+b2h/e9eCin50Ydd+A3UjY02pQh6gmHZXvQwxYC9qRTrMI+LsBBnubXcCzloHT9FU
+8umggcLjeuPzcXQV5jwBwFiuMhJBUYl1a7USpwIDAQABoyUwIzAPBgNVHREECDAG
+hwR/AAABMBAGCisGAQQB1nkCARYEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCbrJ6W
+lrL6DJdafOjx+7nnqCzcY36r/58EFTyLkpKNBdzOLdpQld66QAsJi/nRlfxtk/2m
+AEMZOa0wyuC0jZ+2Z1fDJ0GJwir7QKxedJqm3Oh4x4O5MsNxB3U3u7hiT+mJQhWS
+2UWALvCbG4lmSLEv5NR6zNcATJX0jwCVPfibJwTVolpSeFCPfJ1nwVyXnYrNY4Qr
+gy5FnZc3o5qZ70QZ5dozhJSZF2gBFlOs3aanWjQwkw6IUzABhnAlwtlgxb6A/XkA
+OBvVlrMoSEMWdfTSJ2P6upcjhuVocqnd2UJ4CNDr79nJN63p6GQXPRhlYHpakm5w
+/wLqXAxa/mEXqkSQ
+-----END CERTIFICATE-----
--- a/net/data/ssl/scripts/ee.cnf
+++ b/net/data/ssl/scripts/ee.cnf
@@ -69,6 +69,10 @@ subjectAltName = IP:127.0.0.1
 subjectAltName = IP:127.0.0.1
 1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL

+[req_extensions_with_can_sign_http_exchanges_draft_invalid]
+subjectAltName = IP:127.0.0.1
+1.3.6.1.4.1.11129.2.1.22 = DER:30:00
+
 [req_localhost_san]
 subjectAltName = DNS:localhost


--- a/net/data/ssl/scripts/generate-test-certs.sh
+++ b/net/data/ssl/scripts/generate-test-certs.sh
@@ -452,6 +452,15 @@ openssl req -x509 -newkey rsa:2048 \
  -extensions req_extensions_with_can_sign_http_exchanges_draft \
  -nodes -config ee.cnf

+# Includes the canSignHttpExchangesDraft extension, but with a SEQUENCE in the
+# body rather than a NULL.
+openssl req -x509 -newkey rsa:2048 \
+  -keyout out/can_sign_http_exchanges_draft_extension_invalid.key \
+  -out ../certificates/can_sign_http_exchanges_draft_extension_invalid.pem \
+  -days 365 \
+  -extensions req_extensions_with_can_sign_http_exchanges_draft_invalid \
+  -nodes -config ee.cnf
+
 # SHA-1 certificate issued by locally trusted CA
 openssl req \
  -config ../scripts/ee.cnf \