1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ssl/ssl_platform_key_win.h"
6
7 #include <algorithm>
8 #include <memory>
9 #include <string>
10 #include <utility>
11 #include <vector>
12
13 #include "base/logging.h"
14 #include "base/macros.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "crypto/openssl_util.h"
17 #include "crypto/scoped_capi_types.h"
18 #include "net/base/net_errors.h"
19 #include "net/cert/x509_certificate.h"
20 #include "net/ssl/ssl_platform_key_util.h"
21 #include "net/ssl/ssl_private_key.h"
22 #include "net/ssl/threaded_ssl_private_key.h"
23 #include "third_party/boringssl/src/include/openssl/bn.h"
24 #include "third_party/boringssl/src/include/openssl/ecdsa.h"
25 #include "third_party/boringssl/src/include/openssl/evp.h"
26 #include "third_party/boringssl/src/include/openssl/ssl.h"
27
28 namespace net {
29
30 namespace {
31
GetCAPIProviderName(HCRYPTPROV provider)32 std::string GetCAPIProviderName(HCRYPTPROV provider) {
33 DWORD name_len;
34 if (!CryptGetProvParam(provider, PP_NAME, nullptr, &name_len, 0)) {
35 return "(error getting name)";
36 }
37 std::vector<BYTE> name(name_len);
38 if (!CryptGetProvParam(provider, PP_NAME, name.data(), &name_len, 0)) {
39 return "(error getting name)";
40 }
41 // Per Microsoft's documentation, PP_NAME is NUL-terminated. However,
42 // smartcard drivers are notoriously buggy, so check this.
43 auto nul = std::find(name.begin(), name.end(), 0);
44 if (nul != name.end()) {
45 name_len = nul - name.begin();
46 }
47 return std::string(reinterpret_cast<const char*>(name.data()), name_len);
48 }
49
50 class SSLPlatformKeyCAPI : public ThreadedSSLPrivateKey::Delegate {
51 public:
52 // Takes ownership of |provider|.
SSLPlatformKeyCAPI(HCRYPTPROV provider,DWORD key_spec)53 SSLPlatformKeyCAPI(HCRYPTPROV provider, DWORD key_spec)
54 : provider_name_(GetCAPIProviderName(provider)),
55 provider_(provider),
56 key_spec_(key_spec) {}
57
~SSLPlatformKeyCAPI()58 ~SSLPlatformKeyCAPI() override {}
59
GetProviderName()60 std::string GetProviderName() override { return "CAPI: " + provider_name_; }
61
GetAlgorithmPreferences()62 std::vector<uint16_t> GetAlgorithmPreferences() override {
63 // If the key is in CAPI, assume conservatively that the CAPI service
64 // provider may only be able to sign pre-TLS-1.2 and SHA-1 hashes.
65 // Prioritize SHA-1, but if the server doesn't advertise it, leave the other
66 // algorithms enabled to try.
67 return {
68 SSL_SIGN_RSA_PKCS1_SHA1, SSL_SIGN_RSA_PKCS1_SHA256,
69 SSL_SIGN_RSA_PKCS1_SHA384, SSL_SIGN_RSA_PKCS1_SHA512,
70 };
71 }
72
Sign(uint16_t algorithm,base::span<const uint8_t> input,std::vector<uint8_t> * signature)73 Error Sign(uint16_t algorithm,
74 base::span<const uint8_t> input,
75 std::vector<uint8_t>* signature) override {
76 const EVP_MD* md = SSL_get_signature_algorithm_digest(algorithm);
77 uint8_t digest[EVP_MAX_MD_SIZE];
78 unsigned digest_len;
79 if (!md || !EVP_Digest(input.data(), input.size(), digest, &digest_len, md,
80 nullptr)) {
81 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
82 }
83
84 ALG_ID hash_alg;
85 switch (EVP_MD_type(md)) {
86 case NID_md5_sha1:
87 hash_alg = CALG_SSL3_SHAMD5;
88 break;
89 case NID_sha1:
90 hash_alg = CALG_SHA1;
91 break;
92 case NID_sha256:
93 hash_alg = CALG_SHA_256;
94 break;
95 case NID_sha384:
96 hash_alg = CALG_SHA_384;
97 break;
98 case NID_sha512:
99 hash_alg = CALG_SHA_512;
100 break;
101 default:
102 NOTREACHED();
103 return ERR_FAILED;
104 }
105
106 crypto::ScopedHCRYPTHASH hash_handle;
107 if (!CryptCreateHash(provider_, hash_alg, 0, 0, hash_handle.receive())) {
108 PLOG(ERROR) << "CreateCreateHash failed";
109 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
110 }
111 DWORD hash_len;
112 DWORD arg_len = sizeof(hash_len);
113 if (!CryptGetHashParam(hash_handle.get(), HP_HASHSIZE,
114 reinterpret_cast<BYTE*>(&hash_len), &arg_len, 0)) {
115 PLOG(ERROR) << "CryptGetHashParam HP_HASHSIZE failed";
116 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
117 }
118 if (hash_len != digest_len)
119 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
120 if (!CryptSetHashParam(hash_handle.get(), HP_HASHVAL,
121 const_cast<BYTE*>(digest), 0)) {
122 PLOG(ERROR) << "CryptSetHashParam HP_HASHVAL failed";
123 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
124 }
125 DWORD signature_len = 0;
126 if (!CryptSignHash(hash_handle.get(), key_spec_, nullptr, 0, nullptr,
127 &signature_len)) {
128 PLOG(ERROR) << "CryptSignHash failed";
129 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
130 }
131 signature->resize(signature_len);
132 if (!CryptSignHash(hash_handle.get(), key_spec_, nullptr, 0,
133 signature->data(), &signature_len)) {
134 PLOG(ERROR) << "CryptSignHash failed";
135 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
136 }
137 signature->resize(signature_len);
138
139 // CryptoAPI signs in little-endian, so reverse it.
140 std::reverse(signature->begin(), signature->end());
141 return OK;
142 }
143
144 private:
145 std::string provider_name_;
146 crypto::ScopedHCRYPTPROV provider_;
147 DWORD key_spec_;
148
149 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCAPI);
150 };
151
152 class ScopedNCRYPT_PROV_HANDLE {
153 public:
ScopedNCRYPT_PROV_HANDLE()154 ScopedNCRYPT_PROV_HANDLE() {}
155 ScopedNCRYPT_PROV_HANDLE(const ScopedNCRYPT_PROV_HANDLE&) = delete;
156 ScopedNCRYPT_PROV_HANDLE& operator=(const ScopedNCRYPT_PROV_HANDLE&) = delete;
~ScopedNCRYPT_PROV_HANDLE()157 ~ScopedNCRYPT_PROV_HANDLE() {
158 if (prov_) {
159 NCryptFreeObject(prov_);
160 }
161 }
162
get() const163 NCRYPT_PROV_HANDLE get() const { return prov_; }
InitializeInto()164 NCRYPT_PROV_HANDLE* InitializeInto() { return &prov_; }
165
166 private:
167 NCRYPT_PROV_HANDLE prov_ = 0;
168 };
169
GetCNGProviderName(NCRYPT_KEY_HANDLE key)170 std::string GetCNGProviderName(NCRYPT_KEY_HANDLE key) {
171 ScopedNCRYPT_PROV_HANDLE prov;
172 DWORD prov_len = 0;
173 SECURITY_STATUS status = NCryptGetProperty(
174 key, NCRYPT_PROVIDER_HANDLE_PROPERTY,
175 reinterpret_cast<BYTE*>(prov.InitializeInto()),
176 sizeof(*prov.InitializeInto()), &prov_len, NCRYPT_SILENT_FLAG);
177 if (FAILED(status)) {
178 return "(error getting provider)";
179 }
180 DCHECK_EQ(sizeof(NCRYPT_PROV_HANDLE), prov_len);
181
182 // NCRYPT_NAME_PROPERTY is a NUL-terminated Unicode string, which means an
183 // array of wchar_t, however NCryptGetProperty works in bytes, so lengths must
184 // be converted.
185 DWORD name_len = 0;
186 status = NCryptGetProperty(prov.get(), NCRYPT_NAME_PROPERTY, nullptr, 0,
187 &name_len, NCRYPT_SILENT_FLAG);
188 if (FAILED(status) || name_len % sizeof(wchar_t) != 0) {
189 return "(error getting provider name)";
190 }
191 std::vector<wchar_t> name(name_len / sizeof(wchar_t));
192 status = NCryptGetProperty(
193 prov.get(), NCRYPT_NAME_PROPERTY, reinterpret_cast<BYTE*>(name.data()),
194 name.size() * sizeof(wchar_t), &name_len, NCRYPT_SILENT_FLAG);
195 if (FAILED(status)) {
196 return "(error getting provider name)";
197 }
198 name.resize(name_len / sizeof(wchar_t));
199
200 // Per Microsoft's documentation, the name is NUL-terminated. However,
201 // smartcard drivers are notoriously buggy, so check this.
202 auto nul = std::find(name.begin(), name.end(), 0);
203 if (nul != name.end()) {
204 name.erase(nul, name.end());
205 }
206 return base::WideToUTF8(base::WStringPiece(name.data(), name.size()));
207 }
208
209 class SSLPlatformKeyCNG : public ThreadedSSLPrivateKey::Delegate {
210 public:
211 // Takes ownership of |key|.
SSLPlatformKeyCNG(NCRYPT_KEY_HANDLE key,int type,size_t max_length)212 SSLPlatformKeyCNG(NCRYPT_KEY_HANDLE key, int type, size_t max_length)
213 : provider_name_(GetCNGProviderName(key)),
214 key_(key),
215 type_(type),
216 max_length_(max_length) {}
217
~SSLPlatformKeyCNG()218 ~SSLPlatformKeyCNG() override { NCryptFreeObject(key_); }
219
GetProviderName()220 std::string GetProviderName() override { return "CNG: " + provider_name_; }
221
GetAlgorithmPreferences()222 std::vector<uint16_t> GetAlgorithmPreferences() override {
223 // If this is an under 1024-bit RSA key, conservatively prefer to sign SHA-1
224 // hashes. Older Estonian ID cards can only sign SHA-1 hashes. Prioritize
225 // SHA-1, but if the server doesn't advertise it, leave the other algorithms
226 // enabled to try.
227 if (type_ == EVP_PKEY_RSA && max_length_ <= 1024 / 8) {
228 return {
229 SSL_SIGN_RSA_PKCS1_SHA1, SSL_SIGN_RSA_PKCS1_SHA256,
230 SSL_SIGN_RSA_PKCS1_SHA384, SSL_SIGN_RSA_PKCS1_SHA512,
231 // 1024-bit keys are too small for SSL_SIGN_RSA_PSS_SHA512.
232 SSL_SIGN_RSA_PSS_SHA256, SSL_SIGN_RSA_PSS_SHA384,
233 };
234 }
235 return SSLPrivateKey::DefaultAlgorithmPreferences(type_,
236 true /* supports PSS */);
237 }
238
Sign(uint16_t algorithm,base::span<const uint8_t> input,std::vector<uint8_t> * signature)239 Error Sign(uint16_t algorithm,
240 base::span<const uint8_t> input,
241 std::vector<uint8_t>* signature) override {
242 crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
243
244 const EVP_MD* md = SSL_get_signature_algorithm_digest(algorithm);
245 uint8_t digest[EVP_MAX_MD_SIZE];
246 unsigned digest_len;
247 if (!md || !EVP_Digest(input.data(), input.size(), digest, &digest_len, md,
248 nullptr)) {
249 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
250 }
251
252 BCRYPT_PKCS1_PADDING_INFO pkcs1_padding_info = {nullptr};
253 BCRYPT_PSS_PADDING_INFO pss_padding_info = {nullptr};
254 void* padding_info = nullptr;
255 DWORD flags = 0;
256 if (SSL_get_signature_algorithm_key_type(algorithm) == EVP_PKEY_RSA) {
257 const WCHAR* hash_alg;
258 switch (EVP_MD_type(md)) {
259 case NID_md5_sha1:
260 hash_alg = nullptr;
261 break;
262 case NID_sha1:
263 hash_alg = BCRYPT_SHA1_ALGORITHM;
264 break;
265 case NID_sha256:
266 hash_alg = BCRYPT_SHA256_ALGORITHM;
267 break;
268 case NID_sha384:
269 hash_alg = BCRYPT_SHA384_ALGORITHM;
270 break;
271 case NID_sha512:
272 hash_alg = BCRYPT_SHA512_ALGORITHM;
273 break;
274 default:
275 NOTREACHED();
276 return ERR_FAILED;
277 }
278 if (SSL_is_signature_algorithm_rsa_pss(algorithm)) {
279 pss_padding_info.pszAlgId = hash_alg;
280 pss_padding_info.cbSalt = EVP_MD_size(md);
281 padding_info = &pss_padding_info;
282 flags |= BCRYPT_PAD_PSS;
283 } else {
284 pkcs1_padding_info.pszAlgId = hash_alg;
285 padding_info = &pkcs1_padding_info;
286 flags |= BCRYPT_PAD_PKCS1;
287 }
288 }
289
290 DWORD signature_len;
291 SECURITY_STATUS status =
292 NCryptSignHash(key_, padding_info, const_cast<BYTE*>(digest),
293 digest_len, nullptr, 0, &signature_len, flags);
294 if (FAILED(status)) {
295 LOG(ERROR) << "NCryptSignHash failed: " << status;
296 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
297 }
298 signature->resize(signature_len);
299 status = NCryptSignHash(key_, padding_info, const_cast<BYTE*>(digest),
300 digest_len, signature->data(), signature_len,
301 &signature_len, flags);
302 if (FAILED(status)) {
303 LOG(ERROR) << "NCryptSignHash failed: " << status;
304 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
305 }
306 signature->resize(signature_len);
307
308 // CNG emits raw ECDSA signatures, but BoringSSL expects a DER-encoded
309 // ECDSA-Sig-Value.
310 if (type_ == EVP_PKEY_EC) {
311 if (signature->size() % 2 != 0) {
312 LOG(ERROR) << "Bad signature length";
313 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
314 }
315 size_t order_len = signature->size() / 2;
316
317 // Convert the RAW ECDSA signature to a DER-encoded ECDSA-Sig-Value.
318 bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
319 if (!sig || !BN_bin2bn(signature->data(), order_len, sig->r) ||
320 !BN_bin2bn(signature->data() + order_len, order_len, sig->s)) {
321 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
322 }
323
324 int len = i2d_ECDSA_SIG(sig.get(), nullptr);
325 if (len <= 0)
326 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
327 signature->resize(len);
328 uint8_t* ptr = signature->data();
329 len = i2d_ECDSA_SIG(sig.get(), &ptr);
330 if (len <= 0)
331 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
332 signature->resize(len);
333 }
334
335 return OK;
336 }
337
338 private:
339 std::string provider_name_;
340 NCRYPT_KEY_HANDLE key_;
341 int type_;
342 size_t max_length_;
343
344 DISALLOW_COPY_AND_ASSIGN(SSLPlatformKeyCNG);
345 };
346
347 } // namespace
348
WrapCAPIPrivateKey(const X509Certificate * certificate,HCRYPTPROV prov,DWORD key_spec)349 scoped_refptr<SSLPrivateKey> WrapCAPIPrivateKey(
350 const X509Certificate* certificate,
351 HCRYPTPROV prov,
352 DWORD key_spec) {
353 return base::MakeRefCounted<ThreadedSSLPrivateKey>(
354 std::make_unique<SSLPlatformKeyCAPI>(prov, key_spec),
355 GetSSLPlatformKeyTaskRunner());
356 }
357
WrapCNGPrivateKey(const X509Certificate * certificate,NCRYPT_KEY_HANDLE key)358 scoped_refptr<SSLPrivateKey> WrapCNGPrivateKey(
359 const X509Certificate* certificate,
360 NCRYPT_KEY_HANDLE key) {
361 // Rather than query the private key for metadata, extract the public key from
362 // the certificate without using Windows APIs. CNG does not consistently work
363 // depending on the system. See https://crbug.com/468345.
364 int key_type;
365 size_t max_length;
366 if (!GetClientCertInfo(certificate, &key_type, &max_length)) {
367 NCryptFreeObject(key);
368 return nullptr;
369 }
370
371 return base::MakeRefCounted<ThreadedSSLPrivateKey>(
372 std::make_unique<SSLPlatformKeyCNG>(key, key_type, max_length),
373 GetSSLPlatformKeyTaskRunner());
374 }
375
FetchClientCertPrivateKey(const X509Certificate * certificate,PCCERT_CONTEXT cert_context)376 scoped_refptr<SSLPrivateKey> FetchClientCertPrivateKey(
377 const X509Certificate* certificate,
378 PCCERT_CONTEXT cert_context) {
379 HCRYPTPROV_OR_NCRYPT_KEY_HANDLE prov_or_key = 0;
380 DWORD key_spec = 0;
381 BOOL must_free = FALSE;
382 DWORD flags = CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
383
384 if (!CryptAcquireCertificatePrivateKey(cert_context, flags, nullptr,
385 &prov_or_key, &key_spec, &must_free)) {
386 PLOG(WARNING) << "Could not acquire private key";
387 return nullptr;
388 }
389
390 // Should never get a cached handle back - ownership must always be
391 // transferred.
392 CHECK_EQ(must_free, TRUE);
393
394 if (key_spec == CERT_NCRYPT_KEY_SPEC) {
395 return WrapCNGPrivateKey(certificate, prov_or_key);
396 } else {
397 return WrapCAPIPrivateKey(certificate, prov_or_key, key_spec);
398 }
399 }
400
401 } // namespace net
402