[net/http auth] Support channel bindings for HTTP authentication.

Start using tls-server-end-point channel bindings for HTTP authentication if a certificate is available. The current implementation should work on Windows and Posix. Currently only SHA-256, SHA-384, and SHA-512 are supported for generating channel bindings. BUG=270219 R=rsleevi@chromium.org,davidben@chromium.org Review URL: https://codereview.chromium.org/1408433006 Cr-Commit-Position: refs/heads/master@{#382858}
Denger-Network · Mar 23, 2016 · 5ffd5d7 · 5ffd5d7
1 parent da41118
commit 5ffd5d7
Show file tree

Hide file tree

Showing 47 changed files with 957 additions and 274 deletions.
diff --git a/net/android/http_auth_negotiate_android.cc b/net/android/http_auth_negotiate_android.cc
@@ -101,6 +101,7 @@ HttpAuth::AuthorizationResult HttpAuthNegotiateAndroid::ParseChallenge(
 int HttpAuthNegotiateAndroid::GenerateAuthToken(
     const AuthCredentials* credentials,
     const std::string& spn,
+    const std::string& channel_bindings,
     std::string* auth_token,
     const net::CompletionCallback& callback) {
   if (prefs_->AuthAndroidNegotiateAccountType().empty()) {

diff --git a/net/android/http_auth_negotiate_android.h b/net/android/http_auth_negotiate_android.h
@@ -107,6 +107,7 @@ class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid {
   // credentials are used instead.
   int GenerateAuthToken(const AuthCredentials* credentials,
                         const std::string& spn,
+                        const std::string& channel_bindings,
                         std::string* auth_token,
                         const net::CompletionCallback& callback);
 

diff --git a/net/android/http_auth_negotiate_android_unittest.cc b/net/android/http_auth_negotiate_android_unittest.cc
@@ -31,8 +31,9 @@ TEST(HttpAuthNegotiateAndroidTest, GenerateAuthToken) {
   EXPECT_TRUE(auth.Init());
 
   TestCompletionCallback callback;
-  EXPECT_EQ(OK, callback.GetResult(auth.GenerateAuthToken(
-                    nullptr, "Dummy", &auth_token, callback.callback())));
+  EXPECT_EQ(OK, callback.GetResult(
+                    auth.GenerateAuthToken(nullptr, "Dummy", std::string(),
+                                           &auth_token, callback.callback())));
 
   EXPECT_EQ("Negotiate DummyToken", auth_token);
 

diff --git a/net/cert/x509_util.cc b/net/cert/x509_util.cc
@@ -8,6 +8,9 @@
 #include "base/time/time.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/rsa_private_key.h"
+#include "net/base/hash_value.h"
+#include "net/cert/internal/parse_certificate.h"
+#include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/x509_certificate.h"
 
 namespace net {

diff --git a/net/cert/x509_util.h b/net/cert/x509_util.h
@@ -31,6 +31,12 @@ enum DigestAlgorithm {
   DIGEST_SHA256
 };
 
+// Generate a 'tls-server-end-point' channel binding based on the specified
+// certificate. Channel bindings are based on RFC 5929.
+NET_EXPORT_PRIVATE bool GetTLSServerEndPointChannelBinding(
+    const X509Certificate& certificate,
+    std::string* token);
+
 // Creates a public-private keypair and a self-signed certificate.
 // Subject, serial number and validity period are given as parameters.
 // The certificate is signed by the private key in |key|. The key length and

diff --git a/net/cert/x509_util_nss.cc b/net/cert/x509_util_nss.cc
@@ -180,6 +180,12 @@ bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
   return true;
 }
 
+bool GetTLSServerEndPointChannelBinding(const X509Certificate& certificate,
+                                        std::string* token) {
+  NOTIMPLEMENTED();
+  return false;
+}
+
 } // namespace x509_util
 
 } // namespace net
diff --git a/net/cert/x509_util_openssl.cc b/net/cert/x509_util_openssl.cc
@@ -6,6 +6,7 @@
 
 #include <limits.h>
 #include <openssl/asn1.h>
+#include <openssl/digest.h>
 #include <openssl/mem.h>
 
 #include <algorithm>
@@ -19,7 +20,10 @@
 #include "crypto/openssl_util.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_openssl_types.h"
+#include "net/cert/internal/parse_certificate.h"
+#include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/x509_cert_types.h"
+#include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/ssl/scoped_openssl_types.h"
 
@@ -303,6 +307,57 @@ bool GetDER(X509* x509, base::StringPiece* der_cache) {
   return true;
 }
 
+bool GetTLSServerEndPointChannelBinding(const X509Certificate& certificate,
+                                        std::string* token) {
+  static const char kChannelBindingPrefix[] = "tls-server-end-point:";
+
+  std::string der_encoded_certificate;
+  if (!X509Certificate::GetDEREncoded(certificate.os_cert_handle(),
+                                      &der_encoded_certificate))
+    return false;
+
+  ParsedCertificate parsed_certificate;
+  if (!ParseCertificate(der::Input(base::StringPiece(der_encoded_certificate)),
+                        &parsed_certificate))
+    return false;
+
+  scoped_ptr<SignatureAlgorithm> signature_algorithm =
+      SignatureAlgorithm::CreateFromDer(
+          parsed_certificate.signature_algorithm_tlv);
+  if (!signature_algorithm)
+    return false;
+
+  const EVP_MD* digest_evp_md = nullptr;
+  switch (signature_algorithm->digest()) {
+    case net::DigestAlgorithm::Sha1:
+    case net::DigestAlgorithm::Sha256:
+      digest_evp_md = EVP_sha256();
+      break;
+
+    case net::DigestAlgorithm::Sha384:
+      digest_evp_md = EVP_sha384();
+      break;
+
+    case net::DigestAlgorithm::Sha512:
+      digest_evp_md = EVP_sha512();
+      break;
+  }
+  if (!digest_evp_md)
+    return false;
+
+  std::vector<uint8_t> digest(EVP_MAX_MD_SIZE);
+  unsigned int out_size = digest.size();
+  if (!EVP_Digest(der_encoded_certificate.data(),
+                  der_encoded_certificate.size(), digest.data(), &out_size,
+                  digest_evp_md, nullptr))
+    return false;
+
+  digest.resize(out_size);
+  token->assign(kChannelBindingPrefix);
+  token->append(digest.begin(), digest.end());
+  return true;
+}
+
 }  // namespace x509_util
 
 }  // namespace net