1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //     http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
#include <grpc/support/port_platform.h>

#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

#include <limits>
#include <memory>

#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/string_view.h"

#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
30 
31 namespace grpc_core {
32 
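namespace {

// Owning handles for the OpenSSL objects used below, so that every early
// return releases them instead of relying on a hand-written free on each
// error path.
using BioPtr = std::unique_ptr<BIO, decltype(&BIO_free)>;
using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;
using EvpPkeyPtr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;

// Wraps `data` in a read-only memory BIO.
//
// Returns a null handle when OpenSSL cannot create the BIO, and also when the
// buffer length does not fit in the `int` that BIO_new_mem_buf takes. That
// guard matters: a length truncated to a negative value makes BIO_new_mem_buf
// measure the buffer with strlen(), and a string_view is not guaranteed to be
// NUL-terminated, so OpenSSL would read past the end of the caller's buffer.
BioPtr MakeMemBio(absl::string_view data) {
  if (data.size() > static_cast<size_t>(std::numeric_limits<int>::max())) {
    return BioPtr(nullptr, &BIO_free);
  }
  return BioPtr(BIO_new_mem_buf(data.data(), static_cast<int>(data.size())),
                &BIO_free);
}

}  // namespace

// Checks whether a PEM private key corresponds to the public key of the leaf
// certificate in a PEM certificate chain.
//
// Parameters:
//   private_key: PEM-encoded private key. Must not be empty.
//   cert_chain:  One or more PEM-encoded certificates; only the FIRST
//                certificate is examined and it is expected to be the leaf.
//                Must not be empty.
//
// Returns:
//   true  if the private key matches the leaf certificate's public key,
//   false if both parse but do not correspond (including when the key types
//         differ, or when the comparison is unsupported by the TLS library),
//   absl::InvalidArgumentError if either input is empty, too large to hand
//         to OpenSSL, or fails to parse.
//
// This function only establishes key/certificate consistency; it performs no
// validation of the certificate itself (expiry, chain, usage).
absl::StatusOr<bool> PrivateKeyAndCertificateMatch(
    absl::string_view private_key, absl::string_view cert_chain) {
  if (private_key.empty()) {
    return absl::InvalidArgumentError("Private key string is empty.");
  }
  if (cert_chain.empty()) {
    return absl::InvalidArgumentError("Certificate string is empty.");
  }
  BioPtr cert_bio = MakeMemBio(cert_chain);
  if (cert_bio == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from certificate string to BIO failed.");
  }
  // Only the first PEM block is parsed. The caller is expected to put the
  // leaf certificate first; the remainder of the chain is not examined here.
  X509Ptr x509(PEM_read_bio_X509(cert_bio.get(), nullptr, nullptr, nullptr),
               &X509_free);
  if (x509 == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from PEM string to X509 failed.");
  }
  EvpPkeyPtr public_evp_pkey(X509_get_pubkey(x509.get()), &EVP_PKEY_free);
  if (public_evp_pkey == nullptr) {
    return absl::InvalidArgumentError(
        "Extraction of public key from x.509 certificate failed.");
  }
  BioPtr private_key_bio = MakeMemBio(private_key);
  if (private_key_bio == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from private key string to BIO failed.");
  }
  // An empty passphrase is passed explicitly as the user-data argument. Per
  // the OpenSSL pem_read documentation, a null callback together with null
  // user data selects the library's default callback, which prompts for a
  // passphrase on the current terminal; a passphrase-protected key fed to a
  // long-running server process could then block it on a prompt. With "" the
  // decryption of an encrypted key fails and the key is rejected instead.
  EvpPkeyPtr private_evp_pkey(
      PEM_read_bio_PrivateKey(private_key_bio.get(), nullptr, nullptr,
                              const_cast<char*>("")),
      &EVP_PKEY_free);
  if (private_evp_pkey == nullptr) {
    return absl::InvalidArgumentError(
        "Conversion from PEM string to EVP_PKEY failed.");
  }
  // EVP_PKEY_cmp / EVP_PKEY_eq (the latter replaces the former in OpenSSL 3)
  // return 1 on match, 0 on mismatch, -1 when the key types differ and -2
  // when the comparison is not supported. Only an explicit 1 counts as a
  // match, so an unsupported algorithm reads as "does not match" rather than
  // silently passing.
#if OPENSSL_VERSION_NUMBER < 0x30000000L
  const int cmp = EVP_PKEY_cmp(private_evp_pkey.get(), public_evp_pkey.get());
#else
  const int cmp = EVP_PKEY_eq(private_evp_pkey.get(), public_evp_pkey.get());
#endif
  return cmp == 1;
}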
85 
86 }  // namespace grpc_core
87