Fabcoin Core  0.16.2
P2P Digital Currency
paymentrequestplus.cpp
Go to the documentation of this file.
1 // Copyright (c) 2011-2017 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 //
6 // Wraps dumb protocol buffer paymentRequest
7 // with some extra methods
8 //
9 
10 #include <paymentrequestplus.h>
11 
12 #include <util.h>
13 
14 #include <stdexcept>
15 
16 #include <openssl/x509_vfy.h>
17 
18 #include <QDateTime>
19 #include <QDebug>
20 #include <QSslCertificate>
21 
22 class SSLVerifyError : public std::runtime_error
23 {
24 public:
25  SSLVerifyError(std::string err) : std::runtime_error(err) { }
26 };
27 
28 bool PaymentRequestPlus::parse(const QByteArray& data)
29 {
30  bool parseOK = paymentRequest.ParseFromArray(data.data(), data.size());
31  if (!parseOK) {
32  qWarning() << "PaymentRequestPlus::parse: Error parsing payment request";
33  return false;
34  }
35  if (paymentRequest.payment_details_version() > 1) {
36  qWarning() << "PaymentRequestPlus::parse: Received up-version payment details, version=" << paymentRequest.payment_details_version();
37  return false;
38  }
39 
40  parseOK = details.ParseFromString(paymentRequest.serialized_payment_details());
41  if (!parseOK)
42  {
43  qWarning() << "PaymentRequestPlus::parse: Error parsing payment details";
44  paymentRequest.Clear();
45  return false;
46  }
47  return true;
48 }
49 
50 bool PaymentRequestPlus::SerializeToString(std::string* output) const
51 {
52  return paymentRequest.SerializeToString(output);
53 }
54 
56 {
57  return paymentRequest.IsInitialized();
58 }
59 
60 bool PaymentRequestPlus::getMerchant(X509_STORE* certStore, QString& merchant) const
61 {
62  merchant.clear();
63 
64  if (!IsInitialized())
65  return false;
66 
67  // One day we'll support more PKI types, but just
68  // x509 for now:
69  const EVP_MD* digestAlgorithm = nullptr;
70  if (paymentRequest.pki_type() == "x509+sha256") {
71  digestAlgorithm = EVP_sha256();
72  }
73  else if (paymentRequest.pki_type() == "x509+sha1") {
74  digestAlgorithm = EVP_sha1();
75  }
76  else if (paymentRequest.pki_type() == "none") {
77  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: pki_type == none";
78  return false;
79  }
80  else {
81  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: unknown pki_type " << QString::fromStdString(paymentRequest.pki_type());
82  return false;
83  }
84 
86  if (!certChain.ParseFromString(paymentRequest.pki_data())) {
87  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: error parsing pki_data";
88  return false;
89  }
90 
91  std::vector<X509*> certs;
92  const QDateTime currentTime = QDateTime::currentDateTime();
93  for (int i = 0; i < certChain.certificate_size(); i++) {
94  QByteArray certData(certChain.certificate(i).data(), certChain.certificate(i).size());
95  QSslCertificate qCert(certData, QSsl::Der);
96  if (currentTime < qCert.effectiveDate() || currentTime > qCert.expiryDate()) {
97  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: certificate expired or not yet active: " << qCert;
98  return false;
99  }
100 #if QT_VERSION >= 0x050000
101  if (qCert.isBlacklisted()) {
102  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: certificate blacklisted: " << qCert;
103  return false;
104  }
105 #endif
106  const unsigned char *data = (const unsigned char *)certChain.certificate(i).data();
107  X509 *cert = d2i_X509(nullptr, &data, certChain.certificate(i).size());
108  if (cert)
109  certs.push_back(cert);
110  }
111  if (certs.empty()) {
112  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: empty certificate chain";
113  return false;
114  }
115 
116  // The first cert is the signing cert, the rest are untrusted certs that chain
117  // to a valid root authority. OpenSSL needs them separately.
118  STACK_OF(X509) *chain = sk_X509_new_null();
119  for (int i = certs.size() - 1; i > 0; i--) {
120  sk_X509_push(chain, certs[i]);
121  }
122  X509 *signing_cert = certs[0];
123 
124  // Now create a "store context", which is a single use object for checking,
125  // load the signing cert into it and verify.
126  X509_STORE_CTX *store_ctx = X509_STORE_CTX_new();
127  if (!store_ctx) {
128  qWarning() << "PaymentRequestPlus::getMerchant: Payment request: error creating X509_STORE_CTX";
129  return false;
130  }
131 
132  char *website = nullptr;
133  bool fResult = true;
134  try
135  {
136  if (!X509_STORE_CTX_init(store_ctx, certStore, signing_cert, chain))
137  {
138  int error = X509_STORE_CTX_get_error(store_ctx);
139  throw SSLVerifyError(X509_verify_cert_error_string(error));
140  }
141 
142  // Now do the verification!
143  int result = X509_verify_cert(store_ctx);
144  if (result != 1) {
145  int error = X509_STORE_CTX_get_error(store_ctx);
146  // For testing payment requests, we allow self signed root certs!
147  // This option is just shown in the UI options, if -help-debug is enabled.
148  if (!(error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT && gArgs.GetBoolArg("-allowselfsignedrootcertificates", DEFAULT_SELFSIGNED_ROOTCERTS))) {
149  throw SSLVerifyError(X509_verify_cert_error_string(error));
150  } else {
151  qDebug() << "PaymentRequestPlus::getMerchant: Allowing self signed root certificate, because -allowselfsignedrootcertificates is true.";
152  }
153  }
154  X509_NAME *certname = X509_get_subject_name(signing_cert);
155 
156  // Valid cert; check signature:
157  payments::PaymentRequest rcopy(paymentRequest); // Copy
158  rcopy.set_signature(std::string(""));
159  std::string data_to_verify; // Everything but the signature
160  rcopy.SerializeToString(&data_to_verify);
161 
162 #if HAVE_DECL_EVP_MD_CTX_NEW
163  EVP_MD_CTX *ctx = EVP_MD_CTX_new();
164  if (!ctx) throw SSLVerifyError("Error allocating OpenSSL context.");
165 #else
166  EVP_MD_CTX _ctx;
167  EVP_MD_CTX *ctx;
168  ctx = &_ctx;
169 #endif
170  EVP_PKEY *pubkey = X509_get_pubkey(signing_cert);
171  EVP_MD_CTX_init(ctx);
172  if (!EVP_VerifyInit_ex(ctx, digestAlgorithm, nullptr) ||
173  !EVP_VerifyUpdate(ctx, data_to_verify.data(), data_to_verify.size()) ||
174  !EVP_VerifyFinal(ctx, (const unsigned char*)paymentRequest.signature().data(), (unsigned int)paymentRequest.signature().size(), pubkey)) {
175  throw SSLVerifyError("Bad signature, invalid payment request.");
176  }
177 #if HAVE_DECL_EVP_MD_CTX_NEW
178  EVP_MD_CTX_free(ctx);
179 #endif
180 
181  // OpenSSL API for getting human printable strings from certs is baroque.
182  int textlen = X509_NAME_get_text_by_NID(certname, NID_commonName, nullptr, 0);
183  website = new char[textlen + 1];
184  if (X509_NAME_get_text_by_NID(certname, NID_commonName, website, textlen + 1) == textlen && textlen > 0) {
185  merchant = website;
186  }
187  else {
188  throw SSLVerifyError("Bad certificate, missing common name.");
189  }
190  // TODO: detect EV certificates and set merchant = business name instead of unfriendly NID_commonName ?
191  }
192  catch (const SSLVerifyError& err) {
193  fResult = false;
194  qWarning() << "PaymentRequestPlus::getMerchant: SSL error: " << err.what();
195  }
196 
197  if (website)
198  delete[] website;
199  X509_STORE_CTX_free(store_ctx);
200  for (unsigned int i = 0; i < certs.size(); i++)
201  X509_free(certs[i]);
202 
203  return fResult;
204 }
205 
206 QList<std::pair<CScript,CAmount> > PaymentRequestPlus::getPayTo() const
207 {
208  QList<std::pair<CScript,CAmount> > result;
209  for (int i = 0; i < details.outputs_size(); i++)
210  {
211  const unsigned char* scriptStr = (const unsigned char*)details.outputs(i).script().data();
212  CScript s(scriptStr, scriptStr+details.outputs(i).script().size());
213 
214  result.append(std::make_pair(s, details.outputs(i).amount()));
215  }
216  return result;
217 }
bool error(const char *fmt, const Args &...args)
Definition: util.h:178
const ::std::string & certificate(int index) const
bool IsInitialized() const
SSLVerifyError(std::string err)
bool getMerchant(X509_STORE *certStore, QString &merchant) const
bool GetBoolArg(const std::string &strArg, bool fDefault)
Return boolean argument or default value.
Definition: util.cpp:520
std::hash for asio::adress
Definition: Common.h:323
bool SerializeToString(std::string *output) const
bool parse(const QByteArray &data)
QList< std::pair< CScript, CAmount > > getPayTo() const
ArgsManager gArgs
Definition: util.cpp:94
void set_signature(const ::std::string &value)
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:417
uint8_t const * data
Definition: sha3.h:19