1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verifier.h"
6
7 #include <algorithm>
8 #include <utility>
9
10 #include "base/strings/string_util.h"
11 #include "base/types/optional_util.h"
12 #include "build/build_config.h"
13 #include "net/base/features.h"
14 #include "net/cert/caching_cert_verifier.h"
15 #include "net/cert/cert_verify_proc.h"
16 #include "net/cert/coalescing_cert_verifier.h"
17 #include "net/cert/crl_set.h"
18 #include "net/cert/multi_threaded_cert_verifier.h"
19 #include "net/net_buildflags.h"
20 #include "third_party/boringssl/src/include/openssl/pool.h"
21 #include "third_party/boringssl/src/include/openssl/sha.h"
22
23 namespace net {
24
25 namespace {
26
27 class DefaultCertVerifyProcFactory : public net::CertVerifyProcFactory {
28 public:
CreateCertVerifyProc(scoped_refptr<net::CertNetFetcher> cert_net_fetcher,const CertVerifyProcFactory::ImplParams & impl_params)29 scoped_refptr<net::CertVerifyProc> CreateCertVerifyProc(
30 scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
31 const CertVerifyProcFactory::ImplParams& impl_params) override {
32 #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
33 if (impl_params.use_chrome_root_store) {
34 return CertVerifyProc::CreateBuiltinWithChromeRootStore(
35 std::move(cert_net_fetcher), impl_params.crl_set,
36 base::OptionalToPtr(impl_params.root_store_data));
37 }
38 #endif
39 #if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
40 return CertVerifyProc::CreateBuiltinWithChromeRootStore(
41 std::move(cert_net_fetcher), impl_params.crl_set,
42 base::OptionalToPtr(impl_params.root_store_data));
43 #elif BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
44 return CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher),
45 impl_params.crl_set);
46 #else
47 return CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher),
48 impl_params.crl_set);
49 #endif
50 }
51
52 private:
53 ~DefaultCertVerifyProcFactory() override = default;
54 };
55
56 } // namespace
57
58 CertVerifier::Config::Config() = default;
59 CertVerifier::Config::Config(const Config&) = default;
60 CertVerifier::Config::Config(Config&&) = default;
61 CertVerifier::Config::~Config() = default;
62 CertVerifier::Config& CertVerifier::Config::operator=(const Config&) = default;
63 CertVerifier::Config& CertVerifier::Config::operator=(Config&&) = default;
64
65 CertVerifier::RequestParams::RequestParams() = default;
66
RequestParams(scoped_refptr<X509Certificate> certificate,base::StringPiece hostname,int flags,base::StringPiece ocsp_response,base::StringPiece sct_list)67 CertVerifier::RequestParams::RequestParams(
68 scoped_refptr<X509Certificate> certificate,
69 base::StringPiece hostname,
70 int flags,
71 base::StringPiece ocsp_response,
72 base::StringPiece sct_list)
73 : certificate_(std::move(certificate)),
74 hostname_(hostname),
75 flags_(flags),
76 ocsp_response_(ocsp_response),
77 sct_list_(sct_list) {
78 // For efficiency sake, rather than compare all of the fields for each
79 // comparison, compute a hash of their values. This is done directly in
80 // this class, rather than as an overloaded hash operator, for efficiency's
81 // sake.
82 SHA256_CTX ctx;
83 SHA256_Init(&ctx);
84 SHA256_Update(&ctx, CRYPTO_BUFFER_data(certificate_->cert_buffer()),
85 CRYPTO_BUFFER_len(certificate_->cert_buffer()));
86 for (const auto& cert_handle : certificate_->intermediate_buffers()) {
87 SHA256_Update(&ctx, CRYPTO_BUFFER_data(cert_handle.get()),
88 CRYPTO_BUFFER_len(cert_handle.get()));
89 }
90 SHA256_Update(&ctx, hostname.data(), hostname.size());
91 SHA256_Update(&ctx, &flags, sizeof(flags));
92 SHA256_Update(&ctx, ocsp_response.data(), ocsp_response.size());
93 SHA256_Update(&ctx, sct_list.data(), sct_list.size());
94 SHA256_Final(reinterpret_cast<uint8_t*>(
95 base::WriteInto(&key_, SHA256_DIGEST_LENGTH + 1)),
96 &ctx);
97 }
98
99 CertVerifier::RequestParams::RequestParams(const RequestParams& other) =
100 default;
101 CertVerifier::RequestParams::~RequestParams() = default;
102
operator ==(const CertVerifier::RequestParams & other) const103 bool CertVerifier::RequestParams::operator==(
104 const CertVerifier::RequestParams& other) const {
105 return key_ == other.key_;
106 }
107
operator <(const CertVerifier::RequestParams & other) const108 bool CertVerifier::RequestParams::operator<(
109 const CertVerifier::RequestParams& other) const {
110 return key_ < other.key_;
111 }
112
113 // static
114 std::unique_ptr<CertVerifierWithUpdatableProc>
CreateDefaultWithoutCaching(scoped_refptr<CertNetFetcher> cert_net_fetcher)115 CertVerifier::CreateDefaultWithoutCaching(
116 scoped_refptr<CertNetFetcher> cert_net_fetcher) {
117 auto proc_factory = base::MakeRefCounted<DefaultCertVerifyProcFactory>();
118 return std::make_unique<MultiThreadedCertVerifier>(
119 proc_factory->CreateCertVerifyProc(std::move(cert_net_fetcher), {}),
120 proc_factory);
121 }
122
123 // static
CreateDefault(scoped_refptr<CertNetFetcher> cert_net_fetcher)124 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault(
125 scoped_refptr<CertNetFetcher> cert_net_fetcher) {
126 return std::make_unique<CachingCertVerifier>(
127 std::make_unique<CoalescingCertVerifier>(
128 CreateDefaultWithoutCaching(std::move(cert_net_fetcher))));
129 }
130
operator ==(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)131 bool operator==(const CertVerifier::Config& lhs,
132 const CertVerifier::Config& rhs) {
133 return std::tie(
134 lhs.enable_rev_checking, lhs.require_rev_checking_local_anchors,
135 lhs.enable_sha1_local_anchors, lhs.disable_symantec_enforcement,
136 lhs.additional_trust_anchors,
137 lhs.additional_untrusted_authorities) ==
138 std::tie(
139 rhs.enable_rev_checking, rhs.require_rev_checking_local_anchors,
140 rhs.enable_sha1_local_anchors, rhs.disable_symantec_enforcement,
141 rhs.additional_trust_anchors,
142 rhs.additional_untrusted_authorities);
143 }
144
operator !=(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)145 bool operator!=(const CertVerifier::Config& lhs,
146 const CertVerifier::Config& rhs) {
147 return !(lhs == rhs);
148 }
149
150 } // namespace net
151