• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_CERT_VERIFY_PROC_H_
6 #define NET_CERT_CERT_VERIFY_PROC_H_
7 
8 #include <string>
9 #include <vector>
10 
11 #include "base/feature_list.h"
12 #include "base/gtest_prod_util.h"
13 #include "base/memory/ref_counted.h"
14 #include "build/build_config.h"
15 #include "crypto/crypto_buildflags.h"
16 #include "net/base/hash_value.h"
17 #include "net/base/net_export.h"
18 #include "net/net_buildflags.h"
19 
20 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
21 #include "net/cert/internal/trust_store_chrome.h"
22 #endif
23 
24 namespace net {
25 
26 class CertNetFetcher;
27 class CertVerifyResult;
28 class CRLSet;
29 class NetLogWithSource;
30 class X509Certificate;
31 typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;
32 
33 // Class to perform certificate path building and verification for various
34 // certificate uses. All methods of this class must be thread-safe, as they
35 // may be called from various non-joinable worker threads.
36 class NET_EXPORT CertVerifyProc
37     : public base::RefCountedThreadSafe<CertVerifyProc> {
38  public:
39   enum VerifyFlags {
40     // If set, enables online revocation checking via CRLs and OCSP for the
41     // certificate chain.
42     // Note: has no effect if VERIFY_DISABLE_NETWORK_FETCHES is set.
43     VERIFY_REV_CHECKING_ENABLED = 1 << 0,
44 
45     // If set, this is equivalent to VERIFY_REV_CHECKING_ENABLED, in that it
46     // enables online revocation checking via CRLs or OCSP, but only
47     // for certificates issued by non-public trust anchors. Failure to check
48     // revocation is treated as a hard failure.
49     // Note: has no effect if VERIFY_DISABLE_NETWORK_FETCHES is set.
50     VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS = 1 << 1,
51 
52     // If set, certificates with SHA-1 signatures will be allowed, but only if
53     // they are issued by non-public trust anchors.
54     VERIFY_ENABLE_SHA1_LOCAL_ANCHORS = 1 << 2,
55 
56     // If set, disables the policy enforcement described at
57     // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
58     VERIFY_DISABLE_SYMANTEC_ENFORCEMENT = 1 << 3,
59 
60     // Disable network fetches during verification. This will override
61     // VERIFY_REV_CHECKING_ENABLED and
62     // VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS if they are also specified.
63     // (Note that this entirely disables the online revocation/AIA code paths.
64     // Theoretically we could still check for cached results.)
65     VERIFY_DISABLE_NETWORK_FETCHES = 1 << 4,
66   };
67 
68   // These values are persisted to logs. Entries should not be renumbered and
69   // numeric values should never be reused.
70   enum class NameNormalizationResult {
71     kError = 0,
72     kByteEqual = 1,
73     kNormalized = 2,
74     kChainLengthOne = 3,
75     kMaxValue = kChainLengthOne
76   };
77 
78 #if !(BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || \
79       BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(CHROME_ROOT_STORE_ONLY))
80   // Creates and returns a CertVerifyProc that uses the system verifier.
81   // |cert_net_fetcher| may not be used, depending on the implementation.
82   static scoped_refptr<CertVerifyProc> CreateSystemVerifyProc(
83       scoped_refptr<CertNetFetcher> cert_net_fetcher,
84       scoped_refptr<CRLSet> crl_set);
85 #endif
86 
87 #if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS)
88   // Creates and returns a CertVerifyProcBuiltin using the SSL SystemTrustStore.
89   static scoped_refptr<CertVerifyProc> CreateBuiltinVerifyProc(
90       scoped_refptr<CertNetFetcher> cert_net_fetcher,
91       scoped_refptr<CRLSet> crl_set);
92 #endif
93 
94 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
95   // Creates and returns a CertVerifyProcBuiltin using the Chrome Root Store
96   // SystemTrustStore and the given |root_store_data|, which may be nullptr to
97   // use the default.
98   static scoped_refptr<CertVerifyProc> CreateBuiltinWithChromeRootStore(
99       scoped_refptr<CertNetFetcher> cert_net_fetcher,
100       scoped_refptr<CRLSet> crl_set,
101       const ChromeRootStoreData* root_store_data);
102 #endif
103 
104   CertVerifyProc(const CertVerifyProc&) = delete;
105   CertVerifyProc& operator=(const CertVerifyProc&) = delete;
106 
107   // Verifies the certificate against the given hostname as an SSL server
108   // certificate. Returns OK if successful or an error code upon failure.
109   //
110   // The |*verify_result| structure, including the |verify_result->cert_status|
111   // bitmask, is always filled out regardless of the return value. If the
112   // certificate has multiple errors, the corresponding status flags are set in
113   // |verify_result->cert_status|, and the error code for the most serious
114   // error is returned.
115   //
116   // |ocsp_response|, if non-empty, is a stapled OCSP response to use.
117   //
118   // |sct_list|, if non-empty, is a SignedCertificateTimestampList from the TLS
119   // extension as described in RFC6962 section 3.3.1.
120   //
121   // |flags| is bitwise OR'd of VerifyFlags:
122   //
123   // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate
124   // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet
125   // based revocation checking is always enabled, regardless of this flag.
126   //
127   // |additional_trust_anchors| lists certificates that can be trusted when
128   // building a certificate chain, in addition to the anchors known to the
129   // implementation.
130   int Verify(X509Certificate* cert,
131              const std::string& hostname,
132              const std::string& ocsp_response,
133              const std::string& sct_list,
134              int flags,
135              const CertificateList& additional_trust_anchors,
136              CertVerifyResult* verify_result,
137              const NetLogWithSource& net_log);
138 
139   // Returns true if the implementation supports passing additional trust
140   // anchors to the Verify() call. The |additional_trust_anchors| parameter
141   // passed to Verify() is ignored when this returns false.
142   virtual bool SupportsAdditionalTrustAnchors() const = 0;
143 
144  protected:
145   explicit CertVerifyProc(scoped_refptr<CRLSet> crl_set);
146   virtual ~CertVerifyProc();
147 
crl_set()148   CRLSet* crl_set() const { return crl_set_.get(); }
149 
150   // Record a histogram of whether Name normalization was used in verifying the
151   // chain. This should only be called for successfully validated chains.
152   static void LogNameNormalizationResult(const std::string& histogram_suffix,
153                                          NameNormalizationResult result);
154 
155   // Record a histogram of whether Name normalization was used in verifying the
156   // chain. This should only be called for successfully validated chains.
157   static void LogNameNormalizationMetrics(const std::string& histogram_suffix,
158                                           X509Certificate* verified_cert,
159                                           bool is_issued_by_known_root);
160 
161  private:
162   friend class base::RefCountedThreadSafe<CertVerifyProc>;
163   FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
164   FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity);
165   FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest,
166                            VerifyRejectsSHA1AfterDeprecationLegacyMode);
167   FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, SymantecCertsRejected);
168 
169   // Performs the actual verification using the desired underlying
170   //
171   // On entry, |verify_result| will be default-initialized as a successful
172   // validation, with |verify_result->verified_cert| set to |cert|.
173   //
174   // Implementations are expected to fill in all applicable fields, excluding:
175   //
176   // * ocsp_result
177   // * has_sha1
178   //
179   // which will be filled in by |Verify()|. If an error code is returned,
180   // |verify_result->cert_status| should be non-zero, indicating an
181   // error occurred.
182   //
183   // On success, net::OK should be returned, with |verify_result| updated to
184   // reflect the successfully verified chain.
185   virtual int VerifyInternal(X509Certificate* cert,
186                              const std::string& hostname,
187                              const std::string& ocsp_response,
188                              const std::string& sct_list,
189                              int flags,
190                              const CertificateList& additional_trust_anchors,
191                              CertVerifyResult* verify_result,
192                              const NetLogWithSource& net_log) = 0;
193 
194   // HasNameConstraintsViolation returns true iff one of |public_key_hashes|
195   // (which are hashes of SubjectPublicKeyInfo structures) has name constraints
196   // imposed on it and the names in |dns_names| are not permitted.
197   static bool HasNameConstraintsViolation(
198       const HashValueVector& public_key_hashes,
199       const std::string& common_name,
200       const std::vector<std::string>& dns_names,
201       const std::vector<std::string>& ip_addrs);
202 
203   // The CA/Browser Forum's Baseline Requirements specify maximum validity
204   // periods (https://cabforum.org/baseline-requirements-documents/).
205   //
206   // For certificates issued after 1 July 2012: 60 months.
207   // For certificates issued after 1 April 2015: 39 months.
208   // For certificates issued after 1 March 2018: 825 days.
209   //
210   // For certificates issued before the BRs took effect, there were no
211   // guidelines, but clamp them at a maximum of 10 year validity, with the
212   // requirement they expire within 7 years after the effective date of the BRs
213   // (i.e. by 1 July 2019).
214   static bool HasTooLongValidity(const X509Certificate& cert);
215 
216   const scoped_refptr<CRLSet> crl_set_;
217 };
218 
219 // Factory for creating new CertVerifyProcs when they need to be updated.
220 class NET_EXPORT CertVerifyProcFactory
221     : public base::RefCountedThreadSafe<CertVerifyProcFactory> {
222  public:
223   // The set of factory parameters that are variable over time, but are
224   // expected to be consistent between multiple verifiers that are created. For
225   // example, CertNetFetcher is not in this struct as it is expected that
226   // different verifiers will have different net fetchers. (There is no
227   // technical restriction against creating different verifiers with different
228   // ImplParams, structuring the parameters this way just makes some APIs more
229   // convenient for the common case.)
230   struct NET_EXPORT ImplParams {
231     ImplParams();
232     ~ImplParams();
233     ImplParams(const ImplParams&);
234     ImplParams& operator=(const ImplParams& other);
235     ImplParams(ImplParams&&);
236     ImplParams& operator=(ImplParams&& other);
237 
238     scoped_refptr<CRLSet> crl_set;
239 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
240     absl::optional<net::ChromeRootStoreData> root_store_data;
241 #endif
242 #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
243     bool use_chrome_root_store;
244 #endif
245   };
246 
247   // Create a new CertVerifyProc that uses the passed in CRLSet and
248   // ChromeRootStoreData.
249   virtual scoped_refptr<CertVerifyProc> CreateCertVerifyProc(
250       scoped_refptr<CertNetFetcher> cert_net_fetcher,
251       const ImplParams& impl_params) = 0;
252 
253  protected:
254   virtual ~CertVerifyProcFactory() = default;
255 
256  private:
257   friend class base::RefCountedThreadSafe<CertVerifyProcFactory>;
258 };
259 
260 }  // namespace net
261 
262 #endif  // NET_CERT_CERT_VERIFY_PROC_H_
263