1 // Copyright 2013 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_ 6 #define NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_ 7 8 #include <map> 9 #include <memory> 10 #include <set> 11 #include <string> 12 #include <vector> 13 14 #include "base/compiler_specific.h" 15 #include "base/memory/raw_ptr.h" 16 #include "net/base/net_export.h" 17 #include "net/base/network_anonymization_key.h" 18 #include "net/cert/cert_verify_result.h" 19 #include "net/cert/x509_certificate.h" 20 #include "net/log/net_log_with_source.h" 21 #include "net/third_party/quiche/src/quiche/quic/core/crypto/proof_verifier.h" 22 23 namespace net { 24 25 class CTPolicyEnforcer; 26 class CertVerifier; 27 class SCTAuditingDelegate; 28 class TransportSecurityState; 29 30 // ProofVerifyDetailsChromium is the implementation-specific information that a 31 // ProofVerifierChromium returns about a certificate verification. 32 class NET_EXPORT_PRIVATE ProofVerifyDetailsChromium 33 : public quic::ProofVerifyDetails { 34 public: 35 ProofVerifyDetailsChromium(); 36 ProofVerifyDetailsChromium(const ProofVerifyDetailsChromium&); 37 ~ProofVerifyDetailsChromium() override; 38 39 // quic::ProofVerifyDetails implementation 40 quic::ProofVerifyDetails* Clone() const override; 41 42 CertVerifyResult cert_verify_result; 43 44 // pinning_failure_log contains a message produced by 45 // TransportSecurityState::PKPState::CheckPublicKeyPins in the event of a 46 // pinning failure. It is a (somewhat) human-readable string. 47 std::string pinning_failure_log; 48 49 // True if PKP was bypassed due to a local trust anchor. 50 bool pkp_bypassed = false; 51 52 // True if there was a certificate error which should be treated as fatal, 53 // and false otherwise. 54 bool is_fatal_cert_error = false; 55 }; 56 57 // ProofVerifyContextChromium is the implementation-specific information that a 58 // ProofVerifierChromium needs in order to log correctly. 59 struct ProofVerifyContextChromium : public quic::ProofVerifyContext { 60 public: ProofVerifyContextChromiumProofVerifyContextChromium61 ProofVerifyContextChromium(int cert_verify_flags, 62 const NetLogWithSource& net_log) 63 : cert_verify_flags(cert_verify_flags), net_log(net_log) {} 64 65 int cert_verify_flags; 66 NetLogWithSource net_log; 67 }; 68 69 // ProofVerifierChromium implements the QUIC quic::ProofVerifier interface. It 70 // is capable of handling multiple simultaneous requests. 71 class NET_EXPORT_PRIVATE ProofVerifierChromium : public quic::ProofVerifier { 72 public: 73 ProofVerifierChromium( 74 CertVerifier* cert_verifier, 75 CTPolicyEnforcer* ct_policy_enforcer, 76 TransportSecurityState* transport_security_state, 77 SCTAuditingDelegate* sct_auditing_delegate, 78 std::set<std::string> hostnames_to_allow_unknown_roots, 79 const NetworkAnonymizationKey& network_anonymization_key); 80 81 ProofVerifierChromium(const ProofVerifierChromium&) = delete; 82 ProofVerifierChromium& operator=(const ProofVerifierChromium&) = delete; 83 84 ~ProofVerifierChromium() override; 85 86 // quic::ProofVerifier interface 87 quic::QuicAsyncStatus VerifyProof( 88 const std::string& hostname, 89 const uint16_t port, 90 const std::string& server_config, 91 quic::QuicTransportVersion quic_version, 92 absl::string_view chlo_hash, 93 const std::vector<std::string>& certs, 94 const std::string& cert_sct, 95 const std::string& signature, 96 const quic::ProofVerifyContext* verify_context, 97 std::string* error_details, 98 std::unique_ptr<quic::ProofVerifyDetails>* verify_details, 99 std::unique_ptr<quic::ProofVerifierCallback> callback) override; 100 quic::QuicAsyncStatus VerifyCertChain( 101 const std::string& hostname, 102 const uint16_t port, 103 const std::vector<std::string>& certs, 104 const std::string& ocsp_response, 105 const std::string& cert_sct, 106 const quic::ProofVerifyContext* verify_context, 107 std::string* error_details, 108 std::unique_ptr<quic::ProofVerifyDetails>* verify_details, 109 uint8_t* out_alert, 110 std::unique_ptr<quic::ProofVerifierCallback> callback) override; 111 std::unique_ptr<quic::ProofVerifyContext> CreateDefaultContext() override; 112 113 private: 114 class Job; 115 116 void OnJobComplete(Job* job); 117 118 // Set owning pointers to active jobs. 119 std::map<Job*, std::unique_ptr<Job>> active_jobs_; 120 121 // Underlying verifier used to verify certificates. 122 const raw_ptr<CertVerifier> cert_verifier_; 123 const raw_ptr<CTPolicyEnforcer> ct_policy_enforcer_; 124 125 const raw_ptr<TransportSecurityState> transport_security_state_; 126 127 const raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_; 128 129 std::set<std::string> hostnames_to_allow_unknown_roots_; 130 131 const NetworkAnonymizationKey network_anonymization_key_; 132 }; 133 134 } // namespace net 135 136 #endif // NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_ 137