1 // Copyright (c) 2021 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_
6 #define QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_
7 
#include <memory>
#include <string>
#include <utility>
#include <vector>

#include "absl/container/flat_hash_map.h"
#include "absl/strings/string_view.h"
#include "quiche/quic/core/crypto/certificate_view.h"
#include "quiche/quic/core/crypto/proof_source.h"
13 
14 namespace quic {
15 
// ClientProofSource is the interface a QUIC client implements to supply the
// client certificate chain and private key to present for a given server
// hostname. It is only used by TLS handshakes.
//
// Ownership and secrecy notes for implementers and callers:
//  * GetCertAndKey() hands back a non-owning pointer. The CertAndKey remains
//    owned by the ClientProofSource, so the pointer must not be held past the
//    source's lifetime or past whatever mutation replaces the entry.
//  * The CertAndKey carries a private key. It is secret material: use it for
//    the handshake and do not copy it elsewhere or log it.
class QUIC_EXPORT_PRIVATE ClientProofSource {
 public:
  using Chain = ProofSource::Chain;

  // A certificate chain together with the private key that corresponds to
  // the client certificate in that chain.
  struct QUIC_EXPORT_PRIVATE CertAndKey {
    CertAndKey(quiche::QuicheReferenceCountedPointer<Chain> chain_in,
               CertificatePrivateKey private_key_in)
        : chain(std::move(chain_in)), private_key(std::move(private_key_in)) {}

    // Reference-counted chain; may be shared with other holders.
    quiche::QuicheReferenceCountedPointer<Chain> chain;
    // Private key corresponding to the client cert in |chain|. Secret.
    CertificatePrivateKey private_key;
  };

  virtual ~ClientProofSource() = default;

  // Looks up the client certificate chain and private key to send to the
  // server named |server_hostname|. Returns nullptr when no cert and key can
  // be found for it.
  //
  // |server_hostname| is typically a full domain name (www.foo.com), but it
  // may also be a wildcard domain (*.foo.com), or "*", which returns the
  // default cert.
  virtual const CertAndKey* GetCertAndKey(
      absl::string_view server_hostname) const = 0;
};
43 
// DefaultClientProofSource is a ClientProofSource backed by an in-memory map
// from server hostname to cert chain and key.
//
// Entries are stored as std::shared_ptr<CertAndKey>, so every hostname named
// in one AddCertAndKey() call shares a single CertAndKey object. Re-adding a
// hostname replaces its entry; once no hostname refers to the old CertAndKey
// any more it is destroyed. If GetCertAndKey() returns pointers into these
// entries (as its raw-pointer return suggests), such a replacement invalidates
// pointers handed out earlier for that hostname -- confirm against the .cc.
// No synchronization is visible in this header; presumably callers must not
// call AddCertAndKey() concurrently with lookups.
class QUIC_EXPORT_PRIVATE DefaultClientProofSource : public ClientProofSource {
 public:
  ~DefaultClientProofSource() override = default;

  // Associates every entry of |server_hostnames| with {|chain|,|private_key|}.
  // An element may be a full domain name (www.foo.com), a wildcard domain
  // (*.foo.com), or "*", which makes |chain| the default cert chain.
  // A hostname that already has an entry is re-pointed at the new chain and
  // key. The bool result signals success; which inputs are rejected is
  // decided by the implementation, not by this header.
  bool AddCertAndKey(std::vector<std::string> server_hostnames,
                     quiche::QuicheReferenceCountedPointer<Chain> chain,
                     CertificatePrivateKey private_key);

  // ClientProofSource implementation. Returns nullptr when nothing matches
  // |hostname|; the returned pointer is non-owning (see the class comment).
  const CertAndKey* GetCertAndKey(absl::string_view hostname) const override;

 private:
  // Name suggests a verbatim lookup of |map_key| with no wildcard or default
  // fallback; any such fallback presumably lives in GetCertAndKey(). Verify
  // in the .cc before relying on this.
  const CertAndKey* LookupExact(absl::string_view map_key) const;

  // Map key is the hostname string as given to AddCertAndKey() (including
  // "*.foo.com" and "*"); value is the shared CertAndKey for that key.
  absl::flat_hash_map<std::string, std::shared_ptr<CertAndKey>> cert_and_keys_;
};
67 
68 }  // namespace quic
69 
70 #endif  // QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_