1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verifier.h"
6
7 #include <algorithm>
8 #include <utility>
9
10 #include "base/strings/string_util.h"
11 #include "base/types/optional_util.h"
12 #include "build/build_config.h"
13 #include "net/base/features.h"
14 #include "net/cert/caching_cert_verifier.h"
15 #include "net/cert/cert_verify_proc.h"
16 #include "net/cert/coalescing_cert_verifier.h"
17 #include "net/cert/crl_set.h"
18 #include "net/cert/multi_threaded_cert_verifier.h"
19 #include "net/net_buildflags.h"
20 #include "third_party/boringssl/src/include/openssl/pool.h"
21 #include "third_party/boringssl/src/include/openssl/sha.h"
22
23 namespace net {
24
25 namespace {
26
27 class DefaultCertVerifyProcFactory : public net::CertVerifyProcFactory {
28 public:
CreateCertVerifyProc(scoped_refptr<net::CertNetFetcher> cert_net_fetcher,const CertVerifyProc::ImplParams & impl_params,const CertVerifyProc::InstanceParams & instance_params)29 scoped_refptr<net::CertVerifyProc> CreateCertVerifyProc(
30 scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
31 const CertVerifyProc::ImplParams& impl_params,
32 const CertVerifyProc::InstanceParams& instance_params) override {
33 #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
34 if (impl_params.use_chrome_root_store) {
35 return CertVerifyProc::CreateBuiltinWithChromeRootStore(
36 std::move(cert_net_fetcher), impl_params.crl_set,
37 base::OptionalToPtr(impl_params.root_store_data), instance_params);
38 }
39 #endif
40 #if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
41 return CertVerifyProc::CreateBuiltinWithChromeRootStore(
42 std::move(cert_net_fetcher), impl_params.crl_set,
43 base::OptionalToPtr(impl_params.root_store_data), instance_params);
44 #elif BUILDFLAG(IS_FUCHSIA)
45 return CertVerifyProc::CreateBuiltinVerifyProc(
46 std::move(cert_net_fetcher), impl_params.crl_set, instance_params);
47 #else
48 return CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher),
49 impl_params.crl_set);
50 #endif
51 }
52
53 private:
54 ~DefaultCertVerifyProcFactory() override = default;
55 };
56
57 } // namespace
58
59 CertVerifier::Config::Config() = default;
60 CertVerifier::Config::Config(const Config&) = default;
61 CertVerifier::Config::Config(Config&&) = default;
62 CertVerifier::Config::~Config() = default;
63 CertVerifier::Config& CertVerifier::Config::operator=(const Config&) = default;
64 CertVerifier::Config& CertVerifier::Config::operator=(Config&&) = default;
65
66 CertVerifier::RequestParams::RequestParams() = default;
67
RequestParams(scoped_refptr<X509Certificate> certificate,base::StringPiece hostname,int flags,base::StringPiece ocsp_response,base::StringPiece sct_list)68 CertVerifier::RequestParams::RequestParams(
69 scoped_refptr<X509Certificate> certificate,
70 base::StringPiece hostname,
71 int flags,
72 base::StringPiece ocsp_response,
73 base::StringPiece sct_list)
74 : certificate_(std::move(certificate)),
75 hostname_(hostname),
76 flags_(flags),
77 ocsp_response_(ocsp_response),
78 sct_list_(sct_list) {
79 // For efficiency sake, rather than compare all of the fields for each
80 // comparison, compute a hash of their values. This is done directly in
81 // this class, rather than as an overloaded hash operator, for efficiency's
82 // sake.
83 SHA256_CTX ctx;
84 SHA256_Init(&ctx);
85 SHA256_Update(&ctx, CRYPTO_BUFFER_data(certificate_->cert_buffer()),
86 CRYPTO_BUFFER_len(certificate_->cert_buffer()));
87 for (const auto& cert_handle : certificate_->intermediate_buffers()) {
88 SHA256_Update(&ctx, CRYPTO_BUFFER_data(cert_handle.get()),
89 CRYPTO_BUFFER_len(cert_handle.get()));
90 }
91 SHA256_Update(&ctx, hostname.data(), hostname.size());
92 SHA256_Update(&ctx, &flags, sizeof(flags));
93 SHA256_Update(&ctx, ocsp_response.data(), ocsp_response.size());
94 SHA256_Update(&ctx, sct_list.data(), sct_list.size());
95 SHA256_Final(reinterpret_cast<uint8_t*>(
96 base::WriteInto(&key_, SHA256_DIGEST_LENGTH + 1)),
97 &ctx);
98 }
99
100 CertVerifier::RequestParams::RequestParams(const RequestParams& other) =
101 default;
102 CertVerifier::RequestParams::~RequestParams() = default;
103
operator ==(const CertVerifier::RequestParams & other) const104 bool CertVerifier::RequestParams::operator==(
105 const CertVerifier::RequestParams& other) const {
106 return key_ == other.key_;
107 }
108
operator <(const CertVerifier::RequestParams & other) const109 bool CertVerifier::RequestParams::operator<(
110 const CertVerifier::RequestParams& other) const {
111 return key_ < other.key_;
112 }
113
114 // static
115 std::unique_ptr<CertVerifierWithUpdatableProc>
CreateDefaultWithoutCaching(scoped_refptr<CertNetFetcher> cert_net_fetcher)116 CertVerifier::CreateDefaultWithoutCaching(
117 scoped_refptr<CertNetFetcher> cert_net_fetcher) {
118 auto proc_factory = base::MakeRefCounted<DefaultCertVerifyProcFactory>();
119 return std::make_unique<MultiThreadedCertVerifier>(
120 proc_factory->CreateCertVerifyProc(std::move(cert_net_fetcher), {}, {}),
121 proc_factory);
122 }
123
124 // static
CreateDefault(scoped_refptr<CertNetFetcher> cert_net_fetcher)125 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault(
126 scoped_refptr<CertNetFetcher> cert_net_fetcher) {
127 return std::make_unique<CachingCertVerifier>(
128 std::make_unique<CoalescingCertVerifier>(
129 CreateDefaultWithoutCaching(std::move(cert_net_fetcher))));
130 }
131
operator ==(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)132 bool operator==(const CertVerifier::Config& lhs,
133 const CertVerifier::Config& rhs) {
134 return std::tie(
135 lhs.enable_rev_checking, lhs.require_rev_checking_local_anchors,
136 lhs.enable_sha1_local_anchors, lhs.disable_symantec_enforcement) ==
137 std::tie(
138 rhs.enable_rev_checking, rhs.require_rev_checking_local_anchors,
139 rhs.enable_sha1_local_anchors, rhs.disable_symantec_enforcement);
140 }
141
operator !=(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)142 bool operator!=(const CertVerifier::Config& lhs,
143 const CertVerifier::Config& rhs) {
144 return !(lhs == rhs);
145 }
146
147 } // namespace net
148