1 // Copyright 2019 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.h"
6 
7 #include <utility>
8 
9 #include "base/files/file_path.h"
10 #include "base/strings/utf_string_conversions.h"
11 #include "build/build_config.h"
12 #include "net/base/network_isolation_key.h"
13 #include "net/cert/cert_verifier.h"
14 #include "net/cert/ct_log_verifier.h"
15 #include "net/http/transport_security_state.h"
16 #include "net/quic/crypto/proof_source_chromium.h"
17 #include "net/quic/crypto/proof_verifier_chromium.h"
18 #include "net/quic/platform/impl/quic_chromium_clock.h"
19 #include "net/third_party/quiche/src/quiche/common/platform/api/quiche_command_line_flags.h"
20 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_flags.h"
21 #include "net/third_party/quiche/src/quiche/quic/tools/simple_ticket_crypter.h"
22 
23 DEFINE_QUICHE_COMMAND_LINE_FLAG(
24     bool,
25     allow_unknown_root_cert,
26     false,
27     "If true, don't restrict cert verification to known roots");
28 
29 DEFINE_QUICHE_COMMAND_LINE_FLAG(std::string,
30                                 certificate_file,
31                                 "",
32                                 "Path to the certificate chain.");
33 
34 DEFINE_QUICHE_COMMAND_LINE_FLAG(std::string,
35                                 key_file,
36                                 "",
37                                 "Path to the pkcs8 private key.");
38 
39 using net::CertVerifier;
40 using net::ProofVerifierChromium;
41 
42 namespace quiche {
43 
44 namespace {
45 
UnknownRootAllowlistForHost(std::string host)46 std::set<std::string> UnknownRootAllowlistForHost(std::string host) {
47   if (!GetQuicFlag(allow_unknown_root_cert)) {
48     return std::set<std::string>();
49   }
50   return {host};
51 }
52 
53 }  // namespace
54 
55 class ProofVerifierChromiumWithOwnership : public net::ProofVerifierChromium {
56  public:
ProofVerifierChromiumWithOwnership(std::unique_ptr<net::CertVerifier> cert_verifier,std::string host)57   ProofVerifierChromiumWithOwnership(
58       std::unique_ptr<net::CertVerifier> cert_verifier,
59       std::string host)
60       : net::ProofVerifierChromium(
61             cert_verifier.get(),
62             &transport_security_state_,
63             /*sct_auditing_delegate=*/nullptr,
64             UnknownRootAllowlistForHost(host),
65             // Fine to use an empty NetworkAnonymizationKey
66             // here, since this isn't used in Chromium.
67             net::NetworkAnonymizationKey()),
68         cert_verifier_(std::move(cert_verifier)) {}
69 
70  private:
71   std::unique_ptr<net::CertVerifier> cert_verifier_;
72   net::TransportSecurityState transport_security_state_;
73 };
74 
CreateDefaultProofVerifierImpl(const std::string & host)75 std::unique_ptr<quic::ProofVerifier> CreateDefaultProofVerifierImpl(
76     const std::string& host) {
77   std::unique_ptr<net::CertVerifier> cert_verifier =
78       net::CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr);
79   return std::make_unique<ProofVerifierChromiumWithOwnership>(
80       std::move(cert_verifier), host);
81 }
82 
CreateDefaultProofSourceImpl()83 std::unique_ptr<quic::ProofSource> CreateDefaultProofSourceImpl() {
84   auto proof_source = std::make_unique<net::ProofSourceChromium>();
85   proof_source->SetTicketCrypter(std::make_unique<quic::SimpleTicketCrypter>(
86       quic::QuicChromiumClock::GetInstance()));
87   CHECK(proof_source->Initialize(
88 #if BUILDFLAG(IS_WIN)
89       base::FilePath(base::UTF8ToWide(GetQuicFlag(certificate_file))),
90       base::FilePath(base::UTF8ToWide(GetQuicFlag(key_file))),
91       base::FilePath()));
92 #else
93       base::FilePath(GetQuicFlag(certificate_file)),
94       base::FilePath(GetQuicFlag(key_file)), base::FilePath()));
95 #endif
96   return std::move(proof_source);
97 }
98 
99 }  // namespace quiche
100