// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_
#define QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_

#include <forward_list>
#include <memory>

#include "absl/base/attributes.h"
#include "absl/container/node_hash_map.h"
#include "absl/strings/string_view.h"
#include "quiche/quic/core/crypto/certificate_view.h"
#include "quiche/quic/core/crypto/proof_source.h"
#include "quiche/quic/core/crypto/quic_crypto_proof.h"

namespace quic {

// ProofSourceX509 accepts X.509 certificates with private keys and picks a
// certificate internally based on its SubjectAltName value.
//
// The |hostname| requested by the client selects the chain; when no
// SubjectAltName value matches, the default chain supplied to Create() is
// served instead. Operators should therefore expect that a hostname with no
// installed chain is answered with the default certificate rather than with
// an error.
class QUICHE_EXPORT ProofSourceX509 : public ProofSource {
 public:
  // Creates a proof source that uses |default_chain| when no SubjectAltName
  // value matches. Returns nullptr if |default_chain| is invalid.
  static std::unique_ptr<ProofSourceX509> Create(
      quiche::QuicheReferenceCountedPointer<Chain> default_chain,
      CertificatePrivateKey default_key);

  // ProofSource implementation.
  // NOTE(review): the three hostname-taking overrides presumably all route
  // through GetCertificate() below for chain selection — confirm in the .cc.
  void GetProof(const QuicSocketAddress& server_address,
                const QuicSocketAddress& client_address,
                const std::string& hostname, const std::string& server_config,
                QuicTransportVersion transport_version,
                absl::string_view chlo_hash,
                std::unique_ptr<Callback> callback) override;
  quiche::QuicheReferenceCountedPointer<Chain> GetCertChain(
      const QuicSocketAddress& server_address,
      const QuicSocketAddress& client_address, const std::string& hostname,
      bool* cert_matched_sni) override;
  void ComputeTlsSignature(
      const QuicSocketAddress& server_address,
      const QuicSocketAddress& client_address, const std::string& hostname,
      uint16_t signature_algorithm, absl::string_view in,
      std::unique_ptr<SignatureCallback> callback) override;
  QuicSignatureAlgorithmVector SupportedTlsSignatureAlgorithms() const override;
  TicketCrypter* GetTicketCrypter() override;

  // Adds a certificate chain to this proof source. Returns false if the chain
  // is not valid. Newer certificates will override older certificates with the
  // same SubjectAltName value.
  //
  // The result must be checked: a rejected chain is simply not installed, so
  // ignoring a false return means requests for its hostnames fall back to the
  // default chain.
  ABSL_MUST_USE_RESULT bool AddCertificateChain(
      quiche::QuicheReferenceCountedPointer<Chain> chain,
      CertificatePrivateKey key);

 protected:
  ProofSourceX509(quiche::QuicheReferenceCountedPointer<Chain> default_chain,
                  CertificatePrivateKey default_key);
  // True once a default certificate has been installed; Create() relies on
  // this to decide whether construction succeeded.
  bool valid() const { return default_certificate_ != nullptr; }

  // Gives an opportunity for the subclass proof source to provide SCTs for a
  // given hostname. The base implementation adds none.
  virtual void MaybeAddSctsForHostname(absl::string_view /*hostname*/,
                                       std::string& /*leaf_cert_scts*/) {}

 private:
  // A chain together with the private key that signs for it.
  struct QUICHE_EXPORT Certificate {
    quiche::QuicheReferenceCountedPointer<Chain> chain;
    CertificatePrivateKey key;
  };

  // Looks up the certificate for |hostname|; returns the default if no
  // certificate is found. |cert_matched_sni| presumably reports whether a
  // SubjectAltName match (rather than the default) was returned — confirm in
  // the .cc.
  Certificate* GetCertificate(const std::string& hostname,
                              bool* cert_matched_sni) const;

  // Owns every Certificate. A forward_list is presumably used because
  // inserting into it never invalidates references to existing elements, so
  // the raw Certificate* held below stay valid as chains are added.
  std::forward_list<Certificate> certificates_;
  // Non-owning pointer into |certificates_|; nullptr until the default chain
  // is installed (see valid()).
  Certificate* default_certificate_ = nullptr;
  // Non-owning lookup table from a name (per the class comment, a
  // SubjectAltName value) to its entry in |certificates_|.
  absl::node_hash_map<std::string, Certificate*> certificate_map_;
};

}  // namespace quic

#endif  // QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_