// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker
5*6777b538SAndroid Build Coastguard Worker #include "net/cert/cert_verifier.h"
6*6777b538SAndroid Build Coastguard Worker
7*6777b538SAndroid Build Coastguard Worker #include <algorithm>
8*6777b538SAndroid Build Coastguard Worker #include <string_view>
9*6777b538SAndroid Build Coastguard Worker #include <utility>
10*6777b538SAndroid Build Coastguard Worker
11*6777b538SAndroid Build Coastguard Worker #include "base/containers/span.h"
12*6777b538SAndroid Build Coastguard Worker #include "base/types/optional_util.h"
13*6777b538SAndroid Build Coastguard Worker #include "build/build_config.h"
14*6777b538SAndroid Build Coastguard Worker #include "net/base/features.h"
15*6777b538SAndroid Build Coastguard Worker #include "net/cert/caching_cert_verifier.h"
16*6777b538SAndroid Build Coastguard Worker #include "net/cert/cert_verify_proc.h"
17*6777b538SAndroid Build Coastguard Worker #include "net/cert/coalescing_cert_verifier.h"
18*6777b538SAndroid Build Coastguard Worker #include "net/cert/crl_set.h"
19*6777b538SAndroid Build Coastguard Worker #include "net/cert/do_nothing_ct_verifier.h"
20*6777b538SAndroid Build Coastguard Worker #include "net/cert/multi_threaded_cert_verifier.h"
21*6777b538SAndroid Build Coastguard Worker #include "net/net_buildflags.h"
22*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/pool.h"
23*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/sha.h"
24*6777b538SAndroid Build Coastguard Worker
25*6777b538SAndroid Build Coastguard Worker namespace net {
26*6777b538SAndroid Build Coastguard Worker
27*6777b538SAndroid Build Coastguard Worker namespace {
28*6777b538SAndroid Build Coastguard Worker
// CertVerifyProcFactory used by CertVerifier::CreateDefaultWithoutCaching().
// The CertVerifyProc it returns is selected by build flags and, in
// CHROME_ROOT_STORE_OPTIONAL builds, by |impl_params.use_chrome_root_store|.
//
// NOTE(review): every builtin branch is handed a DoNothingCTVerifier. Judging
// by the name it performs no SCT verification; confirm against its header
// before relying on Certificate Transparency results from procs built here.
class DefaultCertVerifyProcFactory : public net::CertVerifyProcFactory {
 public:
  // Builds a CertVerifyProc from |cert_net_fetcher|, |impl_params.crl_set|
  // and, for the builtin variants, |instance_params|.
  scoped_refptr<net::CertVerifyProc> CreateCertVerifyProc(
      scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
      const CertVerifyProc::ImplParams& impl_params,
      const CertVerifyProc::InstanceParams& instance_params) override {
#if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
    // Opt-in path: the builtin verifier backed by the Chrome Root Store.
    if (impl_params.use_chrome_root_store) {
      auto ct_verifier = std::make_unique<net::DoNothingCTVerifier>();
      auto ct_policy_enforcer = base::MakeRefCounted<DefaultCTPolicyEnforcer>();
      return CertVerifyProc::CreateBuiltinWithChromeRootStore(
          std::move(cert_net_fetcher), impl_params.crl_set,
          std::move(ct_verifier), std::move(ct_policy_enforcer),
          base::OptionalToPtr(impl_params.root_store_data), instance_params);
    }
#endif
#if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
    auto ct_verifier = std::make_unique<net::DoNothingCTVerifier>();
    auto ct_policy_enforcer = base::MakeRefCounted<DefaultCTPolicyEnforcer>();
    return CertVerifyProc::CreateBuiltinWithChromeRootStore(
        std::move(cert_net_fetcher), impl_params.crl_set,
        std::move(ct_verifier), std::move(ct_policy_enforcer),
        base::OptionalToPtr(impl_params.root_store_data), instance_params);
#elif BUILDFLAG(IS_FUCHSIA)
    auto ct_verifier = std::make_unique<net::DoNothingCTVerifier>();
    auto ct_policy_enforcer = base::MakeRefCounted<DefaultCTPolicyEnforcer>();
    return CertVerifyProc::CreateBuiltinVerifyProc(
        std::move(cert_net_fetcher), impl_params.crl_set,
        std::move(ct_verifier), std::move(ct_policy_enforcer), instance_params);
#else
    // The system verifier receives only the fetcher and the CRLSet;
    // |instance_params| is not forwarded in this branch.
    return CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher),
                                                  impl_params.crl_set);
#endif
  }

 private:
  ~DefaultCertVerifyProcFactory() override = default;
};
64*6777b538SAndroid Build Coastguard Worker
// Returns a span over the bytes of |b|. The span is built from the buffer's
// own data pointer and length, so it refers to |b|'s storage rather than a
// copy. |b| is passed to the CRYPTO_BUFFER accessors without a null check.
base::span<const uint8_t> CryptoBufferToSpan(const CRYPTO_BUFFER* b) {
  const uint8_t* const bytes = CRYPTO_BUFFER_data(b);
  const size_t length = CRYPTO_BUFFER_len(b);
  return base::make_span(bytes, length);
}
68*6777b538SAndroid Build Coastguard Worker
// Feeds |s| into |ctx|, preceded by the size of |s| as a 64-bit integer.
void Sha256UpdateLengthPrefixed(SHA256_CTX* ctx, base::span<const uint8_t> s) {
  // Hashing the size first keeps the overall encoding injective: without it,
  // two different sequences of fields whose concatenated bytes are equal
  // would produce the same digest.
  // The prefix is hashed as the raw in-memory bytes of the integer, i.e. in
  // host byte order.
  const uint64_t length_prefix = s.size();
  SHA256_Update(ctx, &length_prefix, sizeof(length_prefix));
  SHA256_Update(ctx, s.data(), s.size());
}
75*6777b538SAndroid Build Coastguard Worker
76*6777b538SAndroid Build Coastguard Worker } // namespace
77*6777b538SAndroid Build Coastguard Worker
// CertVerifier::Config uses the compiler-generated special members; they are
// defined out of line here.
CertVerifier::Config::Config() = default;
CertVerifier::Config::Config(const Config&) = default;
CertVerifier::Config& CertVerifier::Config::operator=(const Config&) = default;
CertVerifier::Config::Config(Config&&) = default;
CertVerifier::Config& CertVerifier::Config::operator=(Config&&) = default;
CertVerifier::Config::~Config() = default;

// Defaulted constructor. It does not run the hashing done by the
// five-argument constructor, so |key_| is not derived from any inputs here.
CertVerifier::RequestParams::RequestParams() = default;
86*6777b538SAndroid Build Coastguard Worker
// Stores the verification inputs and derives |key_|, a SHA-256 digest over
// all of them. operator== and operator< compare |key_| only, so the digest
// is what identifies a request.
//
// |certificate| is dereferenced unconditionally below and therefore must not
// be null.
CertVerifier::RequestParams::RequestParams(
    scoped_refptr<X509Certificate> certificate,
    std::string_view hostname,
    int flags,
    std::string_view ocsp_response,
    std::string_view sct_list)
    : certificate_(std::move(certificate)),
      hostname_(hostname),
      flags_(flags),
      ocsp_response_(ocsp_response),
      sct_list_(sct_list) {
  // Comparing one digest is cheaper than comparing every field on each
  // comparison. The digest is computed here, once per object, instead of in
  // an overloaded hash operator.
  SHA256_CTX hasher;
  SHA256_Init(&hasher);

  // Leaf certificate first, then each intermediate in the order the
  // certificate object reports them.
  Sha256UpdateLengthPrefixed(&hasher,
                             CryptoBufferToSpan(certificate_->cert_buffer()));
  for (const auto& intermediate : certificate_->intermediate_buffers()) {
    Sha256UpdateLengthPrefixed(&hasher, CryptoBufferToSpan(intermediate.get()));
  }

  Sha256UpdateLengthPrefixed(&hasher, base::as_byte_span(hostname));
  // |flags| has a fixed size, so it is hashed without a length prefix.
  SHA256_Update(&hasher, &flags, sizeof(flags));
  Sha256UpdateLengthPrefixed(&hasher, base::as_byte_span(ocsp_response));
  Sha256UpdateLengthPrefixed(&hasher, base::as_byte_span(sct_list));

  // Size |key_| for the digest before SHA256_Final writes into it.
  key_.resize(SHA256_DIGEST_LENGTH);
  SHA256_Final(reinterpret_cast<uint8_t*>(key_.data()), &hasher);
}
116*6777b538SAndroid Build Coastguard Worker
// Copy construction and destruction use the compiler-generated versions.
CertVerifier::RequestParams::RequestParams(const RequestParams& other) = default;

CertVerifier::RequestParams::~RequestParams() = default;
120*6777b538SAndroid Build Coastguard Worker
// Two RequestParams are equal when their |key_| digests are equal. The
// individual fields are not compared, so equality is only as strong as the
// collision resistance of the digest behind |key_|.
bool CertVerifier::RequestParams::operator==(
    const CertVerifier::RequestParams& other) const {
  const bool same_digest = (key_ == other.key_);
  return same_digest;
}
125*6777b538SAndroid Build Coastguard Worker
// Orders RequestParams by comparing their |key_| digests. The resulting order
// says nothing about the underlying fields; it only gives a consistent
// ordering over digests.
bool CertVerifier::RequestParams::operator<(
    const CertVerifier::RequestParams& other) const {
  const bool digest_is_less = (key_ < other.key_);
  return digest_is_less;
}
130*6777b538SAndroid Build Coastguard Worker
// static
// Builds a MultiThreadedCertVerifier around a proc obtained from
// DefaultCertVerifyProcFactory. The proc is created with default-constructed
// ImplParams and InstanceParams. The factory is handed to the verifier as
// well as being used to create the initial proc.
std::unique_ptr<CertVerifierWithUpdatableProc>
CertVerifier::CreateDefaultWithoutCaching(
    scoped_refptr<CertNetFetcher> cert_net_fetcher) {
  auto factory = base::MakeRefCounted<DefaultCertVerifyProcFactory>();
  auto initial_proc =
      factory->CreateCertVerifyProc(std::move(cert_net_fetcher), {}, {});
  return std::make_unique<MultiThreadedCertVerifier>(std::move(initial_proc),
                                                     factory);
}
140*6777b538SAndroid Build Coastguard Worker
// static
// Builds the default verifier stack, innermost first: the verifier from
// CreateDefaultWithoutCaching(), wrapped in a CoalescingCertVerifier, wrapped
// in a CachingCertVerifier.
std::unique_ptr<CertVerifier> CertVerifier::CreateDefault(
    scoped_refptr<CertNetFetcher> cert_net_fetcher) {
  auto uncached = CreateDefaultWithoutCaching(std::move(cert_net_fetcher));
  auto coalescing =
      std::make_unique<CoalescingCertVerifier>(std::move(uncached));
  return std::make_unique<CachingCertVerifier>(std::move(coalescing));
}
148*6777b538SAndroid Build Coastguard Worker
// Compares the four Config fields listed below, in this order.
// NOTE(review): only these fields take part in the comparison. If Config
// declares further members (its definition is not visible here), they are
// ignored; confirm against the header.
bool operator==(const CertVerifier::Config& lhs,
                const CertVerifier::Config& rhs) {
  return lhs.enable_rev_checking == rhs.enable_rev_checking &&
         lhs.require_rev_checking_local_anchors ==
             rhs.require_rev_checking_local_anchors &&
         lhs.enable_sha1_local_anchors == rhs.enable_sha1_local_anchors &&
         lhs.disable_symantec_enforcement == rhs.disable_symantec_enforcement;
}
158*6777b538SAndroid Build Coastguard Worker
// Negation of operator== for CertVerifier::Config, so it considers exactly
// the same fields.
bool operator!=(const CertVerifier::Config& lhs,
                const CertVerifier::Config& rhs) {
  const bool configs_equal = (lhs == rhs);
  return !configs_equal;
}
163*6777b538SAndroid Build Coastguard Worker
164*6777b538SAndroid Build Coastguard Worker } // namespace net