1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_verifier.h"
6
7 #include <algorithm>
8
9 #include "base/strings/string_util.h"
10 #include "build/build_config.h"
11 #include "net/base/features.h"
12 #include "net/cert/cert_verify_proc.h"
13 #include "net/cert/crl_set.h"
14 #include "third_party/boringssl/src/include/openssl/pool.h"
15 #include "third_party/boringssl/src/include/openssl/sha.h"
16
17 #if defined(OS_NACL)
18 #include "base/notreached.h"
19 #else
20 #include "net/cert/caching_cert_verifier.h"
21 #include "net/cert/coalescing_cert_verifier.h"
22 #include "net/cert/multi_threaded_cert_verifier.h"
23 #endif
24
25 namespace net {
26
27 CertVerifier::Config::Config() = default;
28 CertVerifier::Config::Config(const Config&) = default;
29 CertVerifier::Config::Config(Config&&) = default;
30 CertVerifier::Config::~Config() = default;
31 CertVerifier::Config& CertVerifier::Config::operator=(const Config&) = default;
32 CertVerifier::Config& CertVerifier::Config::operator=(Config&&) = default;
33
34 CertVerifier::RequestParams::RequestParams() = default;
35
RequestParams(scoped_refptr<X509Certificate> certificate,const std::string & hostname,int flags,const std::string & ocsp_response,const std::string & sct_list)36 CertVerifier::RequestParams::RequestParams(
37 scoped_refptr<X509Certificate> certificate,
38 const std::string& hostname,
39 int flags,
40 const std::string& ocsp_response,
41 const std::string& sct_list)
42 : certificate_(std::move(certificate)),
43 hostname_(hostname),
44 flags_(flags),
45 ocsp_response_(ocsp_response),
46 sct_list_(sct_list) {
47 // For efficiency sake, rather than compare all of the fields for each
48 // comparison, compute a hash of their values. This is done directly in
49 // this class, rather than as an overloaded hash operator, for efficiency's
50 // sake.
51 SHA256_CTX ctx;
52 SHA256_Init(&ctx);
53 SHA256_Update(&ctx, CRYPTO_BUFFER_data(certificate_->cert_buffer()),
54 CRYPTO_BUFFER_len(certificate_->cert_buffer()));
55 for (const auto& cert_handle : certificate_->intermediate_buffers()) {
56 SHA256_Update(&ctx, CRYPTO_BUFFER_data(cert_handle.get()),
57 CRYPTO_BUFFER_len(cert_handle.get()));
58 }
59 SHA256_Update(&ctx, hostname_.data(), hostname.size());
60 SHA256_Update(&ctx, &flags, sizeof(flags));
61 SHA256_Update(&ctx, ocsp_response.data(), ocsp_response.size());
62 SHA256_Update(&ctx, sct_list.data(), sct_list.size());
63 SHA256_Final(reinterpret_cast<uint8_t*>(
64 base::WriteInto(&key_, SHA256_DIGEST_LENGTH + 1)),
65 &ctx);
66 }
67
68 CertVerifier::RequestParams::RequestParams(const RequestParams& other) =
69 default;
70 CertVerifier::RequestParams::~RequestParams() = default;
71
operator ==(const CertVerifier::RequestParams & other) const72 bool CertVerifier::RequestParams::operator==(
73 const CertVerifier::RequestParams& other) const {
74 return key_ == other.key_;
75 }
76
operator <(const CertVerifier::RequestParams & other) const77 bool CertVerifier::RequestParams::operator<(
78 const CertVerifier::RequestParams& other) const {
79 return key_ < other.key_;
80 }
81
82 // static
CreateDefaultWithoutCaching(scoped_refptr<CertNetFetcher> cert_net_fetcher)83 std::unique_ptr<CertVerifier> CertVerifier::CreateDefaultWithoutCaching(
84 scoped_refptr<CertNetFetcher> cert_net_fetcher) {
85 #if defined(OS_NACL)
86 NOTIMPLEMENTED();
87 return std::unique_ptr<CertVerifier>();
88 #else
89 scoped_refptr<CertVerifyProc> verify_proc;
90 #if defined(OS_FUCHSIA) || defined(OS_LINUX) || defined(OS_CHROMEOS) || defined(OS_BSD)
91 verify_proc =
92 CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher));
93 #elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
94 if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) {
95 verify_proc =
96 CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher));
97 } else {
98 verify_proc =
99 CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher));
100 }
101 #else
102 verify_proc =
103 CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher));
104 #endif
105
106 return std::make_unique<MultiThreadedCertVerifier>(std::move(verify_proc));
107 #endif
108 }
109
110 // static
CreateDefault(scoped_refptr<CertNetFetcher> cert_net_fetcher)111 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault(
112 scoped_refptr<CertNetFetcher> cert_net_fetcher) {
113 return std::make_unique<CachingCertVerifier>(
114 std::make_unique<CoalescingCertVerifier>(
115 CreateDefaultWithoutCaching(std::move(cert_net_fetcher))));
116 }
117
operator ==(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)118 bool operator==(const CertVerifier::Config& lhs,
119 const CertVerifier::Config& rhs) {
120 return std::tie(
121 lhs.enable_rev_checking, lhs.require_rev_checking_local_anchors,
122 lhs.enable_sha1_local_anchors, lhs.disable_symantec_enforcement,
123 lhs.crl_set, lhs.additional_trust_anchors,
124 lhs.additional_untrusted_authorities) ==
125 std::tie(
126 rhs.enable_rev_checking, rhs.require_rev_checking_local_anchors,
127 rhs.enable_sha1_local_anchors, rhs.disable_symantec_enforcement,
128 rhs.crl_set, rhs.additional_trust_anchors,
129 rhs.additional_untrusted_authorities);
130 }
131
operator !=(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)132 bool operator!=(const CertVerifier::Config& lhs,
133 const CertVerifier::Config& rhs) {
134 return !(lhs == rhs);
135 }
136
137 } // namespace net
138