1 // Copyright 2020 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_
6 #define QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_
7 
#include <cstdint>
#include <forward_list>
#include <memory>
#include <string>

#include "absl/base/attributes.h"
#include "absl/strings/string_view.h"
#include "net/third_party/quiche/src/quic/core/crypto/certificate_view.h"
#include "net/third_party/quiche/src/quic/core/crypto/proof_source.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
16 
17 namespace quic {
18 
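// ProofSourceX509 accepts X.509 certificates with private keys and picks a
// certificate internally based on its SubjectAltName value.
class QUIC_EXPORT_PRIVATE ProofSourceX509 : public ProofSource {
 public:
  // Creates a proof source that uses |default_chain| when no SubjectAltName
  // value matches.  Returns nullptr if |default_chain| is invalid, so callers
  // must check the result before use.
  static std::unique_ptr<ProofSourceX509> Create(
      QuicReferenceCountedPointer<Chain> default_chain,
      CertificatePrivateKey default_key);

  // ProofSource implementation.  See proof_source.h for the contract of each
  // method; the certificate used for |hostname| is chosen by GetCertificate().
  void GetProof(const QuicSocketAddress& server_address,
                const QuicSocketAddress& client_address,
                const std::string& hostname,
                const std::string& server_config,
                QuicTransportVersion transport_version,
                absl::string_view chlo_hash,
                std::unique_ptr<Callback> callback) override;
  QuicReferenceCountedPointer<Chain> GetCertChain(
      const QuicSocketAddress& server_address,
      const QuicSocketAddress& client_address,
      const std::string& hostname) override;
  void ComputeTlsSignature(
      const QuicSocketAddress& server_address,
      const QuicSocketAddress& client_address,
      const std::string& hostname,
      uint16_t signature_algorithm,
      absl::string_view in,
      std::unique_ptr<SignatureCallback> callback) override;
  TicketCrypter* GetTicketCrypter() override;

  // Adds a certificate chain to the proof source.  Returns false if the chain
  // is not valid.  Newer certificates will override older certificates with
  // the same SubjectAltName value, so the last chain added for a name is the
  // one that serves it.
  ABSL_MUST_USE_RESULT bool AddCertificateChain(
      QuicReferenceCountedPointer<Chain> chain,
      CertificatePrivateKey key);

 private:
  // Instances are only created through Create(), which rejects an invalid
  // default chain before handing one out.
  ProofSourceX509() = default;

  // A certificate chain together with the private key that signs for it.
  struct QUIC_EXPORT_PRIVATE Certificate {
    QuicReferenceCountedPointer<Chain> chain;
    CertificatePrivateKey key;
  };

  // Looks up the certificate for |hostname|; returns the default certificate
  // if no certificate is found.
  Certificate* GetCertificate(const std::string& hostname) const;

  // Owns every certificate held by this proof source.  std::forward_list never
  // invalidates pointers to existing elements when new ones are inserted, so
  // the raw pointers held below stay valid for the lifetime of this object.
  std::forward_list<Certificate> certificates_;
  // Non-owning pointer into |certificates_|, expected to be set by Create().
  // Initialized to nullptr so a not-yet-populated instance never carries an
  // indeterminate pointer.
  Certificate* default_certificate_ = nullptr;
  // Non-owning map from SubjectAltName value to the entry in |certificates_|
  // that serves it.
  QuicUnorderedMap<std::string, Certificate*> certificate_map_;
};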
73 
74 }  // namespace quic
75 
76 #endif  // QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_
77