Implement the ability to whitelist certs from specific issuers

net/cert/cert_verify_proc_whitelist.cc

+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/cert_verify_proc_whitelist.h"
+
+#include <cstdlib>
+
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+namespace {
+
+const uint8_t kBuiltinWhitelistHashes[][crypto::kSHA256Length] = {};
+
+const PublicKeyWhitelist kBuiltinWhitelist[] = {
+  { { 0x00 },
+    kBuiltinWhitelistHashes,
+    0 },
+};
+const size_t kBuiltinWhitelistSize = 0;

[davidben, 2015/03/31 02:02:13]

I'm guessing this will later be replaced with a #include blahblah.inc?

[Ryan Sleevi, 2015/03/31 18:33:52]

Yup. Potentially in a subsequent CL.

+
+const PublicKeyWhitelist* g_whitelist = kBuiltinWhitelist;
+size_t g_whitelist_size = kBuiltinWhitelistSize;
+
+// Comparator to compare a SHA256HashValue with a uint8_t array containing a
+// raw SHA-256 hash.
+// Return value follows memcmp semantics.
+int CompareHashValueToRawHash(const void* key, const void* element) {
+  const SHA256HashValue* search_key =
+      reinterpret_cast<const SHA256HashValue*>(key);
+  return memcmp(search_key->data, element, sizeof(search_key->data));
+}
+
+}  // namespace
+
+bool IsNonWhitelistedCertificate(
+    const X509Certificate& cert,
+    const HashValueVector& public_key_hashes) {
+  if (g_whitelist_size == 0)
+    return false;

[davidben, 2015/03/31 02:02:13]

The for loop still works out fine. i < g_whitelist_size is still defined when i
= 0 and g_whitelist_size = 0. It'll be false, but that's what you want. (I'm
guessing you added this to deal with the compiler warning when it deduced that
g_whitelist_size is always zero? I don't think this is a concern anymore with
SetCertificateWhitelistForTesting existing.)

[Ryan Sleevi, 2015/03/31 18:33:52]

Right, it's defined, I just thought it was more readable with the initial
condition :)

[davidben, 2015/03/31 18:42:05]

Mmm. I generally don't like unnecessary special-cases. They make me stop to
wonder why the general case didn't work. I suppose the compiler will figure it
out one way or another. *shrug*

+  for (size_t i = 0; i < g_whitelist_size; ++i) {
+    for (const auto& hash : public_key_hashes) {

[davidben, 2015/03/31 02:02:13]

Potential nuisance: if a root we whitelist ever cross-signs an otherwise valid
root and the chain builder is being obnoxious, we might end up rejecting certs.
Hopefully we've flushed out those problems with the SHA-256 work. (Though worst
comes to worst, we could always add the ability to whitelist intermediates.)

[Ryan Sleevi, 2015/03/31 18:33:52]

We already implicitly have the ability to whitelist intermediates. We just
whitelist based on key hash. So we could whitelist on either degree. I chose
root to be more specific.

But yes, it's valid in as much as it's an "attack" scenario, at which point, the
CA would just lose their whitelist because they were engaging in a DoS.

+      if (hash.tag != HASH_VALUE_SHA256)
+        continue;
+      if (memcmp(hash.data(), g_whitelist[i].public_key,
+                 crypto::kSHA256Length) != 0) {
+        continue;
+      }
+      const SHA256HashValue leaf_hash =
+          X509Certificate::CalculateFingerprint256(cert.os_cert_handle());
+      void* result = bsearch(&leaf_hash, g_whitelist[i].whitelist,
+                             g_whitelist[i].whitelist_size,
+                             crypto::kSHA256Length, CompareHashValueToRawHash);
+      if (result == nullptr)
+        return true;
+      return false;
+    }
+  }
+  return false;
+}
+
+void SetCertificateWhitelistForTesting(
+    const PublicKeyWhitelist* whitelist,
+    size_t whitelist_size) {
+  if (whitelist == nullptr || whitelist_size == 0) {
+    g_whitelist = kBuiltinWhitelist;
+    g_whitelist_size = kBuiltinWhitelistSize;
+    return;
+  }
+
+  g_whitelist = whitelist;
+  g_whitelist_size = whitelist_size;
+}
+
+}  // namespace net