OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_CERT_INTERNAL_PATH_BUILDER_H_ | |
6 #define NET_CERT_INTERNAL_PATH_BUILDER_H_ | |
7 | |
8 #include <memory> | |
9 #include <string> | |
10 #include <unordered_map> | |
11 #include <vector> | |
12 | |
13 #include "base/callback.h" | |
14 #include "net/base/completion_callback.h" | |
15 #include "net/base/net_errors.h" | |
16 #include "net/base/net_export.h" | |
17 #include "net/cert/internal/verify_certificate_chain.h" | |
18 #include "net/der/input.h" | |
19 | |
20 namespace net { | |
21 | |
22 using CertVector = std::vector<std::unique_ptr<CertThing>>; | |
23 | |
24 class NET_EXPORT CertSource { | |
25 public: | |
26 using IssuerCallback = base::Callback<void(CertVector)>; | |
27 | |
28 class Request { | |
29 public: | |
30 Request() {} | |
31 // Destruction of the Request cancels it. | |
32 virtual ~Request() {} | |
33 | |
34 private: | |
35 DISALLOW_COPY_AND_ASSIGN(Request); | |
36 }; | |
37 | |
38 virtual ~CertSource() {} | |
39 | |
40 // Append certs to |issuers|. Any existing contents of |issuers| will not be | |
41 // modified. | |
42 virtual bool SyncGetIssuersOf(const CertThing& cert, CertVector* issuers) = 0; | |
43 // Returns ERR_IO_PENDING if async callback will be made, or OK if no async | |
44 // results are available from this source. | |
45 // If |*out_req| is destroyed, the callback will not be run. | |
46 virtual int AsyncGetIssuersOf(const CertThing& cert, | |
47 const IssuerCallback& issuers_callback, | |
48 std::unique_ptr<Request>* out_req) = 0; | |
49 }; | |
50 | |
51 class NET_EXPORT StaticCertsSource : public CertSource { | |
52 public: | |
53 StaticCertsSource(); | |
54 ~StaticCertsSource() override; | |
55 | |
56 // Initialize the StaticCertsSource with the given certificates. The data | |
57 // referred to by |certs| must outlive the StaticCertsSource object. | |
58 // XXX Should this just take a CertVector? | |
59 bool Init(std::vector<der::Input> certs); | |
60 | |
61 // CertSource implementation: | |
62 bool SyncGetIssuersOf(const CertThing& cert, CertVector* issuers) override; | |
63 int AsyncGetIssuersOf(const CertThing& cert, | |
64 const IssuerCallback& issuers_callback, | |
65 std::unique_ptr<Request>* out_req) override; | |
66 | |
67 private: | |
68 // The certificates that the StaticCertsSource can return, keyed on the | |
69 // normalized subject value. | |
70 // XXX key using StringPiece to avoid copy? | |
71 std::unordered_multimap<std::string, std::unique_ptr<CertThing>> | |
72 intermediates_; | |
73 }; | |
74 | |
75 // XXX possible cert sources: | |
76 // * intermediates supplied by server (synchronous) | |
77 // * AIA fetch (async) | |
78 // * intermediates in OS cert store (async?) | |
79 // * certs cached from previous requests (sync?) | |
80 | |
81 class CertPathIter; | |
82 | |
83 class NET_EXPORT CertPathBuilder { | |
84 public: | |
85 using CertSources = std::vector<CertSource*>; | |
86 | |
87 struct ResultPath { | |
88 ResultPath(); | |
89 ~ResultPath(); | |
90 | |
91 std::vector<std::unique_ptr<CertThing>> path; | |
92 int rv; | |
93 }; | |
94 | |
95 struct Result { | |
96 Result(); | |
97 ~Result(); | |
98 | |
99 // Returns the overall result. This is the same value that was returned by | |
100 // Run (if synchronous) or by the CompletionCallback (if asynchronous). | |
101 int result() { | |
102 if (paths.empty()) | |
103 return ERR_CERT_AUTHORITY_INVALID; | |
104 return paths[best_result_index]->rv; | |
105 } | |
106 | |
107 // List of paths that were attempted and the result for each. | |
108 std::vector<std::unique_ptr<ResultPath>> paths; | |
109 // Index into |paths|. | |
110 size_t best_result_index = 0; | |
111 }; | |
112 | |
113 // TODO: allow caller specified filters / checkers, initial values of name | |
114 // constraints, etc | |
115 // | |
116 // Creates a CertPathBuilder that attempts to find a path from |cert| to a | |
117 // trust anchor in |trust_store|, using intermediates from |cert_sources| if | |
118 // necessary, which satisfies |signature_policy| and is valid at |time|. | |
119 // Details of attempted path(s) are stored in |*result|. | |
120 CertPathBuilder(std::unique_ptr<CertThing> cert, | |
121 const CertSources& cert_sources, | |
122 const TrustStore& trust_store, | |
123 const SignaturePolicy* signature_policy, | |
124 const der::GeneralizedTime& time, | |
125 Result* result); | |
126 ~CertPathBuilder(); | |
127 | |
128 // Begins verification of |cert|. If the return value is ERR_IO_PENDING, | |
129 // |callback| will be called asynchronously with the result. Otherwise, the | |
130 // result is returned synchronously and |callback| is not called. | |
131 int Run(const CompletionCallback& callback); | |
132 | |
133 private: | |
134 enum State { | |
135 STATE_NONE, | |
136 STATE_GET_NEXT_PATH, | |
137 STATE_GET_NEXT_PATH_COMPLETE, | |
138 }; | |
139 | |
140 int DoLoop(int result); | |
141 | |
142 int DoGetNextPath(); | |
143 void HandleGotNextPath(int result); | |
144 int DoGetNextPathComplete(int result); | |
145 | |
146 void AddResultPath(const CertVector& path, bool result); | |
147 | |
148 CompletionCallback callback_; | |
149 | |
150 std::unique_ptr<CertPathIter> cert_path_iter_; | |
151 const TrustStore& trust_store_; | |
152 const SignaturePolicy* signature_policy_; | |
153 const der::GeneralizedTime& time_; | |
eroman
2016/04/26 22:10:11
Why a const reference? This seems like a problem s
mattm
2016/04/26 22:54:16
Good catch. Just a bad copy/paste.
| |
154 | |
155 CertVector next_path_; | |
156 State next_state_; | |
157 | |
158 Result* out_result_; | |
159 | |
160 DISALLOW_COPY_AND_ASSIGN(CertPathBuilder); | |
161 }; | |
162 | |
163 } // namespace net | |
164 | |
165 #endif // NET_CERT_INTERNAL_PATH_BUILDER_H_ | |
OLD | NEW |