chrome/browser/ssl/ignore_errors_cert_verifier.cc - Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram.

Side by Side Diff: chrome/browser/ssl/ignore_errors_cert_verifier.cc

Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)

Patch Set: Add --ignore-certificate-errors-spki-list switch and UMA histogram. Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« chrome/browser/ssl/ignore_errors_cert_verifier.h ('K') | « chrome/browser/ssl/ignore_errors_cert_verifier.h ('k') | chrome/browser/ssl/ignore_errors_cert_verifier_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/ssl/ignore_errors_cert_verifier.h"

	6

	7 #include <utility>

	8

	9 #include "base/base64.h"

	10 #include "base/memory/ref_counted.h"

	11 #include "base/strings/string_piece.h"

	12 #include "crypto/sha2.h"

	13 #include "net/base/completion_callback.h"

	14 #include "net/base/hash_value.h"

	15 #include "net/base/net_errors.h"

	16 #include "net/base/net_export.h"

	17 #include "net/cert/asn1_util.h"

	18 #include "net/cert/cert_verify_result.h"

	19 #include "net/cert/x509_certificate.h"

	20

	21 using ::net::CertVerifier;

	22 using ::net::CompletionCallback;

	23 using ::net::HashValue;

	24 using ::net::SHA256HashValue;

	25 using ::net::SHA256HashValueLessThan;

	26 using ::net::X509Certificate;

	27

	28 // static

	29 IgnoreErrorsCertVerifier::SPKIHashSet IgnoreErrorsCertVerifier::MakeWhitelist(

	30 const std::vector<std::string>& fingerprints) {

	31 IgnoreErrorsCertVerifier::SPKIHashSet whitelist;

	32 for (const std::string& fingerprint : fingerprints) {

	33 HashValue hash;

	34 if (!hash.FromString("sha256/" + fingerprint)) {

	35 LOG(ERROR) << "Invalid SPKI: " << fingerprint;

	36 continue;

	37 }

	38 SHA256HashValue sha256;

	39 DCHECK_EQ(hash.size(), sizeof(sha256));

	40 memcpy(&sha256, hash.data(), sizeof(sha256));

	41 whitelist.insert(sha256);

	42 }

	43 return whitelist;

	44 }

	45

	46 IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier(

	47 std::unique_ptr<CertVerifier> verifier,

	48 IgnoreErrorsCertVerifier::SPKIHashSet whitelist)

	49 : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)) {}

	50

	51 IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {}

	52

	53 int IgnoreErrorsCertVerifier::Verify(const RequestParams& params,

	54 net::CRLSet* crl_set,

	55 net::CertVerifyResult* verify_result,

	56 const net::CompletionCallback& callback,

	57 std::unique_ptr<Request>* out_req,

	58 const net::NetLogWithSource& net_log) {

	59 SPKIHashSet spki_fingerprints;

	60 std::string cert_der;

	61 base::StringPiece cert_spki;

	62 SHA256HashValue hash;

	63 if (X509Certificate::GetDEREncoded(params.certificate()->os_cert_handle(),

	64 &cert_der) &&

	65 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) {

	66 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue));

	67 spki_fingerprints.insert(hash);

	68 }

	69 for (const X509Certificate::OSCertHandle& intermediate :

	70 params.certificate()->GetIntermediateCertificates()) {

	71 if (X509Certificate::GetDEREncoded(intermediate, &cert_der) &&

	72 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) {

	73 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue));

	74 spki_fingerprints.insert(hash);

	75 }

	76 }

	77

	78 // Intersect SPKI hashes from the chain with the whitelist.

	79 auto whitelist_begin = whitelist_.begin();

	80 auto whitelist_end = whitelist_.end();

	81 auto fingerprints_begin = spki_fingerprints.begin();

	82 auto fingerprints_end = spki_fingerprints.end();

	83 static const SHA256HashValueLessThan sha256_lt;

	84 bool ignore_errors = false;

	85 while (whitelist_begin != whitelist_end &&

	86 fingerprints_begin != fingerprints_end) {

	87 if (sha256_lt(whitelist_begin, fingerprints_begin)) {

	88 ++whitelist_begin;

	89 } else if (sha256_lt(fingerprints_begin, whitelist_begin)) {

	90 ++fingerprints_begin;

	91 } else {

	92 ignore_errors = true;

	93 break;

	94 }

	95 }

	96

	97 if (ignore_errors) {

	98 verify_result->Reset();

	99 verify_result->verified_cert = params.certificate();

	100 std::transform(spki_fingerprints.begin(), spki_fingerprints.end(),

	101 std::back_inserter(verify_result->public_key_hashes),

	102 [](const SHA256HashValue v) { return HashValue(v); });
	Ryan Sleevi 2017/04/25 18:07:09 this should be "const SHA256HashValue& v", right? this should be "const SHA256HashValue& v", right? martinkr 2017/04/25 19:48:37 Done. Show quoted text On 2017/04/25 18:07:09, Ryan Sleevi wrote: > this should be "const SHA256HashValue& v", right? Done.
	103 return net::OK;

	104 }

	105

	106 return verifier_->Verify(params, crl_set, verify_result, callback, out_req,

	107 net_log);

	108 }

OLD	NEW