OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/ssl/ignore_errors_cert_verifier.h" |
| 6 |
| 7 #include <utility> |
| 8 |
| 9 #include "base/base64.h" |
| 10 #include "base/memory/ref_counted.h" |
| 11 #include "base/strings/string_piece.h" |
| 12 #include "crypto/sha2.h" |
| 13 #include "net/base/completion_callback.h" |
| 14 #include "net/base/hash_value.h" |
| 15 #include "net/base/net_errors.h" |
| 16 #include "net/base/net_export.h" |
| 17 #include "net/cert/asn1_util.h" |
| 18 #include "net/cert/cert_verify_result.h" |
| 19 #include "net/cert/x509_certificate.h" |
| 20 |
| 21 using ::net::CertVerifier; |
| 22 using ::net::CompletionCallback; |
| 23 using ::net::HashValue; |
| 24 using ::net::SHA256HashValue; |
| 25 using ::net::SHA256HashValueLessThan; |
| 26 using ::net::X509Certificate; |
| 27 |
| 28 // static |
| 29 IgnoreErrorsCertVerifier::SPKIHashSet IgnoreErrorsCertVerifier::MakeWhitelist( |
| 30 const std::vector<std::string>& fingerprints) { |
| 31 IgnoreErrorsCertVerifier::SPKIHashSet whitelist; |
| 32 for (const std::string& fingerprint : fingerprints) { |
| 33 HashValue hash; |
| 34 if (!hash.FromString("sha256/" + fingerprint)) { |
| 35 LOG(ERROR) << "Invalid SPKI: " << fingerprint; |
| 36 continue; |
| 37 } |
| 38 SHA256HashValue sha256; |
| 39 DCHECK_EQ(hash.size(), sizeof(sha256)); |
| 40 memcpy(&sha256, hash.data(), sizeof(sha256)); |
| 41 whitelist.insert(sha256); |
| 42 } |
| 43 return whitelist; |
| 44 } |
| 45 |
| 46 IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier( |
| 47 std::unique_ptr<CertVerifier> verifier, |
| 48 IgnoreErrorsCertVerifier::SPKIHashSet whitelist) |
| 49 : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)) {} |
| 50 |
| 51 IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {} |
| 52 |
| 53 int IgnoreErrorsCertVerifier::Verify(const RequestParams& params, |
| 54 net::CRLSet* crl_set, |
| 55 net::CertVerifyResult* verify_result, |
| 56 const net::CompletionCallback& callback, |
| 57 std::unique_ptr<Request>* out_req, |
| 58 const net::NetLogWithSource& net_log) { |
| 59 SPKIHashSet spki_fingerprints; |
| 60 std::string cert_der; |
| 61 base::StringPiece cert_spki; |
| 62 SHA256HashValue hash; |
| 63 if (X509Certificate::GetDEREncoded(params.certificate()->os_cert_handle(), |
| 64 &cert_der) && |
| 65 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { |
| 66 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); |
| 67 spki_fingerprints.insert(hash); |
| 68 } |
| 69 for (const X509Certificate::OSCertHandle& intermediate : |
| 70 params.certificate()->GetIntermediateCertificates()) { |
| 71 if (X509Certificate::GetDEREncoded(intermediate, &cert_der) && |
| 72 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { |
| 73 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); |
| 74 spki_fingerprints.insert(hash); |
| 75 } |
| 76 } |
| 77 |
| 78 // Intersect SPKI hashes from the chain with the whitelist. |
| 79 auto whitelist_begin = whitelist_.begin(); |
| 80 auto whitelist_end = whitelist_.end(); |
| 81 auto fingerprints_begin = spki_fingerprints.begin(); |
| 82 auto fingerprints_end = spki_fingerprints.end(); |
| 83 static const SHA256HashValueLessThan sha256_lt; |
| 84 bool ignore_errors = false; |
| 85 while (whitelist_begin != whitelist_end && |
| 86 fingerprints_begin != fingerprints_end) { |
| 87 if (sha256_lt(*whitelist_begin, *fingerprints_begin)) { |
| 88 ++whitelist_begin; |
| 89 } else if (sha256_lt(*fingerprints_begin, *whitelist_begin)) { |
| 90 ++fingerprints_begin; |
| 91 } else { |
| 92 ignore_errors = true; |
| 93 break; |
| 94 } |
| 95 } |
| 96 |
| 97 if (ignore_errors) { |
| 98 verify_result->Reset(); |
| 99 verify_result->verified_cert = params.certificate(); |
| 100 std::transform(spki_fingerprints.begin(), spki_fingerprints.end(), |
| 101 std::back_inserter(verify_result->public_key_hashes), |
| 102 [](const SHA256HashValue& v) { return HashValue(v); }); |
| 103 return net::OK; |
| 104 } |
| 105 |
| 106 return verifier_->Verify(params, crl_set, verify_result, callback, out_req, |
| 107 net_log); |
| 108 } |
OLD | NEW |