chrome/browser/ssl/ignore_errors_cert_verifier.h - Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram.

Side by Side Diff: chrome/browser/ssl/ignore_errors_cert_verifier.h

Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)

Patch Set: Move test for --user-data-dir into unittest; add bad flags prompt. Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright (c) 2017 The Chromium Authors. All rights reserved.
	estark 2017/05/17 18:04:18 nit: copyright header is old format, use https://c nit: copyright header is old format, use https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md... instead (please check the other files as well) martinkr 2017/05/23 18:30:43 Done. Show quoted text On 2017/05/17 18:04:18, estark (temporarily slow) wrote: > nit: copyright header is old format, use > https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md... > instead > (please check the other files as well) Done.
	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #ifndef CHROME_BROWSER_SSL_IGNORE_ERRORS_CERT_VERIFIER_H_

	6 #define CHROME_BROWSER_SSL_IGNORE_ERRORS_CERT_VERIFIER_H_

	7

	8 #include <memory>

	9 #include <string>

	10 #include <vector>

	11

	12 #include "base/command_line.h"

	13 #include "base/containers/flat_set.h"

	14 #include "net/cert/cert_verifier.h"

	15

	16 namespace net {

	17 struct SHA256HashValue;

	18 class SHA256HashValueLessThan;

	19 } // namespace net

	20

	21 // IgnoreErrorsCertVerifier wraps another CertVerifier in order to ignore

	22 // verification errors from certificate chains that match a whitelist of SPKI

	23 // fingerprints.

	24 class IgnoreErrorsCertVerifier : public net::CertVerifier {

	25 public:

	26 // SPKIHashSet is a set of SHA-256 SPKI fingerprints (RFC 7469, Section 2.4).

	27 using SPKIHashSet =

	28 base::flat_set<net::SHA256HashValue, net::SHA256HashValueLessThan>;

	29

	30 // MaybeWrapCertVerifier returns an IgnoreErrorsCertVerifier wrapping the

	31 // supplied verifier using the whitelist from the

	32 // --ignore-certificate-errors-spki-list flag of the command line if the

	33 // --user-data-dir flag is also present. If either of these flags are missing,

	34 // it returns the supplied verifier.

	35 static std::unique_ptr<net::CertVerifier> MaybeWrapCertVerifier(

	36 const base::CommandLine& command_line,

	37 std::unique_ptr<net::CertVerifier> verifier);

	38

	39 // MakeWhitelist converts a vector of Base64-encoded SHA-256 SPKI fingerprints

	40 // into an SPKIHashSet. Invalid fingerprints are logged and skipped.

	41 static SPKIHashSet MakeWhitelist(

	42 const std::vector<std::string>& fingerprints);

	43

	44 IgnoreErrorsCertVerifier(std::unique_ptr<net::CertVerifier> verifier,

	45 SPKIHashSet whitelist);

	46

	47 ~IgnoreErrorsCertVerifier() override;

	48

	49 // Verify skips certificate verification and returns OK if any of the

	50 // certificates from the chain in \|params\| match one of the SPKI fingerprints

	51 // from the whitelist. Otherwise, it invokes Verify on the wrapped verifier

	52 // and returns the result.

	53 int Verify(const RequestParams& params,

	54 net::CRLSet* crl_set,

	55 net::CertVerifyResult* verify_result,

	56 const net::CompletionCallback& callback,

	57 std::unique_ptr<Request>* out_req,

	58 const net::NetLogWithSource& net_log) override;

	59

	60 private:

	61 friend class IgnoreErrorsCertVerifierTest;

	62 void set_whitelist(const SPKIHashSet& whitelist); // Testing only.

	63

	64 std::unique_ptr<net::CertVerifier> verifier_;

	65 SPKIHashSet whitelist_;

	66 };

	67

	68 #endif // CHROME_BROWSER_SSL_IGNORE_ERRORS_CERT_VERIFIER_H_

OLD	NEW