OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/ignore_errors_cert_verifier.h" | |
6 | |
7 #include "crypto/sha2.h" | |
8 #include "net/base/net_errors.h" | |
9 #include "net/cert/asn1_util.h" | |
10 | |
11 namespace net { | |
12 | |
13 // static | |
14 IgnoreErrorsCertVerifier::SPKIHashSet IgnoreErrorsCertVerifier::MakeWhitelist( | |
15 const std::vector<std::string>& fingerprints) { | |
16 IgnoreErrorsCertVerifier::SPKIHashSet whitelist; | |
17 for (const std::string& fingerprint : fingerprints) { | |
18 net::HashValue hv; | |
19 if (!hv.FromString("sha256/" + fingerprint)) { | |
20 LOG(ERROR) << "Invalid SPKI: " << fingerprint; | |
21 continue; | |
22 } | |
23 net::SHA256HashValue sha256; | |
24 DCHECK_EQ(hv.size(), sizeof(sha256)); | |
25 memcpy(&sha256, hv.data(), sizeof(sha256)); | |
26 whitelist.insert(sha256); | |
27 } | |
28 return whitelist; | |
29 } | |
30 | |
31 IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier( | |
32 std::unique_ptr<CertVerifier> verifier, | |
33 IgnoreErrorsCertVerifier::SPKIHashSet whitelist) | |
34 : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)){}; | |
35 | |
36 IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {} | |
37 | |
38 int IgnoreErrorsCertVerifier::Verify(const RequestParams& params, | |
39 CRLSet* crl_set, | |
40 CertVerifyResult* verify_result, | |
41 const CompletionCallback& callback, | |
42 std::unique_ptr<Request>* out_req, | |
43 const NetLogWithSource& net_log) { | |
44 SPKIHashSet spki_fingerprints; | |
45 std::string cert_der; | |
46 base::StringPiece cert_spki; | |
47 SHA256HashValue hash; | |
48 if (X509Certificate::GetDEREncoded(params.certificate()->os_cert_handle(), | |
49 &cert_der) && | |
50 asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { | |
51 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); | |
52 spki_fingerprints.insert(hash); | |
53 } | |
54 for (const net::X509Certificate::OSCertHandle& intermediate : | |
55 params.certificate()->GetIntermediateCertificates()) { | |
56 if (X509Certificate::GetDEREncoded(intermediate, &cert_der) && | |
57 asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { | |
58 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); | |
59 spki_fingerprints.insert(hash); | |
60 } | |
61 } | |
62 | |
63 // Intersect SPKI hashes from the chain with the whitelist. | |
64 auto wl = whitelist_.begin(); | |
65 auto wl_end = whitelist_.end(); | |
66 auto sf = spki_fingerprints.begin(); | |
67 auto sf_end = spki_fingerprints.end(); | |
68 static const net::SHA256HashValueLessThan sha256_lt; | |
69 bool ignore_errors = false; | |
70 while (wl != wl_end && sf != sf_end) { | |
71 if (sha256_lt(*wl, *sf)) | |
72 ++wl; | |
73 else if (sha256_lt(*sf, *wl)) | |
74 ++sf; | |
75 else { | |
76 ignore_errors = true; | |
77 break; | |
78 } | |
79 } | |
80 | |
81 CompletionCallback callback_ok = base::Bind( | |
82 [](CompletionCallback callback, int result) { callback.Run(OK); }, | |
83 callback); | |
Ryan Sleevi
2017/04/07 16:08:05
I'm not sure - why do you chain to the verifier if
martinkr
2017/04/07 21:40:57
IIUC, at least CertVerifyResult.verified_cert need
| |
84 int result = verifier_->Verify(params, crl_set, verify_result, | |
85 ignore_errors ? callback_ok : callback, | |
86 out_req, net_log); | |
87 if (ignore_errors && result != ERR_IO_PENDING) { | |
88 return OK; | |
89 } | |
90 return result; | |
91 } | |
92 | |
93 } // namespace net | |
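Review bot: The whitelist match in Verify (new-file lines 54-79) also counts the SPKI hashes of the intermediates in `params.certificate()`, and it is decided before `verifier_->Verify` runs, so a match does not depend on the matching certificate being part of a validated path. Assuming those intermediates are the ones presented by the peer, only the leaf key is tied to the connection, so a matching intermediate says nothing about who holds the other end. If the intent is to trust specific server keys, build `spki_fingerprints` from the leaf only; if matching intermediates is intended, say so above the loop, e.g. `// Intermediates are not validated at this point; a match ignores every error for the whole chain.` Separately, once `ignore_errors` is set every result other than ERR_IO_PENDING becomes OK (lines 81-89) while `verify_result` stays as the wrapped verifier filled it, so callers that read `verify_result->cert_status` may still see the error bits; this looks worth clearing or documenting.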