Chromium Code Reviews Chromium Code Reviews
Issue 2753123002:
Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)
| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/ignore_errors_cert_verifier.h" | |
| 6 | |
| 7 #include "crypto/sha2.h" | |
| 8 #include "net/base/net_errors.h" | |
| 9 #include "net/cert/asn1_util.h" | |
| 10 | |
| 11 namespace net { | |
| 12 | |
| 13 // static | |
| 14 IgnoreErrorsCertVerifier::SPKIHashSet IgnoreErrorsCertVerifier::MakeWhitelist( | |
| 15 const std::vector<std::string>& fingerprints) { | |
| 16 IgnoreErrorsCertVerifier::SPKIHashSet whitelist; | |
| 17 for (const std::string& fingerprint : fingerprints) { | |
| 18 net::HashValue hv; | |
| 19 if (!hv.FromString("sha256/" + fingerprint)) { | |
| 20 LOG(ERROR) << "Invalid SPKI: " << fingerprint; | |
| 21 continue; | |
| 22 } | |
| 23 net::SHA256HashValue sha256; | |
| 24 DCHECK_EQ(hv.size(), sizeof(sha256)); | |
| 25 memcpy(&sha256, hv.data(), sizeof(sha256)); | |
| 26 whitelist.insert(sha256); | |
| 27 } | |
| 28 return whitelist; | |
| 29 } | |
| 30 | |
| 31 IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier( | |
| 32 std::unique_ptr<CertVerifier> verifier, | |
| 33 IgnoreErrorsCertVerifier::SPKIHashSet whitelist) | |
| 34 : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)){}; | |
| 35 | |
| 36 IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {} | |
| 37 | |
| 38 int IgnoreErrorsCertVerifier::Verify(const RequestParams& params, | |
| 39 CRLSet* crl_set, | |
| 40 CertVerifyResult* verify_result, | |
| 41 const CompletionCallback& callback, | |
| 42 std::unique_ptr<Request>* out_req, | |
| 43 const NetLogWithSource& net_log) { | |
| 44 SPKIHashSet spki_fingerprints; | |
| 45 std::string cert_der; | |
| 46 base::StringPiece cert_spki; | |
| 47 SHA256HashValue hash; | |
| 48 if (X509Certificate::GetDEREncoded(params.certificate()->os_cert_handle(), | |
| 49 &cert_der) && | |
| 50 asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { | |
| 51 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); | |
| 52 spki_fingerprints.insert(hash); | |
| 53 } | |
| 54 for (const net::X509Certificate::OSCertHandle& intermediate : | |
| 55 params.certificate()->GetIntermediateCertificates()) { | |
| 56 if (X509Certificate::GetDEREncoded(intermediate, &cert_der) && | |
| 57 asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { | |
| 58 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); | |
| 59 spki_fingerprints.insert(hash); | |
| 60 } | |
| 61 } | |
| 62 | |
| 63 // Intersect SPKI hashes from the chain with the whitelist. | |
| 64 auto wl = whitelist_.begin(); | |
| 65 auto wl_end = whitelist_.end(); | |
| 66 auto sf = spki_fingerprints.begin(); | |
| 67 auto sf_end = spki_fingerprints.end(); | |
| 68 static const net::SHA256HashValueLessThan sha256_lt; | |
| 69 bool ignore_errors = false; | |
| 70 while (wl != wl_end && sf != sf_end) { | |
| 71 if (sha256_lt(*wl, *sf)) | |
| 72 ++wl; | |
| 73 else if (sha256_lt(*sf, *wl)) | |
| 74 ++sf; | |
| 75 else { | |
| 76 ignore_errors = true; | |
| 77 break; | |
| 78 } | |
| 79 } | |
| 80 | |
| 81 CompletionCallback callback_ok = base::Bind( | |
| 82 [](CompletionCallback callback, int result) { callback.Run(OK); }, | |
| 83 callback); | |
|
Ryan Sleevi
2017/04/07 16:08:05
I'm not sure - why do you chain to the verifier if
martinkr
2017/04/07 21:40:57
IIUC, at least CertVerifyResult.verified_cert need
| |
| 84 int result = verifier_->Verify(params, crl_set, verify_result, | |
| 85 ignore_errors ? callback_ok : callback, | |
| 86 out_req, net_log); | |
| 87 if (ignore_errors && result != ERR_IO_PENDING) { | |
| 88 return OK; | |
| 89 } | |
| 90 return result; | |
| 91 } | |
| 92 | |
| 93 } // namespace net | |
| OLD | NEW |
