1 // Copyright (c) 2017 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "chrome/browser/ssl/ignore_errors_cert_verifier.h" | |
6 | |
7 #include <utility> | |
8 | |
9 #include "base/memory/ref_counted.h" | |
10 #include "crypto/sha2.h" | |
11 #include "net/base/completion_callback.h" | |
12 #include "net/base/hash_value.h" | |
13 #include "net/base/net_errors.h" | |
14 #include "net/base/net_export.h" | |
15 #include "net/cert/asn1_util.h" | |
16 #include "net/cert/x509_certificate.h" | |
17 | |
18 using ::net::CertVerifier; | |
19 using ::net::CompletionCallback; | |
20 using ::net::HashValue; | |
21 using ::net::SHA256HashValue; | |
22 using ::net::SHA256HashValueLessThan; | |
23 using ::net::X509Certificate; | |
24 | |
25 // static | |
26 IgnoreErrorsCertVerifier::SPKIHashSet IgnoreErrorsCertVerifier::MakeWhitelist( | |
27 const std::vector<std::string>& fingerprints) { | |
28 IgnoreErrorsCertVerifier::SPKIHashSet whitelist; | |
29 for (const std::string& fingerprint : fingerprints) { | |
30 HashValue hv; | |
Ryan Sleevi
2017/04/12 21:53:17
style: https://google.github.io/styleguide/cppguid
martinkr
2017/04/24 23:54:25
Done.
| |
31 if (!hv.FromString("sha256/" + fingerprint)) { | |
32 LOG(ERROR) << "Invalid SPKI: " << fingerprint; | |
33 continue; | |
34 } | |
35 SHA256HashValue sha256; | |
36 DCHECK_EQ(hv.size(), sizeof(sha256)); | |
37 memcpy(&sha256, hv.data(), sizeof(sha256)); | |
38 whitelist.insert(sha256); | |
39 } | |
40 return whitelist; | |
41 } | |
42 | |
43 IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier( | |
44 std::unique_ptr<CertVerifier> verifier, | |
45 IgnoreErrorsCertVerifier::SPKIHashSet whitelist) | |
46 : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)) {} | |
47 | |
48 IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {} | |
49 | |
50 int IgnoreErrorsCertVerifier::Verify(const RequestParams& params, | |
51 net::CRLSet* crl_set, | |
52 net::CertVerifyResult* verify_result, | |
53 const net::CompletionCallback& callback, | |
54 std::unique_ptr<Request>* out_req, | |
55 const net::NetLogWithSource& net_log) { | |
56 SPKIHashSet spki_fingerprints; | |
57 std::string cert_der; | |
58 base::StringPiece cert_spki; | |
59 SHA256HashValue hash; | |
60 if (X509Certificate::GetDEREncoded(params.certificate()->os_cert_handle(), | |
61 &cert_der) && | |
62 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { | |
63 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); | |
64 spki_fingerprints.insert(hash); | |
65 } | |
66 for (const X509Certificate::OSCertHandle& intermediate : | |
67 params.certificate()->GetIntermediateCertificates()) { | |
68 if (X509Certificate::GetDEREncoded(intermediate, &cert_der) && | |
69 net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) { | |
70 crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue)); | |
71 spki_fingerprints.insert(hash); | |
72 } | |
73 } | |
74 | |
75 // Intersect SPKI hashes from the chain with the whitelist. | |
76 auto wl = whitelist_.begin(); | |
Ryan Sleevi
2017/04/12 21:53:17
style: https://google.github.io/styleguide/cppguid
martinkr
2017/04/24 23:54:25
Done.
| |
77 auto wl_end = whitelist_.end(); | |
78 auto sf = spki_fingerprints.begin(); | |
79 auto sf_end = spki_fingerprints.end(); | |
80 static const SHA256HashValueLessThan sha256_lt; | |
81 bool ignore_errors = false; | |
82 while (wl != wl_end && sf != sf_end) { | |
83 if (sha256_lt(*wl, *sf)) { | |
84 ++wl; | |
85 } else if (sha256_lt(*sf, *wl)) { | |
86 ++sf; | |
87 } else { | |
88 ignore_errors = true; | |
89 break; | |
90 } | |
91 } | |
92 | |
93 CompletionCallback callback_ok = base::Bind( | |
94 [](CompletionCallback callback, int result) { callback.Run(net::OK); }, | |
Ryan Sleevi
2017/04/12 21:53:17
So in thinking more about this, the problem is tha
martinkr
2017/04/24 23:54:25
Done.
| |
95 callback); | |
96 int result = verifier_->Verify(params, crl_set, verify_result, | |
97 ignore_errors ? callback_ok : callback, | |
98 out_req, net_log); | |
99 if (ignore_errors && result != net::ERR_IO_PENDING) { | |
100 return net::OK; | |
101 } | |
102 return result; | |
103 } | |
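Review bot: The SPKI set that Verify intersects with whitelist_ is built from params.certificate() and its GetIntermediateCertificates() exactly as the peer supplied them, before verifier_ has validated anything, so one matching SPKI anywhere in the presented chain is enough to turn every verification error into net::OK; nothing in this function checks that the whitelisted key actually signed the leaf. That may be the intended contract for a test-only whitelist, but it belongs in the documentation of whitelist_/MakeWhitelist, e.g. `// Matches SPKIs of the chain as presented by the peer, not of a validated path; a whitelisted key need not have signed the leaf.` Two smaller points in the same function: the synchronous ignore path returns net::OK while leaving verify_result (including cert_status) exactly as the wrapped verifier filled it, which callers that inspect cert_status should be told about in a comment, and the unused lambda parameter on the callback_ok line reads more clearly as `[](CompletionCallback callback, int /* result */) { callback.Run(net::OK); }`. The merge-style intersection also relies on spki_fingerprints and whitelist_ both being ordered by SHA256HashValueLessThan, which holds only if SPKIHashSet is declared with that comparator in the header (not visible here).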