Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(342)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/ssl/ignore_errors_cert_verifier.h

Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)
Patch Set: Add --ignore-certificate-errors-spki-list switch and UMA histogram. Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/browser/io_thread.cc ('k') | chrome/browser/ssl/ignore_errors_cert_verifier.cc » ('j') | chrome/browser/ssl/ignore_errors_cert_verifier.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/ssl/ignore_errors_cert_verifier.h
diff --git a/chrome/browser/ssl/ignore_errors_cert_verifier.h b/chrome/browser/ssl/ignore_errors_cert_verifier.h
new file mode 100644
index 0000000000000000000000000000000000000000..c79aa64563529094f8aab996f29da521d67fe10e
--- /dev/null
+++ b/chrome/browser/ssl/ignore_errors_cert_verifier.h
@@ -0,0 +1,56 @@
+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SSL_IGNORE_ERRORS_CERT_VERIFIER_H_
+#define CHROME_BROWSER_SSL_IGNORE_ERRORS_CERT_VERIFIER_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "base/containers/flat_set.h"
+#include "net/cert/cert_verifier.h"
+
+namespace net {
+struct SHA256HashValue;
+class SHA256HashValueLessThan;
+} // namespace net
+
+// IgnoreErrorsCertVerifier wraps another CertVerifier in order to ignore
+// verification errors from certificate chains that match a whitelist of SPKI
+// fingerprints.
+class NET_EXPORT IgnoreErrorsCertVerifier : public net::CertVerifier {
+ public:
+ // SPKIHashSet is a set of SHA-256 SPKI fingerprints (RFC 7469, Section 2.4).
+ using SPKIHashSet =
+ base::flat_set<net::SHA256HashValue, net::SHA256HashValueLessThan>;
+
+ // MakeWhitelist converts a vector of Base64-encoded SHA-256 SPKI fingerprints
+ // into an SPKIHashSet. Invalid fingerprints are logged and skipped.
+ static SPKIHashSet MakeWhitelist(
+ const std::vector<std::string>& fingerprints);
+
+ IgnoreErrorsCertVerifier(std::unique_ptr<net::CertVerifier> verifier,
+ SPKIHashSet whitelist);
+
+ ~IgnoreErrorsCertVerifier() override;
+
+ // Verify invokes Verify() on the wrapped CertVerifier. If any of the
+ // certificates from the chain in |params| match one of the SPKI fingerprints
+ // from the whitelist, it returns OK regardless of the actual verification
+ // result (or ERR_IO_PENDING on asynchronous completion). Otherwise the actual
+ // result is returned.
Ryan Sleevi 2017/04/25 18:07:09 I think this needs updating with the new behaviour
martinkr 2017/04/25 19:48:37 Done.
+ int Verify(const RequestParams& params,
+ net::CRLSet* crl_set,
+ net::CertVerifyResult* verify_result,
+ const net::CompletionCallback& callback,
+ std::unique_ptr<Request>* out_req,
+ const net::NetLogWithSource& net_log) override;
+
+ private:
+ std::unique_ptr<net::CertVerifier> verifier_;
+ SPKIHashSet whitelist_;
+};
+
+#endif // CHROME_BROWSER_SSL_IGNORE_ERRORS_CERT_VERIFIER_H_
« no previous file with comments | « chrome/browser/io_thread.cc ('k') | chrome/browser/ssl/ignore_errors_cert_verifier.cc » ('j') | chrome/browser/ssl/ignore_errors_cert_verifier.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698