Add --ignore-certificate-errors-spki-list switch and UMA histogram.

chrome/browser/ssl/ignore_errors_cert_verifier.cc

Index: chrome/browser/ssl/ignore_errors_cert_verifier.cc
diff --git a/chrome/browser/ssl/ignore_errors_cert_verifier.cc b/chrome/browser/ssl/ignore_errors_cert_verifier.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2b35c7a9a64cfd2e9471e92cc0c5727a3b4f5769
--- /dev/null
+++ b/chrome/browser/ssl/ignore_errors_cert_verifier.cc
@@ -0,0 +1,103 @@
+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/ignore_errors_cert_verifier.h"
+
+#include <utility>
+
+#include "base/memory/ref_counted.h"
+#include "crypto/sha2.h"
+#include "net/base/completion_callback.h"
+#include "net/base/hash_value.h"
+#include "net/base/net_errors.h"
+#include "net/base/net_export.h"
+#include "net/cert/asn1_util.h"
+#include "net/cert/x509_certificate.h"
+
+using ::net::CertVerifier;
+using ::net::CompletionCallback;
+using ::net::HashValue;
+using ::net::SHA256HashValue;
+using ::net::SHA256HashValueLessThan;
+using ::net::X509Certificate;
+
+// static
+IgnoreErrorsCertVerifier::SPKIHashSet IgnoreErrorsCertVerifier::MakeWhitelist(
+    const std::vector<std::string>& fingerprints) {
+  IgnoreErrorsCertVerifier::SPKIHashSet whitelist;
+  for (const std::string& fingerprint : fingerprints) {
+    HashValue hv;

[Ryan Sleevi, 2017/04/12 21:53:17]

style: https://google.github.io/styleguide/cppguide.html#General_Naming_Rules

a name like "hash" or "hash_value" is probably more appropriate here.

[martinkr, 2017/04/24 23:54:25]

Done.

+    if (!hv.FromString("sha256/" + fingerprint)) {
+      LOG(ERROR) << "Invalid SPKI: " << fingerprint;
+      continue;
+    }
+    SHA256HashValue sha256;
+    DCHECK_EQ(hv.size(), sizeof(sha256));
+    memcpy(&sha256, hv.data(), sizeof(sha256));
+    whitelist.insert(sha256);
+  }
+  return whitelist;
+}
+
+IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier(
+    std::unique_ptr<CertVerifier> verifier,
+    IgnoreErrorsCertVerifier::SPKIHashSet whitelist)
+    : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)) {}
+
+IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {}
+
+int IgnoreErrorsCertVerifier::Verify(const RequestParams& params,
+                                     net::CRLSet* crl_set,
+                                     net::CertVerifyResult* verify_result,
+                                     const net::CompletionCallback& callback,
+                                     std::unique_ptr<Request>* out_req,
+                                     const net::NetLogWithSource& net_log) {
+  SPKIHashSet spki_fingerprints;
+  std::string cert_der;
+  base::StringPiece cert_spki;
+  SHA256HashValue hash;
+  if (X509Certificate::GetDEREncoded(params.certificate()->os_cert_handle(),
+                                     &cert_der) &&
+      net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) {
+    crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue));
+    spki_fingerprints.insert(hash);
+  }
+  for (const X509Certificate::OSCertHandle& intermediate :
+       params.certificate()->GetIntermediateCertificates()) {
+    if (X509Certificate::GetDEREncoded(intermediate, &cert_der) &&
+        net::asn1::ExtractSPKIFromDERCert(cert_der, &cert_spki)) {
+      crypto::SHA256HashString(cert_spki, &hash, sizeof(SHA256HashValue));
+      spki_fingerprints.insert(hash);
+    }
+  }
+
+  // Intersect SPKI hashes from the chain with the whitelist.
+  auto wl = whitelist_.begin();

[Ryan Sleevi, 2017/04/12 21:53:17]

style: https://google.github.io/styleguide/cppguide.html#General_Naming_Rules

whitelist_begin/whitelist_end, fingerprints_begin/fingerprints_end ?

[martinkr, 2017/04/24 23:54:25]

Done.

+  auto wl_end = whitelist_.end();
+  auto sf = spki_fingerprints.begin();
+  auto sf_end = spki_fingerprints.end();
+  static const SHA256HashValueLessThan sha256_lt;
+  bool ignore_errors = false;
+  while (wl != wl_end && sf != sf_end) {
+    if (sha256_lt(*wl, *sf)) {
+      ++wl;
+    } else if (sha256_lt(*sf, *wl)) {
+      ++sf;
+    } else {
+      ignore_errors = true;
+      break;
+    }
+  }
+
+  CompletionCallback callback_ok = base::Bind(
+      [](CompletionCallback callback, int result) { callback.Run(net::OK); },

[Ryan Sleevi, 2017/04/12 21:53:17]

So in thinking more about this, the problem is that it potentially violates the
contract between the net::Error returned and the CertStatus in the
CertVerifyResult

if (ignore_errors) {
  verify_result->Reset();
  verify_result->verified_cert = cert;
  verify_result->public_key_hashes.assign(spki_fingerprints.begin(),
spki_fingerprints.end());
  return net::OK;
}

return verifier_->Verify(params, crl_set, verify_result, callback, out_req,
net_log);

[martinkr, 2017/04/24 23:54:25]

Done.

+      callback);
+  int result = verifier_->Verify(params, crl_set, verify_result,
+                                 ignore_errors ? callback_ok : callback,
+                                 out_req, net_log);
+  if (ignore_errors && result != net::ERR_IO_PENDING) {
+    return net::OK;
+  }
+  return result;
+}