OLD | NEW |
| (Empty) |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef COMPONENTS_PACKED_CT_EV_WHITELIST_PACKED_CT_EV_WHITELIST_H_ | |
6 #define COMPONENTS_PACKED_CT_EV_WHITELIST_PACKED_CT_EV_WHITELIST_H_ | |
7 | |
8 #include <stdint.h> | |
9 | |
10 #include <string> | |
11 #include <vector> | |
12 | |
13 #include "base/gtest_prod_util.h" | |
14 #include "base/macros.h" | |
15 #include "base/version.h" | |
16 #include "net/cert/ct_ev_whitelist.h" | |
17 | |
18 namespace packed_ct_ev_whitelist { | |
19 | |
20 // An implementation of the EVCertsWhitelist that gets its data packed using | |
21 // Golomb coding to encode the difference between subsequent hash values. | |
22 // Format of the packed list: | |
23 // * First 8 bytes: First hash | |
24 // * Repeating Golomb-coded number which is the numeric difference of the | |
25 // previous hash value from this one | |
26 // | |
27 // The resulting, unpacked list is a sorted list of hash values that can be | |
28 // efficiently searched. | |
29 class PackedEVCertsWhitelist : public net::ct::EVCertsWhitelist { | |
30 public: | |
31 // Unpacks the given |compressed_whitelist|. See the class documentation | |
32 // for description of the |compressed_whitelist| format. | |
33 PackedEVCertsWhitelist(const std::string& compressed_whitelist, | |
34 const base::Version& version); | |
35 | |
36 // Returns true if the |certificate_hash| appears in the EV certificate hashes | |
37 // whitelist. Must not be called if IsValid for this instance returned false. | |
38 bool ContainsCertificateHash( | |
39 const std::string& certificate_hash) const override; | |
40 | |
41 // Returns true if the EV certificate hashes whitelist provided in the c'tor | |
42 // was valid, false otherwise. | |
43 bool IsValid() const override; | |
44 | |
45 // Returns the version of the whitelist in use, if available. | |
46 base::Version Version() const override; | |
47 | |
48 protected: | |
49 ~PackedEVCertsWhitelist() override; | |
50 | |
51 private: | |
52 FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, | |
53 UncompressFailsForTooShortList); | |
54 FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, | |
55 UncompressFailsForTruncatedList); | |
56 FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, | |
57 UncompressFailsForInvalidValuesInList); | |
58 FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, | |
59 UncompressesWhitelistCorrectly); | |
60 | |
61 // Given a Golomb-coded list of hashes in |compressed_whitelist|, unpack into | |
62 // |uncompressed_list|. Returns true if the format of the compressed whitelist | |
63 // is valid, false otherwise. | |
64 static bool UncompressEVWhitelist(const std::string& compressed_whitelist, | |
65 std::vector<uint64_t>* uncompressed_list); | |
66 | |
67 // The whitelist is an array containing certificate hashes (truncated | |
68 // to a fixed size of 8 bytes), sorted. | |
69 // Binary search is used to locate hashes in the the array. | |
70 // Benchmarking bsearch vs std::set (with 120K entries, doing 1.2M lookups) | |
71 // shows that bsearch is about twice as fast as std::set lookups (and std::set | |
72 // has additional memory overhead). | |
73 std::vector<uint64_t> whitelist_; | |
74 base::Version version_; | |
75 | |
76 DISALLOW_COPY_AND_ASSIGN(PackedEVCertsWhitelist); | |
77 }; | |
78 | |
79 // Sets the EV certificate hashes whitelist in the SSLConfigService | |
80 // to the provided |whitelist|, if valid. Otherwise, does nothing. | |
81 // To set the new whitelist, this function dispatches a task to the IO thread. | |
82 void SetEVCertsWhitelist(scoped_refptr<net::ct::EVCertsWhitelist> whitelist); | |
83 | |
84 } // namespace packed_ct_ev_whitelist | |
85 | |
86 #endif // COMPONENTS_PACKED_CT_EV_WHITELIST_PACKED_CT_EV_WHITELIST_H_ | |
OLD | NEW |