Certificate Transparency: Code for unpacking EV cert hashes whitelist

chrome/browser/net/packed_ct_ev_whitelist.cc

Index: chrome/browser/net/packed_ct_ev_whitelist.cc
diff --git a/chrome/browser/net/packed_ct_ev_whitelist.cc b/chrome/browser/net/packed_ct_ev_whitelist.cc
new file mode 100644
index 0000000000000000000000000000000000000000..12e76fbcf36892c0377efa9bd1426d40a28ad185
--- /dev/null
+++ b/chrome/browser/net/packed_ct_ev_whitelist.cc
@@ -0,0 +1,175 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/net/packed_ct_ev_whitelist.h"
+
+#include <set>
+
+#include "base/big_endian.h"
+#include "base/bind.h"
+#include "base/file_util.h"
+#include "base/lazy_instance.h"
+#include "base/logging.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/ssl/ssl_config_service.h"
+
+namespace {
+const uint8_t kCertHashLengthBits = 64;     // 8 bytes
+const uint64_t kGolombMParameterBits = 47;  // 2^47
+}  // namespace
+
+namespace internal {
+
+BitStreamReader::BitStreamReader(const base::StringPiece& source)
+    : source_(source), current_byte_(0), current_bit_(7) {
+}
+
+bool BitStreamReader::ReadUnaryEncoding(uint64_t* out) {
+  uint64_t res = 0;
+  if (BitsLeft() == 0)
+    return false;
+
+  while ((BitsLeft() > 0) && ReadBit())
+    res++;
+
+  *out = res;
+  return true;
+}
+
+bool BitStreamReader::ReadBits(uint8_t num_bits, uint64_t* out) {
+  if (num_bits > 64)
+    return false;
+
+  if (BitsLeft() < num_bits)
+    return false;
+
+  uint64_t res = 0;
+  for (uint8_t i = 0; i < num_bits; ++i)
+    res |= (static_cast<uint64_t>(ReadBit()) << (num_bits - (i + 1)));
+
+  *out = res;
+  return true;
+}
+
+uint64_t BitStreamReader::BitsLeft() const {
+  if (current_byte_ == source_.length())
+    return 0;
+  return (source_.length() - (current_byte_ + 1)) * 8 + current_bit_ + 1;
+}
+
+uint8_t BitStreamReader::ReadBit() {
+  DCHECK_GT(BitsLeft(), 0u);
+  DCHECK(current_bit_ < 8 && current_bit_ >= 0);
+  uint8_t res =
+      (source_.data()[current_byte_] & (1 << current_bit_)) >> current_bit_;
+  current_bit_--;
+  if (current_bit_ < 0) {
+    current_byte_++;
+    current_bit_ = 7;
+  }
+
+  return res;
+}
+
+void SetNewEVWhitelistInSSLConfigService(
+    scoped_refptr<net::ct::EVCertsWhitelist> new_whitelist,
+    scoped_refptr<net::SSLConfigService> ssl_config_service) {
+  if (ssl_config_service.get() != NULL) {
+    ssl_config_service->SetEVCertsWhitelist(new_whitelist);
+  }
+}
+
+}  // namespace internal
+
+void SetEVWhitelistFromFile(
+    const base::FilePath& compressed_whitelist_file,
+    scoped_refptr<net::SSLConfigService> ssl_config_service) {
+  VLOG(1) << "Setting EV whitelist from file: "
+          << compressed_whitelist_file.value();
+  std::string compressed_list;
+  if (!base::ReadFileToString(compressed_whitelist_file, &compressed_list)) {
+    VLOG(1) << "Failed reading from " << compressed_whitelist_file.value();
+    return;
+  }
+
+  scoped_refptr<net::ct::EVCertsWhitelist> new_whitelist(
+      new PackedEVCertsWhitelist(compressed_list));
+  if (!new_whitelist->IsValid()) {
+    VLOG(1) << "Failed uncompressing EV certs whitelist.";
+    return;
+  }
+
+  base::Callback<void(void)> assign_cb =
+      base::Bind(&internal::SetNewEVWhitelistInSSLConfigService,
+                 new_whitelist,
+                 ssl_config_service);
+  content::BrowserThread::PostTask(
+      content::BrowserThread::IO, FROM_HERE, assign_cb);
+}
+
+bool PackedEVCertsWhitelist::UncompressEVWhitelist(
+    const std::string& compressed_whitelist,
+    std::set<std::string>* uncompressed_list) {
+  internal::BitStreamReader reader(base::StringPiece(
+      compressed_whitelist.data(), compressed_whitelist.size()));
+  std::set<std::string> result;
+
+  VLOG(1) << "Uncompressing EV whitelist of size "
+          << compressed_whitelist.size();
+  uint64_t curr_hash(0);
+  if (!reader.ReadBits(kCertHashLengthBits, &curr_hash)) {
+    VLOG(1) << "Failed reading first hash.";
+    return false;
+  }
+  char hash_bytes[8];
+  base::WriteBigEndian(hash_bytes, curr_hash);
+  result.insert(std::string(hash_bytes, 8));
+  static const uint64_t M = static_cast<uint64_t>(1) << kGolombMParameterBits;
+
+  while (reader.BitsLeft() > kGolombMParameterBits) {
+    uint64_t read_prefix = 0;
+    if (!reader.ReadUnaryEncoding(&read_prefix)) {
+      VLOG(1) << "Failed reading unary-encoded prefix.";
+      return false;
+    }
+
+    uint64_t r = 0;
+    if (!reader.ReadBits(kGolombMParameterBits, &r)) {
+      VLOG(1) << "Failed reading " << kGolombMParameterBits << " bits.";
+      return false;
+    }
+
+    uint64_t curr_diff = read_prefix * M + r;
+    curr_hash += curr_diff;
+
+    base::WriteBigEndian(hash_bytes, curr_hash);
+    result.insert(std::string(hash_bytes, 8));
+  }
+
+  uncompressed_list->swap(result);
+  return true;
+}
+
+PackedEVCertsWhitelist::PackedEVCertsWhitelist(
+    const std::string& compressed_whitelist)
+    : is_whitelist_valid_(false) {
+  std::set<std::string> new_whitelist;
+  if (!UncompressEVWhitelist(compressed_whitelist, &new_whitelist))
+    return;
+
+  whitelist_.swap(new_whitelist);
+  is_whitelist_valid_ = true;
+}
+
+PackedEVCertsWhitelist::~PackedEVCertsWhitelist() {
+}
+
+bool PackedEVCertsWhitelist::ContainsCertificateHash(
+    const std::string& certificate_hash) const {
+  return whitelist_.find(certificate_hash) != whitelist_.end();
+}
+
+bool PackedEVCertsWhitelist::IsValid() const {
+  return is_whitelist_valid_;
+}