Index: chrome/browser/net/packed_ct_ev_whitelist.h |
diff --git a/chrome/browser/net/packed_ct_ev_whitelist.h b/chrome/browser/net/packed_ct_ev_whitelist.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..2321d63ad04006f3e496b38273b57e58d89318d2 |
--- /dev/null |
+++ b/chrome/browser/net/packed_ct_ev_whitelist.h |
@@ -0,0 +1,85 @@ |
+// Copyright 2014 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef CHROME_BROWSER_NET_PACKED_CT_EV_WHITELIST_H_ |
+#define CHROME_BROWSER_NET_PACKED_CT_EV_WHITELIST_H_ |
+ |
+#include <stdint.h> |
+ |
+#include <string> |
+#include <vector> |
+ |
+#include "base/gtest_prod_util.h" |
+#include "net/cert/ct_ev_whitelist.h" |
+ |
+namespace base { |
+class FilePath; |
+} |
+ |
+// An implementation of the EVCertsWhitelist that gets its data packed using |
+// Golomb coding to encode the difference between subsequent hash values. |
+// Format of the packed list: |
+// * First 8 bytes: First hash |
+// * Repeating Golomb-coded number which is the numeric difference of the |
+// previous hash value from this one |
+// |
+// The resulting, unpacked list is a sorted list of hash values that can be |
+// efficiently searched. |
+class PackedEVCertsWhitelist : public net::ct::EVCertsWhitelist { |
+ public: |
+ // Unpacks the given |compressed_whitelist|. See the class documentation |
+ // for description of the |compressed_whitelist| format. |
+ explicit PackedEVCertsWhitelist(const std::string& compressed_whitelist); |
+ |
+ // Returns true if the |certificate_hash| appears in the EV certificate hashes |
+ // whitelist. Must not be called if IsValid for this instance returned false. |
+ bool ContainsCertificateHash( |
+ const std::string& certificate_hash) const override; |
+ |
+ // Returns true if the EV certificate hashes whitelist provided in the c'tor |
+ // was valid, false otherwise. |
+ bool IsValid() const override; |
+ |
+ protected: |
+ ~PackedEVCertsWhitelist() override; |
+ |
+ private: |
+ FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, |
+ UncompressFailsForTooShortList); |
+ FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, |
+ UncompressFailsForTruncatedList); |
+ FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, |
+ UncompressFailsForInvalidValuesInList); |
+ FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest, |
+ UncompressesWhitelistCorrectly); |
+ |
+ // Given a Golomb-coded list of hashes in |compressed_whitelist|, unpack into |
+ // |uncompressed_list|. Returns true if the format of the compressed whitelist |
+ // is valid, false otherwise. |
+ static bool UncompressEVWhitelist(const std::string& compressed_whitelist, |
+ std::vector<uint64_t>* uncompressed_list); |
+ |
+ bool is_whitelist_valid_; |
+ |
+ // The whitelist is an array containing certificate hashes (truncated |
+ // to a fixed size of 8 bytes), sorted. |
+ // Binary search is used to locate hashes in the the array. |
+ // Benchmarking bsearch vs std::set (with 120K entries, doing 1.2M lookups) |
+ // shows that bsearch is about twice as fast as std::set lookups (and std::set |
+ // has additional memory overhead). |
+ std::vector<uint64_t> whitelist_; |
+ |
+ DISALLOW_COPY_AND_ASSIGN(PackedEVCertsWhitelist); |
+}; |
+ |
+// Sets the EV certificate hashes whitelist from |compressed_whitelist_file| |
+// in |ssl_config_service|, after uncompressing it. |
+// If the data in |compressed_whitelist_file| is not a valid compressed |
+// whitelist, does nothing. |
+// As this function performs file operations, it should be called from a |
+// blocking pool worker or a file worker. |
+// To set the new whitelist, this function dispatches a task to the IO thread. |
+void SetEVWhitelistFromFile(const base::FilePath& compressed_whitelist_file); |
+ |
+#endif // CHROME_BROWSER_NET_PACKED_CT_EV_WHITELIST_H_ |