xref: /aosp_15_r20/external/cronet/net/cert/cert_verifier.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/cert_verifier.h"
6 
7 #include <algorithm>
8 #include <string_view>
9 #include <utility>
10 
11 #include "base/containers/span.h"
12 #include "base/types/optional_util.h"
13 #include "build/build_config.h"
14 #include "net/base/features.h"
15 #include "net/cert/caching_cert_verifier.h"
16 #include "net/cert/cert_verify_proc.h"
17 #include "net/cert/coalescing_cert_verifier.h"
18 #include "net/cert/crl_set.h"
19 #include "net/cert/do_nothing_ct_verifier.h"
20 #include "net/cert/multi_threaded_cert_verifier.h"
21 #include "net/net_buildflags.h"
22 #include "third_party/boringssl/src/include/openssl/pool.h"
23 #include "third_party/boringssl/src/include/openssl/sha.h"
24 
25 namespace net {
26 
27 namespace {
28 
29 class DefaultCertVerifyProcFactory : public net::CertVerifyProcFactory {
30  public:
CreateCertVerifyProc(scoped_refptr<net::CertNetFetcher> cert_net_fetcher,const CertVerifyProc::ImplParams & impl_params,const CertVerifyProc::InstanceParams & instance_params)31   scoped_refptr<net::CertVerifyProc> CreateCertVerifyProc(
32       scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
33       const CertVerifyProc::ImplParams& impl_params,
34       const CertVerifyProc::InstanceParams& instance_params) override {
35 #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
36     if (impl_params.use_chrome_root_store) {
37       return CertVerifyProc::CreateBuiltinWithChromeRootStore(
38           std::move(cert_net_fetcher), impl_params.crl_set,
39           std::make_unique<net::DoNothingCTVerifier>(),
40           base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
41           base::OptionalToPtr(impl_params.root_store_data), instance_params);
42     }
43 #endif
44 #if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
45     return CertVerifyProc::CreateBuiltinWithChromeRootStore(
46         std::move(cert_net_fetcher), impl_params.crl_set,
47         std::make_unique<net::DoNothingCTVerifier>(),
48         base::MakeRefCounted<DefaultCTPolicyEnforcer>(),
49         base::OptionalToPtr(impl_params.root_store_data), instance_params);
50 #elif BUILDFLAG(IS_FUCHSIA)
51     return CertVerifyProc::CreateBuiltinVerifyProc(
52         std::move(cert_net_fetcher), impl_params.crl_set,
53         std::make_unique<net::DoNothingCTVerifier>(),
54         base::MakeRefCounted<DefaultCTPolicyEnforcer>(), instance_params);
55 #else
56     return CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher),
57                                                   impl_params.crl_set);
58 #endif
59   }
60 
61  private:
62   ~DefaultCertVerifyProcFactory() override = default;
63 };
64 
CryptoBufferToSpan(const CRYPTO_BUFFER * b)65 base::span<const uint8_t> CryptoBufferToSpan(const CRYPTO_BUFFER* b) {
66   return base::make_span(CRYPTO_BUFFER_data(b), CRYPTO_BUFFER_len(b));
67 }
68 
Sha256UpdateLengthPrefixed(SHA256_CTX * ctx,base::span<const uint8_t> s)69 void Sha256UpdateLengthPrefixed(SHA256_CTX* ctx, base::span<const uint8_t> s) {
70   // Include a length prefix to ensure the hash is injective.
71   uint64_t l = s.size();
72   SHA256_Update(ctx, reinterpret_cast<uint8_t*>(&l), sizeof(l));
73   SHA256_Update(ctx, s.data(), s.size());
74 }
75 
76 }  // namespace
77 
78 CertVerifier::Config::Config() = default;
79 CertVerifier::Config::Config(const Config&) = default;
80 CertVerifier::Config::Config(Config&&) = default;
81 CertVerifier::Config::~Config() = default;
82 CertVerifier::Config& CertVerifier::Config::operator=(const Config&) = default;
83 CertVerifier::Config& CertVerifier::Config::operator=(Config&&) = default;
84 
85 CertVerifier::RequestParams::RequestParams() = default;
86 
RequestParams(scoped_refptr<X509Certificate> certificate,std::string_view hostname,int flags,std::string_view ocsp_response,std::string_view sct_list)87 CertVerifier::RequestParams::RequestParams(
88     scoped_refptr<X509Certificate> certificate,
89     std::string_view hostname,
90     int flags,
91     std::string_view ocsp_response,
92     std::string_view sct_list)
93     : certificate_(std::move(certificate)),
94       hostname_(hostname),
95       flags_(flags),
96       ocsp_response_(ocsp_response),
97       sct_list_(sct_list) {
98   // For efficiency sake, rather than compare all of the fields for each
99   // comparison, compute a hash of their values. This is done directly in
100   // this class, rather than as an overloaded hash operator, for efficiency's
101   // sake.
102   SHA256_CTX ctx;
103   SHA256_Init(&ctx);
104   Sha256UpdateLengthPrefixed(&ctx,
105                              CryptoBufferToSpan(certificate_->cert_buffer()));
106   for (const auto& cert_handle : certificate_->intermediate_buffers()) {
107     Sha256UpdateLengthPrefixed(&ctx, CryptoBufferToSpan(cert_handle.get()));
108   }
109   Sha256UpdateLengthPrefixed(&ctx, base::as_byte_span(hostname));
110   SHA256_Update(&ctx, &flags, sizeof(flags));
111   Sha256UpdateLengthPrefixed(&ctx, base::as_byte_span(ocsp_response));
112   Sha256UpdateLengthPrefixed(&ctx, base::as_byte_span(sct_list));
113   key_.resize(SHA256_DIGEST_LENGTH);
114   SHA256_Final(reinterpret_cast<uint8_t*>(key_.data()), &ctx);
115 }
116 
117 CertVerifier::RequestParams::RequestParams(const RequestParams& other) =
118     default;
119 CertVerifier::RequestParams::~RequestParams() = default;
120 
operator ==(const CertVerifier::RequestParams & other) const121 bool CertVerifier::RequestParams::operator==(
122     const CertVerifier::RequestParams& other) const {
123   return key_ == other.key_;
124 }
125 
operator <(const CertVerifier::RequestParams & other) const126 bool CertVerifier::RequestParams::operator<(
127     const CertVerifier::RequestParams& other) const {
128   return key_ < other.key_;
129 }
130 
131 // static
132 std::unique_ptr<CertVerifierWithUpdatableProc>
CreateDefaultWithoutCaching(scoped_refptr<CertNetFetcher> cert_net_fetcher)133 CertVerifier::CreateDefaultWithoutCaching(
134     scoped_refptr<CertNetFetcher> cert_net_fetcher) {
135   auto proc_factory = base::MakeRefCounted<DefaultCertVerifyProcFactory>();
136   return std::make_unique<MultiThreadedCertVerifier>(
137       proc_factory->CreateCertVerifyProc(std::move(cert_net_fetcher), {}, {}),
138       proc_factory);
139 }
140 
141 // static
CreateDefault(scoped_refptr<CertNetFetcher> cert_net_fetcher)142 std::unique_ptr<CertVerifier> CertVerifier::CreateDefault(
143     scoped_refptr<CertNetFetcher> cert_net_fetcher) {
144   return std::make_unique<CachingCertVerifier>(
145       std::make_unique<CoalescingCertVerifier>(
146           CreateDefaultWithoutCaching(std::move(cert_net_fetcher))));
147 }
148 
operator ==(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)149 bool operator==(const CertVerifier::Config& lhs,
150                 const CertVerifier::Config& rhs) {
151   return std::tie(
152              lhs.enable_rev_checking, lhs.require_rev_checking_local_anchors,
153              lhs.enable_sha1_local_anchors, lhs.disable_symantec_enforcement) ==
154          std::tie(
155              rhs.enable_rev_checking, rhs.require_rev_checking_local_anchors,
156              rhs.enable_sha1_local_anchors, rhs.disable_symantec_enforcement);
157 }
158 
operator !=(const CertVerifier::Config & lhs,const CertVerifier::Config & rhs)159 bool operator!=(const CertVerifier::Config& lhs,
160                 const CertVerifier::Config& rhs) {
161   return !(lhs == rhs);
162 }
163 
164 }  // namespace net
165