1*6777b538SAndroid Build Coastguard Worker // Copyright 2012 The Chromium Authors 2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be 3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file. 4*6777b538SAndroid Build Coastguard Worker 5*6777b538SAndroid Build Coastguard Worker #ifndef NET_CERT_CERT_VERIFY_PROC_H_ 6*6777b538SAndroid Build Coastguard Worker #define NET_CERT_CERT_VERIFY_PROC_H_ 7*6777b538SAndroid Build Coastguard Worker 8*6777b538SAndroid Build Coastguard Worker #include <string> 9*6777b538SAndroid Build Coastguard Worker #include <vector> 10*6777b538SAndroid Build Coastguard Worker 11*6777b538SAndroid Build Coastguard Worker #include "base/feature_list.h" 12*6777b538SAndroid Build Coastguard Worker #include "base/gtest_prod_util.h" 13*6777b538SAndroid Build Coastguard Worker #include "base/memory/ref_counted.h" 14*6777b538SAndroid Build Coastguard Worker #include "build/build_config.h" 15*6777b538SAndroid Build Coastguard Worker #include "crypto/crypto_buildflags.h" 16*6777b538SAndroid Build Coastguard Worker #include "net/base/hash_value.h" 17*6777b538SAndroid Build Coastguard Worker #include "net/base/ip_address.h" 18*6777b538SAndroid Build Coastguard Worker #include "net/base/net_export.h" 19*6777b538SAndroid Build Coastguard Worker #include "net/cert/ct_log_verifier.h" 20*6777b538SAndroid Build Coastguard Worker #include "net/cert/ct_policy_enforcer.h" 21*6777b538SAndroid Build Coastguard Worker #include "net/cert/ct_verifier.h" 22*6777b538SAndroid Build Coastguard Worker #include "net/net_buildflags.h" 23*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/pki/parsed_certificate.h" 24*6777b538SAndroid Build Coastguard Worker 25*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) 26*6777b538SAndroid Build Coastguard Worker #include "net/cert/internal/trust_store_chrome.h" 27*6777b538SAndroid Build Coastguard 
#endif

// NOTE(review): std::optional, std::shared_ptr and uint8_t are used below but
// <optional>, <memory> and <cstdint> are not included directly at the top of
// this header; they currently arrive transitively (include-what-you-use).

namespace net {

class CertNetFetcher;
class CertVerifyResult;
class CRLSet;
class NetLogWithSource;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;

// Class to perform certificate path building and verification for various
// certificate uses. All methods of this class must be thread-safe, as they
// may be called from various non-joinable worker threads.
//
// The base class itself holds only |crl_set_|, a const scoped_refptr fixed at
// construction, so it carries no per-call mutable state; subclasses are
// expected to uphold the same discipline.
class NET_EXPORT CertVerifyProc
    : public base::RefCountedThreadSafe<CertVerifyProc> {
 public:
  // Bit flags passed to Verify() via |flags|. Each flag either enables an
  // additional check or relaxes a default policy; the comments below call out
  // which is which, since the relaxing flags widen what is accepted.
  enum VerifyFlags {
    // If set, enables online revocation checking via CRLs and OCSP for the
    // certificate chain.
    // Note: has no effect if VERIFY_DISABLE_NETWORK_FETCHES is set.
    VERIFY_REV_CHECKING_ENABLED = 1 << 0,

    // If set, this is equivalent to VERIFY_REV_CHECKING_ENABLED, in that it
    // enables online revocation checking via CRLs or OCSP, but only
    // for certificates issued by non-public trust anchors. Failure to check
    // revocation is treated as a hard failure.
    // Note: has no effect if VERIFY_DISABLE_NETWORK_FETCHES is set. Because
    // that flag overrides this one, the "hard failure" guarantee does not
    // hold when both are set: a caller that needs revocation to actually be
    // checked for locally-anchored chains must not also disable network
    // fetches.
    VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS = 1 << 1,

    // If set, certificates with SHA-1 signatures will be allowed, but only if
    // they are issued by non-public trust anchors. This relaxes the default
    // signature policy; it is scoped to non-public anchors and so does not
    // affect publicly trusted chains.
    VERIFY_ENABLE_SHA1_LOCAL_ANCHORS = 1 << 2,

    // If set, disables the policy enforcement described at
    // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
    // This is also a policy relaxation.
    VERIFY_DISABLE_SYMANTEC_ENFORCEMENT = 1 << 3,

    // Disable network fetches during verification. This will override
    // VERIFY_REV_CHECKING_ENABLED and
    // VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS if they are also specified.
    // (Note that this entirely disables the online revocation/AIA code paths.
    // Theoretically we could still check for cached results.)
    // CRLSet-based revocation checking is documented on Verify() as always
    // enabled, so this flag only suppresses online lookups, not CRLSet.
    VERIFY_DISABLE_NETWORK_FETCHES = 1 << 4,

    // Also update GetNetConstants() in net/log/net_log_util.cc when updating
    // this enum.
    VERIFY_FLAGS_LAST = VERIFY_DISABLE_NETWORK_FETCHES
  };

  // The set factory parameters that are variable over time, but are expected to
  // be consistent between multiple verifiers that are created. For example,
  // CertNetFetcher is not in this struct as it is expected that different
  // verifiers will have different net fetchers. (There is no technical
  // restriction against creating different verifiers with different ImplParams,
  // structuring the parameters this way just makes some APIs more convenient
  // for the common case.)
  struct NET_EXPORT ImplParams {
    ImplParams();
    ~ImplParams();
    ImplParams(const ImplParams&);
    ImplParams& operator=(const ImplParams& other);
    ImplParams(ImplParams&&);
    ImplParams& operator=(ImplParams&& other);

    // CRLSet used for revocation checking. What the out-of-line constructor
    // initializes this to is not visible in this header.
    scoped_refptr<CRLSet> crl_set;
    // CT logs and policy enforcer handed to the CT verification path
    // (presumably used to validate the |sct_list| passed to Verify()).
    std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
    scoped_refptr<net::CTPolicyEnforcer> ct_policy_enforcer;
#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
    // Root store contents to verify against. Compare
    // CreateBuiltinWithChromeRootStore(), where a null |root_store_data|
    // means "use the default"; nullopt here presumably means the same.
    std::optional<net::ChromeRootStoreData> root_store_data;
#endif
#if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
    // Selects between the Chrome Root Store and the platform verifier.
    // NOTE(review): there is no in-class initializer, so this relies on the
    // out-of-line ImplParams() constructor setting it; an indeterminate value
    // here would silently decide which root store is used. Confirm the
    // constructor always assigns it.
    bool use_chrome_root_store;
#endif
  };

  // CIDR, consisting of an IP and a netmask.
  // NOTE(review): nothing in this header validates that |ip| and |mask| are
  // the same address family or that |mask| is a contiguous prefix mask; the
  // consumer of permitted_cidrs is expected to handle that.
  struct NET_EXPORT CIDR {
    net::IPAddress ip;
    net::IPAddress mask;
  };

  // Single certificate, with constraints.
  // Used for additional_trust_anchors_with_constraints: the name constraints
  // come from these fields rather than from the certificate itself.
  struct NET_EXPORT CertificateWithConstraints {
    CertificateWithConstraints();
    ~CertificateWithConstraints();
    CertificateWithConstraints(const CertificateWithConstraints&);
    CertificateWithConstraints& operator=(
        const CertificateWithConstraints& other);
    CertificateWithConstraints(CertificateWithConstraints&&);
    CertificateWithConstraints& operator=(CertificateWithConstraints&& other);

    std::shared_ptr<const bssl::ParsedCertificate> certificate;

    // DNS names permitted for chains rooted at |certificate|.
    std::vector<std::string> permitted_dns_names;

    // IP ranges permitted for chains rooted at |certificate|.
    // What an empty list means (nothing permitted vs. unconstrained) is
    // decided by the consumer, not here — confirm before relying on it.
    std::vector<CIDR> permitted_cidrs;
  };

  // The set of parameters that are variable over time and can differ between
  // different verifiers created by a CertVerifierProcFactory.
  struct NET_EXPORT InstanceParams {
    InstanceParams();
    ~InstanceParams();
    InstanceParams(const InstanceParams&);
    InstanceParams& operator=(const InstanceParams& other);
    InstanceParams(InstanceParams&&);
    InstanceParams& operator=(InstanceParams&& other);

    // Additional trust anchors to consider during path validation. Ordinarily,
    // implementations of CertVerifier use trust anchors from the configured
    // system store. This is implementation-specific plumbing for passing
    // additional anchors through.
    // Note: by contrast with additional_trust_anchors_with_enforced_constraints
    // below, constraints and NotBefore/NotAfter embedded in these anchors are
    // not enforced, so callers should only add anchors here whose embedded
    // limits they do not need honored.
    bssl::ParsedCertificateList additional_trust_anchors;

    // Same as additional_trust_anchors, but embedded anchor constraints and
    // NotBefore/NotAfter are enforced.
    bssl::ParsedCertificateList
        additional_trust_anchors_with_enforced_constraints;

    // Additional trust anchors to consider during path validation, but with
    // name constraints specified outside of the certificate.
    std::vector<CertificateWithConstraints>
        additional_trust_anchors_with_constraints;

    // Additional temporary certs to consider as intermediates during path
    // validation. Ordinarily, implementations of CertVerifier use intermediate
    // certs from the configured system store. This is implementation-specific
    // plumbing for passing additional intermediates through.
    // These are not trusted; they only help build a path to an anchor.
    bssl::ParsedCertificateList additional_untrusted_authorities;

    // Additional SPKIs to consider as distrusted during path validation.
    // Presumably the DER-encoded SubjectPublicKeyInfo rather than a hash of
    // it (HashValueVector is used elsewhere in this header for hashes) —
    // confirm with the consumer before populating.
    std::vector<std::vector<uint8_t>> additional_distrusted_spkis;

    // If true, use the user-added certs in the system trust store for path
    // validation.
    // This only has an impact if the Chrome Root Store is being used.
    // Security-relevant default: user-added system certificates are honored
    // unless the caller explicitly opts out.
    bool include_system_trust_store = true;
  };

  // These values are persisted to logs. Entries should not be renumbered and
  // numeric values should never be reused.
  enum class NameNormalizationResult {
    kError = 0,
    kByteEqual = 1,
    kNormalized = 2,
    kChainLengthOne = 3,
    kMaxValue = kChainLengthOne
  };

#if !(BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || \
      BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(CHROME_ROOT_STORE_ONLY))
  // Creates and returns a CertVerifyProc that uses the system verifier.
  // |cert_net_fetcher| may not be used, depending on the implementation.
  // |crl_set| is stored on the returned object and exposed via crl_set().
  static scoped_refptr<CertVerifyProc> CreateSystemVerifyProc(
      scoped_refptr<CertNetFetcher> cert_net_fetcher,
      scoped_refptr<CRLSet> crl_set);
#endif

#if BUILDFLAG(IS_FUCHSIA)
  // Creates and returns a CertVerifyProcBuiltin using the SSL SystemTrustStore.
  // |ct_verifier| ownership is transferred; |instance_params| is taken by
  // value (copied).
  static scoped_refptr<CertVerifyProc> CreateBuiltinVerifyProc(
      scoped_refptr<CertNetFetcher> cert_net_fetcher,
      scoped_refptr<CRLSet> crl_set,
      std::unique_ptr<CTVerifier> ct_verifier,
      scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
      const InstanceParams instance_params);
#endif

#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
  // Creates and returns a CertVerifyProcBuiltin using the Chrome Root Store
  // SystemTrustStore and the given |root_store_data|, which may be nullptr to
  // use the default.
  // |ct_verifier| ownership is transferred; |instance_params| is taken by
  // value (copied).
  static scoped_refptr<CertVerifyProc> CreateBuiltinWithChromeRootStore(
      scoped_refptr<CertNetFetcher> cert_net_fetcher,
      scoped_refptr<CRLSet> crl_set,
      std::unique_ptr<CTVerifier> ct_verifier,
      scoped_refptr<CTPolicyEnforcer> ct_policy_enforcer,
      const ChromeRootStoreData* root_store_data,
      const InstanceParams instance_params);
#endif

  CertVerifyProc(const CertVerifyProc&) = delete;
  CertVerifyProc& operator=(const CertVerifyProc&) = delete;

  // Verifies the certificate against the given hostname as an SSL server
  // certificate. Returns OK if successful or an error code upon failure.
  //
  // The |*verify_result| structure, including the |verify_result->cert_status|
  // bitmask, is always filled out regardless of the return value. If the
  // certificate has multiple errors, the corresponding status flags are set in
  // |verify_result->cert_status|, and the error code for the most serious
  // error is returned.
  //
  // |ocsp_response|, if non-empty, is a stapled OCSP response to use.
  //
  // |sct_list|, if non-empty, is a SignedCertificateTimestampList from the TLS
  // extension as described in RFC6962 section 3.3.1.
  //
  // Both |ocsp_response| and |sct_list| originate from the TLS peer and are
  // therefore untrusted input; implementations must parse them defensively.
  //
  // |flags| is bitwise OR'd of VerifyFlags:
  //
  // If |time_now| is set it will be used as the current time, otherwise the
  // system time will be used. A caller-supplied |time_now| is not
  // authoritative for validity-period errors: see VerifyInternal(), where a
  // NotBefore/NotAfter failure under |time_now| is retried with the system
  // time.
  //
  // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, online certificate
  // revocation checking is performed (i.e. OCSP and downloading CRLs). CRLSet
  // based revocation checking is always enabled, regardless of this flag.
  int Verify(X509Certificate* cert,
             const std::string& hostname,
             const std::string& ocsp_response,
             const std::string& sct_list,
             int flags,
             CertVerifyResult* verify_result,
             const NetLogWithSource& net_log,
             std::optional<base::Time> time_now = std::nullopt);

 protected:
  // |crl_set| is stored as-is in |crl_set_| for the lifetime of this object.
  explicit CertVerifyProc(scoped_refptr<CRLSet> crl_set);
  virtual ~CertVerifyProc();

  // Non-owning accessor for the CRLSet given at construction. May be null if
  // a null |crl_set| was passed to the constructor; callers should check.
  CRLSet* crl_set() const { return crl_set_.get(); }

  // Record a histogram of whether Name normalization was used in verifying the
  // chain. This should only be called for successfully validated chains.
  static void LogNameNormalizationResult(const std::string& histogram_suffix,
                                         NameNormalizationResult result);

  // Record a histogram of whether Name normalization was used in verifying the
  // chain. This should only be called for successfully validated chains.
  // |verified_cert| is the chain that was validated; |is_issued_by_known_root|
  // indicates whether it chains to a public root.
  static void LogNameNormalizationMetrics(const std::string& histogram_suffix,
                                          X509Certificate* verified_cert,
                                          bool is_issued_by_known_root);

 private:
  friend class base::RefCountedThreadSafe<CertVerifyProc>;
  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, TestHasTooLongValidity);
  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest,
                           VerifyRejectsSHA1AfterDeprecationLegacyMode);
  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, SymantecCertsRejected);

  // Performs the actual verification using the desired underlying
  // implementation. Called by Verify(); parameters have the same meaning as
  // there.
  //
  // On entry, |verify_result| will be default-initialized as a successful
  // validation, with |verify_result->verified_cert| set to |cert|.
  //
  // Implementations are expected to fill in all applicable fields, excluding:
  //
  //   * ocsp_result
  //   * has_sha1
  //
  // which will be filled in by |Verify()|. If an error code is returned,
  // |verify_result->cert_status| should be non-zero, indicating an
  // error occurred.
  //
  // If |time_now| is not nullopt, it will be used as the current time for
  // certificate verification, if it is nullopt, the system time will be used
  // instead. If a certificate verification fails with a NotBefore/NotAfter
  // error when |time_now| is set, it will be retried with the system time.
  //
  // On success, net::OK should be returned, with |verify_result| updated to
  // reflect the successfully verified chain.
  virtual int VerifyInternal(X509Certificate* cert,
                             const std::string& hostname,
                             const std::string& ocsp_response,
                             const std::string& sct_list,
                             int flags,
                             CertVerifyResult* verify_result,
                             const NetLogWithSource& net_log,
                             std::optional<base::Time> time_now) = 0;

  // HasNameConstraintsViolation returns true iff one of |public_key_hashes|
  // (which are hashes of SubjectPublicKeyInfo structures) has name constraints
  // imposed on it and the names in |dns_names| are not permitted.
  // |common_name| and |ip_addrs| are also passed and are presumably subject
  // to the same constraints; the original description mentions only
  // |dns_names|, so confirm against the implementation.
  static bool HasNameConstraintsViolation(
      const HashValueVector& public_key_hashes,
      const std::string& common_name,
      const std::vector<std::string>& dns_names,
      const std::vector<std::string>& ip_addrs);

  // Checks the validity period of the certificate against the maximum
  // allowable validity period for publicly trusted certificates. Returns true
  // if the validity period is too long. The maximum itself is defined by the
  // implementation, not in this header.
  static bool HasTooLongValidity(const X509Certificate& cert);

  // Fixed at construction; never reassigned (see the thread-safety note on
  // the class).
  const scoped_refptr<CRLSet> crl_set_;
};

// Factory for creating new CertVerifyProcs when they need to be updated.
class NET_EXPORT CertVerifyProcFactory
    : public base::RefCountedThreadSafe<CertVerifyProcFactory> {
 public:

  // Create a new CertVerifyProc that uses the passed in CRLSet and
  // ChromeRootStoreData (both carried in |impl_params|), plus the per-verifier
  // |instance_params| (additional anchors, intermediates, distrusted SPKIs).
  // |cert_net_fetcher| is per-verifier and may go unused by some
  // implementations.
  virtual scoped_refptr<CertVerifyProc> CreateCertVerifyProc(
      scoped_refptr<CertNetFetcher> cert_net_fetcher,
      const CertVerifyProc::ImplParams& impl_params,
      const CertVerifyProc::InstanceParams& instance_params) = 0;

 protected:
  virtual ~CertVerifyProcFactory() = default;

 private:
  friend class base::RefCountedThreadSafe<CertVerifyProcFactory>;
};

}  // namespace net

#endif  // NET_CERT_CERT_VERIFY_PROC_H_