xref: /aosp_15_r20/external/cronet/net/quic/crypto/proof_verifier_chromium.h (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
6 #define NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
7 
8 #include <map>
9 #include <memory>
10 #include <set>
11 #include <string>
12 #include <vector>
13 
14 #include "base/compiler_specific.h"
15 #include "base/memory/raw_ptr.h"
16 #include "net/base/net_export.h"
17 #include "net/base/network_anonymization_key.h"
18 #include "net/cert/cert_verify_result.h"
19 #include "net/cert/x509_certificate.h"
20 #include "net/log/net_log_with_source.h"
21 #include "net/third_party/quiche/src/quiche/quic/core/crypto/proof_verifier.h"
22 
23 namespace net {
24 
25 class CertVerifier;
26 class SCTAuditingDelegate;
27 class TransportSecurityState;
28 
29 // ProofVerifyDetailsChromium is the implementation-specific information that a
30 // ProofVerifierChromium returns about a certificate verification.
31 class NET_EXPORT_PRIVATE ProofVerifyDetailsChromium
32     : public quic::ProofVerifyDetails {
33  public:
34   ProofVerifyDetailsChromium();
35   ProofVerifyDetailsChromium(const ProofVerifyDetailsChromium&);
36   ~ProofVerifyDetailsChromium() override;
37 
38   // quic::ProofVerifyDetails implementation
39   quic::ProofVerifyDetails* Clone() const override;
40 
41   CertVerifyResult cert_verify_result;
42 
43   // True if PKP was bypassed due to a local trust anchor.
44   bool pkp_bypassed = false;
45 
46   // True if there was a certificate error which should be treated as fatal,
47   // and false otherwise.
48   bool is_fatal_cert_error = false;
49 };
50 
51 // ProofVerifyContextChromium is the implementation-specific information that a
52 // ProofVerifierChromium needs in order to log correctly.
53 struct ProofVerifyContextChromium : public quic::ProofVerifyContext {
54  public:
ProofVerifyContextChromiumProofVerifyContextChromium55   ProofVerifyContextChromium(int cert_verify_flags,
56                              const NetLogWithSource& net_log)
57       : cert_verify_flags(cert_verify_flags), net_log(net_log) {}
58 
59   int cert_verify_flags;
60   NetLogWithSource net_log;
61 };
62 
63 // ProofVerifierChromium implements the QUIC quic::ProofVerifier interface.  It
64 // is capable of handling multiple simultaneous requests.
65 class NET_EXPORT_PRIVATE ProofVerifierChromium : public quic::ProofVerifier {
66  public:
67   ProofVerifierChromium(
68       CertVerifier* cert_verifier,
69       TransportSecurityState* transport_security_state,
70       SCTAuditingDelegate* sct_auditing_delegate,
71       std::set<std::string> hostnames_to_allow_unknown_roots,
72       const NetworkAnonymizationKey& network_anonymization_key);
73 
74   ProofVerifierChromium(const ProofVerifierChromium&) = delete;
75   ProofVerifierChromium& operator=(const ProofVerifierChromium&) = delete;
76 
77   ~ProofVerifierChromium() override;
78 
79   // quic::ProofVerifier interface
80   quic::QuicAsyncStatus VerifyProof(
81       const std::string& hostname,
82       const uint16_t port,
83       const std::string& server_config,
84       quic::QuicTransportVersion quic_version,
85       std::string_view chlo_hash,
86       const std::vector<std::string>& certs,
87       const std::string& cert_sct,
88       const std::string& signature,
89       const quic::ProofVerifyContext* verify_context,
90       std::string* error_details,
91       std::unique_ptr<quic::ProofVerifyDetails>* verify_details,
92       std::unique_ptr<quic::ProofVerifierCallback> callback) override;
93   quic::QuicAsyncStatus VerifyCertChain(
94       const std::string& hostname,
95       const uint16_t port,
96       const std::vector<std::string>& certs,
97       const std::string& ocsp_response,
98       const std::string& cert_sct,
99       const quic::ProofVerifyContext* verify_context,
100       std::string* error_details,
101       std::unique_ptr<quic::ProofVerifyDetails>* verify_details,
102       uint8_t* out_alert,
103       std::unique_ptr<quic::ProofVerifierCallback> callback) override;
104   std::unique_ptr<quic::ProofVerifyContext> CreateDefaultContext() override;
105 
106  private:
107   class Job;
108 
109   void OnJobComplete(Job* job);
110 
111   // Set owning pointers to active jobs.
112   std::map<Job*, std::unique_ptr<Job>> active_jobs_;
113 
114   // Underlying verifier used to verify certificates.
115   const raw_ptr<CertVerifier> cert_verifier_;
116 
117   const raw_ptr<TransportSecurityState> transport_security_state_;
118 
119   const raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
120 
121   std::set<std::string> hostnames_to_allow_unknown_roots_;
122 
123   const NetworkAnonymizationKey network_anonymization_key_;
124 };
125 
126 }  // namespace net
127 
128 #endif  // NET_QUIC_CRYPTO_PROOF_VERIFIER_CHROMIUM_H_
129