quic/core/crypto/client_proof_source.h - quiche - Git at Google

 // Copyright (c) 2021 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_
 #define QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_

 #include <memory>

 #include "absl/container/flat_hash_map.h"
 #include "quic/core/crypto/certificate_view.h"
 #include "quic/core/crypto/proof_source.h"

 namespace quic {

 // ClientProofSource is the interface for a QUIC client to provide client certs
 // and keys based on server hostname. It is only used by TLS handshakes.
 class QUIC_EXPORT_PRIVATE ClientProofSource {
  public:
   using Chain = ProofSource::Chain;

   virtual ~ClientProofSource() {}

   struct QUIC_EXPORT_PRIVATE CertAndKey {
     CertAndKey(QuicReferenceCountedPointer<Chain> chain,
                CertificatePrivateKey private_key)
         : chain(std::move(chain)), private_key(std::move(private_key)) {}

     QuicReferenceCountedPointer<Chain> chain;
     CertificatePrivateKey private_key;
   };

   // Get the client certificate to be sent to the server with |server_hostname|
   // and its corresponding private key. It returns nullptr if the cert and key
   // can not be found.
   //
   // |server_hostname| is typically a full domain name(www.foo.com), but it
   // could also be a wildcard domain(*.foo.com), or a "*" which will return the
   // default cert.
   virtual const CertAndKey* GetCertAndKey(
       absl::string_view server_hostname) const = 0;
 };

 // DefaultClientProofSource is an implementation that simply keeps an in memory
 // map of server hostnames to certs.
 class QUIC_EXPORT_PRIVATE DefaultClientProofSource : public ClientProofSource {
  public:
   ~DefaultClientProofSource() override {}

   // Associate all hostnames in |server_hostnames| with {|chain|,|private_key|}.
   // Elements of |server_hostnames| can be full domain names(www.foo.com),
   // wildcard domains(*.foo.com), or "*" which means the given cert chain is the
   // default one.
   // If any element of |server_hostnames| is already associated with a cert
   // chain, it will be updated to be associated with the new cert chain.
   bool AddCertAndKey(std::vector<std::string> server_hostnames,
                      QuicReferenceCountedPointer<Chain> chain,
                      CertificatePrivateKey private_key);

   // ClientProofSource implementation
   const CertAndKey* GetCertAndKey(absl::string_view hostname) const override;

  private:
   const CertAndKey* LookupExact(absl::string_view map_key) const;
   absl::flat_hash_map<std::string, std::shared_ptr<CertAndKey>> cert_and_keys_;
 };

 }  // namespace quic

 #endif  // QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_
	// Copyright (c) 2021 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_
	#define QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_

	#include <memory>

	#include "absl/container/flat_hash_map.h"
	#include "quic/core/crypto/certificate_view.h"
	#include "quic/core/crypto/proof_source.h"

	namespace quic {

	// ClientProofSource is the interface for a QUIC client to provide client certs
	// and keys based on server hostname. It is only used by TLS handshakes.
	class QUIC_EXPORT_PRIVATE ClientProofSource {
	public:
	using Chain = ProofSource::Chain;

	virtual ~ClientProofSource() {}

	struct QUIC_EXPORT_PRIVATE CertAndKey {
	CertAndKey(QuicReferenceCountedPointer<Chain> chain,
	CertificatePrivateKey private_key)
	: chain(std::move(chain)), private_key(std::move(private_key)) {}

	QuicReferenceCountedPointer<Chain> chain;
	CertificatePrivateKey private_key;
	};

	// Get the client certificate to be sent to the server with \|server_hostname\|
	// and its corresponding private key. It returns nullptr if the cert and key
	// can not be found.
	//
	// \|server_hostname\| is typically a full domain name(www.foo.com), but it
	// could also be a wildcard domain(.foo.com), or a "" which will return the
	// default cert.
	virtual const CertAndKey* GetCertAndKey(
	absl::string_view server_hostname) const = 0;
	};

	// DefaultClientProofSource is an implementation that simply keeps an in memory
	// map of server hostnames to certs.
	class QUIC_EXPORT_PRIVATE DefaultClientProofSource : public ClientProofSource {
	public:
	~DefaultClientProofSource() override {}

	// Associate all hostnames in \|server_hostnames\| with {\|chain\|,\|private_key\|}.
	// Elements of \|server_hostnames\| can be full domain names(www.foo.com),
	// wildcard domains(.foo.com), or "" which means the given cert chain is the
	// default one.
	// If any element of \|server_hostnames\| is already associated with a cert
	// chain, it will be updated to be associated with the new cert chain.
	bool AddCertAndKey(std::vector<std::string> server_hostnames,
	QuicReferenceCountedPointer<Chain> chain,
	CertificatePrivateKey private_key);

	// ClientProofSource implementation
	const CertAndKey* GetCertAndKey(absl::string_view hostname) const override;

	private:
	const CertAndKey* LookupExact(absl::string_view map_key) const;
	absl::flat_hash_map<std::string, std::shared_ptr<CertAndKey>> cert_and_keys_;
	};

	} // namespace quic

	#endif // QUICHE_QUIC_CORE_CRYPTO_CLIENT_PROOF_SOURCE_H_