| // Copyright 2020 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef QUICHE_QUIC_QUIC_TRANSPORT_FINGERPRINT_PROOF_VERIFIER_H_ |
| #define QUICHE_QUIC_QUIC_TRANSPORT_FINGERPRINT_PROOF_VERIFIER_H_ |
| |
| #include <vector> |
| |
| #include "absl/strings/string_view.h" |
| #include "quic/core/crypto/certificate_view.h" |
| #include "quic/core/crypto/proof_verifier.h" |
| #include "quic/core/quic_clock.h" |
| #include "quic/platform/api/quic_export.h" |
| |
| namespace quic { |
| |
| // Represents a fingerprint of an X.509 certificate in a format based on |
| // https://w3c.github.io/webrtc-pc/#dom-rtcdtlsfingerprint. |
| // TODO(vasilvv): remove this once all consumers of this API use |
| // WebTransportHash. |
| struct QUIC_EXPORT_PRIVATE CertificateFingerprint { |
| static constexpr char kSha256[] = "sha-256"; |
| |
| // An algorithm described by one of the names in |
| // https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml |
| std::string algorithm; |
| // Hex-encoded, colon-separated fingerprint of the certificate. For example, |
| // "12:3d:5b:71:8c:54:df:85:7e:bd:e3:7c:66:da:f9:db:6a:94:8f:85:cb:6e:44:7f:09:3e:05:f2:dd:d4:f7:86" |
| std::string fingerprint; |
| }; |
| |
| // Represents a fingerprint of an X.509 certificate in a format based on |
| // https://w3c.github.io/webtransport/#dictdef-webtransporthash. |
| struct QUIC_EXPORT_PRIVATE WebTransportHash { |
| static constexpr char kSha256[] = "sha-256"; |
| |
| // An algorithm described by one of the names in |
| // https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml |
| std::string algorithm; |
| // Raw bytes of the hash. |
| std::string value; |
| }; |
| |
| // WebTransportFingerprintProofVerifier verifies the server leaf certificate |
| // against a supplied list of certificate fingerprints following the procedure |
| // described in the WebTransport specification. The certificate is deemed |
| // trusted if it matches a fingerprint in the list, has expiry dates that are |
| // not too long and has not expired. Only the leaf is checked, the rest of the |
| // chain is ignored. Reference specification: |
| // https://wicg.github.io/web-transport/#dom-quictransportconfiguration-server_certificate_fingerprints |
| class QUIC_EXPORT_PRIVATE WebTransportFingerprintProofVerifier |
| : public ProofVerifier { |
| public: |
| // Note: the entries in this list may be logged into a UMA histogram, and thus |
| // should not be renumbered. |
| enum class Status { |
| kValidCertificate = 0, |
| kUnknownFingerprint = 1, |
| kCertificateParseFailure = 2, |
| kExpiryTooLong = 3, |
| kExpired = 4, |
| kInternalError = 5, |
| kDisallowedKeyAlgorithm = 6, |
| |
| kMaxValue = kDisallowedKeyAlgorithm, |
| }; |
| |
| class QUIC_EXPORT_PRIVATE Details : public ProofVerifyDetails { |
| public: |
| explicit Details(Status status) : status_(status) {} |
| Status status() const { return status_; } |
| |
| ProofVerifyDetails* Clone() const override; |
| |
| private: |
| const Status status_; |
| }; |
| |
| // |clock| is used to check if the certificate has expired. It is not owned |
| // and must outlive the object. |max_validity_days| is the maximum time for |
| // which the certificate is allowed to be valid. |
| WebTransportFingerprintProofVerifier(const QuicClock* clock, |
| int max_validity_days); |
| |
| // Adds a certificate fingerprint to be trusted. The fingerprints are |
| // case-insensitive and are validated internally; the function returns true if |
| // the validation passes. |
| bool AddFingerprint(CertificateFingerprint fingerprint); |
| bool AddFingerprint(WebTransportHash hash); |
| |
| // ProofVerifier implementation. |
| QuicAsyncStatus VerifyProof( |
| const std::string& hostname, |
| const uint16_t port, |
| const std::string& server_config, |
| QuicTransportVersion transport_version, |
| absl::string_view chlo_hash, |
| const std::vector<std::string>& certs, |
| const std::string& cert_sct, |
| const std::string& signature, |
| const ProofVerifyContext* context, |
| std::string* error_details, |
| std::unique_ptr<ProofVerifyDetails>* details, |
| std::unique_ptr<ProofVerifierCallback> callback) override; |
| QuicAsyncStatus VerifyCertChain( |
| const std::string& hostname, |
| const uint16_t port, |
| const std::vector<std::string>& certs, |
| const std::string& ocsp_response, |
| const std::string& cert_sct, |
| const ProofVerifyContext* context, |
| std::string* error_details, |
| std::unique_ptr<ProofVerifyDetails>* details, |
| uint8_t* out_alert, |
| std::unique_ptr<ProofVerifierCallback> callback) override; |
| std::unique_ptr<ProofVerifyContext> CreateDefaultContext() override; |
| |
| protected: |
| virtual bool IsKeyTypeAllowedByPolicy(const CertificateView& certificate); |
| |
| private: |
| bool HasKnownFingerprint(absl::string_view der_certificate); |
| bool HasValidExpiry(const CertificateView& certificate); |
| bool IsWithinValidityPeriod(const CertificateView& certificate); |
| |
| const QuicClock* clock_; // Unowned. |
| const int max_validity_days_; |
| const QuicTime::Delta max_validity_; |
| std::vector<WebTransportHash> hashes_; |
| }; |
| |
| } // namespace quic |
| |
| #endif // QUICHE_QUIC_QUIC_TRANSPORT_FINGERPRINT_PROOF_VERIFIER_H_ |
