// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/crl_set.h" #include <algorithm> #include <string_view> #include "base/base64.h" #include "base/json/json_reader.h" #include "base/time/time.h" #include "base/values.h" #include "crypto/sha2.h" #include "net/base/trace_constants.h" #include "net/base/tracing.h" #include "third_party/boringssl/src/include/openssl/bytestring.h" #include "third_party/boringssl/src/include/openssl/mem.h" namespace net { namespace { // CRLSet format: // // uint16le header_len // byte[header_len] header_bytes // repeated { // byte[32] parent_spki_sha256 // uint32le num_serials // [num_serials] { // uint8_t serial_length; // byte[serial_length] serial; // } // // header_bytes consists of a JSON dictionary with the following keys: // Version (int): currently 0 // ContentType (string): "CRLSet" (magic value) // Sequence (int32_t): the monotonic sequence number of this CRL set. // NotAfter (optional) (double/int64_t): The number of seconds since the // Unix epoch, after which, this CRLSet is expired. // BlockedSPKIs (array of string): An array of Base64 encoded, SHA-256 hashed // SubjectPublicKeyInfos that should be blocked. // LimitedSubjects (object/map of string -> array of string): A map between // the Base64-encoded SHA-256 hash of the DER-encoded Subject and the // Base64-encoded SHA-256 hashes of the SubjectPublicKeyInfos that are // allowed for that subject. // KnownInterceptionSPKIs (array of string): An array of Base64-encoded // SHA-256 hashed SubjectPublicKeyInfos known to be used for interception. // BlockedInterceptionSPKIs (array of string): An array of Base64-encoded // SHA-256 hashed SubjectPublicKeyInfos known to be used for interception // and that should be actively blocked. // // ReadHeader reads the header (including length prefix) from |data| and // updates |data| to remove the header on return. Caller takes ownership of the // returned pointer. std::optional<base::Value> ReadHeader(std::string_view* data) { … } // kCurrentFileVersion is the version of the CRLSet file format that we // currently implement. static const int kCurrentFileVersion = …; bool ReadCRL(std::string_view* data, std::string* out_parent_spki_hash, std::vector<std::string>* out_serials) { … } // CopyHashListFromHeader parses a list of base64-encoded, SHA-256 hashes from // the given |key| (without path expansion) in |header_dict| and sets |*out| // to the decoded values. It's not an error if |key| is not found in // |header_dict|. bool CopyHashListFromHeader(const base::Value::Dict& header_dict, const char* key, std::vector<std::string>* out) { … } // CopyHashToHashesMapFromHeader parse a map from base64-encoded, SHA-256 // hashes to lists of the same, from the given |key| in |header_dict|. It // copies the map data into |out| (after base64-decoding). bool CopyHashToHashesMapFromHeader( const base::Value::Dict& header_dict, const char* key, std::unordered_map<std::string, std::vector<std::string>>* out) { … } } // namespace CRLSet::CRLSet() = default; CRLSet::~CRLSet() = default; // static bool CRLSet::Parse(std::string_view data, scoped_refptr<CRLSet>* out_crl_set) { … } CRLSet::Result CRLSet::CheckSPKI(std::string_view spki_hash) const { … } CRLSet::Result CRLSet::CheckSubject(std::string_view encoded_subject, std::string_view spki_hash) const { … } CRLSet::Result CRLSet::CheckSerial(std::string_view serial_number, std::string_view issuer_spki_hash) const { … } bool CRLSet::IsKnownInterceptionKey(std::string_view spki_hash) const { … } bool CRLSet::IsExpired() const { … } uint32_t CRLSet::sequence() const { … } const CRLSet::CRLList& CRLSet::CrlsForTesting() const { … } // static scoped_refptr<CRLSet> CRLSet::BuiltinCRLSet() { … } // static scoped_refptr<CRLSet> CRLSet::EmptyCRLSetForTesting() { … } // static scoped_refptr<CRLSet> CRLSet::ExpiredCRLSetForTesting() { … } // static scoped_refptr<CRLSet> CRLSet::ForTesting( bool is_expired, const SHA256HashValue* issuer_spki, std::string_view serial_number, std::string_view utf8_common_name, const std::vector<std::string>& acceptable_spki_hashes_for_cn) { … } } // namespace net
Codebase Browser
chromium