// Copyright 2020 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "services/cert_verifier/cert_verifier_service_factory.h" #include <memory> #include <string_view> #include "base/functional/bind.h" #include "base/functional/callback_helpers.h" #include "base/logging.h" #include "base/memory/raw_ptr.h" #include "base/memory/scoped_refptr.h" #include "base/task/thread_pool.h" #include "base/types/optional_util.h" #include "build/build_config.h" #include "crypto/sha2.h" #include "mojo/public/cpp/bindings/callback_helpers.h" #include "mojo/public/cpp/bindings/pending_receiver.h" #include "mojo/public/cpp/bindings/pending_remote.h" #include "mojo/public/cpp/bindings/remote.h" #include "net/base/features.h" #include "net/base/ip_address.h" #include "net/cert/cert_net_fetcher.h" #include "net/cert/cert_verifier.h" #include "net/cert/crl_set.h" #include "net/cert/internal/platform_trust_store.h" #include "net/cert/internal/system_trust_store.h" #include "net/cert/internal/trust_store_chrome.h" #include "net/cert/x509_util.h" #include "net/net_buildflags.h" #include "services/cert_verifier/cert_net_url_loader/cert_net_fetcher_url_loader.h" #include "services/cert_verifier/cert_verifier_creation.h" #include "services/cert_verifier/cert_verifier_service.h" #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom.h" #include "services/network/public/mojom/url_loader_factory.mojom.h" #if BUILDFLAG(IS_CT_SUPPORTED) #include "components/certificate_transparency/chrome_ct_policy_enforcer.h" #include "services/network/public/mojom/ct_log_info.mojom.h" #endif #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) #include <optional> #include "base/version_info/version_info.h" // nogncheck #include "mojo/public/cpp/base/big_buffer.h" #include "mojo/public/cpp/base/proto_wrapper.h" #include "net/cert/internal/trust_store_chrome.h" #include "net/cert/root_store_proto_lite/root_store.pb.h" #include "third_party/boringssl/src/pki/parse_name.h" #include "third_party/boringssl/src/pki/parsed_certificate.h" #endif namespace net { class ChromeRootStoreData; } namespace cert_verifier { namespace { internal::CertVerifierServiceImpl* GetNewCertVerifierImpl( mojo::PendingReceiver<mojom::CertVerifierService> service_receiver, mojo::PendingReceiver<mojom::CertVerifierServiceUpdater> updater_receiver, mojo::PendingRemote<mojom::CertVerifierServiceClient> client, mojom::CertVerifierCreationParamsPtr creation_params, const net::CertVerifyProc::ImplParams& impl_params, scoped_refptr<CertNetFetcherURLLoader>* out_cert_net_fetcher) { … } #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) std::string GetHash(const bssl::ParsedCertificate& cert) { … } bool IsVersionConstraintSatisified( const net::ChromeRootCertConstraints constraint) { … } // we only check any version constraints, as we don't have a certificate here to // check any SCT constraints. bool IsAnchorTrustedOnThisChromeVersion( const net::ChromeRootStoreData::Anchor& anchor) { … } #endif // Attempts to parse |crl_set|, returning nullptr on error or the parsed // CRLSet. scoped_refptr<net::CRLSet> ParseCRLSet(mojo_base::BigBuffer crl_set) { … } #if BUILDFLAG(IS_CT_SUPPORTED) // Filters `log_list` for disqualified logs, returning them as sorted vectors // in `disqualified_logs`, and stores the operator history of all logs in // `operator_history`, suitable for use with a `CTPolicyEnforcer`. void GetCTPolicyConfigForCTLogInfo( const std::vector<network::mojom::CTLogInfoPtr>& log_list, std::vector<std::pair<std::string, base::Time>>* disqualified_logs, std::map<std::string, certificate_transparency::OperatorHistoryEntry>* operator_history) { … } #endif } // namespace CertVerifierServiceFactoryImpl::CertVerifierServiceFactoryImpl( mojo::PendingReceiver<mojom::CertVerifierServiceFactory> receiver) : … { … } CertVerifierServiceFactoryImpl::~CertVerifierServiceFactoryImpl() = default; void CertVerifierServiceFactoryImpl::GetNewCertVerifier( mojo::PendingReceiver<mojom::CertVerifierService> service_receiver, mojo::PendingReceiver<mojom::CertVerifierServiceUpdater> updater_receiver, mojo::PendingRemote<mojom::CertVerifierServiceClient> client, mojom::CertVerifierCreationParamsPtr creation_params) { … } void CertVerifierServiceFactoryImpl::GetNewCertVerifierForTesting( mojo::PendingReceiver<mojom::CertVerifierService> service_receiver, mojo::PendingReceiver<mojom::CertVerifierServiceUpdater> updater_receiver, mojo::PendingRemote<mojom::CertVerifierServiceClient> client, mojom::CertVerifierCreationParamsPtr creation_params, scoped_refptr<CertNetFetcherURLLoader>* cert_net_fetcher_ptr) { … } void CertVerifierServiceFactoryImpl::UpdateCRLSet( mojo_base::BigBuffer crl_set, mojom::CertVerifierServiceFactory::UpdateCRLSetCallback callback) { … } #if BUILDFLAG(IS_CT_SUPPORTED) void CertVerifierServiceFactoryImpl::UpdateCtLogList( std::vector<network::mojom::CTLogInfoPtr> log_list, base::Time update_time, UpdateCtLogListCallback callback) { … } #endif void CertVerifierServiceFactoryImpl::OnCRLSetParsed( scoped_refptr<net::CRLSet> parsed_crl_set) { … } #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) void CertVerifierServiceFactoryImpl::UpdateChromeRootStore( mojo_base::ProtoWrapper new_root_store, UpdateChromeRootStoreCallback callback) { … } void CertVerifierServiceFactoryImpl::GetChromeRootStoreInfo( GetChromeRootStoreInfoCallback callback) { … } // TODO(crbug.com/40928765): look into adding a test here. Possible ways to do // this: // * add a SetSystemTrustStoreForTesting() call, have code use that if its set. // * save a SystemTrustStore upon first call add a // UpdateSystemTrustStoreForTesting void CertVerifierServiceFactoryImpl::GetPlatformRootStoreInfo( GetPlatformRootStoreInfoCallback callback) { … } #endif void CertVerifierServiceFactoryImpl::UpdateNetworkTime( base::Time system_time, base::TimeTicks system_ticks, base::Time current_time) { … } #if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL) void CertVerifierServiceFactoryImpl::SetUseChromeRootStore( bool use_crs, SetUseChromeRootStoreCallback callback) { if (use_crs != proc_params_.use_chrome_root_store) { proc_params_.use_chrome_root_store = use_crs; UpdateVerifierServices(); } std::move(callback).Run(); } #endif void CertVerifierServiceFactoryImpl::RemoveService( internal::CertVerifierServiceImpl* service_impl) { … } void CertVerifierServiceFactoryImpl::UpdateVerifierServices() { … } } // namespace cert_verifier
Codebase Browser
chromium