| // Copyright 2018 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef NET_CERT_TRIAL_COMPARISON_CERT_VERIFIER_H_ |
| #define NET_CERT_TRIAL_COMPARISON_CERT_VERIFIER_H_ |
| |
| #include <stdint.h> |
| |
| #include <memory> |
| #include <set> |
| #include <string> |
| |
| #include "base/containers/unique_ptr_adapters.h" |
| #include "base/memory/scoped_refptr.h" |
| #include "base/memory/weak_ptr.h" |
| #include "base/threading/thread_checker.h" |
| #include "net/base/net_export.h" |
| #include "net/cert/cert_verifier.h" |
| |
| namespace net { |
| class CertVerifyProcFactory; |
| class CertNetFetcher; |
| |
| // TrialComparisonCertVerifier is a CertVerifier that can be used to compare |
| // the results between two different CertVerifyProcs. The results are reported |
| // back to the caller via a ReportCallback, allowing the caller to further |
| // examine the differences. |
| class NET_EXPORT TrialComparisonCertVerifier |
| : public CertVerifierWithUpdatableProc, |
| public CertVerifier::Observer { |
| public: |
| using ReportCallback = base::RepeatingCallback<void( |
| const std::string& hostname, |
| const scoped_refptr<X509Certificate>& unverified_cert, |
| bool enable_rev_checking, |
| bool require_rev_checking_local_anchors, |
| bool enable_sha1_local_anchors, |
| bool disable_symantec_enforcement, |
| const std::string& stapled_ocsp, |
| const std::string& sct_list, |
| const net::CertVerifyResult& primary_result, |
| const net::CertVerifyResult& trial_result)>; |
| |
| // Create a new TrialComparisonCertVerifier. The `verify_proc_factory` will |
| // be used to create the underlying primary and trial verifiers. |
| // |
| // Initially, no trial verifications will actually be performed; that is, |
| // calls to Verify() will be dispatched to the underlying `primary_verifier_` |
| // or `trial_verifier_` depending on the `impl_params`. This can be changed |
| // by calling `set_trial_allowed()`. |
| // |
| // When trial verifications are enabled, calls to Verify() will first call |
| // into `primary_verifier_` to verify. The result of this verification will |
| // be immediately returned to the caller of Verify, allowing them to proceed. |
| // However, the verifier will continue in the background, attempting to |
| // verify the same RequestParams using `trial_verifier_`. If there are |
| // differences in the results, they will be reported via `report_callback`, |
| // allowing the creator to receive information about differences. |
| // |
| // If the caller abandons the CertVerifier::Request prior to the primary |
| // verification completed, no trial verification will be done. However, once |
| // the primary verifier has returned, the trial verifications will continue, |
| // provided that the underlying configuration has not been changed by |
| // calling `SetConfig()` or `UpdateVerifyProcData()`. |
| // |
| // Note that there may be multiple calls to both the primary CertVerifyProc |
| // and trial CertVerifyProc, using different parameters to account for |
| // platform differences. |
| TrialComparisonCertVerifier( |
| scoped_refptr<CertVerifyProcFactory> verify_proc_factory, |
| scoped_refptr<CertNetFetcher> cert_net_fetcher, |
| const CertVerifyProcFactory::ImplParams& impl_params, |
| ReportCallback report_callback); |
| |
| TrialComparisonCertVerifier(const TrialComparisonCertVerifier&) = delete; |
| TrialComparisonCertVerifier& operator=(const TrialComparisonCertVerifier&) = |
| delete; |
| |
| ~TrialComparisonCertVerifier() override; |
| |
| void set_trial_allowed(bool allowed) { allowed_ = allowed; } |
| bool trial_allowed() const { return allowed_; } |
| |
| // CertVerifier implementation |
| int Verify(const RequestParams& params, |
| CertVerifyResult* verify_result, |
| CompletionOnceCallback callback, |
| std::unique_ptr<Request>* out_req, |
| const NetLogWithSource& net_log) override; |
| void SetConfig(const Config& config) override; |
| void AddObserver(CertVerifier::Observer* observer) override; |
| void RemoveObserver(CertVerifier::Observer* observer) override; |
| void UpdateVerifyProcData( |
| scoped_refptr<CertNetFetcher> cert_net_fetcher, |
| const CertVerifyProcFactory::ImplParams& impl_params) override; |
| |
| private: |
| class Job; |
| friend class Job; |
| |
| CertVerifier* primary_verifier() const { return primary_verifier_.get(); } |
| CertVerifier* primary_reverifier() const { return primary_reverifier_.get(); } |
| CertVerifier* trial_verifier() const { return trial_verifier_.get(); } |
| |
| void RemoveJob(Job* job_ptr); |
| void NotifyJobsOfConfigChange(); |
| |
| // Processes the params from the caller, updates the state of the trial and |
| // returns the pair of {primary verifier params, trial verifier params} to |
| // be used in creating or updating the wrapped verifiers. |
| std::tuple<CertVerifyProcFactory::ImplParams, |
| CertVerifyProcFactory::ImplParams> |
| ProcessImplParams(const CertVerifyProcFactory::ImplParams& impl_params); |
| |
| // CertVerifier::Observer methods: |
| void OnCertVerifierChanged() override; |
| |
| // Whether the trial is allowed. |
| bool allowed_ = false; |
| // Callback that reports are sent to. |
| ReportCallback report_callback_; |
| |
| // The actual `use_chrome_root_store` value that is requested by the caller. |
| // This determines which verifier's result is returned to the caller as the |
| // actual verification result. |
| bool actual_use_chrome_root_store_; |
| |
| CertVerifier::Config config_; |
| |
| std::unique_ptr<CertVerifierWithUpdatableProc> primary_verifier_; |
| std::unique_ptr<CertVerifierWithUpdatableProc> primary_reverifier_; |
| std::unique_ptr<CertVerifierWithUpdatableProc> trial_verifier_; |
| |
| std::set<std::unique_ptr<Job>, base::UniquePtrComparator> jobs_; |
| |
| THREAD_CHECKER(thread_checker_); |
| }; |
| |
| } // namespace net |
| |
| #endif // NET_CERT_TRIAL_COMPARISON_CERT_VERIFIER_H_ |
