// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_
#define QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_

#include <cstdint>
#include <forward_list>
#include <memory>
#include <string>

#include "net/third_party/quiche/src/quic/core/crypto/certificate_view.h"
#include "net/third_party/quiche/src/quic/core/crypto/proof_source.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
#include "net/third_party/quiche/src/quic/platform/api/quic_macros.h"
#include "net/third_party/quiche/src/common/platform/api/quiche_string_piece.h"

namespace quic {

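// ProofSourceX509 is a ProofSource backed by X.509 certificate chains and
// their private keys.  Requests are served with the chain whose
// SubjectAltName matches the requested hostname; when nothing matches, the
// default chain supplied at creation is used.  The object owns private key
// material, so instances are only handed out through Create() as a
// unique_ptr and are not copyable.
class QUIC_EXPORT_PRIVATE ProofSourceX509 : public ProofSource {
 public:
  // Creates a proof source that uses |default_chain| when no SubjectAltName
  // value matches.  Returns nullptr if |default_chain| is invalid; callers
  // must check the result before use.
  static std::unique_ptr<ProofSourceX509> Create(
      QuicReferenceCountedPointer<Chain> default_chain,
      CertificatePrivateKey default_key);

  // |certificate_map_| and |default_certificate_| hold raw pointers into this
  // object's own |certificates_| list.  A copy would alias (and, once the
  // source is destroyed, dangle) those pointers, so copying is disallowed.
  ProofSourceX509(const ProofSourceX509&) = delete;
  ProofSourceX509& operator=(const ProofSourceX509&) = delete;

  // ProofSource implementation.  |hostname| selects the certificate via
  // GetCertificate(); see that method for the fallback rule.
  void GetProof(const QuicSocketAddress& server_address,
                const QuicSocketAddress& client_address,
                const std::string& hostname,
                const std::string& server_config,
                QuicTransportVersion transport_version,
                quiche::QuicheStringPiece chlo_hash,
                std::unique_ptr<Callback> callback) override;
  QuicReferenceCountedPointer<Chain> GetCertChain(
      const QuicSocketAddress& server_address,
      const QuicSocketAddress& client_address,
      const std::string& hostname) override;
  void ComputeTlsSignature(
      const QuicSocketAddress& server_address,
      const QuicSocketAddress& client_address,
      const std::string& hostname,
      uint16_t signature_algorithm,
      quiche::QuicheStringPiece in,
      std::unique_ptr<SignatureCallback> callback) override;
  TicketCrypter* GetTicketCrypter() override;

  // Adds a certificate chain (with its private key) to the proof source.
  // Returns false if the chain is not valid, in which case nothing is added.
  // Newer certificates override older certificates with the same
  // SubjectAltName value.
  QUIC_MUST_USE_RESULT bool AddCertificateChain(
      QuicReferenceCountedPointer<Chain> chain,
      CertificatePrivateKey key);

 private:
  // Only Create() may construct an instance; it is responsible for
  // installing the default chain and setting |default_certificate_|.
  ProofSourceX509() = default;

  // A certificate chain paired with the private key that signs for it.
  struct QUIC_EXPORT_PRIVATE Certificate {
    QuicReferenceCountedPointer<Chain> chain;
    CertificatePrivateKey key;
  };

  // Looks up the certificate for |hostname|; returns the default certificate
  // if no SubjectAltName entry matches.
  Certificate* GetCertificate(const std::string& hostname) const;

  // Owns every added certificate.  A forward_list is used because inserting
  // into it does not invalidate pointers to existing elements, which keeps
  // the raw pointers below valid as chains are added.
  std::forward_list<Certificate> certificates_;
  // Points into |certificates_|; null until Create() installs the default
  // chain, so a half-constructed object never holds an indeterminate pointer.
  Certificate* default_certificate_ = nullptr;
  // SubjectAltName value -> entry in |certificates_|.
  QuicUnorderedMap<std::string, Certificate*> certificate_map_;
};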

}  // namespace quic

#endif  // QUICHE_QUIC_CORE_CRYPTO_PROOF_SOURCE_X509_H_