File: chrome_require_ct_delegate.h

package info (click to toggle)
chromium 141.0.7390.107-1~deb13u1
  • links: PTS, VCS
  • area: main
  • in suites: trixie-proposed-updates
  • size: 6,246,428 kB
  • sloc: cpp: 35,264,965; ansic: 7,169,920; javascript: 4,250,185; python: 1,460,635; asm: 950,788; xml: 751,751; pascal: 187,972; sh: 89,459; perl: 88,691; objc: 79,953; sql: 53,924; cs: 44,622; fortran: 24,137; makefile: 22,313; tcl: 15,277; php: 14,018; yacc: 8,995; ruby: 7,553; awk: 3,720; lisp: 3,096; lex: 1,330; ada: 727; jsp: 228; sed: 36
file content (97 lines) | stat: -rw-r--r-- 3,904 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_CHROME_REQUIRE_CT_DELEGATE_H_
#define COMPONENTS_CERTIFICATE_TRANSPARENCY_CHROME_REQUIRE_CT_DELEGATE_H_

#include <memory>
#include <string>
#include <string_view>
#include <vector>

#include "base/component_export.h"
#include "components/url_matcher/url_matcher.h"
#include "net/base/hash_value.h"
#include "net/cert/require_ct_delegate.h"
#include "third_party/abseil-cpp/absl/container/flat_hash_set.h"

namespace net {
class X509Certificate;
}  // namespace net

namespace certificate_transparency {

// ChromeRequireCTDelegate implements the policies used by Chrome to determine
// when to require Certificate Transparency for a host or certificate. Combined
// with ChromeCTPolicyEnforcer, these two classes implement the
// "Certificate Transparency in Chrome" policy from
// https://goo.gl/chrome/ct-policy - PolicyEnforcer imposing the policies on
// the SCTs to determine whether or not a certificate complies, and
// RequireCTDelegate to determine whether or not compliance is required for the
// connection to succeed.
//
// To support Enterprise configuration, additional requirements or exceptions
// can be provided via |UpdateCTPolicies()|, which uses the configuration
// syntax documented in pref_names.h for each of the options.
class COMPONENT_EXPORT(CERTIFICATE_TRANSPARENCY) ChromeRequireCTDelegate
    : public net::RequireCTDelegate {
 public:
  explicit ChromeRequireCTDelegate();

  ChromeRequireCTDelegate(const ChromeRequireCTDelegate&) = delete;
  ChromeRequireCTDelegate& operator=(const ChromeRequireCTDelegate&) = delete;

  // RequireCTDelegate implementation
  CTRequirementLevel IsCTRequiredForHost(
      std::string_view hostname,
      const net::X509Certificate* chain,
      const std::vector<net::SHA256HashValue>& spki_hashes) const override;

  // Updates the CTDelegate to exclude |excluded_hosts| from CT policies. In
  // addition, this method updates |excluded_spkis| intended for use within an
  // Enterprise (see https://crbug.com/824184).
  // TODO(crbug.com/41392053): make these constructor params and remove ability
  // to update existing object.
  void UpdateCTPolicies(const std::vector<std::string>& excluded_hosts,
                        const std::vector<std::string>& excluded_spkis);

 protected:
  ~ChromeRequireCTDelegate() override;

 private:
  struct Filter {
    bool match_subdomains = false;
    size_t host_length = 0;
  };

  // Returns true if a policy to disable Certificate Transparency for |hostname|
  // is found.
  bool MatchHostname(std::string_view hostname) const;

  // Returns true if a policy to disable Certificate Transparency for |chain|,
  // which contains the SPKI hashes |hashes|, is found.
  bool MatchSPKI(const net::X509Certificate* chain,
                 const std::vector<net::SHA256HashValue>& hashes) const;

  // Parses the filters from |host_patterns|, adding them as filters to
  // |filters_|, and updating |*conditions| with the corresponding
  // URLMatcher::Conditions to match the host.
  void AddFilters(const std::vector<std::string>& host_patterns,
                  url_matcher::URLMatcherConditionSet::Vector* conditions);

  // Parses the SPKIs from |spki_list|, setting |*hashes| to the set of all
  // valid SPKIs.
  void ParseSpkiHashes(const std::vector<std::string> spki_list,
                       absl::flat_hash_set<net::SHA256HashValue>* hashes) const;

  std::unique_ptr<url_matcher::URLMatcher> url_matcher_;
  base::MatcherStringPattern::ID next_id_;
  std::map<base::MatcherStringPattern::ID, Filter> filters_;

  absl::flat_hash_set<net::SHA256HashValue> spkis_;
};

}  // namespace certificate_transparency

#endif  // COMPONENTS_CERTIFICATE_TRANSPARENCY_CHROME_REQUIRE_CT_DELEGATE_H_