services/cert_verifier/cert_verifier_creation.cc - chromium/src - Git at Google

 // Copyright 2020 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "services/cert_verifier/cert_verifier_creation.h"

 #include "build/build_config.h"
 #include "build/chromeos_buildflags.h"
 #include "net/base/features.h"
 #include "net/cert_net/cert_net_fetcher_url_request.h"
 #include "net/net_buildflags.h"

 #if BUILDFLAG(IS_CHROMEOS_ASH)
 #include "crypto/nss_util_internal.h"
 #include "net/cert/cert_verify_proc.h"
 #include "net/cert/cert_verify_proc_builtin.h"
 #include "net/cert/internal/system_trust_store.h"
 #include "net/cert/internal/system_trust_store_nss.h"
 #include "net/cert/multi_threaded_cert_verifier.h"
 #endif

 #if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED) || \
     BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
 #include "net/cert/cert_verify_proc.h"
 #include "net/cert/cert_verify_proc_builtin.h"
 #include "net/cert/multi_threaded_cert_verifier.h"
 #endif

 #if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
 #include "services/cert_verifier/trial_comparison_cert_verifier_mojo.h"
 #endif

 namespace cert_verifier {

 namespace {

 #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
 bool UsingBuiltinCertVerifier(
     mojom::CertVerifierCreationParams::CertVerifierImpl mode) {
   switch (mode) {
     case mojom::CertVerifierCreationParams::CertVerifierImpl::kDefault:
       return base::FeatureList::IsEnabled(
           net::features::kCertVerifierBuiltinFeature);
     case mojom::CertVerifierCreationParams::CertVerifierImpl::kBuiltin:
       return true;
     case mojom::CertVerifierCreationParams::CertVerifierImpl::kSystem:
       return false;
   }
 }
 #endif

 #if BUILDFLAG(IS_CHROMEOS_ASH)
 scoped_refptr<net::CertVerifyProc> CreateCertVerifyProcForUser(
     scoped_refptr<net::CertNetFetcher> net_fetcher,
     crypto::ScopedPK11Slot user_public_slot) {
   return net::CreateCertVerifyProcBuiltin(
       std::move(net_fetcher),
       net::CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
           std::move(user_public_slot)));
 }

 scoped_refptr<net::CertVerifyProc> CreateCertVerifyProcWithoutUserSlots(
     scoped_refptr<net::CertNetFetcher> net_fetcher) {
   return net::CreateCertVerifyProcBuiltin(
       std::move(net_fetcher),
       net::CreateSslSystemTrustStoreNSSWithNoUserSlots());
 }
 #endif  // BUILDFLAG(IS_CHROMEOS_ASH)

 }  // namespace

 bool IsUsingCertNetFetcher() {
 #if defined(OS_ANDROID) || defined(OS_FUCHSIA) || defined(OS_CHROMEOS) || \
     defined(OS_LINUX) ||                                                  \
     BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED) ||                \
     BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
   return true;
 #else
   return false;
 #endif
 }

 std::unique_ptr<net::CertVerifier> CreateCertVerifier(
     mojom::CertVerifierCreationParams* creation_params,
     scoped_refptr<net::CertNetFetcher> cert_net_fetcher) {
   DCHECK(cert_net_fetcher || !IsUsingCertNetFetcher());

   std::unique_ptr<net::CertVerifier> cert_verifier;

   bool use_builtin_cert_verifier;
 #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
   use_builtin_cert_verifier =
       creation_params
           ? UsingBuiltinCertVerifier(creation_params->use_builtin_cert_verifier)
           : UsingBuiltinCertVerifier(
                 mojom::CertVerifierCreationParams::CertVerifierImpl::kDefault);
 #else
   use_builtin_cert_verifier = false;
 #endif

 #if BUILDFLAG(IS_CHROMEOS_ASH)
   scoped_refptr<net::CertVerifyProc> verify_proc;
   if (!creation_params || creation_params->username_hash.empty()) {
     verify_proc =
         CreateCertVerifyProcWithoutUserSlots(std::move(cert_net_fetcher));
   } else {
     // Make sure NSS is initialized for the user.
     crypto::InitializeNSSForChromeOSUser(creation_params->username_hash,
                                          creation_params->nss_path.value());

     crypto::ScopedPK11Slot public_slot =
         crypto::GetPublicSlotForChromeOSUser(creation_params->username_hash);
     verify_proc = CreateCertVerifyProcForUser(std::move(cert_net_fetcher),
                                               std::move(public_slot));
   }
   cert_verifier =
       std::make_unique<net::MultiThreadedCertVerifier>(std::move(verify_proc));
 #endif
 #if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
   if (!cert_verifier && creation_params &&
       creation_params->trial_comparison_cert_verifier_params) {
     cert_verifier = std::make_unique<TrialComparisonCertVerifierMojo>(
         creation_params->trial_comparison_cert_verifier_params->initial_allowed,
         std::move(creation_params->trial_comparison_cert_verifier_params
                       ->config_client_receiver),
         std::move(creation_params->trial_comparison_cert_verifier_params
                       ->report_client),
         net::CertVerifyProc::CreateSystemVerifyProc(cert_net_fetcher),
         net::CertVerifyProc::CreateBuiltinVerifyProc(cert_net_fetcher));
   }
 #endif
 #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
   if (!cert_verifier) {
     cert_verifier = std::make_unique<net::MultiThreadedCertVerifier>(
         use_builtin_cert_verifier
             ? net::CertVerifyProc::CreateBuiltinVerifyProc(
                   std::move(cert_net_fetcher))
             : net::CertVerifyProc::CreateSystemVerifyProc(
                   std::move(cert_net_fetcher)));
   }
 #endif

   if (!cert_verifier) {
     cert_verifier = net::CertVerifier::CreateDefaultWithoutCaching(
         std::move(cert_net_fetcher));
   }

   return cert_verifier;
 }
 }  // namespace cert_verifier
	// Copyright 2020 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "services/cert_verifier/cert_verifier_creation.h"

	#include "build/build_config.h"
	#include "build/chromeos_buildflags.h"
	#include "net/base/features.h"
	#include "net/cert_net/cert_net_fetcher_url_request.h"
	#include "net/net_buildflags.h"

	#if BUILDFLAG(IS_CHROMEOS_ASH)
	#include "crypto/nss_util_internal.h"
	#include "net/cert/cert_verify_proc.h"
	#include "net/cert/cert_verify_proc_builtin.h"
	#include "net/cert/internal/system_trust_store.h"
	#include "net/cert/internal/system_trust_store_nss.h"
	#include "net/cert/multi_threaded_cert_verifier.h"
	#endif

	#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED) \|\| \
	BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
	#include "net/cert/cert_verify_proc.h"
	#include "net/cert/cert_verify_proc_builtin.h"
	#include "net/cert/multi_threaded_cert_verifier.h"
	#endif

	#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
	#include "services/cert_verifier/trial_comparison_cert_verifier_mojo.h"
	#endif

	namespace cert_verifier {

	namespace {

	#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
	bool UsingBuiltinCertVerifier(
	mojom::CertVerifierCreationParams::CertVerifierImpl mode) {
	switch (mode) {
	case mojom::CertVerifierCreationParams::CertVerifierImpl::kDefault:
	return base::FeatureList::IsEnabled(
	net::features::kCertVerifierBuiltinFeature);
	case mojom::CertVerifierCreationParams::CertVerifierImpl::kBuiltin:
	return true;
	case mojom::CertVerifierCreationParams::CertVerifierImpl::kSystem:
	return false;
	}
	}
	#endif

	#if BUILDFLAG(IS_CHROMEOS_ASH)
	scoped_refptr<net::CertVerifyProc> CreateCertVerifyProcForUser(
	scoped_refptr<net::CertNetFetcher> net_fetcher,
	crypto::ScopedPK11Slot user_public_slot) {
	return net::CreateCertVerifyProcBuiltin(
	std::move(net_fetcher),
	net::CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
	std::move(user_public_slot)));
	}

	scoped_refptr<net::CertVerifyProc> CreateCertVerifyProcWithoutUserSlots(
	scoped_refptr<net::CertNetFetcher> net_fetcher) {
	return net::CreateCertVerifyProcBuiltin(
	std::move(net_fetcher),
	net::CreateSslSystemTrustStoreNSSWithNoUserSlots());
	}
	#endif // BUILDFLAG(IS_CHROMEOS_ASH)

	} // namespace

	bool IsUsingCertNetFetcher() {
	#if defined(OS_ANDROID) \|\| defined(OS_FUCHSIA) \|\| defined(OS_CHROMEOS) \|\| \
	defined(OS_LINUX) \|\| \
	BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED) \|\| \
	BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
	return true;
	#else
	return false;
	#endif
	}

	std::unique_ptr<net::CertVerifier> CreateCertVerifier(
	mojom::CertVerifierCreationParams* creation_params,
	scoped_refptr<net::CertNetFetcher> cert_net_fetcher) {
	DCHECK(cert_net_fetcher \|\| !IsUsingCertNetFetcher());

	std::unique_ptr<net::CertVerifier> cert_verifier;

	bool use_builtin_cert_verifier;
	#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
	use_builtin_cert_verifier =
	creation_params
	? UsingBuiltinCertVerifier(creation_params->use_builtin_cert_verifier)
	: UsingBuiltinCertVerifier(
	mojom::CertVerifierCreationParams::CertVerifierImpl::kDefault);
	#else
	use_builtin_cert_verifier = false;
	#endif

	#if BUILDFLAG(IS_CHROMEOS_ASH)
	scoped_refptr<net::CertVerifyProc> verify_proc;
	if (!creation_params \|\| creation_params->username_hash.empty()) {
	verify_proc =
	CreateCertVerifyProcWithoutUserSlots(std::move(cert_net_fetcher));
	} else {
	// Make sure NSS is initialized for the user.
	crypto::InitializeNSSForChromeOSUser(creation_params->username_hash,
	creation_params->nss_path.value());

	crypto::ScopedPK11Slot public_slot =
	crypto::GetPublicSlotForChromeOSUser(creation_params->username_hash);
	verify_proc = CreateCertVerifyProcForUser(std::move(cert_net_fetcher),
	std::move(public_slot));
	}
	cert_verifier =
	std::make_unique<net::MultiThreadedCertVerifier>(std::move(verify_proc));
	#endif
	#if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
	if (!cert_verifier && creation_params &&
	creation_params->trial_comparison_cert_verifier_params) {
	cert_verifier = std::make_unique<TrialComparisonCertVerifierMojo>(
	creation_params->trial_comparison_cert_verifier_params->initial_allowed,
	std::move(creation_params->trial_comparison_cert_verifier_params
	->config_client_receiver),
	std::move(creation_params->trial_comparison_cert_verifier_params
	->report_client),
	net::CertVerifyProc::CreateSystemVerifyProc(cert_net_fetcher),
	net::CertVerifyProc::CreateBuiltinVerifyProc(cert_net_fetcher));
	}
	#endif
	#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
	if (!cert_verifier) {
	cert_verifier = std::make_unique<net::MultiThreadedCertVerifier>(
	use_builtin_cert_verifier
	? net::CertVerifyProc::CreateBuiltinVerifyProc(
	std::move(cert_net_fetcher))
	: net::CertVerifyProc::CreateSystemVerifyProc(
	std::move(cert_net_fetcher)));
	}
	#endif

	if (!cert_verifier) {
	cert_verifier = net::CertVerifier::CreateDefaultWithoutCaching(
	std::move(cert_net_fetcher));
	}

	return cert_verifier;
	}
	} // namespace cert_verifier