chrome/browser/net/packed_ct_ev_whitelist.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_NET_PACKED_CT_EV_WHITELIST_H_
   6 #define CHROME_BROWSER_NET_PACKED_CT_EV_WHITELIST_H_
   7
   8 #include <stdint.h>
   9
  10 #include <string>
  11 #include <vector>
  12
  13 #include "base/gtest_prod_util.h"
  14 #include "net/cert/ct_ev_whitelist.h"
  15
  16 namespace base {
  17 class FilePath;
  18 }
  19
  20 // An implementation of the EVCertsWhitelist that gets its data packed using
  21 // Golomb coding to encode the difference between subsequent hash values.
  22 // Format of the packed list:
  23 // * First 8 bytes: First hash
  24 // * Repeating Golomb-coded number which is the numeric difference of the
  25 //   previous hash value from this one
  26 //
  27 // The resulting, unpacked list is a sorted list of hash values that can be
  28 // efficiently searched.
  29 class PackedEVCertsWhitelist : public net::ct::EVCertsWhitelist {
  30  public:
  31   // Unpacks the given |compressed_whitelist|. See the class documentation
  32   // for description of the |compressed_whitelist| format.
  33   explicit PackedEVCertsWhitelist(const std::string& compressed_whitelist);
  34
  35   // Returns true if the |certificate_hash| appears in the EV certificate hashes
  36   // whitelist. Must not be called if IsValid for this instance returned false.
  37   bool ContainsCertificateHash(
  38       const std::string& certificate_hash) const override;
  39
  40   // Returns true if the EV certificate hashes whitelist provided in the c'tor
  41   // was valid, false otherwise.
  42   bool IsValid() const override;
  43
  44  protected:
  45   ~PackedEVCertsWhitelist() override;
  46
  47  private:
  48   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  49                            UncompressFailsForTooShortList);
  50   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  51                            UncompressFailsForTruncatedList);
  52   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  53                            UncompressFailsForInvalidValuesInList);
  54   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  55                            UncompressesWhitelistCorrectly);
  56
  57   // Given a Golomb-coded list of hashes in |compressed_whitelist|, unpack into
  58   // |uncompressed_list|. Returns true if the format of the compressed whitelist
  59   // is valid, false otherwise.
  60   static bool UncompressEVWhitelist(const std::string& compressed_whitelist,
  61                                     std::vector<uint64_t>* uncompressed_list);
  62
  63   // The whitelist is an array containing certificate hashes (truncated
  64   // to a fixed size of 8 bytes), sorted.
  65   // Binary search is used to locate hashes in the the array.
  66   // Benchmarking bsearch vs std::set (with 120K entries, doing 1.2M lookups)
  67   // shows that bsearch is about twice as fast as std::set lookups (and std::set
  68   // has additional memory overhead).
  69   std::vector<uint64_t> whitelist_;
  70
  71   DISALLOW_COPY_AND_ASSIGN(PackedEVCertsWhitelist);
  72 };
  73
  74 // Sets the EV certificate hashes whitelist from |compressed_whitelist_file|
  75 // in |ssl_config_service|, after uncompressing it.
  76 // If the data in |compressed_whitelist_file| is not a valid compressed
  77 // whitelist, does nothing.
  78 // As this function performs file operations, it should be called from a
  79 // blocking pool worker or a file worker.
  80 // To set the new whitelist, this function dispatches a task to the IO thread.
  81 void SetEVWhitelistFromFile(const base::FilePath& compressed_whitelist_file);
  82
  83 #endif  // CHROME_BROWSER_NET_PACKED_CT_EV_WHITELIST_H_