components/packed_ct_ev_whitelist/packed_ct_ev_whitelist.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef COMPONENTS_PACKED_CT_EV_WHITELIST_PACKED_CT_EV_WHITELIST_H_
   6 #define COMPONENTS_PACKED_CT_EV_WHITELIST_PACKED_CT_EV_WHITELIST_H_
   7
   8 #include <stdint.h>
   9
  10 #include <string>
  11 #include <vector>
  12
  13 #include "base/gtest_prod_util.h"
  14 #include "base/version.h"
  15 #include "net/cert/ct_ev_whitelist.h"
  16
  17 namespace base {
  18 class FilePath;
  19 }
  20
  21 namespace packed_ct_ev_whitelist {
  22
  23 // An implementation of the EVCertsWhitelist that gets its data packed using
  24 // Golomb coding to encode the difference between subsequent hash values.
  25 // Format of the packed list:
  26 // * First 8 bytes: First hash
  27 // * Repeating Golomb-coded number which is the numeric difference of the
  28 //   previous hash value from this one
  29 //
  30 // The resulting, unpacked list is a sorted list of hash values that can be
  31 // efficiently searched.
  32 class PackedEVCertsWhitelist : public net::ct::EVCertsWhitelist {
  33  public:
  34   // Unpacks the given |compressed_whitelist|. See the class documentation
  35   // for description of the |compressed_whitelist| format.
  36   PackedEVCertsWhitelist(const std::string& compressed_whitelist,
  37                          const base::Version& version);
  38
  39   // Returns true if the |certificate_hash| appears in the EV certificate hashes
  40   // whitelist. Must not be called if IsValid for this instance returned false.
  41   bool ContainsCertificateHash(
  42       const std::string& certificate_hash) const override;
  43
  44   // Returns true if the EV certificate hashes whitelist provided in the c'tor
  45   // was valid, false otherwise.
  46   bool IsValid() const override;
  47
  48   // Returns the version of the whitelist in use, if available.
  49   base::Version Version() const override;
  50
  51  protected:
  52   ~PackedEVCertsWhitelist() override;
  53
  54  private:
  55   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  56                            UncompressFailsForTooShortList);
  57   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  58                            UncompressFailsForTruncatedList);
  59   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  60                            UncompressFailsForInvalidValuesInList);
  61   FRIEND_TEST_ALL_PREFIXES(PackedEVCertsWhitelistTest,
  62                            UncompressesWhitelistCorrectly);
  63
  64   // Given a Golomb-coded list of hashes in |compressed_whitelist|, unpack into
  65   // |uncompressed_list|. Returns true if the format of the compressed whitelist
  66   // is valid, false otherwise.
  67   static bool UncompressEVWhitelist(const std::string& compressed_whitelist,
  68                                     std::vector<uint64_t>* uncompressed_list);
  69
  70   // The whitelist is an array containing certificate hashes (truncated
  71   // to a fixed size of 8 bytes), sorted.
  72   // Binary search is used to locate hashes in the the array.
  73   // Benchmarking bsearch vs std::set (with 120K entries, doing 1.2M lookups)
  74   // shows that bsearch is about twice as fast as std::set lookups (and std::set
  75   // has additional memory overhead).
  76   std::vector<uint64_t> whitelist_;
  77   base::Version version_;
  78
  79   DISALLOW_COPY_AND_ASSIGN(PackedEVCertsWhitelist);
  80 };
  81
  82 // Sets the EV certificate hashes whitelist in the SSLConfigService
  83 // to the provided |whitelist|, if valid. Otherwise, does nothing.
  84 // To set the new whitelist, this function dispatches a task to the IO thread.
  85 void SetEVCertsWhitelist(scoped_refptr<net::ct::EVCertsWhitelist> whitelist);
  86
  87 }  // namespace packed_ct_ev_whitelist
  88
  89 #endif  // COMPONENTS_PACKED_CT_EV_WHITELIST_PACKED_CT_EV_WHITELIST_H_