1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "components/packed_ct_ev_whitelist/packed_ct_ev_whitelist.h"
11 #include "base/big_endian.h"
12 #include "base/files/file_util.h"
13 #include "base/lazy_instance.h"
14 #include "base/logging.h"
15 #include "components/packed_ct_ev_whitelist/bit_stream_reader.h"
16 #include "content/public/browser/browser_thread.h"
17 #include "net/ssl/ssl_config_service.h"
20 const uint8_t kCertHashLengthBits
= 64; // 8 bytes
21 const uint8_t kCertHashLength
= kCertHashLengthBits
/ 8;
22 const uint64_t kGolombMParameterBits
= 47; // 2^47
24 void SetEVWhitelistInSSLConfigService(
25 const scoped_refptr
<net::ct::EVCertsWhitelist
>& new_whitelist
) {
26 VLOG(1) << "Setting new EV Certs whitelist.";
27 net::SSLConfigService::SetEVCertsWhitelist(new_whitelist
);
30 int TruncatedHashesComparator(const void* v1
, const void* v2
) {
31 const uint64_t& h1(*(static_cast<const uint64_t*>(v1
)));
32 const uint64_t& h2(*(static_cast<const uint64_t*>(v2
)));
41 namespace packed_ct_ev_whitelist
{
43 void SetEVCertsWhitelist(scoped_refptr
<net::ct::EVCertsWhitelist
> whitelist
) {
44 if (!whitelist
->IsValid()) {
45 VLOG(1) << "EV Certs whitelist is not valid, not setting.";
49 base::Closure assign_cb
=
50 base::Bind(SetEVWhitelistInSSLConfigService
, whitelist
);
51 content::BrowserThread::PostTask(
52 content::BrowserThread::IO
, FROM_HERE
, assign_cb
);
55 bool PackedEVCertsWhitelist::UncompressEVWhitelist(
56 const std::string
& compressed_whitelist
,
57 std::vector
<uint64_t>* uncompressed_list
) {
58 internal::BitStreamReader
reader(base::StringPiece(
59 compressed_whitelist
.data(), compressed_whitelist
.size()));
60 std::vector
<uint64_t> result
;
62 VLOG(1) << "Uncompressing EV whitelist of size "
63 << compressed_whitelist
.size();
64 uint64_t curr_hash(0);
65 if (!reader
.ReadBits(kCertHashLengthBits
, &curr_hash
)) {
66 VLOG(1) << "Failed reading first hash.";
69 result
.push_back(curr_hash
);
70 // M is the tunable parameter used by the Golomb coding.
71 static const uint64_t kGolombParameterM
= static_cast<uint64_t>(1)
72 << kGolombMParameterBits
;
74 while (reader
.BitsLeft() > kGolombMParameterBits
) {
75 uint64_t read_prefix
= 0;
76 if (!reader
.ReadUnaryEncoding(&read_prefix
)) {
77 VLOG(1) << "Failed reading unary-encoded prefix.";
80 if (read_prefix
> (UINT64_MAX
/ kGolombParameterM
)) {
81 VLOG(1) << "Received value that would cause overflow: " << read_prefix
;
86 if (!reader
.ReadBits(kGolombMParameterBits
, &r
)) {
87 VLOG(1) << "Failed reading " << kGolombMParameterBits
<< " bits.";
90 DCHECK_LT(r
, kGolombParameterM
);
92 uint64_t curr_diff
= read_prefix
* kGolombParameterM
+ r
;
93 curr_hash
+= curr_diff
;
95 result
.push_back(curr_hash
);
98 uncompressed_list
->swap(result
);
102 PackedEVCertsWhitelist::PackedEVCertsWhitelist(
103 const std::string
& compressed_whitelist
,
104 const base::Version
& version
)
105 : version_(version
) {
106 if (!UncompressEVWhitelist(compressed_whitelist
, &whitelist_
)) {
112 PackedEVCertsWhitelist::~PackedEVCertsWhitelist() {
115 bool PackedEVCertsWhitelist::ContainsCertificateHash(
116 const std::string
& certificate_hash
) const {
117 DCHECK(!whitelist_
.empty());
118 uint64_t hash_to_lookup
;
120 base::ReadBigEndian(certificate_hash
.data(), &hash_to_lookup
);
121 return bsearch(&hash_to_lookup
,
125 TruncatedHashesComparator
) != NULL
;
128 bool PackedEVCertsWhitelist::IsValid() const {
129 return whitelist_
.size() > 0;
132 base::Version
PackedEVCertsWhitelist::Version() const {
136 } // namespace packed_ct_ev_whitelist
