#pragma once
#include <memory>
#include "source/common/quic/envoy_quic_proof_verifier_base.h"
#include "source/common/quic/quic_ssl_connection_info.h"
#include "source/common/tls/context_impl.h"
namespace Envoy {
namespace Quic {
// Outcome of a certificate-chain check, handed back to QUIC as the
// quic::ProofVerifyDetails attached to a connection. It carries exactly one
// fact: whether the chain was accepted.
class CertVerifyResult : public quic::ProofVerifyDetails {
public:
  // `is_valid` is the verdict this result reports. There is deliberately no
  // default argument, so a caller has to state the verdict explicitly.
  explicit CertVerifyResult(bool is_valid) : valid_(is_valid) {}

  // quic::ProofVerifyDetails
  // The QUIC interface takes ownership of the returned pointer, so the verdict
  // is copied into a freshly allocated object.
  ProofVerifyDetails* Clone() const override {
    auto* copy = new CertVerifyResult(valid_);
    return copy;
  }

  // True if the verified chain was accepted.
  bool isValid() const { return valid_; }

private:
  // Defaults to "not valid" so a result can never report success by accident.
  bool valid_{false};
};
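// Owning pointer to a CertVerifyResult.
// Previously this alias was spelled `std::unique_ptr<CertVerifyResult>()`, which
// names a *function type* (a function taking no arguments and returning a
// unique_ptr), not the smart pointer itself; the trailing `()` is dropped so the
// alias is actually usable as an object type.
using CertVerifyResultPtr = std::unique_ptr<CertVerifyResult>;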
// An interface for the Envoy specific QUIC verify context.
// Pure interface; the concrete context is supplied by the caller of
// VerifyCertChain (not visible in this header).
class EnvoyQuicProofVerifyContext : public quic::ProofVerifyContext {
public:
  // Dispatcher of the thread on which the verification is being performed.
  virtual Event::Dispatcher& dispatcher() const PURE;
  // True when the verifying side is the QUIC server, false for the client.
  // NOTE(review): the two roles presumably validate different things (e.g.
  // client cert vs. server cert / hostname) — confirm against the .cc.
  virtual bool isServer() const PURE;
  // Transport socket options in effect for this connection; presumably may be
  // a null shared_ptr when none were set — callers should check before deref.
  virtual const Network::TransportSocketOptionsConstSharedPtr& transportSocketOptions() const PURE;
  // Extra inputs forwarded to the configured CertValidator alongside the
  // chain itself. Returned by value on each call.
  virtual Extensions::TransportSockets::Tls::CertValidator::ExtraValidationContext
  extraValidationContext() const PURE;
};
// Owning pointer to an EnvoyQuicProofVerifyContext.
using EnvoyQuicProofVerifyContextPtr = std::unique_ptr<EnvoyQuicProofVerifyContext>;
// A quic::ProofVerifier implementation which verifies the peer's certificate chain
// using the validation settings of an SSL client context.
class EnvoyQuicProofVerifier : public EnvoyQuicProofVerifierBase {
public:
  // Takes ownership of `context`, the client TLS context whose validation
  // configuration drives chain verification. `accept_untrusted` defaults to
  // false, so tolerating verification failures is an explicit opt-in by the
  // caller (see the ACCEPT_UNTRUSTED reference on the member below).
  explicit EnvoyQuicProofVerifier(Envoy::Ssl::ClientContextSharedPtr&& context,
                                  bool accept_untrusted = false)
      : context_(std::move(context)), accept_untrusted_(accept_untrusted) {
    // NOTE(review): ASSERT is presumably compiled out of release builds, so a
    // null context would only be caught here in debug — confirm that every
    // caller guarantees a non-null context.
    ASSERT(context_.get());
  }

  // EnvoyQuicProofVerifierBase
  // Verifies `certs` for the peer at `hostname`:`port`. Defined in the .cc file;
  // the signature follows the quic::ProofVerifier contract. `error_details`,
  // `details` and `out_alert` are output parameters; `context` is presumably
  // expected to be an EnvoyQuicProofVerifyContext and `callback` to be invoked
  // only when verification does not complete synchronously — confirm against
  // the implementation.
  quic::QuicAsyncStatus
  VerifyCertChain(const std::string& hostname, const uint16_t port,
                  const std::vector<std::string>& certs, const std::string& ocsp_response,
                  const std::string& cert_sct, const quic::ProofVerifyContext* context,
                  std::string* error_details, std::unique_ptr<quic::ProofVerifyDetails>* details,
                  uint8_t* out_alert,
                  std::unique_ptr<quic::ProofVerifierCallback> callback) override;

private:
  // Client TLS context (trust store, validation config) used for verification.
  Envoy::Ssl::ClientContextSharedPtr context_;
  // True if the verifier should accept untrusted certs (see documentation for
  // envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext::ACCEPT_UNTRUSTED).
  // Security-relevant: when set, chain validation failures are not fatal, so
  // this must only be enabled by deliberate configuration.
  bool accept_untrusted_;
};
} // namespace Quic
} // namespace Envoy