Support custom certificates in network::QuicTransport

Bug: 1011392 Change-Id: Ibd0c765f6a6af28ae91eccdc69997bc53ee4abfa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2249400 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Victor Vasiliev <vasilvv@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#780203}

Support custom certificates in network::QuicTransport
Bug: 1011392 Change-Id: Ibd0c765f6a6af28ae91eccdc69997bc53ee4abfa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2249400 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Victor Vasiliev <vasilvv@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#780203}
0b7c1975 · Yutaka Hirano · Commit Bot · 92bf3925 · 0b7c1975 · 0b7c1975
Commit 0b7c1975 authored Jun 19, 2020 by Yutaka Hirano Committed by Commit Bot Jun 19, 2020
17 changed files
--- a/content/browser/webtransport/quic_transport_connector_impl.cc
+++ b/content/browser/webtransport/quic_transport_connector_impl.cc
@@ -65,6 +65,8 @@ QuicTransportConnectorImpl::~QuicTransportConnectorImpl() = default;
 void QuicTransportConnectorImpl::Connect(
    const GURL& url,
+    std::vector<network::mojom::QuicTransportCertificateFingerprintPtr>
+        fingerprints,
    mojo::PendingRemote<network::mojom::QuicTransportHandshakeClient>
        handshake_client) {
  RenderProcessHost* process = RenderProcessHost::FromID(process_id_);
@@ -82,7 +84,7 @@ void QuicTransportConnectorImpl::Connect(
      handshake_client_to_pass.InitWithNewPipeAndPassReceiver());
  process->GetStoragePartition()->GetNetworkContext()->CreateQuicTransport(
-      url, origin_, network_isolation_key_,
+      url, origin_, network_isolation_key_, std::move(fingerprints),
      std::move(handshake_client_to_pass));
 }

--- a/content/browser/webtransport/quic_transport_connector_impl.h
+++ b/content/browser/webtransport/quic_transport_connector_impl.h
@@ -30,9 +30,12 @@ class QuicTransportConnectorImpl final
      const net::NetworkIsolationKey& network_isolation_key);
  ~QuicTransportConnectorImpl() override;
-  void Connect(const GURL& url,
+  void Connect(
-               mojo::PendingRemote<network::mojom::QuicTransportHandshakeClient>
+      const GURL& url,
-                   handshake_client) override;
+      std::vector<network::mojom::QuicTransportCertificateFingerprintPtr>
+          fingerprints,
+      mojo::PendingRemote<network::mojom::QuicTransportHandshakeClient>
+          handshake_client) override;
 private:
  const int process_id_;

--- a/net/quic/quic_context.h
+++ b/net/quic/quic_context.h
@@ -189,6 +189,11 @@ class NET_EXPORT_PRIVATE QuicContext {
    return params_.supported_versions;
  }
+  void SetHelperForTesting(
+      std::unique_ptr<quic::QuicConnectionHelperInterface> helper) {
+    helper_ = std::move(helper);
+  }
 private:
  std::unique_ptr<quic::QuicConnectionHelperInterface> helper_;

--- a/net/quic/quic_transport_client.cc
+++ b/net/quic/quic_transport_client.cc
@@ -61,6 +61,8 @@ std::unique_ptr<quic::ProofVerifier> CreateProofVerifier(
 QuicTransportClient::Parameters::Parameters() = default;
 QuicTransportClient::Parameters::~Parameters() = default;
+QuicTransportClient::Parameters::Parameters(const Parameters&) = default;
+QuicTransportClient::Parameters::Parameters(Parameters&&) = default;
 QuicTransportClient::QuicTransportClient(
    const GURL& url,

--- a/net/quic/quic_transport_client.h
+++ b/net/quic/quic_transport_client.h
@@ -85,6 +85,8 @@ class NET_EXPORT QuicTransportClient
  struct NET_EXPORT Parameters {
    Parameters();
    ~Parameters();
+    Parameters(const Parameters&);
+    Parameters(Parameters&&);
    // A vector of fingerprints for expected server certificates, as described
    // in

--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -1228,10 +1228,12 @@ void NetworkContext::CreateQuicTransport(
    const GURL& url,
    const url::Origin& origin,
    const net::NetworkIsolationKey& key,
+    std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,
    mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
        pending_handshake_client) {
-  quic_transports_.insert(std::make_unique<QuicTransport>(
+  quic_transports_.insert(
-      url, origin, key, this, std::move(pending_handshake_client)));
+      std::make_unique<QuicTransport>(url, origin, key, fingerprints, this,
+                                      std::move(pending_handshake_client)));
 }
 void NetworkContext::CreateNetLogExporter(

--- a/services/network/network_context.h
+++ b/services/network/network_context.h
@@ -308,6 +308,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
      const GURL& url,
      const url::Origin& origin,
      const net::NetworkIsolationKey& network_isolation_key,
+      std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,
      mojo::PendingRemote<mojom::QuicTransportHandshakeClient> handshake_client)
      override;
  void CreateNetLogExporter(

--- a/services/network/public/mojom/network_context.mojom
+++ b/services/network/public/mojom/network_context.mojom
@@ -1200,12 +1200,15 @@ interface NetworkContext {
  // Creates a QuicTransport connection to |url|. |origin| is used for the
  // client indication - see
  // https://tools.ietf.org/html/draft-vvv-webtransport-quic-01#section-3.2 .
+  // When |fingerprints| is not empty, it is used to verify the certificate.
+  // https://wicg.github.io/web-transport/#dom-quictransportconfiguration-server_certificate_fingerprints
  //
  // It is recommended to detect mojo connection errors on |handshake_client|.
  CreateQuicTransport(
        url.mojom.Url url,
        url.mojom.Origin origin,
        NetworkIsolationKey network_isolation_key,
+        array<QuicTransportCertificateFingerprint> fingerprints,
        pending_remote<QuicTransportHandshakeClient> handshake_client);
  // Create a NetLogExporter, which helps export NetLog to an existing file.

--- a/services/network/public/mojom/quic_transport.mojom
+++ b/services/network/public/mojom/quic_transport.mojom
@@ -26,6 +26,14 @@ struct QuicTransportError {
  bool safe_to_report_details = false;
 };
+// The fingerprint of a certificate accompanied with the hash algorithm.
+// https://wicg.github.io/web-transport/#quic-transport-configuration
+// https://www.w3.org/TR/webrtc/#dom-rtcdtlsfingerprint
+struct QuicTransportCertificateFingerprint {
+  string algorithm;
+  string fingerprint;
+};
 // A mojo interface for https://wicg.github.io/web-transport/#quic-transport.
 interface QuicTransport {
  // A datagram message is sent from the client. The response message represents

--- a/services/network/quic_transport.cc
+++ b/services/network/quic_transport.cc
@@ -19,6 +19,23 @@
 namespace network {
+namespace {
+net::QuicTransportClient::Parameters CreateParameters(
+    const std::vector<mojom::QuicTransportCertificateFingerprintPtr>&
+        fingerprints) {
+  net::QuicTransportClient::Parameters params;
+  for (const auto& fingerprint : fingerprints) {
+    params.server_certificate_fingerprints.push_back(
+        quic::CertificateFingerprint{.algorithm = fingerprint->algorithm,
+                                     .fingerprint = fingerprint->fingerprint});
+  }
+  return params;
+}
+}  // namespace
 class QuicTransport::Stream final {
 public:
  class StreamVisitor final : public quic::QuicTransportStream::Visitor {
@@ -297,6 +314,8 @@ QuicTransport::QuicTransport(
    const GURL& url,
    const url::Origin& origin,
    const net::NetworkIsolationKey& key,
+    const std::vector<mojom::QuicTransportCertificateFingerprintPtr>&
+        fingerprints,
    NetworkContext* context,
    mojo::PendingRemote<mojom::QuicTransportHandshakeClient> handshake_client)
    : transport_(std::make_unique<net::QuicTransportClient>(
@@ -305,7 +324,7 @@ QuicTransport::QuicTransport(
          this,
          key,
          context->url_request_context(),
-          net::QuicTransportClient::Parameters())),
+          CreateParameters(fingerprints))),
      context_(context),
      receiver_(this),
      handshake_client_(std::move(handshake_client)) {

--- a/services/network/quic_transport.h
+++ b/services/network/quic_transport.h
@@ -43,12 +43,15 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) QuicTransport final
                              mojo::ScopedDataPipeProducerHandle)>;
  using UnidirectionalStreamAcceptanceCallback =
      base::OnceCallback<void(uint32_t, mojo::ScopedDataPipeConsumerHandle)>;
-  QuicTransport(const GURL& url,
+  QuicTransport(
-                const url::Origin& origin,
+      const GURL& url,
-                const net::NetworkIsolationKey& key,
+      const url::Origin& origin,
-                NetworkContext* context,
+      const net::NetworkIsolationKey& key,
-                mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
+      const std::vector<mojom::QuicTransportCertificateFingerprintPtr>&
-                    handshake_client);
+          fingerprints,
+      NetworkContext* context,
+      mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
+          handshake_client);
  ~QuicTransport() override;
  // mojom::QuicTransport implementation:

--- a/services/network/quic_transport_unittest.cc
+++ b/services/network/quic_transport_unittest.cc
@@ -13,6 +13,8 @@
 #include "base/test/task_environment.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/quic/crypto/proof_source_chromium.h"
+#include "net/test/test_data_directory.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/tools/quic/quic_transport_simple_server.h"
 #include "net/url_request/url_request_context.h"
@@ -25,6 +27,41 @@
 namespace network {
 namespace {
+// A clock that only mocks out WallNow(), but uses real Now() and
+// ApproximateNow().  Useful for certificate verification.
+class TestWallClock : public quic::QuicClock {
+ public:
+  quic::QuicTime Now() const override {
+    return quic::QuicChromiumClock::GetInstance()->Now();
+  }
+  quic::QuicTime ApproximateNow() const override {
+    return quic::QuicChromiumClock::GetInstance()->ApproximateNow();
+  }
+  quic::QuicWallTime WallNow() const override { return wall_now_; }
+  void set_wall_now(quic::QuicWallTime now) { wall_now_ = now; }
+ private:
+  quic::QuicWallTime wall_now_ = quic::QuicWallTime::Zero();
+};
+class TestConnectionHelper : public quic::QuicConnectionHelperInterface {
+ public:
+  const quic::QuicClock* GetClock() const override { return &clock_; }
+  quic::QuicRandom* GetRandomGenerator() override {
+    return quic::QuicRandom::GetInstance();
+  }
+  quic::QuicBufferAllocator* GetStreamSendBufferAllocator() override {
+    return &allocator_;
+  }
+  TestWallClock& clock() { return clock_; }
+ private:
+  TestWallClock clock_;
+  quic::SimpleBufferAllocator allocator_;
+};
 mojom::NetworkContextParamsPtr CreateNetworkContextParams() {
  auto context_params = mojom::NetworkContextParams::New();
  // Use a dummy CertVerifier that always passes cert verification, since
@@ -198,6 +235,9 @@ quic::ParsedQuicVersion GetTestVersion() {
 class QuicTransportTest : public testing::Test {
 public:
  QuicTransportTest()
+      : QuicTransportTest(
+            quic::test::crypto_test_utils::ProofSourceForTesting()) {}
+  explicit QuicTransportTest(std::unique_ptr<quic::ProofSource> proof_source)
      : version_(GetTestVersion()),
        origin_(url::Origin::Create(GURL("https://example.org/"))),
        task_environment_(base::test::TaskEnvironment::MainThreadType::IO),
@@ -206,9 +246,7 @@ class QuicTransportTest : public testing::Test {
        network_context_(network_service_.get(),
                         network_context_remote_.BindNewPipeAndPassReceiver(),
                         CreateNetworkContextParams()),
-        server_(/* port= */ 0,
+        server_(/* port= */ 0, {origin_}, std::move(proof_source)) {
-                {origin_},
-                quic::test::crypto_test_utils::ProofSourceForTesting()) {
    EXPECT_EQ(EXIT_SUCCESS, server_.Start());
    cert_verifier_.set_default_result(net::OK);
@@ -227,20 +265,31 @@ class QuicTransportTest : public testing::Test {
      const GURL& url,
      const url::Origin& origin,
      const net::NetworkIsolationKey& key,
+      std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,
      mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
          handshake_client) {
-    network_context_.CreateQuicTransport(url, origin, key,
+    network_context_.CreateQuicTransport(
-                                         std::move(handshake_client));
+        url, origin, key, std::move(fingerprints), std::move(handshake_client));
  }
  void CreateQuicTransport(
      const GURL& url,
      const url::Origin& origin,
      mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
          handshake_client) {
-    CreateQuicTransport(url, origin, net::NetworkIsolationKey(),
+    CreateQuicTransport(url, origin, net::NetworkIsolationKey(), {},
                        std::move(handshake_client));
  }
+  void CreateQuicTransport(
+      const GURL& url,
+      const url::Origin& origin,
+      std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,
+      mojo::PendingRemote<mojom::QuicTransportHandshakeClient>
+          handshake_client) {
+    CreateQuicTransport(url, origin, net::NetworkIsolationKey(),
+                        std::move(fingerprints), std::move(handshake_client));
+  }
  GURL GetURL(base::StringPiece suffix) {
    return GURL(quiche::QuicheStrCat("quic-transport://test.example.com:",
                                     server_.server_address().port(), suffix));
@@ -248,6 +297,7 @@ class QuicTransportTest : public testing::Test {
  const url::Origin& origin() const { return origin_; }
  const NetworkContext& network_context() const { return network_context_; }
+  NetworkContext& mutable_network_context() { return network_context_; }
  void RunPendingTasks() {
    base::RunLoop run_loop;
@@ -521,5 +571,83 @@ TEST_F(QuicTransportTest, EchoOnBidirectionalStream) {
  EXPECT_TRUE(client.stream_is_closed_as_incoming_stream(stream_id));
 }
+class QuicTransportWithCustomCertificateTest : public QuicTransportTest {
+ public:
+  QuicTransportWithCustomCertificateTest()
+      : QuicTransportTest(CreateProofSource()) {
+    auto helper = std::make_unique<TestConnectionHelper>();
+    // Set clock to a time in which quic-short-lived.pem is valid
+    // (2020-06-05T20:35:00.000Z).
+    helper->clock().set_wall_now(
+        quic::QuicWallTime::FromUNIXSeconds(1591389300));
+    mutable_network_context()
+        .url_request_context()
+        ->quic_context()
+        ->SetHelperForTesting(std::move(helper));
+  }
+  ~QuicTransportWithCustomCertificateTest() override = default;
+  static std::unique_ptr<quic::ProofSource> CreateProofSource() {
+    auto proof_source = std::make_unique<net::ProofSourceChromium>();
+    base::FilePath certs_dir = net::GetTestCertsDirectory();
+    EXPECT_TRUE(proof_source->Initialize(
+        certs_dir.AppendASCII("quic-short-lived.pem"),
+        certs_dir.AppendASCII("quic-leaf-cert.key"),
+        certs_dir.AppendASCII("quic-leaf-cert.key.sct")));
+    return proof_source;
+  }
+};
+TEST_F(QuicTransportWithCustomCertificateTest, WithValidFingerprint) {
+  base::RunLoop run_loop_for_handshake;
+  mojo::PendingRemote<mojom::QuicTransportHandshakeClient> handshake_client;
+  TestHandshakeClient test_handshake_client(
+      handshake_client.InitWithNewPipeAndPassReceiver(),
+      run_loop_for_handshake.QuitClosure());
+  auto fingerprint = mojom::QuicTransportCertificateFingerprint::New(
+      "sha-256",
+      "ED:3D:D7:C3:67:10:94:68:D1:DC:D1:26:5C:B2:74:D7:1C:"
+      "A2:63:3E:94:94:C0:84:39:D6:64:FA:08:B9:77:37");
+  std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints;
+  fingerprints.push_back(std::move(fingerprint));
+  CreateQuicTransport(GetURL("/discard"), origin(), std::move(fingerprints),
+                      std::move(handshake_client));
+  run_loop_for_handshake.Run();
+  EXPECT_TRUE(test_handshake_client.has_seen_connection_establishment());
+  EXPECT_FALSE(test_handshake_client.has_seen_handshake_failure());
+  EXPECT_FALSE(test_handshake_client.has_seen_mojo_connection_error());
+  EXPECT_EQ(1u, network_context().NumOpenQuicTransports());
+}
+TEST_F(QuicTransportWithCustomCertificateTest, WithInvalidFingerprint) {
+  base::RunLoop run_loop_for_handshake;
+  mojo::PendingRemote<mojom::QuicTransportHandshakeClient> handshake_client;
+  TestHandshakeClient test_handshake_client(
+      handshake_client.InitWithNewPipeAndPassReceiver(),
+      run_loop_for_handshake.QuitClosure());
+  auto fingerprint = network::mojom::QuicTransportCertificateFingerprint::New(
+      "sha-256",
+      "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:"
+      "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00");
+  std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints;
+  fingerprints.push_back(std::move(fingerprint));
+  CreateQuicTransport(GetURL("/discard"), origin(), std::move(fingerprints),
+                      std::move(handshake_client));
+  run_loop_for_handshake.Run();
+  EXPECT_FALSE(test_handshake_client.has_seen_connection_establishment());
+  EXPECT_TRUE(test_handshake_client.has_seen_handshake_failure());
+  EXPECT_FALSE(test_handshake_client.has_seen_mojo_connection_error());
+  EXPECT_EQ(0u, network_context().NumOpenQuicTransports());
+}
 }  // namespace
 }  // namespace network
--- a/services/network/test/test_network_context.h
+++ b/services/network/test/test_network_context.h
@@ -34,7 +34,7 @@
 namespace net {
 class NetworkIsolationKey;
 class IsolationInfo;
-}
+}  // namespace net
 namespace network {
@@ -167,6 +167,7 @@ class TestNetworkContext : public mojom::NetworkContext {
      const GURL& url,
      const url::Origin& origin,
      const net::NetworkIsolationKey& network_isolation_key,
+      std::vector<mojom::QuicTransportCertificateFingerprintPtr> fingerprints,
      mojo::PendingRemote<mojom::QuicTransportHandshakeClient> handshake_client)
      override {}
  void LookUpProxyForURL(

--- a/third_party/blink/public/mojom/webtransport/quic_transport_connector.mojom
+++ b/third_party/blink/public/mojom/webtransport/quic_transport_connector.mojom
@@ -12,6 +12,8 @@ import "url/mojom/url.mojom";
 interface QuicTransportConnector {
  // Starts an opening handshake.
  // It is recommended to detect mojo connection errors on |client|.
-  Connect(url.mojom.Url url,
+  Connect(
-          pending_remote<network.mojom.QuicTransportHandshakeClient> client);
+    url.mojom.Url url,
+    array<network.mojom.QuicTransportCertificateFingerprint> fingerprints,
+    pending_remote<network.mojom.QuicTransportHandshakeClient> client);
 };
--- a/third_party/blink/renderer/modules/webtransport/bidirectional_stream_test.cc
+++ b/third_party/blink/renderer/modules/webtransport/bidirectional_stream_test.cc
@@ -231,6 +231,8 @@ class ScopedQuicTransport : public mojom::blink::QuicTransportConnector {
  // Implementation of mojom::blink::QuicTransportConnector.
  void Connect(
      const KURL&,
+      Vector<network::mojom::blink::QuicTransportCertificateFingerprintPtr>
+          fingerprints,
      mojo::PendingRemote<network::mojom::blink::QuicTransportHandshakeClient>
          pending_handshake_client) override {
    mojo::Remote<network::mojom::blink::QuicTransportHandshakeClient>

--- a/third_party/blink/renderer/modules/webtransport/quic_transport.cc
+++ b/third_party/blink/renderer/modules/webtransport/quic_transport.cc
@@ -652,8 +652,9 @@ void QuicTransport::Init(const String& url, ExceptionState& exception_state) {
          execution_context->GetTaskRunner(TaskType::kNetworking)));
  connector->Connect(
-      url_, handshake_client_receiver_.BindNewPipeAndPassRemote(
+      url_, /*fingerprints=*/{},
-                execution_context->GetTaskRunner(TaskType::kNetworking)));
+      handshake_client_receiver_.BindNewPipeAndPassRemote(
+          execution_context->GetTaskRunner(TaskType::kNetworking)));
  handshake_client_receiver_.set_disconnect_handler(
      WTF::Bind(&QuicTransport::OnConnectionError, WrapWeakPersistent(this)));

--- a/third_party/blink/renderer/modules/webtransport/quic_transport_test.cc
+++ b/third_party/blink/renderer/modules/webtransport/quic_transport_test.cc
@@ -77,6 +77,8 @@ class QuicTransportConnector final
  void Connect(
      const KURL& url,
+      Vector<network::mojom::blink::QuicTransportCertificateFingerprintPtr>
+          fingerprints,
      mojo::PendingRemote<network::mojom::blink::QuicTransportHandshakeClient>
          handshake_client) override {
    connect_args_.push_back(ConnectArgs(url, std::move(handshake_client)));