Add flag to allow unknown root in quic_client bin

Bug: 980654 Change-Id: I035f4edf159c9d949edd60118ac09c32bc3976dc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1772373 Commit-Queue: Ryan Hamilton <rch@chromium.org> Reviewed-by: Ryan Hamilton <rch@chromium.org> Cr-Commit-Position: refs/heads/master@{#691837}

Add flag to allow unknown root in quic_client bin
Bug: 980654 Change-Id: I035f4edf159c9d949edd60118ac09c32bc3976dc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1772373 Commit-Queue: Ryan Hamilton <rch@chromium.org> Reviewed-by: Ryan Hamilton <rch@chromium.org> Cr-Commit-Position: refs/heads/master@{#691837}
9c6af4b5 · Nick Harper · Commit Bot · 90608d57 · 9c6af4b5 · 9c6af4b5
Commit 9c6af4b5 authored Aug 29, 2019 by Nick Harper Committed by Commit Bot Aug 29, 2019
2 changed files
--- a/net/quic/platform/impl/quic_default_proof_providers_impl.cc
+++ b/net/quic/platform/impl/quic_default_proof_providers_impl.cc
@@ -19,6 +19,12 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
+DEFINE_QUIC_COMMAND_LINE_FLAG(
+    bool,
+    allow_unknown_root_cert,
+    false,
+    "If true, don't restrict cert verification to known roots");
 DEFINE_QUIC_COMMAND_LINE_FLAG(std::string,
                              certificate_file,
                              "",
@@ -36,15 +42,27 @@ using net::ProofVerifierChromium;
 namespace quic {
+namespace {
+std::set<std::string> UnknownRootAllowlistForHost(std::string host) {
+  if (!GetQuicFlag(FLAGS_allow_unknown_root_cert)) {
+    return std::set<std::string>();
+  }
+  return {host};
+}
+}  // namespace
 class ProofVerifierChromiumWithOwnership : public net::ProofVerifierChromium {
 public:
  ProofVerifierChromiumWithOwnership(
-      std::unique_ptr<net::CertVerifier> cert_verifier)
+      std::unique_ptr<net::CertVerifier> cert_verifier,
+      std::string host)
      : net::ProofVerifierChromium(cert_verifier.get(),
                                   &ct_policy_enforcer_,
                                   &transport_security_state_,
                                   &ct_verifier_,
-                                   std::set<std::string>()),
+                                   UnknownRootAllowlistForHost(host)),
        cert_verifier_(std::move(cert_verifier)) {}
 private:
@@ -55,11 +73,11 @@ class ProofVerifierChromiumWithOwnership : public net::ProofVerifierChromium {
 };
 std::unique_ptr<ProofVerifier> CreateDefaultProofVerifierImpl(
-    const std::string& /*host*/) {
+    const std::string& host) {
  std::unique_ptr<net::CertVerifier> cert_verifier =
      net::CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr);
  return QuicMakeUnique<ProofVerifierChromiumWithOwnership>(
-      std::move(cert_verifier));
+      std::move(cert_verifier), host);
 }
 std::unique_ptr<ProofSource> CreateDefaultProofSourceImpl() {

--- a/net/quic/platform/impl/quic_default_proof_providers_impl.h
+++ b/net/quic/platform/impl/quic_default_proof_providers_impl.h
@@ -15,5 +15,7 @@ namespace quic {
 std::unique_ptr<ProofVerifier> CreateDefaultProofVerifierImpl(
    const std::string& host);
 std::unique_ptr<ProofSource> CreateDefaultProofSourceImpl();
 }  // namespace quic
 #endif  // NET_QUIC_PLATFORM_IMPL_QUIC_DEFAULT_PROOF_PROVIDERS_IMPL_H_