Add client fingerprint verification

Author: qwu16

quic_transport/BUILD.gn

@@ -33,8 +33,6 @@ source_set("owt_quic_transport_impl") {
     "sdk/impl/logging.cc",
     "sdk/impl/proof_source_owt.cc",
     "sdk/impl/proof_source_owt.h",
-    "sdk/impl/proof_verifier_owt.cc",
-    "sdk/impl/proof_verifier_owt.h",
     "sdk/impl/quic_transport_factory_impl.cc",
     "sdk/impl/quic_transport_factory_impl.h",
     "sdk/impl/quic_transport_owt_client_base.cc",

quic_transport/sdk/impl/proof_verifier_owt.cc

@@ -21,7 +21,6 @@
 #include "net/quic/quic_chromium_connection_helper.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/proof_source.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.h"
-#include "net/third_party/quiche/src/quiche/quic/core/quic_types.h"
 #include "url/gurl.h"
 #include "net/quic/address_utils.h"
 #include "net/tools/quic/synchronous_host_resolver.h"
@@ -161,6 +160,22 @@ void QuicTransportFactoryImpl::Init() {
   logging::InitLogging(settings);
   logging::SetMinLogLevel(1);
 
+  char* str = std::getenv("QUIC_SERVER_FINGERPRINTS");
+  if(str == NULL) {
+      LOG(ERROR) <<"No server fingerprints provided in env";
+  } else {
+    const char delimiter = ',';
+    std::stringstream ss;
+    std::string s;
+    ss << str;
+
+    while (std::getline(ss, s, delimiter)) {
+      ::quic::CertificateFingerprint quic_fingerprint;
+      quic_fingerprint.algorithm = ::quic::CertificateFingerprint::kSha256;
+      quic_fingerprint.fingerprint = s;
+      server_certificate_fingerprints.push_back(quic_fingerprint);
+    }
+  }
 }
 
 QuicTransportClientInterface*
@@ -174,10 +189,9 @@ QuicTransportFactoryImpl::CreateQuicTransportClient(
       FROM_HERE,
       base::BindOnce(
           [](const char* host, int port,
+             const std::vector<::quic::CertificateFingerprint>& fingerprints,
              base::Thread* io_thread, base::Thread* event_thread,
              owt::quic::QuicTransportClientInterface** result, base::WaitableEvent* event) {
-            std::unique_ptr<::quic::ProofVerifier> proof_verifier;
-            proof_verifier.reset(new FakeProofVerifier());
             ::quic::QuicIpAddress ip_addr;
 
             GURL url("https://www.example.org");
@@ -196,16 +210,16 @@ QuicTransportFactoryImpl::CreateQuicTransportClient(
                   net::ToQuicIpAddress(addresses[0].address());
             }
 
-            ::quic::QuicServerId server_id(url.host(), url.EffectiveIntPort(),
-                                         net::PRIVACY_MODE_DISABLED);
+            ::quic::QuicServerId server_id(host, port, false);
             ::quic::ParsedQuicVersionVector versions = ::quic::CurrentSupportedVersions();
+            printf("url host is:%s, origin host is:%s\n", url.host().c_str(), host);
 
             *result = new net::QuicTransportOwtClientImpl(
-                ::quic::QuicSocketAddress(ip_addr, port), server_id, versions, std::move(proof_verifier),
+                ::quic::QuicSocketAddress(ip_addr, port), server_id, versions, fingerprints,
                 io_thread, event_thread);
             event->Signal();
           },
-          base::Unretained(host), port, base::Unretained(io_thread_.get()),
+          base::Unretained(host), port, server_certificate_fingerprints, base::Unretained(io_thread_.get()),
           base::Unretained(event_thread_.get()), base::Unretained(&result),
           base::Unretained(&done)));
   done.Wait();

quic_transport/sdk/impl/proof_verifier_owt.h

@@ -13,7 +13,9 @@
 #include "owt/quic/export.h"
 #include "owt/quic/quic_transport_factory.h"
 #include "owt/quic_transport/sdk/impl/proof_source_owt.h"
-#include "owt/quic_transport/sdk/impl/proof_verifier_owt.h"
+#include "net/third_party/quiche/src/quiche/quic/platform/api/quic_default_proof_providers.h"
+#include "net/third_party/quiche/src/quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h"
 
 namespace quic {
 class QuicAlarmFactory;
@@ -61,6 +63,7 @@ class OWT_EXPORT QuicTransportFactoryImpl : public owt::quic::QuicTransportFacto
   std::unique_ptr<base::AtExitManager> at_exit_manager_;
   std::unique_ptr<base::Thread> io_thread_;
   std::unique_ptr<base::Thread> event_thread_;
+  std::vector<::quic::CertificateFingerprint> server_certificate_fingerprints;
 };
 
 }  // namespace quic

quic_transport/sdk/impl/quic_transport_factory_impl.cc

@@ -29,17 +29,39 @@
 #include "net/third_party/quiche/src/quiche/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.h"
-//#include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
+#include "net/quic/platform/impl/quic_chromium_clock.h"
 
 using std::string;
 
 namespace net {
 
+// From
+// https://wicg.github.io/web-transport/#dom-quictransportconfiguration-server_certificate_fingerprints
+constexpr int kCustomCertificateMaxValidityDays = 14;
+
+std::unique_ptr<::quic::ProofVerifier> CreateProofVerifier(
+    quic::QuicChromiumClock* clock,
+    const std::vector<::quic::CertificateFingerprint> server_certificate_fingerprints) {
+
+  auto verifier =
+      std::make_unique<::quic::WebTransportFingerprintProofVerifier>(
+          clock, kCustomCertificateMaxValidityDays);
+  for (const ::quic::CertificateFingerprint& fingerprint :
+       server_certificate_fingerprints) {
+    bool success = verifier->AddFingerprint(fingerprint);
+    if (!success) {
+      DLOG(WARNING) << "Failed to add a certificate fingerprint: "
+                    << fingerprint.fingerprint;
+    }
+  }
+  return verifier;
+}
+
 QuicTransportOwtClientImpl::QuicTransportOwtClientImpl(
     quic::QuicSocketAddress server_address,
     const quic::QuicServerId& server_id,
     const quic::ParsedQuicVersionVector& supported_versions,
-    std::unique_ptr<quic::ProofVerifier> proof_verifier,
+    const std::vector<::quic::CertificateFingerprint> server_certificate_fingerprints,
     base::Thread* io_thread,
     base::Thread* event_thread)
     : quic::QuicTransportOwtClientBase(
@@ -49,7 +71,7 @@ QuicTransportOwtClientImpl::QuicTransportOwtClientImpl(
           CreateQuicConnectionHelper(),
           CreateQuicAlarmFactory(),
           base::WrapUnique(CreateNetworkHelper()),
-          std::move(proof_verifier),
+          CreateProofVerifier(&clock_, server_certificate_fingerprints),
           nullptr,
           io_thread->task_runner().get(),
           event_thread->task_runner().get()),

quic_transport/sdk/impl/quic_transport_factory_impl.h

@@ -23,7 +23,7 @@
 #include "owt/quic_transport/sdk/impl/quic_transport_owt_client_base.h"
 #include "owt/quic/quic_transport_client_interface.h"
 #include "owt/quic/quic_transport_stream_interface.h"
-#include "owt/quic_transport/sdk/impl/proof_verifier_owt.h"
+#include "net/third_party/quiche/src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h"
 #include "base/threading/thread.h"
 
 namespace net {
@@ -40,7 +40,7 @@ class QuicTransportOwtClientImpl : public quic::QuicTransportOwtClientBase,
   QuicTransportOwtClientImpl(quic::QuicSocketAddress server_address,
                    const quic::QuicServerId& server_id,
                    const quic::ParsedQuicVersionVector& supported_versions,
-                   std::unique_ptr<quic::ProofVerifier> proof_verifier,
+                   const std::vector<::quic::CertificateFingerprint> server_certificate_fingerprints,
                    base::Thread* io_thread,
                    base::Thread* event_thread);