Provide the certificate and the SPKI hash in WebTransportFingerprintProofVerifier.

vasilvv · copybara-github · commit 4b0023652603 · 2026-02-09T14:18:32.000-08:00
This will be used to populate net::SSLInfo in Chromium.

PiperOrigin-RevId: 867770493
diff --git a/quiche/quic/core/crypto/certificate_view.cc b/quiche/quic/core/crypto/certificate_view.cc
@@ -375,6 +375,7 @@ std::unique_ptr<CertificateView> CertificateView::ParseSingleCertificate(
   result->validity_start_ = *not_before_parsed;
   result->validity_end_ = *not_after_parsed;
 
+  result->spki_ = CbsToStringPiece(spki);
   result->public_key_.reset(EVP_parse_public_key(&spki));
   if (result->public_key_ == nullptr) {
     QUIC_DLOG(WARNING) << "Failed to parse the public key";
diff --git a/quiche/quic/core/crypto/certificate_view.h b/quiche/quic/core/crypto/certificate_view.h
@@ -88,12 +88,16 @@ class QUICHE_EXPORT CertificateView {
   // Returns the type of the key used in the certificate's SPKI.
   PublicKeyType public_key_type() const;
 
+  // Returns the raw bytes of SubjectPublicKeyInfo.
+  absl::string_view raw_spki() const { return spki_; }
+
  private:
   CertificateView() = default;
 
   QuicWallTime validity_start_ = QuicWallTime::Zero();
   QuicWallTime validity_end_ = QuicWallTime::Zero();
   absl::string_view subject_der_;
+  absl::string_view spki_;
 
   // Public key parsed from SPKI.
   bssl::UniquePtr<EVP_PKEY> public_key_;
diff --git a/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.cc b/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.cc
@@ -4,6 +4,7 @@
 
 #include "quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h"
 
+#include <cstddef>
 #include <cstdint>
 #include <memory>
 #include <string>
@@ -17,9 +18,11 @@
 #include "absl/strings/string_view.h"
 #include "openssl/sha.h"
 #include "quiche/quic/core/crypto/certificate_view.h"
+#include "quiche/quic/core/crypto/proof_verifier.h"
 #include "quiche/quic/core/quic_time.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/core/quic_utils.h"
+#include "quiche/quic/core/quic_versions.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
 #include "quiche/quic/platform/api/quic_logging.h"
 #include "quiche/common/quiche_text_utils.h"
@@ -44,6 +47,12 @@ void NormalizeFingerprint(CertificateFingerprint& fingerprint) {
 constexpr char CertificateFingerprint::kSha256[];
 constexpr char WebTransportHash::kSha256[];
 
+WebTransportFingerprintProofVerifier::Details::Details(
+    Status status, absl::string_view cert, const CertificateView& parsed_cert)
+    : status_(status),
+      cert_(cert),
+      spki_sha256_hash_(RawSha256(parsed_cert.raw_spki())) {}
+
 ProofVerifyDetails* WebTransportFingerprintProofVerifier::Details::Clone()
     const {
   return new Details(*this);
@@ -140,12 +149,6 @@ QuicAsyncStatus WebTransportFingerprintProofVerifier::VerifyCertChain(
     return QUIC_FAILURE;
   }
 
-  if (!HasKnownFingerprint(certs[0])) {
-    *details = std::make_unique<Details>(Status::kUnknownFingerprint);
-    *error_details = "Certificate does not match any fingerprint";
-    return QUIC_FAILURE;
-  }
-
   std::unique_ptr<CertificateView> view =
       CertificateView::ParseSingleCertificate(certs[0]);
   if (view == nullptr) {
@@ -154,30 +157,40 @@ QuicAsyncStatus WebTransportFingerprintProofVerifier::VerifyCertChain(
     return QUIC_FAILURE;
   }
 
+  if (!HasKnownFingerprint(certs[0])) {
+    *details =
+        std::make_unique<Details>(Status::kUnknownFingerprint, certs[0], *view);
+    *error_details = "Certificate does not match any fingerprint";
+    return QUIC_FAILURE;
+  }
+
   if (!HasValidExpiry(*view)) {
-    *details = std::make_unique<Details>(Status::kExpiryTooLong);
+    *details =
+        std::make_unique<Details>(Status::kExpiryTooLong, certs[0], *view);
     *error_details =
         absl::StrCat("Certificate expiry exceeds the configured limit of ",
                      max_validity_days_, " days");
     return QUIC_FAILURE;
   }
 
   if (!IsWithinValidityPeriod(*view)) {
-    *details = std::make_unique<Details>(Status::kExpired);
+    *details = std::make_unique<Details>(Status::kExpired, certs[0], *view);
     *error_details =
         "Certificate has expired or has validity listed in the future";
     return QUIC_FAILURE;
   }
 
   if (!IsKeyTypeAllowedByPolicy(*view)) {
-    *details = std::make_unique<Details>(Status::kDisallowedKeyAlgorithm);
+    *details = std::make_unique<Details>(Status::kDisallowedKeyAlgorithm,
+                                         certs[0], *view);
     *error_details =
         absl::StrCat("Certificate uses a disallowed public key type (",
                      PublicKeyTypeToString(view->public_key_type()), ")");
     return QUIC_FAILURE;
   }
 
-  *details = std::make_unique<Details>(Status::kValidCertificate);
+  *details =
+      std::make_unique<Details>(Status::kValidCertificate, certs[0], *view);
   return QUIC_SUCCESS;
 }
 
diff --git a/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h b/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h
@@ -5,13 +5,19 @@
 #ifndef QUICHE_QUIC_CORE_CRYPTO_WEB_TRANSPORT_FINGERPRINT_PROOF_VERIFIER_H_
 #define QUICHE_QUIC_CORE_CRYPTO_WEB_TRANSPORT_FINGERPRINT_PROOF_VERIFIER_H_
 
+#include <cstdint>
+#include <memory>
+#include <string>
 #include <vector>
 
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/certificate_view.h"
 #include "quiche/quic/core/crypto/proof_verifier.h"
 #include "quiche/quic/core/quic_clock.h"
-#include "quiche/quic/platform/api/quic_export.h"
+#include "quiche/quic/core/quic_time.h"
+#include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/quic_versions.h"
+#include "quiche/common/platform/api/quiche_export.h"
 
 namespace quic {
 
@@ -68,13 +74,21 @@ class QUICHE_EXPORT WebTransportFingerprintProofVerifier
 
   class QUICHE_EXPORT Details : public ProofVerifyDetails {
    public:
+    explicit Details(Status status, absl::string_view cert,
+                     const CertificateView& parsed_cert);
+    // Used in failure states where a parsed certificate may not be available.
     explicit Details(Status status) : status_(status) {}
+
     Status status() const { return status_; }
+    absl::string_view cert() const { return cert_; }
+    absl::string_view spki_sha256_hash() const { return spki_sha256_hash_; }
 
     ProofVerifyDetails* Clone() const override;
 
    private:
     const Status status_;
+    const std::string cert_;
+    const std::string spki_sha256_hash_;
   };
 
   // |clock| is used to check if the certificate has expired.  It is not owned
diff --git a/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier_test.cc b/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier_test.cc
@@ -4,11 +4,16 @@
 
 #include "quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h"
 
+#include <cstdint>
 #include <memory>
 #include <string>
+#include <vector>
 
+#include "absl/memory/memory.h"
 #include "absl/strings/escaping.h"
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/crypto/proof_verifier.h"
+#include "quiche/quic/core/quic_time.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/core/quic_utils.h"
 #include "quiche/quic/platform/api/quic_test.h"
@@ -27,6 +32,7 @@ constexpr QuicTime::Delta kValidTime = QuicTime::Delta::FromSeconds(1580560556);
 struct VerifyResult {
   QuicAsyncStatus status;
   WebTransportFingerprintProofVerifier::Status detailed_status;
+  std::unique_ptr<WebTransportFingerprintProofVerifier::Details> details;
   std::string error;
 };
 
@@ -51,10 +57,10 @@ class WebTransportFingerprintProofVerifierTest : public QuicTest {
         /*cert_sct=*/"",
         /*context=*/nullptr, &result.error, &details, &tls_alert,
         /*callback=*/nullptr);
-    result.detailed_status =
+    result.details = absl::WrapUnique(
         static_cast<WebTransportFingerprintProofVerifier::Details*>(
-            details.get())
-            ->status();
+            details.release()));
+    result.detailed_status = result.details->status();
     return result;
   }
 
@@ -79,6 +85,11 @@ TEST_F(WebTransportFingerprintProofVerifierTest, SimpleFingerprint) {
   EXPECT_EQ(result.status, QUIC_SUCCESS);
   EXPECT_EQ(result.detailed_status,
             WebTransportFingerprintProofVerifier::Status::kValidCertificate);
+  EXPECT_EQ(result.details->cert(), kTestCertificate);
+  // Hash manually computed from the test certificate by extracting the SPKI
+  // using ascii2der/der2ascii.
+  EXPECT_EQ(absl::BytesToHexString(result.details->spki_sha256_hash()),
+            "dfbf620ab8c5c16acc9f1ce52bad06381095f157f9cc2ad8d28e71ecd6b0b8dd");
 
   result = Verify(kWildcardCertificate);
   EXPECT_EQ(result.status, QUIC_FAILURE);
@@ -148,6 +159,7 @@ TEST_F(WebTransportFingerprintProofVerifierTest, InvalidCertificate) {
   EXPECT_EQ(
       result.detailed_status,
       WebTransportFingerprintProofVerifier::Status::kCertificateParseFailure);
+  EXPECT_EQ(result.details->cert(), "");
 }
 
 TEST_F(WebTransportFingerprintProofVerifierTest, AddCertificate) {
