Chromium Code Reviews Chromium Code Reviews
Issue 9415040:
Refactor TransportSecurityState. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 127 // set on Windows XP without error. There is some overhead from the server | 127 // set on Windows XP without error. There is some overhead from the server |
| 128 // sending the OCSP response if it supports the extension, for the subset of | 128 // sending the OCSP response if it supports the extension, for the subset of |
| 129 // XP clients who will request it but be unable to use it, but this is an | 129 // XP clients who will request it but be unable to use it, but this is an |
| 130 // acceptable trade-off for simplicity of implementation. | 130 // acceptable trade-off for simplicity of implementation. |
| 131 static bool IsOCSPStaplingSupported() { | 131 static bool IsOCSPStaplingSupported() { |
| 132 return true; | 132 return true; |
| 133 } | 133 } |
| 134 #elif defined(USE_NSS) | 134 #elif defined(USE_NSS) |
| 135 typedef SECStatus | 135 typedef SECStatus |
| 136 (*CacheOCSPResponseFromSideChannelFunction)( | 136 (*CacheOCSPResponseFromSideChannelFunction)( |
| 137 CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time, | 137 CERTCertDBHandle* handle, CERTCertificate *cert, PRTime time, |
| 138 SECItem *encodedResponse, void *pwArg); | 138 SECItem* encodedResponse, void *pwArg); |
|
Ryan Sleevi
2012/03/28 00:50:32
This were typed such to match the underlying NSS s
palmer
2012/04/10 23:25:51
Done.
| |
| 139 | 139 |
| 140 // On Linux, we dynamically link against the system version of libnss3.so. In | 140 // On Linux, we dynamically link against the system version of libnss3.so. In |
| 141 // order to continue working on systems without up-to-date versions of NSS we | 141 // order to continue working on systems without up-to-date versions of NSS we |
| 142 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym. | 142 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym. |
| 143 | 143 |
| 144 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any | 144 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any |
| 145 // runtime symbol resolution that we need. | 145 // runtime symbol resolution that we need. |
| 146 class RuntimeLibNSSFunctionPointers { | 146 class RuntimeLibNSSFunctionPointers { |
| 147 public: | 147 public: |
| 148 CacheOCSPResponseFromSideChannelFunction | 148 CacheOCSPResponseFromSideChannelFunction |
| (...skipping 1578 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1727 | 1727 |
| 1728 if (!start_cert_verification_time_.is_null()) { | 1728 if (!start_cert_verification_time_.is_null()) { |
| 1729 base::TimeDelta verify_time = | 1729 base::TimeDelta verify_time = |
| 1730 base::TimeTicks::Now() - start_cert_verification_time_; | 1730 base::TimeTicks::Now() - start_cert_verification_time_; |
| 1731 if (result == OK) | 1731 if (result == OK) |
| 1732 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time); | 1732 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time); |
| 1733 else | 1733 else |
| 1734 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time); | 1734 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time); |
| 1735 } | 1735 } |
| 1736 | 1736 |
| 1737 PeerCertificateChain chain(nss_fd_); | |
| 1738 for (unsigned i = 1; i < chain.size(); i++) { | |
| 1739 if (strcmp(chain[i]->subjectName, "CN=meta") != 0) | |
| 1740 continue; | |
| 1741 | |
| 1742 base::StringPiece leaf_der( | |
| 1743 reinterpret_cast<char*>(server_cert_nss_->derCert.data), | |
| 1744 server_cert_nss_->derCert.len); | |
| 1745 base::StringPiece leaf_spki; | |
| 1746 if (!asn1::ExtractSPKIFromDERCert(leaf_der, &leaf_spki)) | |
| 1747 break; | |
| 1748 | |
| 1749 static SECOidTag side_data_tag; | |
| 1750 static bool side_data_tag_valid; | |
| 1751 if (!side_data_tag_valid) { | |
| 1752 // It's harmless if multiple threads enter this block concurrently. | |
| 1753 static const uint8 kSideDataOID[] = | |
| 1754 // 1.3.6.1.4.1.11129.2.1.4 | |
| 1755 // (iso.org.dod.internet.private.enterprises.google.googleSecurity. | |
| 1756 // certificateExtensions.sideData) | |
| 1757 {0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x05}; | |
| 1758 SECOidData oid_data; | |
| 1759 memset(&oid_data, 0, sizeof(oid_data)); | |
| 1760 oid_data.oid.data = const_cast<uint8*>(kSideDataOID); | |
| 1761 oid_data.oid.len = sizeof(kSideDataOID); | |
| 1762 oid_data.desc = "Certificate side data"; | |
| 1763 oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION; | |
| 1764 side_data_tag = SECOID_AddEntry(&oid_data); | |
| 1765 DCHECK_NE(SEC_OID_UNKNOWN, side_data_tag); | |
| 1766 side_data_tag_valid = true; | |
| 1767 } | |
| 1768 | |
| 1769 SECItem side_data_item; | |
| 1770 SECStatus rv = CERT_FindCertExtension(chain[i], | |
| 1771 side_data_tag, &side_data_item); | |
| 1772 if (rv != SECSuccess) | |
| 1773 continue; | |
| 1774 | |
| 1775 base::StringPiece side_data( | |
| 1776 reinterpret_cast<char*>(side_data_item.data), | |
| 1777 side_data_item.len); | |
| 1778 | |
| 1779 if (!TransportSecurityState::ParseSidePin( | |
| 1780 leaf_spki, side_data, &side_pinned_public_keys_)) { | |
| 1781 LOG(WARNING) << "Side pinning data failed to parse: " | |
| 1782 << host_and_port_.host(); | |
| 1783 } | |
| 1784 break; | |
| 1785 } | |
| 1786 | |
| 1787 // We used to remember the intermediate CA certs in the NSS database | 1737 // We used to remember the intermediate CA certs in the NSS database |
| 1788 // persistently. However, NSS opens a connection to the SQLite database | 1738 // persistently. However, NSS opens a connection to the SQLite database |
| 1789 // during NSS initialization and doesn't close the connection until NSS | 1739 // during NSS initialization and doesn't close the connection until NSS |
| 1790 // shuts down. If the file system where the database resides is gone, | 1740 // shuts down. If the file system where the database resides is gone, |
| 1791 // the database connection goes bad. What's worse, the connection won't | 1741 // the database connection goes bad. What's worse, the connection won't |
| 1792 // recover when the file system comes back. Until this NSS or SQLite bug | 1742 // recover when the file system comes back. Until this NSS or SQLite bug |
| 1793 // is fixed, we need to avoid using the NSS database for non-essential | 1743 // is fixed, we need to avoid using the NSS database for non-essential |
| 1794 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and | 1744 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and |
| 1795 // http://crbug.com/15630 for more info. | 1745 // http://crbug.com/15630 for more info. |
| 1796 | 1746 |
| (...skipping 915 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2712 EnsureThreadIdAssigned(); | 2662 EnsureThreadIdAssigned(); |
| 2713 base::AutoLock auto_lock(lock_); | 2663 base::AutoLock auto_lock(lock_); |
| 2714 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 2664 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 2715 } | 2665 } |
| 2716 | 2666 |
| 2717 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { | 2667 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { |
| 2718 return server_bound_cert_service_; | 2668 return server_bound_cert_service_; |
| 2719 } | 2669 } |
| 2720 | 2670 |
| 2721 } // namespace net | 2671 } // namespace net |
| OLD | NEW |
