Route OCSP stapling through CertVerifier.

net/cert/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_nss.h"
 
 #include <string>
 #include <vector>
 
 #include <cert.h>
@@ skipping 15 matching lines @@
 #include "net/cert/crl_set.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_nss.h"
 
 #if defined(OS_IOS)
 #include <CommonCrypto/CommonDigest.h>
 #include "net/cert/x509_util_ios.h"
 #endif  // defined(OS_IOS)
 
+#if defined(USE_NSS_CERTS)
+#include <dlfcn.h>
+#endif
+
 namespace net {
 
 namespace {
 
 typedef scoped_ptr<
     CERTCertificatePolicies,
     crypto::NSSDestroyer<CERTCertificatePolicies,
                          CERT_DestroyCertificatePoliciesExtension> >
     ScopedCERTCertificatePolicies;
 
@@ skipping 703 matching lines @@
 #else
     CERTCertificate* cert = list[i]->os_cert_handle();
 #endif
     CERT_AddCertToListTail(result, CERT_DupCertificate(cert));
   }
   return result;
 }
 
 }  // namespace
 
-CertVerifyProcNSS::CertVerifyProcNSS() {}
+CertVerifyProcNSS::CertVerifyProcNSS() {
+#if defined(USE_NSS_CERTS)
+  cache_ocsp_response_from_side_channel_ =

[Ryan Sleevi, 2015/04/23 01:41:23]

In order to const, you have to move to a more challenging form:
#if defined(USE_NSS_CERTS)
  : cache_ocsp_response_from_side_channel_(
  reinterpret_cast<CacheOCSPResponseFromSideChannelFunction>(dlsym(...)))
#endif
  {

Yes, I unquestionably agree it's less readable, but the above at least tries to
address several issues:
1) const-explicitness for the pointer (CacheOCSPResponseFromSideChannelFunction*
const) since it will be hit on multiple threads
2) casting

[davidben, 2015/04/23 20:41:47]

Done.

+      (CacheOCSPResponseFromSideChannelFunction)dlsym(
+          RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
+#endif
+}
 
 CertVerifyProcNSS::~CertVerifyProcNSS() {}
 
 bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
+bool CertVerifyProcNSS::SupportsOCSPStapling() const {
+#if defined(USE_NSS_CERTS)
+  return cache_ocsp_response_from_side_channel_ != nullptr;

[Ryan Sleevi, 2015/04/23 01:41:23]

Drop the explicit "!= nullptr"; this follows the idiomatic form for all of our
pointer types of allowing bool coercion according to the type (raw pointers
promote to bool, scoped_ptr has a converter, scoped_refptr will eventually)

[davidben, 2015/04/23 20:41:47]

Done.

+#else
+  // TODO(davidben): Support OCSP stapling on iOS.
+  return false;
+#endif
+}
+
 int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
+    const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CERTChainVerifyCallback* chain_verify_callback,
     CertVerifyResult* verify_result) {
 #if defined(OS_IOS)
   // For iOS, the entire chain must be loaded into NSS's in-memory certificate
   // store.
   x509_util_ios::NSSCertChain scoped_chain(cert);
   CERTCertificate* cert_handle = scoped_chain.cert_handle();
 #else
   CERTCertificate* cert_handle = cert->os_cert_handle();
 #endif  // defined(OS_IOS)
 
+#if defined(USE_NSS_CERTS)
+  if (!ocsp_response.empty() &&
+      cache_ocsp_response_from_side_channel_ != nullptr) {

[Ryan Sleevi, 2015/04/23 01:41:23]

ditto bool conversion. Drop the != nullptr

[davidben, 2015/04/23 20:41:47]

Done.

+    // Note: NSS uses a global hash table, so this call will affect any

[Ryan Sleevi, 2015/04/23 01:41:23]

s/a global/a thread-safe global/

[davidben, 2015/04/23 20:41:47]

Done.

+    // concurrent verification operations on |cert| or copies of the same
+    // certificate. This is an unavoidable limitation of NSS's OCSP API.
+    SECItem ocsp_response_item;
+    ocsp_response_item.data = reinterpret_cast<unsigned char*>(
+        const_cast<char*>(ocsp_response.data()));
+    ocsp_response_item.len = ocsp_response.size();
+    cache_ocsp_response_from_side_channel_(CERT_GetDefaultCertDB(), cert_handle,
+                                           PR_Now(), &ocsp_response_item, NULL);
+  }
+#endif  // defined(USE_NSS_CERTS)
+
   if (!cert->VerifyNameMatch(hostname,
                              &verify_result->common_name_fallback_used)) {
     verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
   }
 
   // Make sure that the cert is valid now.
   SECCertTimeValidity validity = CERT_CheckCertValidTimes(
       cert_handle, PR_Now(), PR_TRUE);
   if (validity != secCertTimeValid)
     verify_result->cert_status |= CERT_STATUS_DATE_INVALID;
@@ skipping 127 matching lines @@
       verify_result->cert_status |= CERT_STATUS_IS_EV;
     }
   }
 
   return OK;
 }
 
 int CertVerifyProcNSS::VerifyInternal(
     X509Certificate* cert,
     const std::string& hostname,
+    const std::string& ocsp_response,
     int flags,
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
-  return VerifyInternalImpl(cert,
-                            hostname,
-                            flags,
-                            crl_set,
+  return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set,
                             additional_trust_anchors,
                             NULL,  // chain_verify_callback
                             verify_result);
 }
 
 }  // namespace net