Chromium Code Reviews| Index: net/cert/cert_verify_proc_nss.cc |
| diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc |
| index 1236f41dda43036f5a76343710f1cc8938bafaaa..b3aed296a40aeb52394ed5c9fbaaa9e099362612 100644 |
| --- a/net/cert/cert_verify_proc_nss.cc |
| +++ b/net/cert/cert_verify_proc_nss.cc |
| @@ -33,6 +33,10 @@ |
| #include "net/cert/x509_util_ios.h" |
| #endif // defined(OS_IOS) |
| +#if defined(USE_NSS_CERTS) |
| +#include <dlfcn.h> |
| +#endif |
| + |
| namespace net { |
| namespace { |
| @@ -756,7 +760,13 @@ CERTCertList* CertificateListToCERTCertList(const CertificateList& list) { |
| } // namespace |
| -CertVerifyProcNSS::CertVerifyProcNSS() {} |
| +CertVerifyProcNSS::CertVerifyProcNSS() { |
| +#if defined(USE_NSS_CERTS) |
| + cache_ocsp_response_from_side_channel_ = |
|
Ryan Sleevi
2015/04/23 01:41:23
In order to const, you have to move to a more chal
davidben
2015/04/23 20:41:47
Done.
|
| + (CacheOCSPResponseFromSideChannelFunction)dlsym( |
| + RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel"); |
| +#endif |
| +} |
| CertVerifyProcNSS::~CertVerifyProcNSS() {} |
| @@ -764,9 +774,19 @@ bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const { |
| return true; |
| } |
| +bool CertVerifyProcNSS::SupportsOCSPStapling() const { |
| +#if defined(USE_NSS_CERTS) |
| + return cache_ocsp_response_from_side_channel_ != nullptr; |
|
Ryan Sleevi
2015/04/23 01:41:23
Drop the explicit "!= nullptr"; this follows the i
davidben
2015/04/23 20:41:47
Done.
|
| +#else |
| + // TODO(davidben): Support OCSP stapling on iOS. |
| + return false; |
| +#endif |
| +} |
| + |
| int CertVerifyProcNSS::VerifyInternalImpl( |
| X509Certificate* cert, |
| const std::string& hostname, |
| + const std::string& ocsp_response, |
| int flags, |
| CRLSet* crl_set, |
| const CertificateList& additional_trust_anchors, |
| @@ -781,6 +801,21 @@ int CertVerifyProcNSS::VerifyInternalImpl( |
| CERTCertificate* cert_handle = cert->os_cert_handle(); |
| #endif // defined(OS_IOS) |
| +#if defined(USE_NSS_CERTS) |
| + if (!ocsp_response.empty() && |
| + cache_ocsp_response_from_side_channel_ != nullptr) { |
|
Ryan Sleevi
2015/04/23 01:41:23
ditto bool conversion. Drop the != nullptr
davidben
2015/04/23 20:41:47
Done.
|
| + // Note: NSS uses a global hash table, so this call will affect any |
|
Ryan Sleevi
2015/04/23 01:41:23
s/a global/a thread-safe global/
davidben
2015/04/23 20:41:47
Done.
|
| + // concurrent verification operations on |cert| or copies of the same |
| + // certificate. This is an unavoidable limitation of NSS's OCSP API. |
| + SECItem ocsp_response_item; |
| + ocsp_response_item.data = reinterpret_cast<unsigned char*>( |
| + const_cast<char*>(ocsp_response.data())); |
| + ocsp_response_item.len = ocsp_response.size(); |
| + cache_ocsp_response_from_side_channel_(CERT_GetDefaultCertDB(), cert_handle, |
| + PR_Now(), &ocsp_response_item, NULL); |
| + } |
| +#endif // defined(USE_NSS_CERTS) |
| + |
| if (!cert->VerifyNameMatch(hostname, |
| &verify_result->common_name_fallback_used)) { |
| verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
| @@ -928,14 +963,12 @@ int CertVerifyProcNSS::VerifyInternalImpl( |
| int CertVerifyProcNSS::VerifyInternal( |
| X509Certificate* cert, |
| const std::string& hostname, |
| + const std::string& ocsp_response, |
| int flags, |
| CRLSet* crl_set, |
| const CertificateList& additional_trust_anchors, |
| CertVerifyResult* verify_result) { |
| - return VerifyInternalImpl(cert, |
| - hostname, |
| - flags, |
| - crl_set, |
| + return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set, |
| additional_trust_anchors, |
| NULL, // chain_verify_callback |
| verify_result); |
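Review bot: In the `@@ -781,6 +801,21 @@` hunk of VerifyInternalImpl, `ocsp_response_item.len = ocsp_response.size();` narrows a size_t into SECItem's 32-bit `unsigned int len` with no check, so a response longer than the field can hold would reach NSS with a truncated length that no longer matches `data`; this is probably unreachable for a stapled response in practice, but the response is peer-supplied and the cast should be explicit rather than implicit. Add `ocsp_response.size() <= std::numeric_limits<unsigned int>::max()` to the enclosing `if` (skipping the cache rather than CHECK-failing on attacker-sized input) and write the field as `ocsp_response_item.len = static_cast<unsigned int>(ocsp_response.size());`, which needs `<limits>` if the file does not already include it above the hunk. The status returned by the side-channel call (SECStatus in NSS's signature) is also discarded, so a response NSS rejects behaves exactly like no staple; if that is intended, a comment such as `// Return value intentionally ignored: a response NSS rejects is treated as no staple.` would make it explicit. The rest of VerifyInternalImpl continues outside the hunk.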