Use the CT policy enforcer for QUIC, if specified.

net/quic/crypto/proof_verifier_chromium.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "crypto/signature_verifier.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
+#include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/ssl/ssl_config_service.h"
 
 using base::StringPiece;
 using base::StringPrintf;
 using std::string;
 using std::vector;
 
 namespace net {
 
 ProofVerifyDetails* ProofVerifyDetailsChromium::Clone() const {
   ProofVerifyDetailsChromium* other = new ProofVerifyDetailsChromium;
   other->cert_verify_result = cert_verify_result;
   return other;
 }
 
 // A Job handles the verification of a single proof.  It is owned by the
 // ProofVerifier. If the verification can not complete synchronously, it
 // will notify the ProofVerifier upon completion.
 class ProofVerifierChromium::Job {
  public:
   Job(ProofVerifierChromium* proof_verifier,
       CertVerifier* cert_verifier,
+      CertPolicyEnforcer* cert_policy_enforcer,
       TransportSecurityState* transport_security_state,
       int cert_verify_flags,
       const BoundNetLog& net_log);
 
   // Starts the proof verification.  If |QUIC_PENDING| is returned, then
   // |callback| will be invoked asynchronously when the verification completes.
   QuicAsyncStatus VerifyProof(const std::string& hostname,
                               const std::string& server_config,
                               const std::vector<std::string>& certs,
                               const std::string& signature,
@@ skipping 17 matching lines @@
                        const std::string& signature,
                        const std::string& cert);
 
   // Proof verifier to notify when this jobs completes.
   ProofVerifierChromium* proof_verifier_;
 
   // The underlying verifier used for verifying certificates.
   CertVerifier* verifier_;
   scoped_ptr<CertVerifier::Request> cert_verifier_request_;
 
+  CertPolicyEnforcer* policy_enforcer_;
+
   TransportSecurityState* transport_security_state_;
 
   // |hostname| specifies the hostname for which |certs| is a valid chain.
   std::string hostname_;
 
   scoped_ptr<ProofVerifierCallback> callback_;
   scoped_ptr<ProofVerifyDetailsChromium> verify_details_;
   std::string error_details_;
 
   // X509Certificate from a chain of DER encoded certificates.
   scoped_refptr<X509Certificate> cert_;
 
   // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is
   // passed to CertVerifier::Verify.
   int cert_verify_flags_;
 
   State next_state_;
 
   BoundNetLog net_log_;
 
   DISALLOW_COPY_AND_ASSIGN(Job);
 };
 
 ProofVerifierChromium::Job::Job(
     ProofVerifierChromium* proof_verifier,
     CertVerifier* cert_verifier,
+    CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state,
     int cert_verify_flags,
     const BoundNetLog& net_log)
     : proof_verifier_(proof_verifier),
       verifier_(cert_verifier),
+      policy_enforcer_(cert_policy_enforcer),
       transport_security_state_(transport_security_state),
       cert_verify_flags_(cert_verify_flags),
       next_state_(STATE_NONE),
       net_log_(net_log) {
 }
 
 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof(
     const string& hostname,
     const string& server_config,
     const vector<string>& certs,
@@ skipping 109 matching lines @@
                  base::Unretained(this)),
       &cert_verifier_request_, net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   cert_verifier_request_.reset();
 
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
+
+  if (result == OK && policy_enforcer_ &&
+      (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
+    // QUIC does not support OCSP stapling or the CT TLS extension; as a
+    // result, CT can never be verified, thus the result is always empty.
+    ct::CTVerifyResult empty_ct_result;
+    if (!policy_enforcer_->DoesConformToCTEVPolicy(
+            cert_verify_result.verified_cert.get(),
+            SSLConfigService::GetEVCertsWhitelist().get(), empty_ct_result,
+            net_log_)) {
+      verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
+    }
+  }
+
   if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
       !transport_security_state_->CheckPublicKeyPins(
           hostname_,
           cert_verify_result.is_issued_by_known_root,
           cert_verify_result.public_key_hashes,
           &verify_details_->pinning_failure_log)) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
-  scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
-      SSLConfigService::GetEVCertsWhitelist();
-  if ((cert_status & CERT_STATUS_IS_EV) && ev_whitelist.get() &&
-      ev_whitelist->IsValid()) {
-    const SHA256HashValue fingerprint(
-        X509Certificate::CalculateFingerprint256(cert_->os_cert_handle()));
-
-    UMA_HISTOGRAM_BOOLEAN(
-        "Net.SSL_EVCertificateInWhitelist",
-        ev_whitelist->ContainsCertificateHash(
-            std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));

[Ryan Hamilton, 2015/07/06 17:36:48]

You would know better than I would, of course, but is it OK to remove this
histogram? My guess is that it's OK because since we're not checking CT we don't
*Really* know if this is EV?

[Ryan Sleevi, 2015/07/06 17:38:51]

This code should not have been histogramming here in the first place - that's
the responsibility of CertPolicyEnforcer. The histogram here was just sort of
hacked in to mimic the CPE being there, but leads to it representing two
different things depending on whether or not QUIC is being used.

[Ryan Hamilton, 2015/07/06 17:39:43]

Ah, that makes sense. Thanks!

-  }
-
   if (result != OK) {
     std::string error_string = ErrorToString(result);
     error_details_ = StringPrintf("Failed to verify certificate chain: %s",
                                   error_string.c_str());
     DLOG(WARNING) << error_details_;
   }
 
   // Exit DoLoop and return the result to the caller to VerifyProof.
   DCHECK_EQ(STATE_NONE, next_state_);
   return result;
@@ skipping 75 matching lines @@
     DLOG(WARNING) << "VerifyFinal failed";
     return false;
   }
 
   DVLOG(1) << "VerifyFinal success";
   return true;
 }
 
 ProofVerifierChromium::ProofVerifierChromium(
     CertVerifier* cert_verifier,
+    CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state)
     : cert_verifier_(cert_verifier),
+      cert_policy_enforcer_(cert_policy_enforcer),
       transport_security_state_(transport_security_state) {
 }
 
 ProofVerifierChromium::~ProofVerifierChromium() {
   STLDeleteElements(&active_jobs_);
 }
 
 QuicAsyncStatus ProofVerifierChromium::VerifyProof(
     const std::string& hostname,
     const std::string& server_config,
     const std::vector<std::string>& certs,
     const std::string& signature,
     const ProofVerifyContext* verify_context,
     std::string* error_details,
     scoped_ptr<ProofVerifyDetails>* verify_details,
     ProofVerifierCallback* callback) {
   if (!verify_context) {
     *error_details = "Missing context";
     return QUIC_FAILURE;
   }
   const ProofVerifyContextChromium* chromium_context =
       reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
-  scoped_ptr<Job> job(new Job(this, cert_verifier_, transport_security_state_,
-                              chromium_context->cert_verify_flags,
-                              chromium_context->net_log));
+  scoped_ptr<Job> job(new Job(
+      this, cert_verifier_, cert_policy_enforcer_, transport_security_state_,
+      chromium_context->cert_verify_flags, chromium_context->net_log));
   QuicAsyncStatus status =
       job->VerifyProof(hostname, server_config, certs, signature, error_details,
                        verify_details, callback);
   if (status == QUIC_PENDING) {
     active_jobs_.insert(job.release());
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
   delete job;
 }
 
 }  // namespace net