Use the CT policy enforcer for QUIC, if specified.

net/quic/crypto/proof_verifier_chromium.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "crypto/signature_verifier.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
+#include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/ssl/ssl_config_service.h"
 
 using base::StringPiece;
 using base::StringPrintf;
 using std::string;
 using std::vector;
 
 namespace net {
 
 ProofVerifyDetails* ProofVerifyDetailsChromium::Clone() const {
   ProofVerifyDetailsChromium* other = new ProofVerifyDetailsChromium;
   other->cert_verify_result = cert_verify_result;
   return other;
 }
 
 // A Job handles the verification of a single proof.  It is owned by the
 // ProofVerifier. If the verification can not complete synchronously, it
 // will notify the ProofVerifier upon completion.
 class ProofVerifierChromium::Job {
  public:
   Job(ProofVerifierChromium* proof_verifier,
       CertVerifier* cert_verifier,
+      CertPolicyEnforcer* cert_policy_enforcer,
       TransportSecurityState* transport_security_state,
       int cert_verify_flags,
       const BoundNetLog& net_log);
 
   // Starts the proof verification.  If |QUIC_PENDING| is returned, then
   // |callback| will be invoked asynchronously when the verification completes.
   QuicAsyncStatus VerifyProof(const std::string& hostname,
                               const std::string& server_config,
                               const std::vector<std::string>& certs,
                               const std::string& signature,
@@ skipping 17 matching lines @@
                        const std::string& signature,
                        const std::string& cert);
 
   // Proof verifier to notify when this jobs completes.
   ProofVerifierChromium* proof_verifier_;
 
   // The underlying verifier used for verifying certificates.
   CertVerifier* verifier_;
   scoped_ptr<CertVerifier::Request> cert_verifier_request_;
 
+  CertPolicyEnforcer* policy_enforcer_;
+
   TransportSecurityState* transport_security_state_;
 
   // |hostname| specifies the hostname for which |certs| is a valid chain.
   std::string hostname_;
 
   scoped_ptr<ProofVerifierCallback> callback_;
   scoped_ptr<ProofVerifyDetailsChromium> verify_details_;
   std::string error_details_;
 
   // X509Certificate from a chain of DER encoded certificates.
   scoped_refptr<X509Certificate> cert_;
 
   // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is
   // passed to CertVerifier::Verify.
   int cert_verify_flags_;
 
   State next_state_;
 
   BoundNetLog net_log_;
 
   DISALLOW_COPY_AND_ASSIGN(Job);
 };
 
 ProofVerifierChromium::Job::Job(
     ProofVerifierChromium* proof_verifier,
     CertVerifier* cert_verifier,
+    CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state,
     int cert_verify_flags,
     const BoundNetLog& net_log)
     : proof_verifier_(proof_verifier),
       verifier_(cert_verifier),
+      policy_enforcer_(cert_policy_enforcer),
       transport_security_state_(transport_security_state),
       cert_verify_flags_(cert_verify_flags),
       next_state_(STATE_NONE),
-      net_log_(net_log) {
-}
+      net_log_(net_log) {}
 
 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof(
     const string& hostname,
     const string& server_config,
     const vector<string>& certs,
     const string& signature,
     std::string* error_details,
     scoped_ptr<ProofVerifyDetails>* verify_details,
     ProofVerifierCallback* callback) {
   DCHECK(error_details);
@@ skipping 104 matching lines @@
                  base::Unretained(this)),
       &cert_verifier_request_, net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   cert_verifier_request_.reset();
 
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
+  if (result == OK && policy_enforcer_ &&
+      (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
+    // QUIC does not support OCSP stapling or the CT TLS extension; as a
+    // result, CT can never be verified, thus the result is always empty.
+    ct::CTVerifyResult empty_ct_result;
+    if (!policy_enforcer_->DoesConformToCTEVPolicy(
+            cert_verify_result.verified_cert.get(),
+            SSLConfigService::GetEVCertsWhitelist().get(), empty_ct_result,
+            net_log_)) {
+      verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
+    }
+  }
+
   // TODO(estark): replace 0 below with the port of the connection.
   if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
       !transport_security_state_->CheckPublicKeyPins(
           HostPortPair(hostname_, 0),
           cert_verify_result.is_issued_by_known_root,
           cert_verify_result.public_key_hashes, cert_.get(),
           cert_verify_result.verified_cert.get(),
           TransportSecurityState::ENABLE_PIN_REPORTS,
           &verify_details_->pinning_failure_log)) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
-  scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
-      SSLConfigService::GetEVCertsWhitelist();
-  if ((cert_status & CERT_STATUS_IS_EV) && ev_whitelist.get() &&
-      ev_whitelist->IsValid()) {
-    const SHA256HashValue fingerprint(
-        X509Certificate::CalculateFingerprint256(cert_->os_cert_handle()));
-
-    UMA_HISTOGRAM_BOOLEAN(
-        "Net.SSL_EVCertificateInWhitelist",
-        ev_whitelist->ContainsCertificateHash(
-            std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
-  }
-
   if (result != OK) {
     std::string error_string = ErrorToString(result);
     error_details_ = StringPrintf("Failed to verify certificate chain: %s",
                                   error_string.c_str());
     DLOG(WARNING) << error_details_;
   }
 
   // Exit DoLoop and return the result to the caller to VerifyProof.
   DCHECK_EQ(STATE_NONE, next_state_);
   return result;
@@ skipping 75 matching lines @@
     DLOG(WARNING) << "VerifyFinal failed";
     return false;
   }
 
   DVLOG(1) << "VerifyFinal success";
   return true;
 }
 
 ProofVerifierChromium::ProofVerifierChromium(
     CertVerifier* cert_verifier,
+    CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state)
     : cert_verifier_(cert_verifier),
-      transport_security_state_(transport_security_state) {
-}
+      cert_policy_enforcer_(cert_policy_enforcer),
+      transport_security_state_(transport_security_state) {}
 
 ProofVerifierChromium::~ProofVerifierChromium() {
   STLDeleteElements(&active_jobs_);
 }
 
 QuicAsyncStatus ProofVerifierChromium::VerifyProof(
     const std::string& hostname,
     const std::string& server_config,
     const std::vector<std::string>& certs,
     const std::string& signature,
     const ProofVerifyContext* verify_context,
     std::string* error_details,
     scoped_ptr<ProofVerifyDetails>* verify_details,
     ProofVerifierCallback* callback) {
   if (!verify_context) {
     *error_details = "Missing context";
     return QUIC_FAILURE;
   }
   const ProofVerifyContextChromium* chromium_context =
       reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
-  scoped_ptr<Job> job(new Job(this, cert_verifier_, transport_security_state_,
-                              chromium_context->cert_verify_flags,
-                              chromium_context->net_log));
+  scoped_ptr<Job> job(new Job(
+      this, cert_verifier_, cert_policy_enforcer_, transport_security_state_,
+      chromium_context->cert_verify_flags, chromium_context->net_log));
   QuicAsyncStatus status =
       job->VerifyProof(hostname, server_config, certs, signature, error_details,
                        verify_details, callback);
   if (status == QUIC_PENDING) {
     active_jobs_.insert(job.release());
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
   delete job;
 }
 
 }  // namespace net