| Index: net/quic/crypto/proof_verifier_chromium.cc
|
| diff --git a/net/quic/crypto/proof_verifier_chromium.cc b/net/quic/crypto/proof_verifier_chromium.cc
|
| index b08e8524f0888f1c2ecfa4bb70b232ba9bf8266d..2d4f168efed3260ec7e70e2e811ce1c07aa12c01 100644
|
| --- a/net/quic/crypto/proof_verifier_chromium.cc
|
| +++ b/net/quic/crypto/proof_verifier_chromium.cc
|
| @@ -17,9 +17,11 @@
|
| #include "net/base/host_port_pair.h"
|
| #include "net/base/net_errors.h"
|
| #include "net/cert/asn1_util.h"
|
| +#include "net/cert/cert_policy_enforcer.h"
|
| #include "net/cert/cert_status_flags.h"
|
| #include "net/cert/cert_verifier.h"
|
| #include "net/cert/cert_verify_result.h"
|
| +#include "net/cert/ct_verify_result.h"
|
| #include "net/cert/x509_certificate.h"
|
| #include "net/cert/x509_util.h"
|
| #include "net/http/transport_security_state.h"
|
| @@ -47,6 +49,7 @@ class ProofVerifierChromium::Job {
|
| public:
|
| Job(ProofVerifierChromium* proof_verifier,
|
| CertVerifier* cert_verifier,
|
| + CertPolicyEnforcer* cert_policy_enforcer,
|
| TransportSecurityState* transport_security_state,
|
| int cert_verify_flags,
|
| const BoundNetLog& net_log);
|
| @@ -84,6 +87,8 @@ class ProofVerifierChromium::Job {
|
| CertVerifier* verifier_;
|
| scoped_ptr<CertVerifier::Request> cert_verifier_request_;
|
|
|
| + CertPolicyEnforcer* policy_enforcer_;
|
| +
|
| TransportSecurityState* transport_security_state_;
|
|
|
| // |hostname| specifies the hostname for which |certs| is a valid chain.
|
| @@ -110,16 +115,17 @@ class ProofVerifierChromium::Job {
|
| ProofVerifierChromium::Job::Job(
|
| ProofVerifierChromium* proof_verifier,
|
| CertVerifier* cert_verifier,
|
| + CertPolicyEnforcer* cert_policy_enforcer,
|
| TransportSecurityState* transport_security_state,
|
| int cert_verify_flags,
|
| const BoundNetLog& net_log)
|
| : proof_verifier_(proof_verifier),
|
| verifier_(cert_verifier),
|
| + policy_enforcer_(cert_policy_enforcer),
|
| transport_security_state_(transport_security_state),
|
| cert_verify_flags_(cert_verify_flags),
|
| next_state_(STATE_NONE),
|
| - net_log_(net_log) {
|
| -}
|
| + net_log_(net_log) {}
|
|
|
| QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof(
|
| const string& hostname,
|
| @@ -244,6 +250,19 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
|
| const CertVerifyResult& cert_verify_result =
|
| verify_details_->cert_verify_result;
|
| const CertStatus cert_status = cert_verify_result.cert_status;
|
| + if (result == OK && policy_enforcer_ &&
|
| + (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
|
| + // QUIC does not support OCSP stapling or the CT TLS extension; as a
|
| + // result, CT can never be verified, thus the result is always empty.
|
| + ct::CTVerifyResult empty_ct_result;
|
| + if (!policy_enforcer_->DoesConformToCTEVPolicy(
|
| + cert_verify_result.verified_cert.get(),
|
| + SSLConfigService::GetEVCertsWhitelist().get(), empty_ct_result,
|
| + net_log_)) {
|
| + verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
|
| + }
|
| + }
|
| +
|
| // TODO(estark): replace 0 below with the port of the connection.
|
| if (transport_security_state_ &&
|
| (result == OK ||
|
| @@ -258,19 +277,6 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
|
| result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| }
|
|
|
| - scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
|
| - SSLConfigService::GetEVCertsWhitelist();
|
| - if ((cert_status & CERT_STATUS_IS_EV) && ev_whitelist.get() &&
|
| - ev_whitelist->IsValid()) {
|
| - const SHA256HashValue fingerprint(
|
| - X509Certificate::CalculateFingerprint256(cert_->os_cert_handle()));
|
| -
|
| - UMA_HISTOGRAM_BOOLEAN(
|
| - "Net.SSL_EVCertificateInWhitelist",
|
| - ev_whitelist->ContainsCertificateHash(
|
| - std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
|
| - }
|
| -
|
| if (result != OK) {
|
| std::string error_string = ErrorToString(result);
|
| error_details_ = StringPrintf("Failed to verify certificate chain: %s",
|
| @@ -366,10 +372,11 @@ bool ProofVerifierChromium::Job::VerifySignature(const string& signed_data,
|
|
|
| ProofVerifierChromium::ProofVerifierChromium(
|
| CertVerifier* cert_verifier,
|
| + CertPolicyEnforcer* cert_policy_enforcer,
|
| TransportSecurityState* transport_security_state)
|
| : cert_verifier_(cert_verifier),
|
| - transport_security_state_(transport_security_state) {
|
| -}
|
| + cert_policy_enforcer_(cert_policy_enforcer),
|
| + transport_security_state_(transport_security_state) {}
|
|
|
| ProofVerifierChromium::~ProofVerifierChromium() {
|
| STLDeleteElements(&active_jobs_);
|
| @@ -390,9 +397,9 @@ QuicAsyncStatus ProofVerifierChromium::VerifyProof(
|
| }
|
| const ProofVerifyContextChromium* chromium_context =
|
| reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
|
| - scoped_ptr<Job> job(new Job(this, cert_verifier_, transport_security_state_,
|
| - chromium_context->cert_verify_flags,
|
| - chromium_context->net_log));
|
| + scoped_ptr<Job> job(new Job(
|
| + this, cert_verifier_, cert_policy_enforcer_, transport_security_state_,
|
| + chromium_context->cert_verify_flags, chromium_context->net_log));
|
| QuicAsyncStatus status =
|
| job->VerifyProof(hostname, server_config, certs, signature, error_details,
|
| verify_details, callback);
|
|
|
Chromium Code Reviews
Issue 1216943003:
Use the CT policy enforcer for QUIC, if specified. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master