QUIC - Code to verify SCT tag with certificate transparency verifier

net/quic/crypto/proof_verifier_chromium.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "crypto/signature_verifier.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
-#include "net/cert/ct_verify_result.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/ssl/ssl_config_service.h"
 
 using base::StringPiece;
 using base::StringPrintf;
 using std::string;
 using std::vector;
 
 namespace net {
 
 ProofVerifyDetails* ProofVerifyDetailsChromium::Clone() const {
   ProofVerifyDetailsChromium* other = new ProofVerifyDetailsChromium;
   other->cert_verify_result = cert_verify_result;
+  other->ct_verify_result = ct_verify_result;
   return other;
 }
 
 // A Job handles the verification of a single proof.  It is owned by the
 // ProofVerifier. If the verification can not complete synchronously, it
 // will notify the ProofVerifier upon completion.
 class ProofVerifierChromium::Job {
  public:
   Job(ProofVerifierChromium* proof_verifier,
       CertVerifier* cert_verifier,
       CertPolicyEnforcer* cert_policy_enforcer,
       TransportSecurityState* transport_security_state,
+      CTVerifier* cert_transparency_verifier,
       int cert_verify_flags,
       const BoundNetLog& net_log);
 
   // Starts the proof verification.  If |QUIC_PENDING| is returned, then
   // |callback| will be invoked asynchronously when the verification completes.
   QuicAsyncStatus VerifyProof(const std::string& hostname,
                               const std::string& server_config,
                               const std::vector<std::string>& certs,
                               const std::string& cert_sct,
                               const std::string& signature,
@@ skipping 21 matching lines @@
   ProofVerifierChromium* proof_verifier_;
 
   // The underlying verifier used for verifying certificates.
   CertVerifier* verifier_;
   scoped_ptr<CertVerifier::Request> cert_verifier_request_;
 
   CertPolicyEnforcer* policy_enforcer_;
 
   TransportSecurityState* transport_security_state_;
 
+  CTVerifier* cert_transparency_verifier_;
+
   // |hostname| specifies the hostname for which |certs| is a valid chain.
   std::string hostname_;
 
   scoped_ptr<ProofVerifierCallback> callback_;
   scoped_ptr<ProofVerifyDetailsChromium> verify_details_;
   std::string error_details_;
 
   // X509Certificate from a chain of DER encoded certificates.
   scoped_refptr<X509Certificate> cert_;
 
   // |cert_verify_flags| is bitwise OR'd of CertVerifier::VerifyFlags and it is
   // passed to CertVerifier::Verify.
   int cert_verify_flags_;
 
   State next_state_;
 
   BoundNetLog net_log_;
 
   DISALLOW_COPY_AND_ASSIGN(Job);
 };
 
 ProofVerifierChromium::Job::Job(
     ProofVerifierChromium* proof_verifier,
     CertVerifier* cert_verifier,
     CertPolicyEnforcer* cert_policy_enforcer,
     TransportSecurityState* transport_security_state,
+    CTVerifier* cert_transparency_verifier,
     int cert_verify_flags,
     const BoundNetLog& net_log)
     : proof_verifier_(proof_verifier),
       verifier_(cert_verifier),
       policy_enforcer_(cert_policy_enforcer),
       transport_security_state_(transport_security_state),
+      cert_transparency_verifier_(cert_transparency_verifier),
       cert_verify_flags_(cert_verify_flags),
       next_state_(STATE_NONE),
       net_log_(net_log) {}
 
 QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof(
     const string& hostname,
     const string& server_config,
     const vector<string>& certs,
     const std::string& cert_sct,
     const string& signature,
@@ skipping 29 matching lines @@
   }
   cert_ = X509Certificate::CreateFromDERCertChain(cert_pieces);
   if (!cert_.get()) {
     *error_details = "Failed to create certificate chain";
     DLOG(WARNING) << *error_details;
     verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
     *verify_details = verify_details_.Pass();
     return QUIC_FAILURE;
   }
 
+  if (cert_transparency_verifier_ && !cert_sct.empty()) {
+    // Note that this is a completely synchronous operation: The CT Log Verifier
+    // gets all the data it needs for SCT verification and does not do any
+    // external communication.
+    cert_transparency_verifier_->Verify(cert_.get(), std::string(), cert_sct,
+                                        &verify_details_->ct_verify_result,
+                                        net_log_);
+  }
+
   // We call VerifySignature first to avoid copying of server_config and
   // signature.
   if (!VerifySignature(server_config, signature, certs[0])) {
     *error_details = "Failed to verify signature of server config";
     DLOG(WARNING) << *error_details;
     verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
     *verify_details = verify_details_.Pass();
     return QUIC_FAILURE;
   }
 
@@ skipping 61 matching lines @@
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   cert_verifier_request_.reset();
 
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
   if (result == OK && policy_enforcer_ &&
       (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
-    // QUIC does not support OCSP stapling or the CT TLS extension; as a
-    // result, CT can never be verified, thus the result is always empty.
-    ct::CTVerifyResult empty_ct_result;
     if (!policy_enforcer_->DoesConformToCTEVPolicy(
             cert_verify_result.verified_cert.get(),
-            SSLConfigService::GetEVCertsWhitelist().get(), empty_ct_result,
-            net_log_)) {
+            SSLConfigService::GetEVCertsWhitelist().get(),
+            verify_details_->ct_verify_result, net_log_)) {
       verify_details_->cert_verify_result.cert_status |=
           CERT_STATUS_CT_COMPLIANCE_FAILED;
       verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
     }
   }
 
   // TODO(estark): replace 0 below with the port of the connection.
   if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
@@ skipping 91 matching lines @@
     return false;
   }
 
   DVLOG(1) << "VerifyFinal success";
   return true;
 }
 
 ProofVerifierChromium::ProofVerifierChromium(
     CertVerifier* cert_verifier,
     CertPolicyEnforcer* cert_policy_enforcer,
-    TransportSecurityState* transport_security_state)
+    TransportSecurityState* transport_security_state,
+    CTVerifier* cert_transparency_verifier)
     : cert_verifier_(cert_verifier),
       cert_policy_enforcer_(cert_policy_enforcer),
-      transport_security_state_(transport_security_state) {}
+      transport_security_state_(transport_security_state),
+      cert_transparency_verifier_(cert_transparency_verifier) {}
 
 ProofVerifierChromium::~ProofVerifierChromium() {
   STLDeleteElements(&active_jobs_);
 }
 
 QuicAsyncStatus ProofVerifierChromium::VerifyProof(
     const std::string& hostname,
     const std::string& server_config,
     const std::vector<std::string>& certs,
     const std::string& cert_sct,
     const std::string& signature,
     const ProofVerifyContext* verify_context,
     std::string* error_details,
     scoped_ptr<ProofVerifyDetails>* verify_details,
     ProofVerifierCallback* callback) {
   if (!verify_context) {
     *error_details = "Missing context";
     return QUIC_FAILURE;
   }
   const ProofVerifyContextChromium* chromium_context =
       reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
-  scoped_ptr<Job> job(new Job(
-      this, cert_verifier_, cert_policy_enforcer_, transport_security_state_,
-      chromium_context->cert_verify_flags, chromium_context->net_log));
+  scoped_ptr<Job> job(
+      new Job(this, cert_verifier_, cert_policy_enforcer_,
+              transport_security_state_, cert_transparency_verifier_,
+              chromium_context->cert_verify_flags, chromium_context->net_log));
   QuicAsyncStatus status =
       job->VerifyProof(hostname, server_config, certs, cert_sct, signature,
                        error_details, verify_details, callback);
   if (status == QUIC_PENDING) {
     active_jobs_.insert(job.release());
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
   delete job;
 }
 
 }  // namespace net