OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 3107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3118 // Note that this is a completely synchronous operation: The CT Log Verifier | 3118 // Note that this is a completely synchronous operation: The CT Log Verifier |
3119 // gets all the data it needs for SCT verification and does not do any | 3119 // gets all the data it needs for SCT verification and does not do any |
3120 // external communication. | 3120 // external communication. |
3121 cert_transparency_verifier_->Verify( | 3121 cert_transparency_verifier_->Verify( |
3122 server_cert_verify_result_.verified_cert.get(), | 3122 server_cert_verify_result_.verified_cert.get(), |
3123 core_->state().stapled_ocsp_response, | 3123 core_->state().stapled_ocsp_response, |
3124 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); | 3124 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); |
3125 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3125 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
3126 // from the state after verification is complete, to conserve memory. | 3126 // from the state after verification is complete, to conserve memory. |
3127 | 3127 |
3128 if (policy_enforcer_ && | 3128 if (policy_enforcer_) { |
3129 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | |
3130 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 3129 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
3131 SSLConfigService::GetEVCertsWhitelist(); | 3130 SSLConfigService::GetEVCertsWhitelist(); |
3132 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 3131 if (!policy_enforcer_->DoesConformToCertPolicy( |
3133 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 3132 server_cert_verify_result_.verified_cert.get(), |
3134 ct_verify_result_, net_log_)) { | 3133 ct_verify_result_)) { |
3134 server_cert_verify_result_.cert_status |= | |
3135 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
3136 } | |
3137 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && | |
3138 !policy_enforcer_->DoesConformToEVPolicy( | |
3139 server_cert_verify_result_.verified_cert.get(), | |
3140 server_cert_verify_result_.cert_status, ev_whitelist.get(), | |
3141 net_log_)) { | |
Ryan Sleevi
2016/01/22 23:49:41
The interface between these two methods feels wron
estark
2016/01/23 01:38:41
If we're okay with double-validating for EV, that
| |
3135 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 3142 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
3136 VLOG(1) << "EV certificate for " | 3143 VLOG(1) << "EV certificate for " |
3137 << server_cert_verify_result_.verified_cert->subject() | 3144 << server_cert_verify_result_.verified_cert->subject() |
3138 .GetDisplayName() | 3145 .GetDisplayName() |
3139 << " does not conform to CT policy, removing EV status."; | 3146 << " does not conform to CT policy, removing EV status."; |
3140 server_cert_verify_result_.cert_status |= | |
3141 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
3142 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 3147 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
3143 } | 3148 } |
3144 } | 3149 } |
3145 } | 3150 } |
3146 | 3151 |
3147 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3152 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
3148 base::AutoLock auto_lock(lock_); | 3153 base::AutoLock auto_lock(lock_); |
3149 if (valid_thread_id_ != base::kInvalidThreadId) | 3154 if (valid_thread_id_ != base::kInvalidThreadId) |
3150 return; | 3155 return; |
3151 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3156 valid_thread_id_ = base::PlatformThread::CurrentId(); |
(...skipping 26 matching lines...) Expand all Loading... | |
3178 return channel_id_service_; | 3183 return channel_id_service_; |
3179 } | 3184 } |
3180 | 3185 |
3181 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3186 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
3182 if (completed_handshake_) | 3187 if (completed_handshake_) |
3183 return SSL_FAILURE_NONE; | 3188 return SSL_FAILURE_NONE; |
3184 return SSL_FAILURE_UNKNOWN; | 3189 return SSL_FAILURE_UNKNOWN; |
3185 } | 3190 } |
3186 | 3191 |
3187 } // namespace net | 3192 } // namespace net |
OLD | NEW |