| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 271 matching lines...) |
| 282 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { | 282 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { |
| 283 cert_verifier_request_.reset(); | 283 cert_verifier_request_.reset(); |
| 284 | 284 |
| 285 const CertVerifyResult& cert_verify_result = | 285 const CertVerifyResult& cert_verify_result = |
| 286 verify_details_->cert_verify_result; | 286 verify_details_->cert_verify_result; |
| 287 const CertStatus cert_status = cert_verify_result.cert_status; | 287 const CertStatus cert_status = cert_verify_result.cert_status; |
| 288 verify_details_->ct_verify_result.ct_policies_applied = | 288 verify_details_->ct_verify_result.ct_policies_applied = |
| 289 (result == OK && policy_enforcer_ != nullptr); | 289 (result == OK && policy_enforcer_ != nullptr); |
| 290 verify_details_->ct_verify_result.ev_policy_compliance = | 290 verify_details_->ct_verify_result.ev_policy_compliance = |
| 291 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 291 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 292 if (result == OK && policy_enforcer_ && | 292 if (result == OK && policy_enforcer_) { |
| 293 (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | 293 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { |
| 294 ct::EVPolicyCompliance ev_policy_compliance = | 294 ct::EVPolicyCompliance ev_policy_compliance = |
| 295 policy_enforcer_->DoesConformToCTEVPolicy( | 295 policy_enforcer_->DoesConformToCTEVPolicy( |
| 296 cert_verify_result.verified_cert.get(), |
| 297 SSLConfigService::GetEVCertsWhitelist().get(), |
| 298 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 299 verify_details_->ct_verify_result.ev_policy_compliance = |
| 300 ev_policy_compliance; |
| 301 if (ev_policy_compliance != |
| 302 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 303 ev_policy_compliance != |
| 304 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 305 ev_policy_compliance != |
| 306 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 307 verify_details_->cert_verify_result.cert_status |= |
| 308 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 309 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 310 } |
| 311 } |
| 312 |
| 313 verify_details_->ct_verify_result.cert_policy_compliance = |
| 314 policy_enforcer_->DoesConformToCertPolicy( |
| 296 cert_verify_result.verified_cert.get(), | 315 cert_verify_result.verified_cert.get(), |
| 297 SSLConfigService::GetEVCertsWhitelist().get(), | |
| 298 verify_details_->ct_verify_result.verified_scts, net_log_); | 316 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 299 verify_details_->ct_verify_result.ev_policy_compliance = | |
| 300 ev_policy_compliance; | |
| 301 if (ev_policy_compliance != | |
| 302 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | |
| 303 ev_policy_compliance != | |
| 304 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
| 305 ev_policy_compliance != | |
| 306 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | |
| 307 verify_details_->cert_verify_result.cert_status |= | |
| 308 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
| 309 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | |
| 310 } | |
| 311 } | 317 } |
| 312 | 318 |
| 313 // TODO(estark): replace 0 below with the port of the connection. | 319 // TODO(estark): replace 0 below with the port of the connection. |
| 314 if (transport_security_state_ && | 320 if (transport_security_state_ && |
| 315 (result == OK || | 321 (result == OK || |
| 316 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 322 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 317 !transport_security_state_->CheckPublicKeyPins( | 323 !transport_security_state_->CheckPublicKeyPins( |
| 318 HostPortPair(hostname_, 0), | 324 HostPortPair(hostname_, 0), |
| 319 cert_verify_result.is_issued_by_known_root, | 325 cert_verify_result.is_issued_by_known_root, |
| 320 cert_verify_result.public_key_hashes, cert_.get(), | 326 cert_verify_result.public_key_hashes, cert_.get(), |
| (...skipping 129 matching lines...) |
| 450 } | 456 } |
| 451 return status; | 457 return status; |
| 452 } | 458 } |
| 453 | 459 |
| 454 void ProofVerifierChromium::OnJobComplete(Job* job) { | 460 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 455 active_jobs_.erase(job); | 461 active_jobs_.erase(job); |
| 456 delete job; | 462 delete job; |
| 457 } | 463 } |
| 458 | 464 |
| 459 } // namespace net | 465 } // namespace net |
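Review bot: In `DoVerifyCertComplete`, the new `cert_policy_compliance` value returned by `DoesConformToCertPolicy` is only stored; nothing in the visible lines feeds it into `result` or `cert_status`, whereas the EV branch just above sets `CERT_STATUS_CT_COMPLIANCE_FAILED` and clears `CERT_STATUS_IS_EV` on failure. If that is intentional, a comment above the call would say so, for example `// Recorded for consumers of ct_verify_result only; does not change |result| or cert_status.`, so a reader does not assume CT policy is enforced for non-EV certificates here. The field is also assigned only when `result == OK && policy_enforcer_`, while `ev_policy_compliance` gets an explicit `EV_POLICY_DOES_NOT_APPLY` default first. On the other paths it keeps its initial value, which is not visible on this page, so callers should probably check `ct_policies_applied` before reading it, and the comment could state that as well. The function body continues past the skipped lines, so later handling of the value cannot be ruled out from this view.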
| OLD | NEW |