Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(90)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/quic/crypto/proof_verifier_chromium.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/log/net_log_event_type_list.h ('k') | net/socket/ssl_client_socket_nss.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/quic/crypto/proof_verifier_chromium.h" 5 #include "net/quic/crypto/proof_verifier_chromium.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "base/bind.h" 9 #include "base/bind.h"
10 #include "base/bind_helpers.h" 10 #include "base/bind_helpers.h"
(...skipping 271 matching lines...) Expand 10 before | Expand all | Expand 10 after
282 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { 282 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
283 cert_verifier_request_.reset(); 283 cert_verifier_request_.reset();
284 284
285 const CertVerifyResult& cert_verify_result = 285 const CertVerifyResult& cert_verify_result =
286 verify_details_->cert_verify_result; 286 verify_details_->cert_verify_result;
287 const CertStatus cert_status = cert_verify_result.cert_status; 287 const CertStatus cert_status = cert_verify_result.cert_status;
288 verify_details_->ct_verify_result.ct_policies_applied = 288 verify_details_->ct_verify_result.ct_policies_applied =
289 (result == OK && policy_enforcer_ != nullptr); 289 (result == OK && policy_enforcer_ != nullptr);
290 verify_details_->ct_verify_result.ev_policy_compliance = 290 verify_details_->ct_verify_result.ev_policy_compliance =
291 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; 291 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
292 if (result == OK && policy_enforcer_ && 292 if (result == OK && policy_enforcer_) {
293 (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { 293 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
294 ct::EVPolicyCompliance ev_policy_compliance = 294 ct::EVPolicyCompliance ev_policy_compliance =
295 policy_enforcer_->DoesConformToCTEVPolicy( 295 policy_enforcer_->DoesConformToCTEVPolicy(
296 cert_verify_result.verified_cert.get(),
297 SSLConfigService::GetEVCertsWhitelist().get(),
298 verify_details_->ct_verify_result.verified_scts, net_log_);
299 verify_details_->ct_verify_result.ev_policy_compliance =
300 ev_policy_compliance;
301 if (ev_policy_compliance !=
302 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
303 ev_policy_compliance !=
304 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
305 ev_policy_compliance !=
306 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
307 verify_details_->cert_verify_result.cert_status |=
308 CERT_STATUS_CT_COMPLIANCE_FAILED;
309 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
310 }
311 }
312
313 verify_details_->ct_verify_result.cert_policy_compliance =
314 policy_enforcer_->DoesConformToCertPolicy(
296 cert_verify_result.verified_cert.get(), 315 cert_verify_result.verified_cert.get(),
297 SSLConfigService::GetEVCertsWhitelist().get(),
298 verify_details_->ct_verify_result.verified_scts, net_log_); 316 verify_details_->ct_verify_result.verified_scts, net_log_);
299 verify_details_->ct_verify_result.ev_policy_compliance =
300 ev_policy_compliance;
301 if (ev_policy_compliance !=
302 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
303 ev_policy_compliance !=
304 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
305 ev_policy_compliance !=
306 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
307 verify_details_->cert_verify_result.cert_status |=
308 CERT_STATUS_CT_COMPLIANCE_FAILED;
309 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
310 }
311 } 317 }
312 318
313 // TODO(estark): replace 0 below with the port of the connection. 319 // TODO(estark): replace 0 below with the port of the connection.
314 if (transport_security_state_ && 320 if (transport_security_state_ &&
315 (result == OK || 321 (result == OK ||
316 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && 322 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
317 !transport_security_state_->CheckPublicKeyPins( 323 !transport_security_state_->CheckPublicKeyPins(
318 HostPortPair(hostname_, 0), 324 HostPortPair(hostname_, 0),
319 cert_verify_result.is_issued_by_known_root, 325 cert_verify_result.is_issued_by_known_root,
320 cert_verify_result.public_key_hashes, cert_.get(), 326 cert_verify_result.public_key_hashes, cert_.get(),
(...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after
450 } 456 }
451 return status; 457 return status;
452 } 458 }
453 459
454 void ProofVerifierChromium::OnJobComplete(Job* job) { 460 void ProofVerifierChromium::OnJobComplete(Job* job) {
455 active_jobs_.erase(job); 461 active_jobs_.erase(job);
456 delete job; 462 delete job;
457 } 463 }
458 464
459 } // namespace net 465 } // namespace net
OLDNEW
« no previous file with comments | « net/log/net_log_event_type_list.h ('k') | net/socket/ssl_client_socket_nss.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698