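--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -3127,44 +3127,49 @@
   cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert.get(),
       core_->state().stapled_ocsp_response,
       core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_);
   // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
   // from the state after verification is complete, to conserve memory.
 
   ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
   ct_verify_result_.ev_policy_compliance =
       ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
-  if (policy_enforcer_ &&
-      (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
+  if (policy_enforcer_) {
+    if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
       scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
           SSLConfigService::GetEVCertsWhitelist();
       ct::EVPolicyCompliance ev_policy_compliance =
           policy_enforcer_->DoesConformToCTEVPolicy(
-            server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
-            ct_verify_result_.verified_scts, net_log_);
-    ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
-    if (ev_policy_compliance !=
-            ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
-        ev_policy_compliance !=
-            ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
-        ev_policy_compliance !=
-            ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
-      // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
-      VLOG(1) << "EV certificate for "
-              << server_cert_verify_result_.verified_cert->subject()
-                     .GetDisplayName()
-              << " does not conform to CT policy, removing EV status.";
-      server_cert_verify_result_.cert_status |=
-          CERT_STATUS_CT_COMPLIANCE_FAILED;
-      server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
-    }
+              server_cert_verify_result_.verified_cert.get(),
+              ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_);
+      ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+      if (ev_policy_compliance !=
+              ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+          ev_policy_compliance !=
+              ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+          ev_policy_compliance !=
+              ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
+        // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
+        VLOG(1) << "EV certificate for "
+                << server_cert_verify_result_.verified_cert->subject()
+                       .GetDisplayName()
+                << " does not conform to CT policy, removing EV status.";
+        server_cert_verify_result_.cert_status |=
+            CERT_STATUS_CT_COMPLIANCE_FAILED;
+        server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+      }
+    }
+    ct_verify_result_.cert_policy_compliance =
+        policy_enforcer_->DoesConformToCertPolicy(
+            server_cert_verify_result_.verified_cert.get(),
+            ct_verify_result_.verified_scts, net_log_);
   }
 }
 
 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
   base::AutoLock auto_lock(lock_);
   if (valid_thread_id_ != base::kInvalidThreadId)
     return;
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
@@ -3206,10 +3211,10 @@
   return core_->GetChannelIDKey();
 }
 
 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const {
   if (completed_handshake_)
     return SSL_FAILURE_NONE;
   return SSL_FAILURE_UNKNOWN;
 }
 
 }  // namespace net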
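Review bot: `ct_verify_result_.cert_policy_compliance` (new lines 3162–3165) is assigned only inside the `if (policy_enforcer_)` branch, whereas `ev_policy_compliance` is given an explicit default at 3135–3136 before the branch, so when no enforcer is configured the field keeps whatever value `ct_verify_result_` already held. Unless `CTVerifyResult` resets it on construction (its definition is outside this section), give it a matching default next to the `ev_policy_compliance` initialization so the two fields are reported consistently. The condition at 3138 also carries a redundant pair of parentheses; `if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {` reads the same. `DoVerifyCertComplete` begins before this section.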