Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(679)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix browser tests, kinda hacky :( Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/ct_policy_enforcer.cc ('K') | « net/quic/crypto/proof_verifier_chromium_test.cc ('k') | net/socket/ssl_client_socket_openssl.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index e1a8335055799cda13761e3b1d0fd88015e9b100..1416c77d60b31283a2da58399150c000c9389eba 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -3125,20 +3125,25 @@ void SSLClientSocketNSS::VerifyCT() {
// TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
// from the state after verification is complete, to conserve memory.
- if (policy_enforcer_ &&
- (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
+ if (policy_enforcer_) {
scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
SSLConfigService::GetEVCertsWhitelist();
- if (!policy_enforcer_->DoesConformToCTEVPolicy(
- server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
- ct_verify_result_, net_log_)) {
+ if (!policy_enforcer_->DoesConformToCertPolicy(
+ server_cert_verify_result_.verified_cert.get(),
+ ct_verify_result_)) {
+ server_cert_verify_result_.cert_status |=
+ CERT_STATUS_CT_COMPLIANCE_FAILED;
+ }
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&
+ !policy_enforcer_->DoesConformToEVPolicy(
+ server_cert_verify_result_.verified_cert.get(),
+ server_cert_verify_result_.cert_status, ev_whitelist.get(),
+ net_log_)) {
Ryan Sleevi 2016/01/22 23:49:41 The interface between these two methods feels wron
estark 2016/01/23 01:38:41 If we're okay with double-validating for EV, that
// TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
VLOG(1) << "EV certificate for "
<< server_cert_verify_result_.verified_cert->subject()
.GetDisplayName()
<< " does not conform to CT policy, removing EV status.";
- server_cert_verify_result_.cert_status |=
- CERT_STATUS_CT_COMPLIANCE_FAILED;
server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
}
}
« net/cert/ct_policy_enforcer.cc ('K') | « net/quic/crypto/proof_verifier_chromium_test.cc ('k') | net/socket/ssl_client_socket_openssl.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698