net/socket/ssl_client_socket_openssl.cc - Issue 1578993003: Add Expect CT policy that gets checked on all certs

Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: rsleevi nits Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/socket/ssl_client_socket_openssl.cc

diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc

index b92c4a8f7803768aa6bebddff4aa5424c437f9cb..3bb4147a37c060a7dd44af094a6572c1db23592d 100644

--- a/net/socket/ssl_client_socket_openssl.cc

+++ b/net/socket/ssl_client_socket_openssl.cc

@@ -1483,30 +1483,35 @@ void SSLClientSocketOpenSSL::VerifyCT() {

ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);

ct_verify_result_.ev_policy_compliance =

ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;

- if (policy_enforcer_ &&

- (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {

- scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =

- SSLConfigService::GetEVCertsWhitelist();

- ct::EVPolicyCompliance ev_policy_compliance =

- policy_enforcer_->DoesConformToCTEVPolicy(

- server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),

- ct_verify_result_.verified_scts, net_log_);

- ct_verify_result_.ev_policy_compliance = ev_policy_compliance;

- if (ev_policy_compliance !=

- ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&

- ev_policy_compliance !=

- ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&

- ev_policy_compliance !=

- ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {

- // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766

- VLOG(1) << "EV certificate for "

- << server_cert_verify_result_.verified_cert->subject()

- .GetDisplayName()

- << " does not conform to CT policy, removing EV status.";

- server_cert_verify_result_.cert_status |=

- CERT_STATUS_CT_COMPLIANCE_FAILED;

- server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;

+ if (policy_enforcer_) {

+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {

+ scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =

+ SSLConfigService::GetEVCertsWhitelist();

+ ct::EVPolicyCompliance ev_policy_compliance =

+ policy_enforcer_->DoesConformToCTEVPolicy(

+ server_cert_verify_result_.verified_cert.get(),

+ ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_);

+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;

+ if (ev_policy_compliance !=

+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&

+ ev_policy_compliance !=

+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&

+ ev_policy_compliance !=

+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {

+ // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766

+ VLOG(1) << "EV certificate for "

+ << server_cert_verify_result_.verified_cert->subject()

+ .GetDisplayName()

+ << " does not conform to CT policy, removing EV status.";

+ server_cert_verify_result_.cert_status |=

+ CERT_STATUS_CT_COMPLIANCE_FAILED;

+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;

+ }

}

+ ct_verify_result_.cert_policy_compliance =

+ policy_enforcer_->DoesConformToCertPolicy(

+ server_cert_verify_result_.verified_cert.get(),

+ ct_verify_result_.verified_scts, net_log_);

}

« net/cert/ct_verify_result.cc ('K') | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »