Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(657)

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 1578993003: Add Expect CT policy that gets checked on all certs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/quic/crypto/proof_verifier_chromium.cc ('k') | net/socket/ssl_client_socket_openssl.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 38f2a785bcb16de07688b714787f6f1d7320fc2f..1501c76a651746412cdc345d784750f215e6edb4 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -3134,30 +3134,35 @@ void SSLClientSocketNSS::VerifyCT() {
ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
ct_verify_result_.ev_policy_compliance =
ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
- if (policy_enforcer_ &&
- (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
- scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
- SSLConfigService::GetEVCertsWhitelist();
- ct::EVPolicyCompliance ev_policy_compliance =
- policy_enforcer_->DoesConformToCTEVPolicy(
- server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
- ct_verify_result_.verified_scts, net_log_);
- ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
- if (ev_policy_compliance !=
- ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
- ev_policy_compliance !=
- ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
- ev_policy_compliance !=
- ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
- // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
- VLOG(1) << "EV certificate for "
- << server_cert_verify_result_.verified_cert->subject()
- .GetDisplayName()
- << " does not conform to CT policy, removing EV status.";
- server_cert_verify_result_.cert_status |=
- CERT_STATUS_CT_COMPLIANCE_FAILED;
- server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+ if (policy_enforcer_) {
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
+ scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
+ SSLConfigService::GetEVCertsWhitelist();
+ ct::EVPolicyCompliance ev_policy_compliance =
+ policy_enforcer_->DoesConformToCTEVPolicy(
+ server_cert_verify_result_.verified_cert.get(),
+ ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_);
+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+ if (ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
+ // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
+ VLOG(1) << "EV certificate for "
+ << server_cert_verify_result_.verified_cert->subject()
+ .GetDisplayName()
+ << " does not conform to CT policy, removing EV status.";
+ server_cert_verify_result_.cert_status |=
+ CERT_STATUS_CT_COMPLIANCE_FAILED;
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+ }
}
+ ct_verify_result_.cert_policy_compliance =
+ policy_enforcer_->DoesConformToCertPolicy(
+ server_cert_verify_result_.verified_cert.get(),
+ ct_verify_result_.verified_scts, net_log_);
}
}
« no previous file with comments | « net/quic/crypto/proof_verifier_chromium.cc ('k') | net/socket/ssl_client_socket_openssl.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698