OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
11 #include "base/callback_helpers.h" | 11 #include "base/callback_helpers.h" |
12 #include "base/compiler_specific.h" | 12 #include "base/compiler_specific.h" |
13 #include "base/logging.h" | 13 #include "base/logging.h" |
14 #include "base/macros.h" | 14 #include "base/macros.h" |
15 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
16 #include "base/stl_util.h" | 16 #include "base/stl_util.h" |
17 #include "base/strings/stringprintf.h" | 17 #include "base/strings/stringprintf.h" |
18 #include "crypto/signature_verifier.h" | 18 #include "crypto/signature_verifier.h" |
19 #include "net/base/host_port_pair.h" | 19 #include "net/base/host_port_pair.h" |
20 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
21 #include "net/cert/asn1_util.h" | 21 #include "net/cert/asn1_util.h" |
22 #include "net/cert/cert_status_flags.h" | 22 #include "net/cert/cert_status_flags.h" |
23 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
24 #include "net/cert/cert_verify_result.h" | 24 #include "net/cert/cert_verify_result.h" |
25 #include "net/cert/ct_policy_enforcer.h" | 25 #include "net/cert/ct_policy_enforcer.h" |
26 #include "net/cert/ct_policy_status.h" | |
26 #include "net/cert/ct_verifier.h" | 27 #include "net/cert/ct_verifier.h" |
27 #include "net/cert/x509_certificate.h" | 28 #include "net/cert/x509_certificate.h" |
28 #include "net/cert/x509_util.h" | 29 #include "net/cert/x509_util.h" |
29 #include "net/http/transport_security_state.h" | 30 #include "net/http/transport_security_state.h" |
30 #include "net/log/net_log.h" | 31 #include "net/log/net_log.h" |
31 #include "net/quic/crypto/crypto_protocol.h" | 32 #include "net/quic/crypto/crypto_protocol.h" |
32 #include "net/ssl/ssl_config_service.h" | 33 #include "net/ssl/ssl_config_service.h" |
33 | 34 |
34 using base::StringPiece; | 35 using base::StringPiece; |
35 using base::StringPrintf; | 36 using base::StringPrintf; |
(...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
277 base::Unretained(this)), | 278 base::Unretained(this)), |
278 &cert_verifier_request_, net_log_); | 279 &cert_verifier_request_, net_log_); |
279 } | 280 } |
280 | 281 |
281 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { | 282 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { |
282 cert_verifier_request_.reset(); | 283 cert_verifier_request_.reset(); |
283 | 284 |
284 const CertVerifyResult& cert_verify_result = | 285 const CertVerifyResult& cert_verify_result = |
285 verify_details_->cert_verify_result; | 286 verify_details_->cert_verify_result; |
286 const CertStatus cert_status = cert_verify_result.cert_status; | 287 const CertStatus cert_status = cert_verify_result.cert_status; |
288 verify_details_->ct_verify_result.ct_policies_applied = | |
289 (result == OK && policy_enforcer_ != nullptr); | |
290 verify_details_->ct_verify_result.ev_policy_compliance = | |
291 ct::EV_POLICY_DOES_NOT_APPLY; | |
287 if (result == OK && policy_enforcer_ && | 292 if (result == OK && policy_enforcer_ && |
288 (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | 293 (cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { |
289 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 294 ct::EVPolicyCompliance ev_policy_compliance = |
295 policy_enforcer_->DoesConformToCTEVPolicy( | |
290 cert_verify_result.verified_cert.get(), | 296 cert_verify_result.verified_cert.get(), |
291 SSLConfigService::GetEVCertsWhitelist().get(), | 297 SSLConfigService::GetEVCertsWhitelist().get(), |
292 verify_details_->ct_verify_result, net_log_)) { | 298 verify_details_->ct_verify_result.verified_scts, net_log_); |
299 verify_details_->ct_verify_result.ev_policy_compliance = | |
300 ev_policy_compliance; | |
301 if (ev_policy_compliance != ct::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
302 ev_policy_compliance != ct::EV_POLICY_COMPLIES_VIA_SCTS) { | |
Ryan Sleevi
2016/02/11 02:57:24
Why does DOES_NOT_APPLY not need to be checked her
estark
2016/02/11 04:06:20
Oh, I think we should just be checking for DOES_NO
| |
293 verify_details_->cert_verify_result.cert_status |= | 303 verify_details_->cert_verify_result.cert_status |= |
294 CERT_STATUS_CT_COMPLIANCE_FAILED; | 304 CERT_STATUS_CT_COMPLIANCE_FAILED; |
295 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 305 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
296 } | 306 } |
297 } | 307 } |
298 | 308 |
299 // TODO(estark): replace 0 below with the port of the connection. | 309 // TODO(estark): replace 0 below with the port of the connection. |
300 if (transport_security_state_ && | 310 if (transport_security_state_ && |
301 (result == OK || | 311 (result == OK || |
302 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 312 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
(...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
436 } | 446 } |
437 return status; | 447 return status; |
438 } | 448 } |
439 | 449 |
440 void ProofVerifierChromium::OnJobComplete(Job* job) { | 450 void ProofVerifierChromium::OnJobComplete(Job* job) { |
441 active_jobs_.erase(job); | 451 active_jobs_.erase(job); |
442 delete job; | 452 delete job; |
443 } | 453 } |
444 | 454 |
445 } // namespace net | 455 } // namespace net |
OLD | NEW |