OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 77 matching lines...) | |
88 #include "crypto/scoped_nss_types.h" | 88 #include "crypto/scoped_nss_types.h" |
89 #include "net/base/address_list.h" | 89 #include "net/base/address_list.h" |
90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
92 #include "net/base/sockaddr_storage.h" | 92 #include "net/base/sockaddr_storage.h" |
93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
94 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
95 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
96 #include "net/cert/ct_ev_whitelist.h" | 96 #include "net/cert/ct_ev_whitelist.h" |
97 #include "net/cert/ct_policy_enforcer.h" | 97 #include "net/cert/ct_policy_enforcer.h" |
98 #include "net/cert/ct_policy_status.h" | |
98 #include "net/cert/ct_verifier.h" | 99 #include "net/cert/ct_verifier.h" |
99 #include "net/cert/ct_verify_result.h" | 100 #include "net/cert/ct_verify_result.h" |
100 #include "net/cert/scoped_nss_types.h" | 101 #include "net/cert/scoped_nss_types.h" |
101 #include "net/cert/sct_status_flags.h" | 102 #include "net/cert/sct_status_flags.h" |
102 #include "net/cert/x509_certificate_net_log_param.h" | 103 #include "net/cert/x509_certificate_net_log_param.h" |
103 #include "net/cert/x509_util.h" | 104 #include "net/cert/x509_util.h" |
104 #include "net/cert_net/nss_ocsp.h" | 105 #include "net/cert_net/nss_ocsp.h" |
105 #include "net/dns/dns_util.h" | 106 #include "net/dns/dns_util.h" |
106 #include "net/http/transport_security_state.h" | 107 #include "net/http/transport_security_state.h" |
107 #include "net/log/net_log.h" | 108 #include "net/log/net_log.h" |
(...skipping 2295 matching lines...) | |
2403 ssl_info->Reset(); | 2404 ssl_info->Reset(); |
2404 if (core_->state().server_cert_chain.empty() || | 2405 if (core_->state().server_cert_chain.empty() || |
2405 !core_->state().server_cert_chain[0]) { | 2406 !core_->state().server_cert_chain[0]) { |
2406 return false; | 2407 return false; |
2407 } | 2408 } |
2408 | 2409 |
2409 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 2410 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
2410 ssl_info->cert = server_cert_verify_result_.verified_cert; | 2411 ssl_info->cert = server_cert_verify_result_.verified_cert; |
2411 ssl_info->unverified_cert = core_->state().server_cert; | 2412 ssl_info->unverified_cert = core_->state().server_cert; |
2412 | 2413 |
2413 AddSCTInfoToSSLInfo(ssl_info); | 2414 AddCTInfoToSSLInfo(ssl_info); |
2414 | 2415 |
2415 ssl_info->connection_status = | 2416 ssl_info->connection_status = |
2416 core_->state().ssl_connection_status; | 2417 core_->state().ssl_connection_status; |
2417 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; | 2418 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; |
2418 ssl_info->is_issued_by_known_root = | 2419 ssl_info->is_issued_by_known_root = |
2419 server_cert_verify_result_.is_issued_by_known_root; | 2420 server_cert_verify_result_.is_issued_by_known_root; |
2420 ssl_info->client_cert_sent = | 2421 ssl_info->client_cert_sent = |
2421 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 2422 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
2422 ssl_info->channel_id_sent = core_->state().channel_id_sent; | 2423 ssl_info->channel_id_sent = core_->state().channel_id_sent; |
2423 ssl_info->pinning_failure_log = pinning_failure_log_; | 2424 ssl_info->pinning_failure_log = pinning_failure_log_; |
(...skipping 695 matching lines...) | |
3119 // Note that this is a completely synchronous operation: The CT Log Verifier | 3120 // Note that this is a completely synchronous operation: The CT Log Verifier |
3120 // gets all the data it needs for SCT verification and does not do any | 3121 // gets all the data it needs for SCT verification and does not do any |
3121 // external communication. | 3122 // external communication. |
3122 cert_transparency_verifier_->Verify( | 3123 cert_transparency_verifier_->Verify( |
3123 server_cert_verify_result_.verified_cert.get(), | 3124 server_cert_verify_result_.verified_cert.get(), |
3124 core_->state().stapled_ocsp_response, | 3125 core_->state().stapled_ocsp_response, |
3125 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); | 3126 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); |
3126 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3127 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
3127 // from the state after verification is complete, to conserve memory. | 3128 // from the state after verification is complete, to conserve memory. |
3128 | 3129 |
3130 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); | |
3131 ct_verify_result_.ev_policy_compliance = ct::EV_POLICY_DOES_NOT_APPLY; | |
3129 if (policy_enforcer_ && | 3132 if (policy_enforcer_ && |
3130 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | 3133 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
3131 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 3134 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
3132 SSLConfigService::GetEVCertsWhitelist(); | 3135 SSLConfigService::GetEVCertsWhitelist(); |
3133 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 3136 ct_verify_result_.ev_policy_compliance = |
Ryan Sleevi
2016/02/18 06:46:52
nit: in the QUIC code, a temporary is used, in thi
estark
2016/02/18 19:24:32
Done -- used a temporary everywhere.
| |
3137 policy_enforcer_->DoesConformToCTEVPolicy( | |
3134 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 3138 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
3135 ct_verify_result_, net_log_)) { | 3139 ct_verify_result_.verified_scts, net_log_); |
3140 if (ct_verify_result_.ev_policy_compliance != | |
3141 ct::EV_POLICY_DOES_NOT_APPLY && | |
3142 ct_verify_result_.ev_policy_compliance != | |
3143 ct::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
3144 ct_verify_result_.ev_policy_compliance != | |
3145 ct::EV_POLICY_COMPLIES_VIA_SCTS) { | |
3136 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 3146 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
3137 VLOG(1) << "EV certificate for " | 3147 VLOG(1) << "EV certificate for " |
3138 << server_cert_verify_result_.verified_cert->subject() | 3148 << server_cert_verify_result_.verified_cert->subject() |
3139 .GetDisplayName() | 3149 .GetDisplayName() |
3140 << " does not conform to CT policy, removing EV status."; | 3150 << " does not conform to CT policy, removing EV status."; |
3141 server_cert_verify_result_.cert_status |= | 3151 server_cert_verify_result_.cert_status |= |
3142 CERT_STATUS_CT_COMPLIANCE_FAILED; | 3152 CERT_STATUS_CT_COMPLIANCE_FAILED; |
3143 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 3153 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
3144 } | 3154 } |
3145 } | 3155 } |
3146 } | 3156 } |
3147 | 3157 |
3148 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3158 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
3149 base::AutoLock auto_lock(lock_); | 3159 base::AutoLock auto_lock(lock_); |
3150 if (valid_thread_id_ != base::kInvalidThreadId) | 3160 if (valid_thread_id_ != base::kInvalidThreadId) |
3151 return; | 3161 return; |
3152 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3162 valid_thread_id_ = base::PlatformThread::CurrentId(); |
3153 } | 3163 } |
3154 | 3164 |
3155 bool SSLClientSocketNSS::CalledOnValidThread() const { | 3165 bool SSLClientSocketNSS::CalledOnValidThread() const { |
3156 EnsureThreadIdAssigned(); | 3166 EnsureThreadIdAssigned(); |
3157 base::AutoLock auto_lock(lock_); | 3167 base::AutoLock auto_lock(lock_); |
3158 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3168 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
3159 } | 3169 } |
3160 | 3170 |
3161 void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const { | 3171 void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const { |
3162 ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_); | 3172 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_); |
3163 } | 3173 } |
3164 | 3174 |
3165 // static | 3175 // static |
3166 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) { | 3176 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) { |
3167 if (next_protos->size() < 2) { | 3177 if (next_protos->size() < 2) { |
3168 return; | 3178 return; |
3169 } | 3179 } |
3170 | 3180 |
3171 NextProto fallback_proto = next_protos->back(); | 3181 NextProto fallback_proto = next_protos->back(); |
3172 for (size_t i = next_protos->size() - 1; i > 0; --i) { | 3182 for (size_t i = next_protos->size() - 1; i > 0; --i) { |
(...skipping 13 matching lines...) | |
3186 return ERR_NOT_IMPLEMENTED; | 3196 return ERR_NOT_IMPLEMENTED; |
3187 } | 3197 } |
3188 | 3198 |
3189 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3199 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
3190 if (completed_handshake_) | 3200 if (completed_handshake_) |
3191 return SSL_FAILURE_NONE; | 3201 return SSL_FAILURE_NONE; |
3192 return SSL_FAILURE_UNKNOWN; | 3202 return SSL_FAILURE_UNKNOWN; |
3193 } | 3203 } |
3194 | 3204 |
3195 } // namespace net | 3205 } // namespace net |
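Review bot: In the EV branch at new lines 3140-3145, a return of `ct::EV_POLICY_DOES_NOT_APPLY` from DoesConformToCTEVPolicy leaves `CERT_STATUS_IS_EV` set, although the branch is only entered for a certificate already flagged EV with a non-null `policy_enforcer_`. Whether the enforcer can return that value here is not visible on this page; if it cannot, dropping it from the list makes the check strip EV on an unexpected result, and if it can, a comment should say why EV is kept. Either way the intent deserves a line above the condition, for example `// Fail closed: any result other than the compliant values below removes EV status.` The same three-way comparison presumably exists in the other socket implementations touched by this change, so a single shared predicate would keep the accepted set from drifting. The enclosing function begins in the skipped lines above this hunk.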