| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 2392 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2403 ssl_info->Reset(); | 2403 ssl_info->Reset(); |
| 2404 if (core_->state().server_cert_chain.empty() || | 2404 if (core_->state().server_cert_chain.empty() || |
| 2405 !core_->state().server_cert_chain[0]) { | 2405 !core_->state().server_cert_chain[0]) { |
| 2406 return false; | 2406 return false; |
| 2407 } | 2407 } |
| 2408 | 2408 |
| 2409 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 2409 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
| 2410 ssl_info->cert = server_cert_verify_result_.verified_cert; | 2410 ssl_info->cert = server_cert_verify_result_.verified_cert; |
| 2411 ssl_info->unverified_cert = core_->state().server_cert; | 2411 ssl_info->unverified_cert = core_->state().server_cert; |
| 2412 | 2412 |
| 2413 AddSCTInfoToSSLInfo(ssl_info); | 2413 AddCTInfoToSSLInfo(ssl_info); |
| 2414 | 2414 |
| 2415 ssl_info->connection_status = | 2415 ssl_info->connection_status = |
| 2416 core_->state().ssl_connection_status; | 2416 core_->state().ssl_connection_status; |
| 2417 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; | 2417 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; |
| 2418 ssl_info->is_issued_by_known_root = | 2418 ssl_info->is_issued_by_known_root = |
| 2419 server_cert_verify_result_.is_issued_by_known_root; | 2419 server_cert_verify_result_.is_issued_by_known_root; |
| 2420 ssl_info->client_cert_sent = | 2420 ssl_info->client_cert_sent = |
| 2421 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 2421 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
| 2422 ssl_info->channel_id_sent = core_->state().channel_id_sent; | 2422 ssl_info->channel_id_sent = core_->state().channel_id_sent; |
| 2423 ssl_info->pinning_failure_log = pinning_failure_log_; | 2423 ssl_info->pinning_failure_log = pinning_failure_log_; |
| (...skipping 695 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3119 // Note that this is a completely synchronous operation: The CT Log Verifier | 3119 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 3120 // gets all the data it needs for SCT verification and does not do any | 3120 // gets all the data it needs for SCT verification and does not do any |
| 3121 // external communication. | 3121 // external communication. |
| 3122 cert_transparency_verifier_->Verify( | 3122 cert_transparency_verifier_->Verify( |
| 3123 server_cert_verify_result_.verified_cert.get(), | 3123 server_cert_verify_result_.verified_cert.get(), |
| 3124 core_->state().stapled_ocsp_response, | 3124 core_->state().stapled_ocsp_response, |
| 3125 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); | 3125 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); |
| 3126 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3126 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
| 3127 // from the state after verification is complete, to conserve memory. | 3127 // from the state after verification is complete, to conserve memory. |
| 3128 | 3128 |
| 3129 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); |
| 3130 ct_verify_result_.ev_policy_compliance = |
| 3131 CTPolicyEnforcer::EV_POLICY_DOES_NOT_APPLY; |
| 3129 if (policy_enforcer_ && | 3132 if (policy_enforcer_ && |
| 3130 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | 3133 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
| 3131 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 3134 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 3132 SSLConfigService::GetEVCertsWhitelist(); | 3135 SSLConfigService::GetEVCertsWhitelist(); |
| 3133 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 3136 ct_verify_result_.ev_policy_compliance = |
| 3137 policy_enforcer_->DoesConformToCTEVPolicy( |
| 3134 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 3138 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
| 3135 ct_verify_result_, net_log_)) { | 3139 ct_verify_result_.verified_scts, net_log_); |
| 3140 if (ct_verify_result_.ev_policy_compliance != |
| 3141 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 3142 ct_verify_result_.ev_policy_compliance != |
| 3143 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 3136 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 3144 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 3137 VLOG(1) << "EV certificate for " | 3145 VLOG(1) << "EV certificate for " |
| 3138 << server_cert_verify_result_.verified_cert->subject() | 3146 << server_cert_verify_result_.verified_cert->subject() |
| 3139 .GetDisplayName() | 3147 .GetDisplayName() |
| 3140 << " does not conform to CT policy, removing EV status."; | 3148 << " does not conform to CT policy, removing EV status."; |
| 3141 server_cert_verify_result_.cert_status |= | 3149 server_cert_verify_result_.cert_status |= |
| 3142 CERT_STATUS_CT_COMPLIANCE_FAILED; | 3150 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 3143 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 3151 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 3144 } | 3152 } |
| 3145 } | 3153 } |
| 3146 } | 3154 } |
| 3147 | 3155 |
| 3148 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3156 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
| 3149 base::AutoLock auto_lock(lock_); | 3157 base::AutoLock auto_lock(lock_); |
| 3150 if (valid_thread_id_ != base::kInvalidThreadId) | 3158 if (valid_thread_id_ != base::kInvalidThreadId) |
| 3151 return; | 3159 return; |
| 3152 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3160 valid_thread_id_ = base::PlatformThread::CurrentId(); |
| 3153 } | 3161 } |
| 3154 | 3162 |
| 3155 bool SSLClientSocketNSS::CalledOnValidThread() const { | 3163 bool SSLClientSocketNSS::CalledOnValidThread() const { |
| 3156 EnsureThreadIdAssigned(); | 3164 EnsureThreadIdAssigned(); |
| 3157 base::AutoLock auto_lock(lock_); | 3165 base::AutoLock auto_lock(lock_); |
| 3158 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3166 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
| 3159 } | 3167 } |
| 3160 | 3168 |
| 3161 void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const { | 3169 void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const { |
| 3162 ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_); | 3170 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_); |
| 3163 } | 3171 } |
| 3164 | 3172 |
| 3165 // static | 3173 // static |
| 3166 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) { | 3174 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) { |
| 3167 if (next_protos->size() < 2) { | 3175 if (next_protos->size() < 2) { |
| 3168 return; | 3176 return; |
| 3169 } | 3177 } |
| 3170 | 3178 |
| 3171 NextProto fallback_proto = next_protos->back(); | 3179 NextProto fallback_proto = next_protos->back(); |
| 3172 for (size_t i = next_protos->size() - 1; i > 0; --i) { | 3180 for (size_t i = next_protos->size() - 1; i > 0; --i) { |
| (...skipping 13 matching lines...) Expand all Loading... |
| 3186 return ERR_NOT_IMPLEMENTED; | 3194 return ERR_NOT_IMPLEMENTED; |
| 3187 } | 3195 } |
| 3188 | 3196 |
| 3189 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3197 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
| 3190 if (completed_handshake_) | 3198 if (completed_handshake_) |
| 3191 return SSL_FAILURE_NONE; | 3199 return SSL_FAILURE_NONE; |
| 3192 return SSL_FAILURE_UNKNOWN; | 3200 return SSL_FAILURE_UNKNOWN; |
| 3193 } | 3201 } |
| 3194 | 3202 |
| 3195 } // namespace net | 3203 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1652603002:
Add information to SSLInfo about CT EV policy compliance (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master