OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 2392 matching lines...)
2403 ssl_info->Reset(); | 2403 ssl_info->Reset(); |
2404 if (core_->state().server_cert_chain.empty() || | 2404 if (core_->state().server_cert_chain.empty() || |
2405 !core_->state().server_cert_chain[0]) { | 2405 !core_->state().server_cert_chain[0]) { |
2406 return false; | 2406 return false; |
2407 } | 2407 } |
2408 | 2408 |
2409 ssl_info->cert_status = server_cert_verify_result_.cert_status; | 2409 ssl_info->cert_status = server_cert_verify_result_.cert_status; |
2410 ssl_info->cert = server_cert_verify_result_.verified_cert; | 2410 ssl_info->cert = server_cert_verify_result_.verified_cert; |
2411 ssl_info->unverified_cert = core_->state().server_cert; | 2411 ssl_info->unverified_cert = core_->state().server_cert; |
2412 | 2412 |
2413 AddSCTInfoToSSLInfo(ssl_info); | 2413 AddCTInfoToSSLInfo(ssl_info); |
2414 | 2414 |
2415 ssl_info->connection_status = | 2415 ssl_info->connection_status = |
2416 core_->state().ssl_connection_status; | 2416 core_->state().ssl_connection_status; |
2417 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; | 2417 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; |
2418 ssl_info->is_issued_by_known_root = | 2418 ssl_info->is_issued_by_known_root = |
2419 server_cert_verify_result_.is_issued_by_known_root; | 2419 server_cert_verify_result_.is_issued_by_known_root; |
2420 ssl_info->client_cert_sent = | 2420 ssl_info->client_cert_sent = |
2421 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); | 2421 ssl_config_.send_client_cert && ssl_config_.client_cert.get(); |
2422 ssl_info->channel_id_sent = core_->state().channel_id_sent; | 2422 ssl_info->channel_id_sent = core_->state().channel_id_sent; |
2423 ssl_info->pinning_failure_log = pinning_failure_log_; | 2423 ssl_info->pinning_failure_log = pinning_failure_log_; |
(...skipping 695 matching lines...)
3119 // Note that this is a completely synchronous operation: The CT Log Verifier | 3119 // Note that this is a completely synchronous operation: The CT Log Verifier |
3120 // gets all the data it needs for SCT verification and does not do any | 3120 // gets all the data it needs for SCT verification and does not do any |
3121 // external communication. | 3121 // external communication. |
3122 cert_transparency_verifier_->Verify( | 3122 cert_transparency_verifier_->Verify( |
3123 server_cert_verify_result_.verified_cert.get(), | 3123 server_cert_verify_result_.verified_cert.get(), |
3124 core_->state().stapled_ocsp_response, | 3124 core_->state().stapled_ocsp_response, |
3125 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); | 3125 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); |
3126 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3126 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
3127 // from the state after verification is complete, to conserve memory. | 3127 // from the state after verification is complete, to conserve memory. |
3128 | 3128 |
| 3129 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); |
| 3130 ct_verify_result_.ev_policy_compliance = |
| 3131 CTPolicyEnforcer::EV_POLICY_DOES_NOT_APPLY; |
3129 if (policy_enforcer_ && | 3132 if (policy_enforcer_ && |
3130 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { | 3133 (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { |
3131 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | 3134 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
3132 SSLConfigService::GetEVCertsWhitelist(); | 3135 SSLConfigService::GetEVCertsWhitelist(); |
3133 if (!policy_enforcer_->DoesConformToCTEVPolicy( | 3136 ct_verify_result_.ev_policy_compliance = |
| 3137 policy_enforcer_->DoesConformToCTEVPolicy( |
3134 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | 3138 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
3135 ct_verify_result_, net_log_)) { | 3139 ct_verify_result_.verified_scts, net_log_); |
| 3140 if (ct_verify_result_.ev_policy_compliance != |
| 3141 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 3142 ct_verify_result_.ev_policy_compliance != |
| 3143 CTPolicyEnforcer::EV_POLICY_COMPLIES_VIA_SCTS) { |
3136 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 | 3144 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
3137 VLOG(1) << "EV certificate for " | 3145 VLOG(1) << "EV certificate for " |
3138 << server_cert_verify_result_.verified_cert->subject() | 3146 << server_cert_verify_result_.verified_cert->subject() |
3139 .GetDisplayName() | 3147 .GetDisplayName() |
3140 << " does not conform to CT policy, removing EV status."; | 3148 << " does not conform to CT policy, removing EV status."; |
3141 server_cert_verify_result_.cert_status |= | 3149 server_cert_verify_result_.cert_status |= |
3142 CERT_STATUS_CT_COMPLIANCE_FAILED; | 3150 CERT_STATUS_CT_COMPLIANCE_FAILED; |
3143 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | 3151 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
3144 } | 3152 } |
3145 } | 3153 } |
3146 } | 3154 } |
3147 | 3155 |
3148 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3156 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
3149 base::AutoLock auto_lock(lock_); | 3157 base::AutoLock auto_lock(lock_); |
3150 if (valid_thread_id_ != base::kInvalidThreadId) | 3158 if (valid_thread_id_ != base::kInvalidThreadId) |
3151 return; | 3159 return; |
3152 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3160 valid_thread_id_ = base::PlatformThread::CurrentId(); |
3153 } | 3161 } |
3154 | 3162 |
3155 bool SSLClientSocketNSS::CalledOnValidThread() const { | 3163 bool SSLClientSocketNSS::CalledOnValidThread() const { |
3156 EnsureThreadIdAssigned(); | 3164 EnsureThreadIdAssigned(); |
3157 base::AutoLock auto_lock(lock_); | 3165 base::AutoLock auto_lock(lock_); |
3158 return valid_thread_id_ == base::PlatformThread::CurrentId(); | 3166 return valid_thread_id_ == base::PlatformThread::CurrentId(); |
3159 } | 3167 } |
3160 | 3168 |
3161 void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const { | 3169 void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const { |
3162 ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_); | 3170 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_); |
3163 } | 3171 } |
3164 | 3172 |
3165 // static | 3173 // static |
3166 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) { | 3174 void SSLClientSocketNSS::ReorderNextProtos(NextProtoVector* next_protos) { |
3167 if (next_protos->size() < 2) { | 3175 if (next_protos->size() < 2) { |
3168 return; | 3176 return; |
3169 } | 3177 } |
3170 | 3178 |
3171 NextProto fallback_proto = next_protos->back(); | 3179 NextProto fallback_proto = next_protos->back(); |
3172 for (size_t i = next_protos->size() - 1; i > 0; --i) { | 3180 for (size_t i = next_protos->size() - 1; i > 0; --i) { |
(...skipping 13 matching lines...)
3186 return ERR_NOT_IMPLEMENTED; | 3194 return ERR_NOT_IMPLEMENTED; |
3187 } | 3195 } |
3188 | 3196 |
3189 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { | 3197 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const { |
3190 if (completed_handshake_) | 3198 if (completed_handshake_) |
3191 return SSL_FAILURE_NONE; | 3199 return SSL_FAILURE_NONE; |
3192 return SSL_FAILURE_UNKNOWN; | 3200 return SSL_FAILURE_UNKNOWN; |
3193 } | 3201 } |
3194 | 3202 |
3195 } // namespace net | 3203 } // namespace net |
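Review bot: The EV downgrade at new lines 3140-3143 is written as an allow-list (any result other than `EV_POLICY_COMPLIES_VIA_WHITELIST` or `EV_POLICY_COMPLIES_VIA_SCTS` sets `CERT_STATUS_CT_COMPLIANCE_FAILED` and clears `CERT_STATUS_IS_EV`), which fails closed if `CTPolicyEnforcer` later gains result values, but nothing in the code says this is intentional. A comment above the condition such as `// Fail closed: any result other than the two COMPLIES values removes EV, including values added later.` would keep a later edit from rewriting it as a test against specific failure values. Separately, `ct_policies_applied` at new line 3129 is true whenever an enforcer is present, even for a non-EV certificate where `ev_policy_compliance` stays `EV_POLICY_DOES_NOT_APPLY`, so code reading the result presumably has to consult both fields; a short comment where the flag is set, e.g. `// True when an enforcer exists, not when a policy was evaluated; see ev_policy_compliance.`, would make that explicit. The start of the enclosing function lies in the skipped lines, so whether an earlier return can bypass these assignments and leave the new fields at their defaults cannot be judged from what is shown.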