Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(217)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1652603002: Add information to SSLInfo about CT EV policy compliance (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rsleevi nits Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/socket/ssl_client_socket_openssl.h ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_openssl.cc
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 501eaefce0a6b16b34b869826966c31882dcc950..6fc1d91f855ddb1dba0deddeb4b4ae871c707a38 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -38,6 +38,7 @@
#include "net/cert/cert_verifier.h"
#include "net/cert/ct_ev_whitelist.h"
#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/x509_certificate_net_log_param.h"
#include "net/cert/x509_util_openssl.h"
@@ -837,7 +838,7 @@ bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
ssl_info->token_binding_key_param = tb_negotiated_param_;
ssl_info->pinning_failure_log = pinning_failure_log_;
- AddSCTInfoToSSLInfo(ssl_info);
+ AddCTInfoToSSLInfo(ssl_info);
const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
CHECK(cipher);
@@ -1445,13 +1446,24 @@ void SSLClientSocketOpenSSL::VerifyCT() {
server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list,
&ct_verify_result_, net_log_);
+ ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
+ ct_verify_result_.ev_policy_compliance =
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
if (policy_enforcer_ &&
(server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
SSLConfigService::GetEVCertsWhitelist();
- if (!policy_enforcer_->DoesConformToCTEVPolicy(
+ ct::EVPolicyCompliance ev_policy_compliance =
+ policy_enforcer_->DoesConformToCTEVPolicy(
server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
- ct_verify_result_, net_log_)) {
+ ct_verify_result_.verified_scts, net_log_);
+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+ if (ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
// TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
VLOG(1) << "EV certificate for "
<< server_cert_verify_result_.verified_cert->subject()
@@ -2113,8 +2125,8 @@ int SSLClientSocketOpenSSL::NewSessionCallback(SSL_SESSION* session) {
return 1;
}
-void SSLClientSocketOpenSSL::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
- ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_);
+void SSLClientSocketOpenSSL::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
+ ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
}
std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const {
« no previous file with comments | « net/socket/ssl_client_socket_openssl.h ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698