blimp/net/exact_match_cert_verifier.cc - Issue 1696563002: Blimp: add support for SSL connections.

Side by Side Diff: blimp/net/exact_match_cert_verifier.cc

Issue 1696563002: Blimp: add support for SSL connections. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Updated "running.md" Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "blimp/net/exact_match_cert_verifier.h"

	6

	7 #include "base/callback.h"

	8 #include "base/macros.h"

	9 #include "base/memory/scoped_ptr.h"

	10 #include "net/base/net_errors.h"

	11 #include "net/cert/cert_verifier.h"

	12 #include "net/cert/cert_verify_result.h"

	13 #include "net/cert/x509_certificate.h"

	14

	15 namespace blimp {

	16

	17 ExactMatchCertVerifier::ExactMatchCertVerifier(

	18 scoped_refptr<net::X509Certificate> engine_cert)

	19 : engine_cert_(std::move(engine_cert)) {}

	20

	21 ExactMatchCertVerifier::~ExactMatchCertVerifier() {}

	22

	23 int ExactMatchCertVerifier::Verify(net::X509Certificate* cert,

	24 const std::string& hostname,

	25 const std::string& ocsp_response,

	26 int flags,

	27 net::CRLSet* crl_set,

	28 net::CertVerifyResult* verify_result,

	29 const net::CompletionCallback& callback,

	30 scoped_ptr<Request>* out_req,

	31 const net::BoundNetLog& net_log) {

	32 verify_result->Reset();

	33 verify_result->verified_cert = cert;

	34

	35 if (!cert->Equals(engine_cert_.get())) {
	Ryan Sleevi 2016/02/25 22:16:25 One thing worth noting: X509Certificate::Equals on One thing worth noting: X509Certificate::Equals only compares the leaf cert, not any intermediates. In thinking through this, I suspect you want to change line 39 to verify_result->verified_cert = engine_cert_; That way you're always saying you verified against the canonical config and not arbitrary (unrelated) intermediates. (hopefully that makes sense) Kevin M 2016/02/26 00:30:04 Yep, that makes sense. Done. Show quoted text On 2016/02/25 22:16:25, Ryan Sleevi wrote: > One thing worth noting: X509Certificate::Equals only compares the leaf cert, not > any intermediates. > > In thinking through this, I suspect you want to change line 39 to > > verify_result->verified_cert = engine_cert_; > > That way you're always saying you verified against the canonical config and not > arbitrary (unrelated) intermediates. > > (hopefully that makes sense) Yep, that makes sense. Done.
	36 verify_result->cert_status = net::CERT_STATUS_INVALID;

	37 return net::ERR_CERT_INVALID;

	38 }

	39

	40 // Attach hashes of \|cert\| to VerifyResult.

	41 net::SHA1HashValue sha1_hash;

	42 sha1_hash =

	43 net::X509Certificate::CalculateFingerprint(cert->os_cert_handle());

	44 verify_result->public_key_hashes.push_back(net::HashValue(sha1_hash));

	45

	46 net::SHA256HashValue sha256_hash;

	47 sha256_hash =

	48 net::X509Certificate::CalculateFingerprint256(cert->os_cert_handle());

	49 verify_result->public_key_hashes.push_back(net::HashValue(sha256_hash));
	Ryan Sleevi 2016/02/25 22:16:25 FWIW, since \|cert->os_cert_handle()\| will always b FWIW, since \|cert->os_cert_handle()\| will always be the same as \|engine_cert_\|, you could totes precompute these and store them next to engine_cert_ e.g. in the ctor engine_cert_hashes_ = ...; and then here verify_result->public_key_hashes = engine_cert_hashes_; Kevin M 2016/02/26 00:30:04 Done. Show quoted text On 2016/02/25 22:16:25, Ryan Sleevi wrote: > FWIW, since \|cert->os_cert_handle()\| will always be the same as \|engine_cert_\|, > you could totes precompute these and store them next to engine_cert_ > > e.g. in the ctor > > engine_cert_hashes_ = ...; > > and then here > > verify_result->public_key_hashes = engine_cert_hashes_; Done.
	50

	51 return net::OK;

	52 }

	53

	54 } // namespace blimp

OLD	NEW