net/socket/ssl_client_socket.h - Issue 173853014: Make OpenSSL UpdateServerCert() OS independent.

Side by Side Diff: net/socket/ssl_client_socket.h

Issue 173853014: Make OpenSSL UpdateServerCert() OS independent. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Added test case for retrieving unverified server cert chain. Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_	5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_

6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_	6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_

7	7

8 #include <string>	8 #include <string>

9	9

10 #include "base/gtest_prod_util.h"	10 #include "base/gtest_prod_util.h"

11 #include "net/base/completion_callback.h"	11 #include "net/base/completion_callback.h"

12 #include "net/base/load_flags.h"	12 #include "net/base/load_flags.h"

13 #include "net/base/net_errors.h"	13 #include "net/base/net_errors.h"

14 #include "net/socket/ssl_socket.h"	14 #include "net/socket/ssl_socket.h"

15 #include "net/socket/stream_socket.h"	15 #include "net/socket/stream_socket.h"

16	16

17 namespace net {	17 namespace net {

18	18

19 class CertVerifier;	19 class CertVerifier;

20 class CTVerifier;	20 class CTVerifier;

21 class ServerBoundCertService;	21 class ServerBoundCertService;

22 class SSLCertRequestInfo;	22 class SSLCertRequestInfo;

23 struct SSLConfig;	23 struct SSLConfig;

24 class SSLInfo;	24 class SSLInfo;

25 class TransportSecurityState;	25 class TransportSecurityState;

	26 class X509Certificate;

26	27

27 // This struct groups together several fields which are used by various	28 // This struct groups together several fields which are used by various

28 // classes related to SSLClientSocket.	29 // classes related to SSLClientSocket.

29 struct SSLClientSocketContext {	30 struct SSLClientSocketContext {

30 SSLClientSocketContext()	31 SSLClientSocketContext()

31 : cert_verifier(NULL),	32 : cert_verifier(NULL),

32 server_bound_cert_service(NULL),	33 server_bound_cert_service(NULL),

33 transport_security_state(NULL),	34 transport_security_state(NULL),

34 cert_transparency_verifier(NULL) {}	35 cert_transparency_verifier(NULL) {}

35	36

(...skipping 119 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
155 ServerBoundCertService* server_bound_cert_service);	156 ServerBoundCertService* server_bound_cert_service);

156	157

157 private:	158 private:

158 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.	159 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.

159 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,	160 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,

160 ConnectSignedCertTimestampsEnabledTLSExtension);	161 ConnectSignedCertTimestampsEnabledTLSExtension);

161 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,	162 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,

162 ConnectSignedCertTimestampsEnabledOCSP);	163 ConnectSignedCertTimestampsEnabledOCSP);

163 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,	164 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,

164 ConnectSignedCertTimestampsDisabled);	165 ConnectSignedCertTimestampsDisabled);

	166 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,

	167 VerifyServerChainProperlyOrdered);

	168

	169 // Returns the certificate chain as presented by server.

	170 // For unit testing only.

	171 virtual const scoped_refptr<X509Certificate> GetUnverifiedServerCertificate()
	wtc 2014/03/10 21:45:34 1. Nit: change "ServerCertificate" to "ServerCertC 1. Nit: change "ServerCertificate" to "ServerCertChain" to make it clear the returned X509Certificate object also contains the CA certificates presented by the server. 2. I am not familiar with this aspect of C++, but it seems strange to see a private virtual method. I would think this needs to be protected to allow subclasses to override this method. Perhaps the "private" keyword just means only this class can call this method, and doesn't care which class can override this method. 3. Nit: in the comment you may want to point out that the cert returned by the GetSSLInfo method is a verified certificate chain, which may be different. This difference may not be obvious to someone unfamiliar with this code. Ryan Sleevi 2014/03/11 00:15:15 Yeah, seems like this should be protected. Show quoted text On 2014/03/10 21:45:34, wtc wrote: > > 1. Nit: change "ServerCertificate" to "ServerCertChain" to make it clear the > returned X509Certificate object also contains the CA certificates presented by > the server. > > 2. I am not familiar with this aspect of C++, but it seems strange to see a > private virtual method. I would think this needs to be protected to allow > subclasses to override this method. Perhaps the "private" keyword just means > only this class can call this method, and doesn't care which class can > override this method. Yeah, seems like this should be protected. Show quoted text > > 3. Nit: in the comment you may want to point out that the cert returned by the > GetSSLInfo method is a verified certificate chain, which may be different. This > difference may not be obvious to someone unfamiliar with this code. haavardm 2014/03/11 18:43:21 It doesn't have to be protected to allow subclasse Show quoted text On 2014/03/10 21:45:34, wtc wrote: > > 1. Nit: change "ServerCertificate" to "ServerCertChain" to make it clear the > returned X509Certificate object also contains the CA certificates presented by > the server. > > 2. I am not familiar with this aspect of C++, but it seems strange to see a > private virtual method. I would think this needs to be protected to allow > subclasses to override this method. Perhaps the "private" keyword just means > only this class can call this method, and doesn't care which class can > override this method. It doesn't have to be protected to allow subclasses to override it, only for letting subclasses call it. Letting it be private here and public in the subclass have the affect that you can call the function if you have a instance of subclass. If you only have a instance of this class you cannot call it. The idea was that no code having a SSLClientSocketOpenSSL instance should be able to call GetUnverifiedServerCertificate(), while it could be interesting for internal socket code to call it when having a nss/openssl instance or one of the test ssl socket implementations. I realize it can be a bit confusing though, so I'll make all of them protected instead. Show quoted text > > 3. Nit: in the comment you may want to point out that the cert returned by the > GetSSLInfo method is a verified certificate chain, which may be different. This > difference may not be obvious to someone unfamiliar with this code. haavardm 2014/03/11 18:43:21 Done. Show quoted text On 2014/03/10 21:45:34, wtc wrote: > > 1. Nit: change "ServerCertificate" to "ServerCertChain" to make it clear the > returned X509Certificate object also contains the CA certificates presented by > the server. > > 2. I am not familiar with this aspect of C++, but it seems strange to see a > private virtual method. I would think this needs to be protected to allow > subclasses to override this method. Perhaps the "private" keyword just means > only this class can call this method, and doesn't care which class can > override this method. > > 3. Nit: in the comment you may want to point out that the cert returned by the > GetSSLInfo method is a verified certificate chain, which may be different. This > difference may not be obvious to someone unfamiliar with this code. Done.
	172 const = 0;

165	173

166 // True if NPN was responded to, independent of selecting SPDY or HTTP.	174 // True if NPN was responded to, independent of selecting SPDY or HTTP.

167 bool was_npn_negotiated_;	175 bool was_npn_negotiated_;

168 // True if NPN successfully negotiated SPDY.	176 // True if NPN successfully negotiated SPDY.

169 bool was_spdy_negotiated_;	177 bool was_spdy_negotiated_;

170 // Protocol that we negotiated with the server.	178 // Protocol that we negotiated with the server.

171 NextProto protocol_negotiated_;	179 NextProto protocol_negotiated_;

172 // True if a channel ID was sent.	180 // True if a channel ID was sent.

173 bool channel_id_sent_;	181 bool channel_id_sent_;

174 // True if SCTs were received via a TLS extension.	182 // True if SCTs were received via a TLS extension.

175 bool signed_cert_timestamps_received_;	183 bool signed_cert_timestamps_received_;

176 // True if a stapled OCSP response was received.	184 // True if a stapled OCSP response was received.

177 bool stapled_ocsp_response_received_;	185 bool stapled_ocsp_response_received_;

178 };	186 };

179	187

180 } // namespace net	188 } // namespace net

181	189

182 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_	190 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_

OLD	NEW

« net/socket/socket_test_util.cc ('K') | « net/socket/socket_test_util.cc ('k') | net/socket/ssl_client_socket_nss.h » ('j') | net/socket/ssl_client_socket_nss.h » ('J')