Side by Side Diff: net/cert/expect_staple_report.cc

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Don't report private certificates Created 4 years, 6 months ago
(Empty)
1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "expect_staple_report.h"
6
estark 2016/06/15 23:51:46 missing a bunch of #includes here
dadrian 2016/06/16 03:27:23 Done.
7 namespace net {
8
9 namespace {
10
11 der::GeneralizedTime ConvertBaseTime(const base::Time& time) {
12 base::Time::Exploded exploded;
13 time.UTCExplode(&exploded);
14
15 der::GeneralizedTime result;
16 result.year = exploded.year;
17 result.month = exploded.month;
18 result.day = exploded.day_of_month;
19 result.hours = exploded.hour;
20 result.minutes = exploded.minute;
21 result.seconds = exploded.second;
22 return result;
23 }
24
25 bool CheckOCSPDateValid(const OCSPSingleResponse& response,
26 const base::Time& verify_time,
27 const base::TimeDelta& max_age) {
28 if (response.has_next_update &&
29 !(response.this_update < response.next_update))
30 return false;
31
32 // Place |verify_time| in the bounds.
33 der::GeneralizedTime verify_time_der = ConvertBaseTime(verify_time);
34 if (!(response.this_update < verify_time_der))
35 return false;
36 if (response.has_next_update && !(verify_time_der < response.next_update))
37 return false;
38
39 // Enforce |max_age|.
40 der::GeneralizedTime lower_bound = ConvertBaseTime(verify_time - max_age);
41 if (response.this_update < lower_bound)
42 return false;
43 return true;
44 }
45
46 bool CompareCertIDToCertificate(const OCSPCertID& cert_id,
47 const X509Certificate& certificate) {
48 // TODO(dadrian): Verify name and key hashes. https://crbug.com/620005
49 der::Input serial(&certificate.serial_number());
50 return serial == cert_id.serial_number;
51 }
52
53 } // namespace
54
55 ExpectStapleReport::ExpectStapleReport() : staple_error_(StapleError::OK) {}
56
57 ExpectStapleReport::~ExpectStapleReport() {}
58
59 std::unique_ptr<ExpectStapleReport> ExpectStapleReport::FromRawOCSPResponse(
60 const std::string& raw_response,
61 const base::Time& verify_time,
62 const base::TimeDelta& max_age,
63 const X509Certificate& verified_certificate) {
64 std::unique_ptr<ExpectStapleReport> out(new ExpectStapleReport);
65 out->verify_time_ = verify_time;
66 der::Input response_der(&raw_response);
67
68 OCSPResponse response;
69 if (!ParseOCSPResponse(response_der, &response)) {
70 out->staple_error_ = StapleError::PARSE_RESPONSE;
71 return out;
72 }
73
74 // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the
75 // data.
76 if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) {
77 out->staple_error_ = StapleError::BAD_RESPONSE;
78 return out;
79 }
80
81 OCSPResponseData response_data;
82 if (!ParseOCSPResponseData(response.data, &response_data)) {
83 out->staple_error_ = StapleError::PARSE_RESPONSE_DATA;
84 return out;
85 }
86
87 bool contains_correct_response = false;
88 for (const auto& single_response_der : response_data.responses) {
89 OCSPSingleResponse single_response;
90 if (!ParseOCSPSingleResponse(single_response_der, &single_response))
91 continue;
92 SingleResult single_result;
93 single_result.status = single_response.cert_status.status;
94 single_result.is_date_valid =
95 CheckOCSPDateValid(single_response, verify_time, max_age);
96 OCSPCertID cert_id;
97 if (ParseOCSPCertID(single_response.cert_id_tlv, &cert_id)) {
98 single_result.is_correct_certificate =
99 CompareCertIDToCertificate(cert_id, verified_certificate);
100 }
101 if (single_result.is_date_valid && single_result.is_correct_certificate &&
102 single_result.status == OCSPCertStatus::Status::GOOD) {
103 contains_correct_response = true;
104 }
105 out->stapled_responses_.push_back(single_result);
106 }
107
108 if (!contains_correct_response) {
109 out->staple_error_ = StapleError::NO_MATCHING_RESPONSE;
110 return out;
estark 2016/06/15 23:51:46 unnecessary
dadrian 2016/06/16 03:27:23 Done.
111 }
112 return out;
113 }
114
115 } // namespace net
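Review bot: In FromRawOCSPResponse, `single_result.is_correct_certificate` is only assigned inside the `if (ParseOCSPCertID(...))` branch (lines 97-100) but is read unconditionally on line 101, so when the CertID fails to parse the value depends on whatever SingleResult's declaration in expect_staple_report.h does by default, which is not visible here; if the struct has no in-class initializer that read is indeterminate and a garbage `true` could let a response for a different certificate count as the matching one. Making the assignment unconditional removes the dependency on the header: `single_result.is_correct_certificate = ParseOCSPCertID(single_response.cert_id_tlv, &cert_id) && CompareCertIDToCertificate(cert_id, verified_certificate);`, and the same applies to `is_date_valid` and `status` only if the struct is not value-initialized, so `SingleResult single_result = {};` at line 92 would be the simplest way to cover all three. Separately, CompareCertIDToCertificate currently matches on serial number alone per the TODO at line 48, so until the issuer name/key hash check lands a "correct" match is only as strong as serial uniqueness across issuers; it would be worth stating that limitation in a comment on SingleResult::is_correct_certificate so callers that report on it do not over-trust the flag.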