Implement Expect-Staple

net/cert/cert_verify_proc.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 
@@ skipping 164 matching lines @@
 bool IsPastSHA1DeprecationDate(const X509Certificate& cert) {
   const base::Time& start = cert.valid_start();
   if (start.is_max() || start.is_null())
     return true;
   // 2016-01-01 00:00:00 UTC.
   const base::Time kSHA1DeprecationDate =
       base::Time::FromInternalValue(INT64_C(13096080000000000));
   return start >= kSHA1DeprecationDate;
 }
 
+bool CompareCertIDToCertificate(const OCSPCertID& cert_id,
+                                const X509Certificate& certificate) {
+  // TODO(dadrian): Verify name and key hashes. https://crbug.com/620005
+  der::Input serial(&certificate.serial_number());
+  return serial == cert_id.serial_number;
+}
+
+void CheckOCSP(const std::string& raw_response,
+               CertVerifyResult* verify_result) {
+  verify_result->ocsp.Reset();
+
+  if (raw_response.empty()) {
+    verify_result->ocsp.response_status = OCSPVerifyResult::MISSING;
+    return;
+  }
+  der::Input response_der(&raw_response);
+
+  OCSPResponse response;
+  if (!ParseOCSPResponse(response_der, &response)) {
+    verify_result->ocsp.response_status = OCSPVerifyResult::PARSE_RESPONSE;
+    return;
+  }
+
+  // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the
+  // data.
+  if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) {
+    verify_result->ocsp.response_status = OCSPVerifyResult::BAD_RESPONSE;
+    return;
+  }
+
+  OCSPResponseData response_data;
+  if (!ParseOCSPResponseData(response.data, &response_data)) {
+    verify_result->ocsp.response_status = OCSPVerifyResult::PARSE_RESPONSE_DATA;
+    return;
+  }
+
+  // TODO(svaldez): Unify with GetOCSPCertStatus.
+  bool contains_correct_response = false;
+  verify_result->ocsp.response_status = OCSPVerifyResult::NO_MATCHING_RESPONSE;
+  base::Time verify_time = base::Time::Now();
+  base::TimeDelta max_age = base::TimeDelta::FromDays(7);
+  for (const auto& single_response_der : response_data.responses) {
+    OCSPSingleResponse single_response;
+    OCSPVerifyResult::SingleResult single_result;
+    if (ParseOCSPSingleResponse(single_response_der, &single_response)) {
+      single_result.did_parse = true;
+      single_result.status = single_response.cert_status.status;
+      single_result.is_date_valid =
+          CheckOCSPDateValid(single_response, verify_time, max_age);
+      OCSPCertID cert_id;
+      if (ParseOCSPCertID(single_response.cert_id_tlv, &cert_id)) {
+        single_result.is_correct_certificate =
+            CompareCertIDToCertificate(cert_id, *verify_result->verified_cert);
+      }
+      if (single_result.is_date_valid && single_result.is_correct_certificate) {
+        contains_correct_response = true;
+        if (single_response.cert_status.status >=
+            verify_result->ocsp.cert_status.value_or(
+                OCSPCertStatus::Status::GOOD)) {
+          verify_result->ocsp.cert_status = single_response.cert_status.status;
+        }
+      }
+    }
+    verify_result->ocsp.stapled_responses.push_back(single_result);
+  }
+
+  if (contains_correct_response) {
+    verify_result->ocsp.response_status = OCSPVerifyResult::PROVIDED;
+  }
+  return;

[svaldez, 2016/06/23 14:03:15]

nit: omit.

+}
+
 // Comparison functor used for binary searching whether a given HashValue,
 // which MUST be a SHA-256 hash, is contained with an array of SHA-256
 // hashes.
 struct HashToArrayComparator {
   template <size_t N>
   bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const {
     static_assert(N == crypto::kSHA256Length,
                   "Only SHA-256 hashes are supported");
     return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0;
   }
@@ skipping 56 matching lines @@
   int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,
                           additional_trust_anchors, verify_result);
 
   UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",
                         verify_result->common_name_fallback_used);
   if (!verify_result->is_issued_by_known_root) {
     UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",
                           verify_result->common_name_fallback_used);
   }
 
+  // Check OCSP information
+  CheckOCSP(ocsp_response, verify_result);

[svaldez, 2016/06/23 14:03:15]

Should this be done even for blacklisted keys?

+
   // This check is done after VerifyInternal so that VerifyInternal can fill
   // in the list of public key hashes.
   if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
     verify_result->cert_status |= CERT_STATUS_REVOKED;
     rv = MapCertStatusToNetError(verify_result->cert_status);
   }
 
   std::vector<std::string> dns_names, ip_addrs;
   cert->GetSubjectAltName(&dns_names, &ip_addrs);
   if (HasNameConstraintsViolation(verify_result->public_key_hashes,
@@ skipping 305 matching lines @@
     return true;
 
   // For certificates issued after 1 April 2015: 39 months.
   if (start >= time_2015_04_01 && month_diff > 39)
     return true;
 
   return false;
 }
 
 }  // namespace net