
Side by Side Diff: net/cert/ocsp_staple.cc

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Remove call to GetSSLInfo Created 4 years, 6 months ago
(Empty)
1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "ocsp_staple.h"
6 namespace net {
7
8 namespace {
9
10 der::GeneralizedTime ConvertBaseTime(const base::Time& time) {
11 base::Time::Exploded exploded;
12 time.UTCExplode(&exploded);
13
14 der::GeneralizedTime result;
15 result.year = exploded.year;
16 result.month = exploded.month;
17 result.day = exploded.day_of_month;
18 result.hours = exploded.hour;
19 result.minutes = exploded.minute;
20 result.seconds = exploded.second;
21 return result;
22 }
23
24 bool CheckOCSPDateValid(const OCSPSingleResponse& response,
25 const base::Time verify_time,
estark 2016/06/14 02:10:27 nit: pass by reference (and the next arg too)
dadrian 2016/06/14 18:40:00 Done. (Whoops)
26 const base::TimeDelta max_age) {
27 if (response.has_next_update &&
28 !(response.this_update < response.next_update))
29 return false;
30
31 // Place verify_time in the bounds
estark 2016/06/14 02:10:27 nits: period and pipes around verify_time
dadrian 2016/06/14 18:40:00 Done.
32 der::GeneralizedTime verify_time_der = ConvertBaseTime(verify_time);
33 if (!(response.this_update < verify_time_der))
34 return false;
35 if (response.has_next_update && !(verify_time_der < response.next_update))
36 return false;
37
38 // Enforce max age
estark 2016/06/14 02:10:27 nit: period
dadrian 2016/06/14 18:40:00 Done.
39 der::GeneralizedTime lower_bound = ConvertBaseTime(verify_time - max_age);
40 if (response.this_update < lower_bound)
41 return false;
42 return true;
43 }
44
45 bool CompareCertIDToCertificate(const OCSPCertID& cert_id,
46 const X509Certificate& certificate) {
47 // TODO(dadrian): Verify name and key hashes
48 der::Input serial(&certificate.serial_number());
49 return serial == cert_id.serial_number;
50 }
51
52 } // namespace
53
54 ExpectStapleReport::ExpectStapleReport() : staple_error_(StapleError::OK) {}
55
56 ExpectStapleReport::~ExpectStapleReport() {}
57
58 std::unique_ptr<ExpectStapleReport> ExpectStapleReport::FromRawOCSPResponse(
59 const std::string raw_response,
60 const base::Time& verify_time,
61 const base::TimeDelta& max_age,
62 const X509Certificate& verified_certificate) {
63 std::unique_ptr<ExpectStapleReport> out(new ExpectStapleReport);
64 out->verify_time_ = verify_time;
65 der::Input response_der(&raw_response);
66
67 OCSPResponse response;
68 if (!ParseOCSPResponse(response_der, &response)) {
69 out->staple_error_ = StapleError::PARSE_RESPONSE;
70 return out;
71 }
72
73 // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the
74 // data.
75 if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) {
76 out->staple_error_ = StapleError::BAD_RESPONSE;
77 return out;
78 }
79
80 OCSPResponseData response_data;
81 if (!ParseOCSPResponseData(response.data, &response_data)) {
82 out->staple_error_ = StapleError::PARSE_RESPONSE_DATA;
83 return out;
84 }
85
86 bool contains_correct_response = false;
87 for (const auto& single_response_der : response_data.responses) {
88 OCSPSingleResponse single_response;
89 if (!ParseOCSPSingleResponse(single_response_der, &single_response))
90 continue;
91 SingleResult single_result;
92 single_result.status = single_response.cert_status.status;
93 single_result.is_date_valid =
94 CheckOCSPDateValid(single_response, verify_time, max_age);
95 OCSPCertID cert_id;
96 if (ParseOCSPCertID(single_response.cert_id_tlv, &cert_id)) {
97 single_result.is_correct_certificate =
98 CompareCertIDToCertificate(cert_id, verified_certificate);
99 }
100 if (single_result.is_date_valid && single_result.is_correct_certificate &&
101 single_result.status == OCSPCertStatus::Status::GOOD) {
102 contains_correct_response = true;
103 }
104 out->stapled_responses_.push_back(single_result);
105 }
106
107 if (!contains_correct_response) {
108 out->staple_error_ = StapleError::NO_MATCHING_RESPONSE;
109 return out;
110 }
111 return out;
112 }
113
114 } // namespace net
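Review bot: `single_result.is_correct_certificate` is read at line 100 but only assigned when ParseOCSPCertID succeeds at line 96, so a single response whose CertID fails to parse reaches the `&&` (and is pushed into `stapled_responses_`) with whatever value the field holds — an uninitialized read unless SingleResult's declaration in the header gives it an in-class initializer, which is not visible here. Making the failure case explicit removes the dependency on the header: `single_result.is_correct_certificate = ParseOCSPCertID(single_response.cert_id_tlv, &cert_id) && CompareCertIDToCertificate(cert_id, verified_certificate);`. Related, CompareCertIDToCertificate matches on serial number alone (the TODO at line 47 leaves issuer name and key hashes unchecked), so until that lands a GOOD response for a different issuer's certificate with the same serial would satisfy `contains_correct_response`; a comment on that loop such as `// NOTE: certificate match is serial-only until issuer/key hashes are verified.` keeps callers from reading more into the report. Finally, `raw_response` is taken by value at line 59 while the neighbouring parameters are references; `const std::string&` appears sufficient, since `der::Input` only needs the string to outlive the parsing done inside this call.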
