Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1230)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Don't report private certificates Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/http/transport_security_state_unittest.cc ('K') | « net/socket/ssl_client_socket_impl.h ('k') | net/ssl/ssl_info.h » ('j') | net/ssl/ssl_info.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index bcd66037690e803e7ded9f276660fcd24d328cea..61f23487196c13d4efce580741d33db55baf1580 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -85,6 +85,9 @@ const uint8_t kTbProtocolVersionMinor = 5;
const uint8_t kTbMinProtocolVersionMajor = 0;
const uint8_t kTbMinProtocolVersionMinor = 3;
+// Max age for OCSP responses
+const base::TimeDelta kAgeOneWeek = base::TimeDelta::FromDays(7);
estark 2016/06/15 23:51:47 Unfortunately this constant would have to be dupli
estark 2016/06/15 23:51:47 ditto
estark 2016/06/15 23:51:47 It appears that mozilla::pkix requires responses w
dadrian 2016/06/16 03:27:24 Does QUIC support OCSP stapling? I'm not very fami
dadrian 2016/06/16 03:27:24 1 day seems short, but I have no actual basis for
+
bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
switch (EVP_MD_type(md)) {
case NID_md5_sha1:
@@ -1349,6 +1352,9 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) {
// the connection.
VerifyCT();
+ CheckOCSP(*server_cert_verify_result_.verified_cert, *server_cert_,
+ server_cert_verify_result_.is_issued_by_known_root);
+
DCHECK(!certificate_verified_);
certificate_verified_ = true;
MaybeCacheSession();
@@ -1435,6 +1441,16 @@ void SSLClientSocketImpl::VerifyCT() {
}
}
+void SSLClientSocketImpl::CheckOCSP(
+ const X509Certificate& verified_certificate,
+ const X509Certificate& unverified_certificate,
+ bool is_issued_by_known_root) {
+ base::Time verify_time = base::Time::Now();
+ transport_security_state_->CheckExpectStaple(
+ host_and_port_, verified_certificate, unverified_certificate,
+ is_issued_by_known_root, verify_time, kAgeOneWeek, ocsp_response_);
+}
+
void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
int rv = DoHandshakeLoop(result);
if (rv != ERR_IO_PENDING) {
« net/http/transport_security_state_unittest.cc ('K') | « net/socket/ssl_client_socket_impl.h ('k') | net/ssl/ssl_info.h » ('j') | net/ssl/ssl_info.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698