| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 143 int cert_verify_flags, | 143 int cert_verify_flags, |
| 144 const BoundNetLog& net_log) | 144 const BoundNetLog& net_log) |
| 145 : proof_verifier_(proof_verifier), | 145 : proof_verifier_(proof_verifier), |
| 146 verifier_(cert_verifier), | 146 verifier_(cert_verifier), |
| 147 policy_enforcer_(ct_policy_enforcer), | 147 policy_enforcer_(ct_policy_enforcer), |
| 148 transport_security_state_(transport_security_state), | 148 transport_security_state_(transport_security_state), |
| 149 cert_transparency_verifier_(cert_transparency_verifier), | 149 cert_transparency_verifier_(cert_transparency_verifier), |
| 150 cert_verify_flags_(cert_verify_flags), | 150 cert_verify_flags_(cert_verify_flags), |
| 151 next_state_(STATE_NONE), | 151 next_state_(STATE_NONE), |
| 152 start_time_(base::TimeTicks::Now()), | 152 start_time_(base::TimeTicks::Now()), |
| 153 net_log_(net_log) {} | 153 net_log_(net_log) { |
| 154 DCHECK(proof_verifier_); |
| 155 DCHECK(verifier_); |
| 156 DCHECK(policy_enforcer_); |
| 157 DCHECK(transport_security_state_); |
| 158 DCHECK(cert_transparency_verifier_); |
| 159 } |
| 154 | 160 |
| 155 ProofVerifierChromium::Job::~Job() { | 161 ProofVerifierChromium::Job::~Job() { |
| 156 base::TimeTicks end_time = base::TimeTicks::Now(); | 162 base::TimeTicks end_time = base::TimeTicks::Now(); |
| 157 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime", | 163 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime", |
| 158 end_time - start_time_); | 164 end_time - start_time_); |
| 159 // |hostname_| will always be canonicalized to lowercase. | 165 // |hostname_| will always be canonicalized to lowercase. |
| 160 if (hostname_.compare("www.google.com") == 0) { | 166 if (hostname_.compare("www.google.com") == 0) { |
| 161 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime.google", | 167 UMA_HISTOGRAM_TIMES("Net.QuicSession.VerifyProofTime.google", |
| 162 end_time - start_time_); | 168 end_time - start_time_); |
| 163 } | 169 } |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 204 } | 210 } |
| 205 cert_ = X509Certificate::CreateFromDERCertChain(cert_pieces); | 211 cert_ = X509Certificate::CreateFromDERCertChain(cert_pieces); |
| 206 if (!cert_.get()) { | 212 if (!cert_.get()) { |
| 207 *error_details = "Failed to create certificate chain"; | 213 *error_details = "Failed to create certificate chain"; |
| 208 DLOG(WARNING) << *error_details; | 214 DLOG(WARNING) << *error_details; |
| 209 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID; | 215 verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID; |
| 210 *verify_details = std::move(verify_details_); | 216 *verify_details = std::move(verify_details_); |
| 211 return QUIC_FAILURE; | 217 return QUIC_FAILURE; |
| 212 } | 218 } |
| 213 | 219 |
| 214 if (cert_transparency_verifier_ && !cert_sct.empty()) { | 220 if (!cert_sct.empty()) { |
| 215 // Note that this is a completely synchronous operation: The CT Log Verifier | 221 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 216 // gets all the data it needs for SCT verification and does not do any | 222 // gets all the data it needs for SCT verification and does not do any |
| 217 // external communication. | 223 // external communication. |
| 218 cert_transparency_verifier_->Verify(cert_.get(), std::string(), cert_sct, | 224 cert_transparency_verifier_->Verify(cert_.get(), std::string(), cert_sct, |
| 219 &verify_details_->ct_verify_result, | 225 &verify_details_->ct_verify_result, |
| 220 net_log_); | 226 net_log_); |
| 221 } | 227 } |
| 222 | 228 |
| 223 // We call VerifySignature first to avoid copying of server_config and | 229 // We call VerifySignature first to avoid copying of server_config and |
| 224 // signature. | 230 // signature. |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 296 base::Unretained(this)), | 302 base::Unretained(this)), |
| 297 &cert_verifier_request_, net_log_); | 303 &cert_verifier_request_, net_log_); |
| 298 } | 304 } |
| 299 | 305 |
| 300 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { | 306 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { |
| 301 cert_verifier_request_.reset(); | 307 cert_verifier_request_.reset(); |
| 302 | 308 |
| 303 const CertVerifyResult& cert_verify_result = | 309 const CertVerifyResult& cert_verify_result = |
| 304 verify_details_->cert_verify_result; | 310 verify_details_->cert_verify_result; |
| 305 const CertStatus cert_status = cert_verify_result.cert_status; | 311 const CertStatus cert_status = cert_verify_result.cert_status; |
| 306 verify_details_->ct_verify_result.ct_policies_applied = | 312 verify_details_->ct_verify_result.ct_policies_applied = result == OK; |
| 307 (result == OK && policy_enforcer_ != nullptr); | |
| 308 verify_details_->ct_verify_result.ev_policy_compliance = | 313 verify_details_->ct_verify_result.ev_policy_compliance = |
| 309 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 314 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 310 if (result == OK && policy_enforcer_) { | 315 if (result == OK) { |
| 311 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | 316 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { |
| 312 ct::EVPolicyCompliance ev_policy_compliance = | 317 ct::EVPolicyCompliance ev_policy_compliance = |
| 313 policy_enforcer_->DoesConformToCTEVPolicy( | 318 policy_enforcer_->DoesConformToCTEVPolicy( |
| 314 cert_verify_result.verified_cert.get(), | 319 cert_verify_result.verified_cert.get(), |
| 315 SSLConfigService::GetEVCertsWhitelist().get(), | 320 SSLConfigService::GetEVCertsWhitelist().get(), |
| 316 verify_details_->ct_verify_result.verified_scts, net_log_); | 321 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 317 verify_details_->ct_verify_result.ev_policy_compliance = | 322 verify_details_->ct_verify_result.ev_policy_compliance = |
| 318 ev_policy_compliance; | 323 ev_policy_compliance; |
| 319 if (ev_policy_compliance != | 324 if (ev_policy_compliance != |
| 320 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | 325 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 321 ev_policy_compliance != | 326 ev_policy_compliance != |
| 322 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | 327 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 323 ev_policy_compliance != | 328 ev_policy_compliance != |
| 324 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | 329 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 325 verify_details_->cert_verify_result.cert_status |= | 330 verify_details_->cert_verify_result.cert_status |= |
| 326 CERT_STATUS_CT_COMPLIANCE_FAILED; | 331 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 327 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 332 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 328 } | 333 } |
| 329 } | 334 } |
| 330 | 335 |
| 331 verify_details_->ct_verify_result.cert_policy_compliance = | 336 verify_details_->ct_verify_result.cert_policy_compliance = |
| 332 policy_enforcer_->DoesConformToCertPolicy( | 337 policy_enforcer_->DoesConformToCertPolicy( |
| 333 cert_verify_result.verified_cert.get(), | 338 cert_verify_result.verified_cert.get(), |
| 334 verify_details_->ct_verify_result.verified_scts, net_log_); | 339 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 335 } | 340 } |
| 336 | 341 |
| 337 if (transport_security_state_ && | 342 if ((result == OK || |
| 338 (result == OK || | |
| 339 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 343 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 340 !transport_security_state_->CheckPublicKeyPins( | 344 !transport_security_state_->CheckPublicKeyPins( |
| 341 HostPortPair(hostname_, port_), | 345 HostPortPair(hostname_, port_), |
| 342 cert_verify_result.is_issued_by_known_root, | 346 cert_verify_result.is_issued_by_known_root, |
| 343 cert_verify_result.public_key_hashes, cert_.get(), | 347 cert_verify_result.public_key_hashes, cert_.get(), |
| 344 cert_verify_result.verified_cert.get(), | 348 cert_verify_result.verified_cert.get(), |
| 345 TransportSecurityState::ENABLE_PIN_REPORTS, | 349 TransportSecurityState::ENABLE_PIN_REPORTS, |
| 346 &verify_details_->pinning_failure_log)) { | 350 &verify_details_->pinning_failure_log)) { |
| 347 if (cert_verify_result.is_issued_by_known_root) | 351 if (cert_verify_result.is_issued_by_known_root) |
| 348 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 352 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 433 } | 437 } |
| 434 | 438 |
| 435 ProofVerifierChromium::ProofVerifierChromium( | 439 ProofVerifierChromium::ProofVerifierChromium( |
| 436 CertVerifier* cert_verifier, | 440 CertVerifier* cert_verifier, |
| 437 CTPolicyEnforcer* ct_policy_enforcer, | 441 CTPolicyEnforcer* ct_policy_enforcer, |
| 438 TransportSecurityState* transport_security_state, | 442 TransportSecurityState* transport_security_state, |
| 439 CTVerifier* cert_transparency_verifier) | 443 CTVerifier* cert_transparency_verifier) |
| 440 : cert_verifier_(cert_verifier), | 444 : cert_verifier_(cert_verifier), |
| 441 ct_policy_enforcer_(ct_policy_enforcer), | 445 ct_policy_enforcer_(ct_policy_enforcer), |
| 442 transport_security_state_(transport_security_state), | 446 transport_security_state_(transport_security_state), |
| 443 cert_transparency_verifier_(cert_transparency_verifier) {} | 447 cert_transparency_verifier_(cert_transparency_verifier) { |
| 448 DCHECK(cert_verifier_); |
| 449 DCHECK(ct_policy_enforcer_); |
| 450 DCHECK(transport_security_state_); |
| 451 DCHECK(cert_transparency_verifier_); |
| 452 } |
| 444 | 453 |
| 445 ProofVerifierChromium::~ProofVerifierChromium() { | 454 ProofVerifierChromium::~ProofVerifierChromium() { |
| 446 STLDeleteElements(&active_jobs_); | 455 STLDeleteElements(&active_jobs_); |
| 447 } | 456 } |
| 448 | 457 |
| 449 QuicAsyncStatus ProofVerifierChromium::VerifyProof( | 458 QuicAsyncStatus ProofVerifierChromium::VerifyProof( |
| 450 const std::string& hostname, | 459 const std::string& hostname, |
| 451 const uint16_t port, | 460 const uint16_t port, |
| 452 const std::string& server_config, | 461 const std::string& server_config, |
| 453 QuicVersion quic_version, | 462 QuicVersion quic_version, |
| (...skipping 23 matching lines...) Expand all Loading... |
| 477 } | 486 } |
| 478 return status; | 487 return status; |
| 479 } | 488 } |
| 480 | 489 |
| 481 void ProofVerifierChromium::OnJobComplete(Job* job) { | 490 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 482 active_jobs_.erase(job); | 491 active_jobs_.erase(job); |
| 483 delete job; | 492 delete job; |
| 484 } | 493 } |
| 485 | 494 |
| 486 } // namespace net | 495 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2067843003:
Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master