| Index: remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| index 64579a6e9dc09d851c3edfd198525f86aa6d8051..303aea253d1457db7e60352c3c16a0c6080f25dc 100644
|
| --- a/remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| +++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc
|
| @@ -22,6 +22,9 @@
|
| #include "net/cert/cert_status_flags.h"
|
| #include "net/cert/cert_verifier.h"
|
| #include "net/cert/cert_verify_result.h"
|
| +#include "net/cert/ct_policy_enforcer.h"
|
| +#include "net/cert/ct_policy_status.h"
|
| +#include "net/cert/ct_verifier.h"
|
| #include "net/cert/x509_certificate.h"
|
| #include "net/http/transport_security_state.h"
|
| #include "net/socket/client_socket_handle.h"
|
| @@ -62,6 +65,45 @@ class FailingCertVerifier : public net::CertVerifier {
|
| }
|
| };
|
|
|
| +// A CTVerifier which ignores Certificate Transparency information.
|
| +class IgnoresCTVerifier : public net::CTVerifier {
|
| + public:
|
| + IgnoresCTVerifier() = default;
|
| + ~IgnoresCTVerifier() override = default;
|
| +
|
| + int Verify(net::X509Certificate* cert,
|
| + const std::string& stapled_ocsp_response,
|
| + const std::string& sct_list_from_tls_extension,
|
| + net::ct::CTVerifyResult* result,
|
| + const net::BoundNetLog& net_log) override {
|
| + return net::OK;
|
| + }
|
| +
|
| + void SetObserver(Observer* observer) override {}
|
| +};
|
| +
|
| +// A CTPolicyEnforcer that accepts all certificates.
|
| +class IgnoresCTPolicyEnforcer : public net::CTPolicyEnforcer {
|
| + public:
|
| + IgnoresCTPolicyEnforcer() = default;
|
| + ~IgnoresCTPolicyEnforcer() override = default;
|
| +
|
| + net::ct::CertPolicyCompliance DoesConformToCertPolicy(
|
| + net::X509Certificate* cert,
|
| + const net::SCTList& verified_scts,
|
| + const net::BoundNetLog& net_log) override {
|
| + return net::ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
|
| + }
|
| +
|
| + net::ct::EVPolicyCompliance DoesConformToCTEVPolicy(
|
| + net::X509Certificate* cert,
|
| + const net::ct::EVCertsWhitelist* ev_whitelist,
|
| + const net::SCTList& verified_scts,
|
| + const net::BoundNetLog& net_log) override {
|
| + return net::ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
|
| + }
|
| +};
|
| +
|
| // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed
|
| // to net::SSLClientSocket and net::SSLServerSocket.
|
| class NetStreamSocketAdapter : public net::StreamSocket {
|
| @@ -240,6 +282,8 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
|
| } else {
|
| transport_security_state_.reset(new net::TransportSecurityState);
|
| cert_verifier_.reset(new FailingCertVerifier);
|
| + ct_verifier_.reset(new IgnoresCTVerifier);
|
| + ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer);
|
|
|
| net::SSLConfig::CertAndStatus cert_and_status;
|
| cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID;
|
| @@ -259,6 +303,8 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
|
| net::SSLClientSocketContext context;
|
| context.transport_security_state = transport_security_state_.get();
|
| context.cert_verifier = cert_verifier_.get();
|
| + context.cert_transparency_verifier = ct_verifier_.get();
|
| + context.ct_policy_enforcer = ct_policy_enforcer_.get();
|
| std::unique_ptr<net::ClientSocketHandle> socket_handle(
|
| new net::ClientSocketHandle);
|
| socket_handle->SetSocket(
|
|
|
Chromium Code Reviews
Issue 2067843003:
Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master