Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1329)

Issue 2076363002: Introduce the ability to require CT for specific hosts (Closed)

Created:
4 years, 6 months ago by Ryan Sleevi
Modified:
4 years, 5 months ago
CC:
chromium-reviews, cbentzel+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@require_ct_enforcer
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Introduce the ability to require CT for specific hosts Add the ability for TransportSecurityState to determine if a host/certificate/public key hashes is required to supply valid Certificate Transparency information. If so, cause the connection to fail with ERR_SSL_CERTIFICATE_REQUIRED (even when using QUIC). To override the TSS policy decisions with custom logic, this adds the ability to set a RequireCTDelegate on the TSS, which allows hosts to be opted-in or opted-out of the CT requirement. To support this change in enforcement, this also ensures that both public key pins and CT information are checked in parallel, but that the PKP error is treated as more serious than the CT error. BUG=621252 R=davidben@chromium.org, estark@chromium.org, eugenebut@chromium.org Committed: https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777 Cr-Commit-Position: refs/heads/master@{#401801}

Patch Set 1 #

Total comments: 1

Patch Set 2 : Rebased #

Patch Set 3 : Move some cleanups out #

Total comments: 1

Patch Set 4 : Rebased #

Total comments: 12

Patch Set 5 : Rebased #

Patch Set 6 : Add more tests #

Patch Set 7 : CanPool tests #

Total comments: 11

Patch Set 8 : Fixup #

Patch Set 9 : Android is weird #

Unified diffs Side-by-side diffs Delta from patch set Stats (+596 lines, -106 lines) Patch
M ios/web/navigation/crw_session_certificate_policy_manager.mm View 1 2 3 4 1 chunk +1 line, -1 line 0 comments Download
M net/base/net_error_list.h View 1 2 2 chunks +7 lines, -1 line 0 comments Download
M net/cert/cert_status_flags.h View 1 2 1 chunk +1 line, -1 line 0 comments Download
M net/cert/cert_status_flags.cc View 1 2 2 chunks +4 lines, -0 lines 0 comments Download
M net/cert/cert_status_flags_list.h View 1 2 1 chunk +4 lines, -1 line 0 comments Download
M net/http/transport_security_state.h View 1 2 3 4 5 chunks +58 lines, -3 lines 0 comments Download
M net/http/transport_security_state.cc View 1 2 3 4 3 chunks +21 lines, -4 lines 0 comments Download
M net/http/transport_security_state_unittest.cc View 1 2 3 4 5 6 7 3 chunks +74 lines, -0 lines 0 comments Download
M net/quic/crypto/proof_verifier_chromium.cc View 1 2 3 4 3 chunks +18 lines, -5 lines 0 comments Download
M net/quic/crypto/proof_verifier_chromium_test.cc View 1 2 3 4 5 6 7 8 chunks +142 lines, -31 lines 0 comments Download
M net/socket/ssl_client_socket_impl.h View 2 chunks +1 line, -1 line 0 comments Download
M net/socket/ssl_client_socket_impl.cc View 1 2 3 4 4 chunks +70 lines, -58 lines 0 comments Download
M net/socket/ssl_client_socket_unittest.cc View 1 2 3 4 5 2 chunks +101 lines, -0 lines 0 comments Download
M net/spdy/spdy_session.cc View 1 2 3 4 2 chunks +8 lines, -0 lines 0 comments Download
M net/spdy/spdy_session_unittest.cc View 1 2 3 4 5 6 7 8 4 chunks +86 lines, -0 lines 0 comments Download

Messages

Total messages: 47 (19 generated)
Ryan Sleevi
David: Since you got to deal with my rambling yesterday, PTAL Emily: Sanity checking based ...
4 years, 6 months ago (2016-06-18 00:46:43 UTC) #2
mmenke
https://codereview.chromium.org/2076363002/diff/1/net/base/net_error_list.h File net/base/net_error_list.h (right): https://codereview.chromium.org/2076363002/diff/1/net/base/net_error_list.h#newcode378 net/base/net_error_list.h:378: NET_ERROR(SSL_CERTIFICATE_TRANSPARENCY_REQUIRED, -172) Should there be error page text for ...
4 years, 6 months ago (2016-06-18 00:59:29 UTC) #4
estark
lgtm for implementing what we talked about (checking both CT and HPKP, treating HPKP as ...
4 years, 6 months ago (2016-06-20 20:02:35 UTC) #5
mmenke
One other question: Is there a reason we're showing a net error page instead of ...
4 years, 6 months ago (2016-06-20 20:18:31 UTC) #6
Ryan Sleevi
On 2016/06/20 20:18:31, mmenke wrote: > One other question: Is there a reason we're showing ...
4 years, 6 months ago (2016-06-20 20:33:49 UTC) #7
mmenke
On 2016/06/20 20:33:49, Ryan Sleevi wrote: > On 2016/06/20 20:18:31, mmenke wrote: > > One ...
4 years, 6 months ago (2016-06-20 21:07:52 UTC) #8
davidben
On 2016/06/20 20:33:49, Ryan Sleevi wrote: > On 2016/06/20 20:18:31, mmenke wrote: > > One ...
4 years, 6 months ago (2016-06-20 22:04:34 UTC) #10
mmenke
On 2016/06/20 22:04:34, davidben wrote: > On 2016/06/20 20:33:49, Ryan Sleevi wrote: > > On ...
4 years, 6 months ago (2016-06-20 22:07:13 UTC) #11
Ryan Sleevi
On 2016/06/20 22:07:13, mmenke wrote: > Yea, this seems like a cert error, so an ...
4 years, 6 months ago (2016-06-20 23:00:44 UTC) #12
Ryan Sleevi
OK, this should be ready for David's proper review - it introduces the extra CertStatus ...
4 years, 6 months ago (2016-06-21 00:09:34 UTC) #14
davidben
https://codereview.chromium.org/2076363002/diff/60001/net/http/transport_security_state.h File net/http/transport_security_state.h (right): https://codereview.chromium.org/2076363002/diff/60001/net/http/transport_security_state.h#newcode75 net/http/transport_security_state.h:75: DEFAULT, To confirm, the reason DEFAULT is a notion ...
4 years, 6 months ago (2016-06-22 21:44:59 UTC) #15
Ryan Sleevi
https://codereview.chromium.org/2076363002/diff/60001/net/http/transport_security_state.h File net/http/transport_security_state.h (right): https://codereview.chromium.org/2076363002/diff/60001/net/http/transport_security_state.h#newcode75 net/http/transport_security_state.h:75: DEFAULT, On 2016/06/22 21:44:59, davidben wrote: > To confirm, ...
4 years, 6 months ago (2016-06-22 22:07:39 UTC) #16
Ryan Sleevi
David: Added more tests :) Always happy for pushback like that ;)
4 years, 6 months ago (2016-06-23 00:02:40 UTC) #17
davidben
lgtm https://codereview.chromium.org/2076363002/diff/120001/net/quic/crypto/proof_verifier_chromium_test.cc File net/quic/crypto/proof_verifier_chromium_test.cc (right): https://codereview.chromium.org/2076363002/diff/120001/net/quic/crypto/proof_verifier_chromium_test.cc#newcode312 net/quic/crypto/proof_verifier_chromium_test.cc:312: Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); Just to confirm, clobbering the EXPECT_CALL in ...
4 years, 6 months ago (2016-06-23 19:51:43 UTC) #18
Ryan Sleevi
https://codereview.chromium.org/2076363002/diff/120001/net/quic/crypto/proof_verifier_chromium_test.cc File net/quic/crypto/proof_verifier_chromium_test.cc (right): https://codereview.chromium.org/2076363002/diff/120001/net/quic/crypto/proof_verifier_chromium_test.cc#newcode312 net/quic/crypto/proof_verifier_chromium_test.cc:312: Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); On 2016/06/23 19:51:43, davidben wrote: > Just to ...
4 years, 6 months ago (2016-06-23 21:38:31 UTC) #19
Ryan Sleevi
Going to TBR Eugene because this is a no-op change to iOS
4 years, 6 months ago (2016-06-23 21:39:01 UTC) #21
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2076363002/120001
4 years, 6 months ago (2016-06-23 21:39:59 UTC) #25
Eugene But (OOO till 7-30)
ios lgtm
4 years, 6 months ago (2016-06-23 21:46:10 UTC) #26
commit-bot: I haz the power
Try jobs failed on following builders: android_compile_dbg on tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/android_compile_dbg/builds/86444) cast_shell_linux on tryserver.chromium.linux (JOB_FAILED, ...
4 years, 6 months ago (2016-06-23 22:03:00 UTC) #28
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2076363002/140001
4 years, 6 months ago (2016-06-23 22:40:38 UTC) #30
commit-bot: I haz the power
Dry run: Try jobs failed on following builders: android_arm64_dbg_recipe on tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm64_dbg_recipe/builds/86303) linux_android_rel_ng on ...
4 years, 6 months ago (2016-06-23 23:03:27 UTC) #32
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2076363002/160001
4 years, 6 months ago (2016-06-23 23:13:08 UTC) #34
commit-bot: I haz the power
Dry run: This issue passed the CQ dry run.
4 years, 6 months ago (2016-06-24 02:29:35 UTC) #37
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2076363002/160001
4 years, 6 months ago (2016-06-24 02:40:32 UTC) #40
commit-bot: I haz the power
Committed patchset #9 (id:160001)
4 years, 6 months ago (2016-06-24 03:05:36 UTC) #42
commit-bot: I haz the power
Patchset 9 (id:??) landed as https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777 Cr-Commit-Position: refs/heads/master@{#401801}
4 years, 6 months ago (2016-06-24 03:07:13 UTC) #44
eroman
FYI, run tools/metrics/histograms/update_net_error_codes.py after adding a code to net_error_list.h Perhaps that should be added as ...
4 years, 5 months ago (2016-07-14 18:37:45 UTC) #46
davidben
4 years, 5 months ago (2016-07-25 19:08:02 UTC) #47
Message was sent while issue was closed.
On 2016/07/14 18:37:45, eroman wrote:
> FYI, run tools/metrics/histograms/update_net_error_codes.py after adding a
code
> to net_error_list.h
> 
> Perhaps that should be added as a presubmit check...

I suggested this at some point (forget where), but people objected. Though maybe
people won't object this time around? I'd be for it.

Powered by Google App Engine
This is Rietveld 408576698