| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 294 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 305 | 305 |
| 306 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { | 306 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { |
| 307 cert_verifier_request_.reset(); | 307 cert_verifier_request_.reset(); |
| 308 | 308 |
| 309 const CertVerifyResult& cert_verify_result = | 309 const CertVerifyResult& cert_verify_result = |
| 310 verify_details_->cert_verify_result; | 310 verify_details_->cert_verify_result; |
| 311 const CertStatus cert_status = cert_verify_result.cert_status; | 311 const CertStatus cert_status = cert_verify_result.cert_status; |
| 312 verify_details_->ct_verify_result.ct_policies_applied = result == OK; | 312 verify_details_->ct_verify_result.ct_policies_applied = result == OK; |
| 313 verify_details_->ct_verify_result.ev_policy_compliance = | 313 verify_details_->ct_verify_result.ev_policy_compliance = |
| 314 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 314 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 315 if (result == OK) { | 315 |
| 316 // If the connection was good, check HPKP and CT status simultaneously, |
| 317 // but prefer to treat the HPKP error as more serious, if there was one. |
| 318 if ((result == OK || |
| 319 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { |
| 316 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | 320 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { |
| 317 ct::EVPolicyCompliance ev_policy_compliance = | 321 ct::EVPolicyCompliance ev_policy_compliance = |
| 318 policy_enforcer_->DoesConformToCTEVPolicy( | 322 policy_enforcer_->DoesConformToCTEVPolicy( |
| 319 cert_verify_result.verified_cert.get(), | 323 cert_verify_result.verified_cert.get(), |
| 320 SSLConfigService::GetEVCertsWhitelist().get(), | 324 SSLConfigService::GetEVCertsWhitelist().get(), |
| 321 verify_details_->ct_verify_result.verified_scts, net_log_); | 325 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 322 verify_details_->ct_verify_result.ev_policy_compliance = | 326 verify_details_->ct_verify_result.ev_policy_compliance = |
| 323 ev_policy_compliance; | 327 ev_policy_compliance; |
| 324 if (ev_policy_compliance != | 328 if (ev_policy_compliance != |
| 325 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | 329 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 326 ev_policy_compliance != | 330 ev_policy_compliance != |
| 327 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | 331 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 328 ev_policy_compliance != | 332 ev_policy_compliance != |
| 329 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | 333 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 330 verify_details_->cert_verify_result.cert_status |= | 334 verify_details_->cert_verify_result.cert_status |= |
| 331 CERT_STATUS_CT_COMPLIANCE_FAILED; | 335 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 332 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 336 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 333 } | 337 } |
| 334 } | 338 } |
| 335 | 339 |
| 336 verify_details_->ct_verify_result.cert_policy_compliance = | 340 verify_details_->ct_verify_result.cert_policy_compliance = |
| 337 policy_enforcer_->DoesConformToCertPolicy( | 341 policy_enforcer_->DoesConformToCertPolicy( |
| 338 cert_verify_result.verified_cert.get(), | 342 cert_verify_result.verified_cert.get(), |
| 339 verify_details_->ct_verify_result.verified_scts, net_log_); | 343 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 340 } | |
| 341 | 344 |
| 342 if ((result == OK || | 345 int ct_result = OK; |
| 343 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 346 if (verify_details_->ct_verify_result.cert_policy_compliance != |
| 344 !transport_security_state_->CheckPublicKeyPins( | 347 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS && |
| 345 HostPortPair(hostname_, port_), | 348 transport_security_state_->ShouldRequireCT( |
| 346 cert_verify_result.is_issued_by_known_root, | 349 hostname_, cert_verify_result.verified_cert.get(), |
| 347 cert_verify_result.public_key_hashes, cert_.get(), | 350 cert_verify_result.public_key_hashes)) { |
| 348 cert_verify_result.verified_cert.get(), | 351 ct_result = ERR_SSL_CERTIFICATE_TRANSPARENCY_REQUIRED; |
| 349 TransportSecurityState::ENABLE_PIN_REPORTS, | 352 } |
| 350 &verify_details_->pinning_failure_log)) { | 353 |
| 351 if (cert_verify_result.is_issued_by_known_root) | 354 if (!transport_security_state_->CheckPublicKeyPins( |
| 352 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 355 HostPortPair(hostname_, port_), |
| 353 else | 356 cert_verify_result.is_issued_by_known_root, |
| 354 verify_details_->pkp_bypassed = true; | 357 cert_verify_result.public_key_hashes, cert_.get(), |
| 358 cert_verify_result.verified_cert.get(), |
| 359 TransportSecurityState::ENABLE_PIN_REPORTS, |
| 360 &verify_details_->pinning_failure_log)) { |
| 361 if (cert_verify_result.is_issued_by_known_root) |
| 362 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 363 else |
| 364 verify_details_->pkp_bypassed = true; |
| 365 } |
| 366 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK) |
| 367 result = ct_result; |
| 355 } | 368 } |
| 356 | 369 |
| 357 if (result != OK) { | 370 if (result != OK) { |
| 358 std::string error_string = ErrorToString(result); | 371 std::string error_string = ErrorToString(result); |
| 359 error_details_ = StringPrintf("Failed to verify certificate chain: %s", | 372 error_details_ = StringPrintf("Failed to verify certificate chain: %s", |
| 360 error_string.c_str()); | 373 error_string.c_str()); |
| 361 DLOG(WARNING) << error_details_; | 374 DLOG(WARNING) << error_details_; |
| 362 } | 375 } |
| 363 | 376 |
| 364 // Exit DoLoop and return the result to the caller to VerifyProof. | 377 // Exit DoLoop and return the result to the caller to VerifyProof. |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 486 } | 499 } |
| 487 return status; | 500 return status; |
| 488 } | 501 } |
| 489 | 502 |
| 490 void ProofVerifierChromium::OnJobComplete(Job* job) { | 503 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 491 active_jobs_.erase(job); | 504 active_jobs_.erase(job); |
| 492 delete job; | 505 delete job; |
| 493 } | 506 } |
| 494 | 507 |
| 495 } // namespace net | 508 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2076363002:
Introduce the ability to require CT for specific hosts (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@require_ct_enforcer