| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 294 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 305 | 305 |
| 306 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { | 306 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { |
| 307 cert_verifier_request_.reset(); | 307 cert_verifier_request_.reset(); |
| 308 | 308 |
| 309 const CertVerifyResult& cert_verify_result = | 309 const CertVerifyResult& cert_verify_result = |
| 310 verify_details_->cert_verify_result; | 310 verify_details_->cert_verify_result; |
| 311 const CertStatus cert_status = cert_verify_result.cert_status; | 311 const CertStatus cert_status = cert_verify_result.cert_status; |
| 312 verify_details_->ct_verify_result.ct_policies_applied = result == OK; | 312 verify_details_->ct_verify_result.ct_policies_applied = result == OK; |
| 313 verify_details_->ct_verify_result.ev_policy_compliance = | 313 verify_details_->ct_verify_result.ev_policy_compliance = |
| 314 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 314 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 315 if (result == OK) { | 315 |
| 316 // If the connection was good, check HPKP and CT status simultaneously, |
| 317 // but prefer to treat the HPKP error as more serious, if there was one. |
| 318 if ((result == OK || |
| 319 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { |
| 316 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | 320 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { |
| 317 ct::EVPolicyCompliance ev_policy_compliance = | 321 ct::EVPolicyCompliance ev_policy_compliance = |
| 318 policy_enforcer_->DoesConformToCTEVPolicy( | 322 policy_enforcer_->DoesConformToCTEVPolicy( |
| 319 cert_verify_result.verified_cert.get(), | 323 cert_verify_result.verified_cert.get(), |
| 320 SSLConfigService::GetEVCertsWhitelist().get(), | 324 SSLConfigService::GetEVCertsWhitelist().get(), |
| 321 verify_details_->ct_verify_result.verified_scts, net_log_); | 325 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 322 verify_details_->ct_verify_result.ev_policy_compliance = | 326 verify_details_->ct_verify_result.ev_policy_compliance = |
| 323 ev_policy_compliance; | 327 ev_policy_compliance; |
| 324 if (ev_policy_compliance != | 328 if (ev_policy_compliance != |
| 325 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | 329 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 326 ev_policy_compliance != | 330 ev_policy_compliance != |
| 327 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | 331 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 328 ev_policy_compliance != | 332 ev_policy_compliance != |
| 329 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | 333 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 330 verify_details_->cert_verify_result.cert_status |= | 334 verify_details_->cert_verify_result.cert_status |= |
| 331 CERT_STATUS_CT_COMPLIANCE_FAILED; | 335 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 332 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 336 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 333 } | 337 } |
| 334 } | 338 } |
| 335 | 339 |
| 336 verify_details_->ct_verify_result.cert_policy_compliance = | 340 verify_details_->ct_verify_result.cert_policy_compliance = |
| 337 policy_enforcer_->DoesConformToCertPolicy( | 341 policy_enforcer_->DoesConformToCertPolicy( |
| 338 cert_verify_result.verified_cert.get(), | 342 cert_verify_result.verified_cert.get(), |
| 339 verify_details_->ct_verify_result.verified_scts, net_log_); | 343 verify_details_->ct_verify_result.verified_scts, net_log_); |
| 340 } | |
| 341 | 344 |
| 342 if (transport_security_state_ && | 345 int ct_result = OK; |
| 343 (result == OK || | 346 if (verify_details_->ct_verify_result.cert_policy_compliance != |
| 344 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { | 347 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS && |
| 348 transport_security_state_->ShouldRequireCT( |
| 349 hostname_, cert_verify_result.verified_cert.get(), |
| 350 cert_verify_result.public_key_hashes)) { |
| 351 verify_details_->cert_verify_result.cert_status |= |
| 352 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED; |
| 353 ct_result = ERR_CERTIFICATE_TRANSPARENCY_REQUIRED; |
| 354 } |
| 355 |
| 345 TransportSecurityState::PKPStatus pin_validity = | 356 TransportSecurityState::PKPStatus pin_validity = |
| 346 transport_security_state_->CheckPublicKeyPins( | 357 transport_security_state_->CheckPublicKeyPins( |
| 347 HostPortPair(hostname_, port_), | 358 HostPortPair(hostname_, port_), |
| 348 cert_verify_result.is_issued_by_known_root, | 359 cert_verify_result.is_issued_by_known_root, |
| 349 cert_verify_result.public_key_hashes, cert_.get(), | 360 cert_verify_result.public_key_hashes, cert_.get(), |
| 350 cert_verify_result.verified_cert.get(), | 361 cert_verify_result.verified_cert.get(), |
| 351 TransportSecurityState::ENABLE_PIN_REPORTS, | 362 TransportSecurityState::ENABLE_PIN_REPORTS, |
| 352 &verify_details_->pinning_failure_log); | 363 &verify_details_->pinning_failure_log); |
| 353 switch (pin_validity) { | 364 switch (pin_validity) { |
| 354 case TransportSecurityState::PKPStatus::VIOLATED: | 365 case TransportSecurityState::PKPStatus::VIOLATED: |
| 355 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 366 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 356 verify_details_->cert_verify_result.cert_status |= | 367 verify_details_->cert_verify_result.cert_status |= |
| 357 CERT_STATUS_PINNED_KEY_MISSING; | 368 CERT_STATUS_PINNED_KEY_MISSING; |
| 358 break; | 369 break; |
| 359 case TransportSecurityState::PKPStatus::BYPASSED: | 370 case TransportSecurityState::PKPStatus::BYPASSED: |
| 360 verify_details_->pkp_bypassed = true; | 371 verify_details_->pkp_bypassed = true; |
| 361 // Fall through. | 372 // Fall through. |
| 362 case TransportSecurityState::PKPStatus::OK: | 373 case TransportSecurityState::PKPStatus::OK: |
| 363 // Do nothing. | 374 // Do nothing. |
| 364 break; | 375 break; |
| 365 } | 376 } |
| 377 if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK) |
| 378 result = ct_result; |
| 366 } | 379 } |
| 367 | 380 |
| 368 if (result != OK) { | 381 if (result != OK) { |
| 369 std::string error_string = ErrorToString(result); | 382 std::string error_string = ErrorToString(result); |
| 370 error_details_ = StringPrintf("Failed to verify certificate chain: %s", | 383 error_details_ = StringPrintf("Failed to verify certificate chain: %s", |
| 371 error_string.c_str()); | 384 error_string.c_str()); |
| 372 DLOG(WARNING) << error_details_; | 385 DLOG(WARNING) << error_details_; |
| 373 } | 386 } |
| 374 | 387 |
| 375 // Exit DoLoop and return the result to the caller to VerifyProof. | 388 // Exit DoLoop and return the result to the caller to VerifyProof. |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 497 } | 510 } |
| 498 return status; | 511 return status; |
| 499 } | 512 } |
| 500 | 513 |
| 501 void ProofVerifierChromium::OnJobComplete(Job* job) { | 514 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 502 active_jobs_.erase(job); | 515 active_jobs_.erase(job); |
| 503 delete job; | 516 delete job; |
| 504 } | 517 } |
| 505 | 518 |
| 506 } // namespace net | 519 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2076363002:
Introduce the ability to require CT for specific hosts (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@require_ct_enforcer