Introduce the ability to require CT for specific hosts

net/quic/crypto/proof_verifier_chromium.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 285 matching lines @@
 
   return verifier_->Verify(
       CertVerifier::RequestParams(cert_, hostname_, cert_verify_flags_,
                                   std::string(), CertificateList()),
       SSLConfigService::GetCRLSet().get(), &verify_details_->cert_verify_result,
       base::Bind(&ProofVerifierChromium::Job::OnIOComplete,
                  base::Unretained(this)),
       &cert_verifier_request_, net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {

[davidben, 2016/06/22 21:44:59]

[Wow, I hadn't realized there was this much duplicated code. :-) Now I'm very
convinced that all this stuff needs to get bundled behind some abstraction, be
it CertVerifier or something else.]

[Ryan Sleevi, 2016/06/22 22:07:39]

Yup. I agree :)

   cert_verifier_request_.reset();
 
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
   verify_details_->ct_verify_result.ct_policies_applied = result == OK;
   verify_details_->ct_verify_result.ev_policy_compliance =
       ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
-  if (result == OK) {
+
+  // If the connection was good, check HPKP and CT status simultaneously,
+  // but prefer to treat the HPKP error as more serious, if there was one.
+  if ((result == OK ||
+       (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) {
     if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
       ct::EVPolicyCompliance ev_policy_compliance =
           policy_enforcer_->DoesConformToCTEVPolicy(
               cert_verify_result.verified_cert.get(),
               SSLConfigService::GetEVCertsWhitelist().get(),
               verify_details_->ct_verify_result.verified_scts, net_log_);
       verify_details_->ct_verify_result.ev_policy_compliance =
           ev_policy_compliance;
       if (ev_policy_compliance !=
               ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
           ev_policy_compliance !=
               ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
           ev_policy_compliance !=
               ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
         verify_details_->cert_verify_result.cert_status |=
             CERT_STATUS_CT_COMPLIANCE_FAILED;
         verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
       }
     }
 
     verify_details_->ct_verify_result.cert_policy_compliance =
         policy_enforcer_->DoesConformToCertPolicy(
             cert_verify_result.verified_cert.get(),
             verify_details_->ct_verify_result.verified_scts, net_log_);
-  }
 
-  if ((result == OK ||
-       (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
-      !transport_security_state_->CheckPublicKeyPins(
-          HostPortPair(hostname_, port_),
-          cert_verify_result.is_issued_by_known_root,
-          cert_verify_result.public_key_hashes, cert_.get(),
-          cert_verify_result.verified_cert.get(),
-          TransportSecurityState::ENABLE_PIN_REPORTS,
-          &verify_details_->pinning_failure_log)) {
-    if (cert_verify_result.is_issued_by_known_root) {
+    int ct_result = OK;
+    if (verify_details_->ct_verify_result.cert_policy_compliance !=
+            ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&
+        transport_security_state_->ShouldRequireCT(
+            hostname_, cert_verify_result.verified_cert.get(),
+            cert_verify_result.public_key_hashes)) {
       verify_details_->cert_verify_result.cert_status |=
-          CERT_STATUS_PINNED_KEY_MISSING;
-      result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
-    } else {
-      verify_details_->pkp_bypassed = true;
+          CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED;
+      ct_result = ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
     }
+
+    if (!transport_security_state_->CheckPublicKeyPins(
+            HostPortPair(hostname_, port_),
+            cert_verify_result.is_issued_by_known_root,
+            cert_verify_result.public_key_hashes, cert_.get(),
+            cert_verify_result.verified_cert.get(),
+            TransportSecurityState::ENABLE_PIN_REPORTS,
+            &verify_details_->pinning_failure_log)) {
+      if (cert_verify_result.is_issued_by_known_root) {
+        verify_details_->cert_verify_result.cert_status |=
+            CERT_STATUS_PINNED_KEY_MISSING;
+        result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
+      } else {
+        verify_details_->pkp_bypassed = true;
+      }
+    }
+    if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK)
+      result = ct_result;
   }
 
   if (result != OK) {
     std::string error_string = ErrorToString(result);
     error_details_ = StringPrintf("Failed to verify certificate chain: %s",
                                   error_string.c_str());
     DLOG(WARNING) << error_details_;
   }
 
   // Exit DoLoop and return the result to the caller to VerifyProof.
@@ skipping 121 matching lines @@
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
   delete job;
 }
 
 }  // namespace net