| Index: net/quic/crypto/proof_verifier_chromium.cc
|
| diff --git a/net/quic/crypto/proof_verifier_chromium.cc b/net/quic/crypto/proof_verifier_chromium.cc
|
| index dde15033f299e2fb1c8cc87d30429cbf155deeda..83ff945f74a44c6e141f08a5e3907d21cb32ce1a 100644
|
| --- a/net/quic/crypto/proof_verifier_chromium.cc
|
| +++ b/net/quic/crypto/proof_verifier_chromium.cc
|
| @@ -312,7 +312,11 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
|
| verify_details_->ct_verify_result.ct_policies_applied = result == OK;
|
| verify_details_->ct_verify_result.ev_policy_compliance =
|
| ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
|
| - if (result == OK) {
|
| +
|
| + // If the connection was good, check HPKP and CT status simultaneously,
|
| + // but prefer to treat the HPKP error as more serious, if there was one.
|
| + if ((result == OK ||
|
| + (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) {
|
| if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
|
| ct::EVPolicyCompliance ev_policy_compliance =
|
| policy_enforcer_->DoesConformToCTEVPolicy(
|
| @@ -337,24 +341,35 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
|
| policy_enforcer_->DoesConformToCertPolicy(
|
| cert_verify_result.verified_cert.get(),
|
| verify_details_->ct_verify_result.verified_scts, net_log_);
|
| - }
|
|
|
| - if ((result == OK ||
|
| - (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
|
| - !transport_security_state_->CheckPublicKeyPins(
|
| - HostPortPair(hostname_, port_),
|
| - cert_verify_result.is_issued_by_known_root,
|
| - cert_verify_result.public_key_hashes, cert_.get(),
|
| - cert_verify_result.verified_cert.get(),
|
| - TransportSecurityState::ENABLE_PIN_REPORTS,
|
| - &verify_details_->pinning_failure_log)) {
|
| - if (cert_verify_result.is_issued_by_known_root) {
|
| + int ct_result = OK;
|
| + if (verify_details_->ct_verify_result.cert_policy_compliance !=
|
| + ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&
|
| + transport_security_state_->ShouldRequireCT(
|
| + hostname_, cert_verify_result.verified_cert.get(),
|
| + cert_verify_result.public_key_hashes)) {
|
| verify_details_->cert_verify_result.cert_status |=
|
| - CERT_STATUS_PINNED_KEY_MISSING;
|
| - result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| - } else {
|
| - verify_details_->pkp_bypassed = true;
|
| + CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED;
|
| + ct_result = ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
|
| + }
|
| +
|
| + if (!transport_security_state_->CheckPublicKeyPins(
|
| + HostPortPair(hostname_, port_),
|
| + cert_verify_result.is_issued_by_known_root,
|
| + cert_verify_result.public_key_hashes, cert_.get(),
|
| + cert_verify_result.verified_cert.get(),
|
| + TransportSecurityState::ENABLE_PIN_REPORTS,
|
| + &verify_details_->pinning_failure_log)) {
|
| + if (cert_verify_result.is_issued_by_known_root) {
|
| + verify_details_->cert_verify_result.cert_status |=
|
| + CERT_STATUS_PINNED_KEY_MISSING;
|
| + result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
|
| + } else {
|
| + verify_details_->pkp_bypassed = true;
|
| + }
|
| }
|
| + if (result != ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN && ct_result != OK)
|
| + result = ct_result;
|
| }
|
|
|
| if (result != OK) {
|
|
|
Chromium Code Reviews
Issue 2076363002:
Introduce the ability to require CT for specific hosts (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@require_ct_enforcer