net/cert/cert_verify_proc.cc - Issue 2100303002: Add OCSPVerifyResult for tracking stapled OCSP responses cross-platform.

Side by Side Diff: net/cert/cert_verify_proc.cc

Issue 2100303002: Add OCSPVerifyResult for tracking stapled OCSP responses cross-platform. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@ocsp-date-check

Patch Set: Comments from estark Created 4 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/cert_verify_proc.h"	5 #include "net/cert/cert_verify_proc.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8	8

9 #include <algorithm>	9 #include <algorithm>

10	10

11 #include "base/metrics/histogram.h"	11 #include "base/metrics/histogram.h"

12 #include "base/metrics/histogram_macros.h"	12 #include "base/metrics/histogram_macros.h"

13 #include "base/sha1.h"	13 #include "base/sha1.h"

14 #include "base/strings/string_util.h"	14 #include "base/strings/string_util.h"

15 #include "base/strings/stringprintf.h"	15 #include "base/strings/stringprintf.h"

16 #include "base/time/time.h"	16 #include "base/time/time.h"

17 #include "build/build_config.h"	17 #include "build/build_config.h"

18 #include "net/base/net_errors.h"	18 #include "net/base/net_errors.h"

19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"	19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"

20 #include "net/base/url_util.h"	20 #include "net/base/url_util.h"

21 #include "net/cert/cert_status_flags.h"	21 #include "net/cert/cert_status_flags.h"

22 #include "net/cert/cert_verifier.h"	22 #include "net/cert/cert_verifier.h"

23 #include "net/cert/cert_verify_proc_whitelist.h"	23 #include "net/cert/cert_verify_proc_whitelist.h"

24 #include "net/cert/cert_verify_result.h"	24 #include "net/cert/cert_verify_result.h"

25 #include "net/cert/crl_set.h"	25 #include "net/cert/crl_set.h"

	26 #include "net/cert/internal/parse_ocsp.h"

	27 #include "net/cert/ocsp_revocation_status.h"

26 #include "net/cert/x509_certificate.h"	28 #include "net/cert/x509_certificate.h"

	29 #include "net/der/encode_values.h"

27 #include "url/url_canon.h"	30 #include "url/url_canon.h"

28	31

29 #if defined(USE_NSS_CERTS)	32 #if defined(USE_NSS_CERTS)

30 #include "net/cert/cert_verify_proc_nss.h"	33 #include "net/cert/cert_verify_proc_nss.h"

31 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)	34 #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)

32 #include "net/cert/cert_verify_proc_openssl.h"	35 #include "net/cert/cert_verify_proc_openssl.h"

33 #elif defined(OS_ANDROID)	36 #elif defined(OS_ANDROID)

34 #include "net/cert/cert_verify_proc_android.h"	37 #include "net/cert/cert_verify_proc_android.h"

35 #elif defined(OS_IOS)	38 #elif defined(OS_IOS)

36 #include "net/cert/cert_verify_proc_ios.h"	39 #include "net/cert/cert_verify_proc_ios.h"

(...skipping 138 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
175 bool IsPastSHA1DeprecationDate(const X509Certificate& cert) {	178 bool IsPastSHA1DeprecationDate(const X509Certificate& cert) {

176 const base::Time& start = cert.valid_start();	179 const base::Time& start = cert.valid_start();

177 if (start.is_max() \|\| start.is_null())	180 if (start.is_max() \|\| start.is_null())

178 return true;	181 return true;

179 // 2016-01-01 00:00:00 UTC.	182 // 2016-01-01 00:00:00 UTC.

180 const base::Time kSHA1DeprecationDate =	183 const base::Time kSHA1DeprecationDate =

181 base::Time::FromInternalValue(INT64_C(13096080000000000));	184 base::Time::FromInternalValue(INT64_C(13096080000000000));

182 return start >= kSHA1DeprecationDate;	185 return start >= kSHA1DeprecationDate;

183 }	186 }

184	187

	188 bool CheckCertIDMatchesCertificate(const OCSPCertID& cert_id,
	Ryan Sleevi 2016/07/18 20:08:08 Document Document dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Document Done.
	189 const X509Certificate& certificate) {

	190 // TODO(dadrian): Verify name and key hashes. https://crbug.com/620005

	191 der::Input serial(&certificate.serial_number());

	192 return cert_id.serial_number == serial;

	193 }

	194

	195 void CheckOCSP(const std::string& raw_response,
	Ryan Sleevi 2016/07/18 20:08:08 Document Document dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Document Done.
	196 CertVerifyResult* verify_result) {
	Ryan Sleevi 2016/07/18 20:08:08 Is CertVerifyResult really the right dependency? I Is CertVerifyResult really the right dependency? It looks like you're using it to smuggle two parameters - the output OCSP response, and the cert under inspection. I'd suggest making those inputs explicit (that is, rather than taking the CertVerifyResult directly) dadrian 2016/07/18 22:23:31 Done. Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Is CertVerifyResult really the right dependency? It looks like you're using it > to smuggle two parameters - the output OCSP response, and the cert under > inspection. > > I'd suggest making those inputs explicit (that is, rather than taking the > CertVerifyResult directly) Done.
	197 verify_result->ocsp.Reset();
	Ryan Sleevi 2016/07/18 20:08:08 Do we need an explicit reset? Can't you just do a Do we need an explicit reset? Can't you just do a by-val assignment? Is this just cargo-culted from CertVerifyResult? dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Do we need an explicit reset? Can't you just do a by-val assignment? Is this > just cargo-culted from CertVerifyResult? Done.
	198

	199 if (raw_response.empty()) {

	200 verify_result->ocsp.response_status = OCSPVerifyResult::MISSING;

	201 return;

	202 }

	203 der::Input response_der(&raw_response);
	Ryan Sleevi 2016/07/18 20:08:08 move the newline from 204 to 203 :) move the newline from 204 to 203 :) dadrian 2016/07/18 22:23:31 Done. Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > move the newline from 204 to 203 :) Done.
	204

	205 OCSPResponse response;

	206 if (!ParseOCSPResponse(response_der, &response)) {

	207 verify_result->ocsp.response_status = OCSPVerifyResult::PARSE_RESPONSE;
	Ryan Sleevi 2016/07/18 20:08:07 Is PARSE_RESPONSE a good name for the enum? How do Is PARSE_RESPONSE a good name for the enum? How does it distinguish from BAD_RESPONSE? Should it be PARSE_ERROR? dadrian 2016/07/18 22:23:32 I changed it to PARSE_RESPONSE_ERROR and PARSE_RES Show quoted text On 2016/07/18 20:08:07, Ryan Sleevi (extremely slow) wrote: > Is PARSE_RESPONSE a good name for the enum? How does it distinguish from > BAD_RESPONSE? > > Should it be PARSE_ERROR? I changed it to PARSE_RESPONSE_ERROR and PARSE_RESPONSE_DATA_ERROR, to distinguish the two cases, while still making it clear it's a parsing error.
	208 return;

	209 }

	210

	211 // If the OCSP response isn't status SUCCESSFUL, don't parse the rest of the

	212 // data.
	Ryan Sleevi 2016/07/18 20:08:07 Could you explain the "why" more? Why is this a 'b Could you explain the "why" more? Why is this a 'bad' response? dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:07, Ryan Sleevi (extremely slow) wrote: > Could you explain the "why" more? Why is this a 'bad' response? Done.
	213 if (response.status != OCSPResponse::ResponseStatus::SUCCESSFUL) {

	214 verify_result->ocsp.response_status = OCSPVerifyResult::BAD_RESPONSE;

	215 return;

	216 }

	217

	218 OCSPResponseData response_data;

	219 if (!ParseOCSPResponseData(response.data, &response_data)) {
	Ryan Sleevi 2016/07/18 20:08:07 This could benefit from documentation, because Par This could benefit from documentation, because ParseOCSPResponse and ParseOCSPResponseData aren't immediately clear about the distinction between these two. For example, citing spec text (as you can see in the other RFC 5280 validation code) is useful to help refresh readers' context about what's happening. dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:07, Ryan Sleevi (extremely slow) wrote: > This could benefit from documentation, because ParseOCSPResponse and > ParseOCSPResponseData aren't immediately clear about the distinction between > these two. For example, citing spec text (as you can see in the other RFC 5280 > validation code) is useful to help refresh readers' context about what's > happening. Done.
	220 verify_result->ocsp.response_status = OCSPVerifyResult::PARSE_RESPONSE_DATA;

	221 return;

	222 }

	223

	224 // If producedAt is outside of the certificate validity period, reject the

	225 // response.

	226 der::GeneralizedTime not_before, not_after;

	227 if (!der::EncodeTimeAsGeneralizedTime(

	228 verify_result->verified_cert->valid_start(), &not_before) \|\|

	229 !der::EncodeTimeAsGeneralizedTime(

	230 verify_result->verified_cert->valid_expiry(), &not_after)) {
	Ryan Sleevi 2016/07/18 20:08:08 Just to make sure I understand: We parse the certi Just to make sure I understand: We parse the certificate validity, and then re-encode the certificate validity? dadrian 2016/07/18 22:23:32 Aren't computers great? :) The other option woul Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Just to make sure I understand: We parse the certificate validity, and then > re-encode the certificate validity? Aren't computers great? :) The other option would be to implement der::EncodeGeneralizedTimeToTime(), but based on previous experience, this would literally take months.
	231 verify_result->ocsp.response_status = OCSPVerifyResult::BAD_PRODUCED_AT;

	232 return;

	233 }

	234 if (response_data.produced_at < not_before \|\|

	235 response_data.produced_at > not_after) {

	236 verify_result->ocsp.response_status = OCSPVerifyResult::BAD_PRODUCED_AT;

	237 return;

	238 }

	239

	240 // TODO(svaldez): Unify with GetOCSPCertStatus.
	Ryan Sleevi 2016/07/18 20:08:08 Is there a Bug #? Is there a Bug #? dadrian 2016/07/18 22:23:32 There is now. https://crbug.com/629249 Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Is there a Bug #? There is now. https://crbug.com/629249
	241 base::Time verify_time = base::Time::Now();

	242 base::TimeDelta max_age = base::TimeDelta::FromDays(7);
	Ryan Sleevi 2016/07/18 20:08:08 Should this be a function-level static constant so Should this be a function-level static constant so it's clearly documented the magic age? dadrian 2016/07/18 22:23:31 Sure? Not sure what the rules are here, but this i Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Should this be a function-level static constant so it's clearly documented the > magic age? Sure? Not sure what the rules are here, but this is buried pretty deep. I'll try to draw it out.
	243 verify_result->ocsp.response_status = OCSPVerifyResult::NO_MATCHING_RESPONSE;

	244 for (const auto& single_response_der : response_data.responses) {
	Ryan Sleevi 2016/07/18 20:08:07 You could do with some high-level documentation ab You could do with some high-level documentation about the logic for matching, and why it's incomplete here. For example for (const auto& single_response_der : response_data.responses) { // Although in most cases there should only be a single response (for the certificate requested), it's // possible the OCSP responder provided statuses for multiple certificates. Look through all the // responses to see if there's a response that matches the \|verify_result->verified_cert\|'s certificate. // This matching is ... } etc dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:07, Ryan Sleevi (extremely slow) wrote: > You could do with some high-level documentation about the logic for matching, > and why it's incomplete here. > > For example > > for (const auto& single_response_der : response_data.responses) { > // Although in most cases there should only be a single response (for the > certificate requested), it's > // possible the OCSP responder provided statuses for multiple certificates. > Look through all the > // responses to see if there's a response that matches the > \|verify_result->verified_cert\|'s certificate. > // This matching is ... > > } > > etc Done.
	245 OCSPSingleResponse single_response;

	246 if (!ParseOCSPSingleResponse(single_response_der, &single_response))

	247 continue;

	248 OCSPCertID cert_id;

	249 if (!ParseOCSPCertID(single_response.cert_id_tlv, &cert_id))

	250 continue;

	251 if (!CheckCertIDMatchesCertificate(cert_id, *verify_result->verified_cert))

	252 continue;

	253 if (!CheckOCSPDateValid(single_response, verify_time, max_age)) {

	254 if (verify_result->ocsp.response_status != OCSPVerifyResult::PROVIDED)
	Ryan Sleevi 2016/07/18 20:08:07 This could benefit from documentation This could benefit from documentation dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:07, Ryan Sleevi (extremely slow) wrote: > This could benefit from documentation Done.
	255 verify_result->ocsp.response_status = OCSPVerifyResult::INVALID_DATE;

	256 continue;

	257 }

	258 verify_result->ocsp.response_status = OCSPVerifyResult::PROVIDED;

	259

	260 OCSPRevocationStatus current_status =

	261 verify_result->ocsp.revocation_status.value_or(

	262 OCSPRevocationStatus::GOOD);

	263 // In the case that we receive multiple responses, we keep only the
	Ryan Sleevi 2016/07/18 20:08:08 Avoid "we" in comments, especially new code. // I Avoid "we" in comments, especially new code. // In the event multiple responses are received, keep the strictest status (REVOKED > UNKNOWN > GOOD) dadrian 2016/07/18 22:23:32 Done. Show quoted text On 2016/07/18 20:08:08, Ryan Sleevi (extremely slow) wrote: > Avoid "we" in comments, especially new code. > > // In the event multiple responses are received, keep the strictest status > (REVOKED > UNKNOWN > GOOD) Done.
	264 // strictest status (REVOKED > UNKNOWN > GOOD).

	265 if (current_status == OCSPRevocationStatus::GOOD \|\|

	266 single_response.cert_status.status == OCSPRevocationStatus::REVOKED) {

	267 verify_result->ocsp.revocation_status =

	268 single_response.cert_status.status;

	269 }

	270 }

	271 }

	272

185 // Comparison functor used for binary searching whether a given HashValue,	273 // Comparison functor used for binary searching whether a given HashValue,

186 // which MUST be a SHA-256 hash, is contained with an array of SHA-256	274 // which MUST be a SHA-256 hash, is contained with an array of SHA-256

187 // hashes.	275 // hashes.

188 struct HashToArrayComparator {	276 struct HashToArrayComparator {

189 template <size_t N>	277 template <size_t N>

190 bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const {	278 bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const {

191 static_assert(N == crypto::kSHA256Length,	279 static_assert(N == crypto::kSHA256Length,

192 "Only SHA-256 hashes are supported");	280 "Only SHA-256 hashes are supported");

193 return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0;	281 return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0;

194 }	282 }

(...skipping 56 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
251 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,	339 int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,

252 additional_trust_anchors, verify_result);	340 additional_trust_anchors, verify_result);

253	341

254 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",	342 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",

255 verify_result->common_name_fallback_used);	343 verify_result->common_name_fallback_used);

256 if (!verify_result->is_issued_by_known_root) {	344 if (!verify_result->is_issued_by_known_root) {

257 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",	345 UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",

258 verify_result->common_name_fallback_used);	346 verify_result->common_name_fallback_used);

259 }	347 }

260	348

	349 CheckOCSP(ocsp_response, verify_result);

	350

261 // This check is done after VerifyInternal so that VerifyInternal can fill	351 // This check is done after VerifyInternal so that VerifyInternal can fill

262 // in the list of public key hashes.	352 // in the list of public key hashes.

263 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {	353 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {

264 verify_result->cert_status \|= CERT_STATUS_REVOKED;	354 verify_result->cert_status \|= CERT_STATUS_REVOKED;

265 rv = MapCertStatusToNetError(verify_result->cert_status);	355 rv = MapCertStatusToNetError(verify_result->cert_status);

266 }	356 }

267	357

268 std::vector<std::string> dns_names, ip_addrs;	358 std::vector<std::string> dns_names, ip_addrs;

269 cert->GetSubjectAltName(&dns_names, &ip_addrs);	359 cert->GetSubjectAltName(&dns_names, &ip_addrs);

270 if (HasNameConstraintsViolation(verify_result->public_key_hashes,	360 if (HasNameConstraintsViolation(verify_result->public_key_hashes,

(...skipping 305 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
576 return true;	666 return true;

577	667

578 // For certificates issued after 1 April 2015: 39 months.	668 // For certificates issued after 1 April 2015: 39 months.

579 if (start >= time_2015_04_01 && month_diff > 39)	669 if (start >= time_2015_04_01 && month_diff > 39)

580 return true;	670 return true;

581	671

582 return false;	672 return false;

583 }	673 }

584	674

585 } // namespace net	675 } // namespace net

OLD	NEW

« no previous file with comments | « chrome/browser/chromeos/login/test/https_forwarder.py ('k') | net/cert/cert_verify_result.h » ('j') | net/cert/cert_verify_result.h » ('J')