
Side by Side Diff: net/quic/chromium/crypto/proof_verifier_chromium.cc

Issue 2225223002: Certificate Transparency: Change CTVerifyResult to have a single list (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: NetLog int to string Created 4 years, 4 months ago
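--- a/net/quic/chromium/crypto/proof_verifier_chromium.cc
+++ b/net/quic/chromium/crypto/proof_verifier_chromium.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/chromium/crypto/proof_verifier_chromium.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ -390,44 +390,45 @@
 const CertStatus cert_status = cert_verify_result.cert_status;
 verify_details_->ct_verify_result.ct_policies_applied = result == OK;
 verify_details_->ct_verify_result.ev_policy_compliance =
 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 
 // If the connection was good, check HPKP and CT status simultaneously,
 // but prefer to treat the HPKP error as more serious, if there was one.
 if (enforce_policy_checking_ &&
 (result == OK ||
 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) {
+SCTList verified_scts = ct::SCTsMatchingStatus(
+verify_details_->ct_verify_result.scts, ct::SCT_STATUS_OK);
 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
 ct::EVPolicyCompliance ev_policy_compliance =
 policy_enforcer_->DoesConformToCTEVPolicy(
 cert_verify_result.verified_cert.get(),
-SSLConfigService::GetEVCertsWhitelist().get(),
-verify_details_->ct_verify_result.verified_scts, net_log_);
+SSLConfigService::GetEVCertsWhitelist().get(), verified_scts,
+net_log_);
 verify_details_->ct_verify_result.ev_policy_compliance =
 ev_policy_compliance;
 if (ev_policy_compliance !=
 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
 ev_policy_compliance !=
 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
 ev_policy_compliance !=
 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
 verify_details_->cert_verify_result.cert_status |=
 CERT_STATUS_CT_COMPLIANCE_FAILED;
 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
 }
 }
 
 verify_details_->ct_verify_result.cert_policy_compliance =
 policy_enforcer_->DoesConformToCertPolicy(
-cert_verify_result.verified_cert.get(),
-verify_details_->ct_verify_result.verified_scts, net_log_);
+cert_verify_result.verified_cert.get(), verified_scts, net_log_);
 
 int ct_result = OK;
 if (verify_details_->ct_verify_result.cert_policy_compliance !=
 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&
 transport_security_state_->ShouldRequireCT(
 hostname_, cert_verify_result.verified_cert.get(),
 cert_verify_result.public_key_hashes)) {
 verify_details_->cert_verify_result.cert_status |=
 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED;
 ct_result = ERR_CERTIFICATE_TRANSPARENCY_REQUIRED;
@@ -613,10 +614,10 @@
 active_jobs_.insert(job.release());
 return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
 active_jobs_.erase(job);
 delete job;
 }
 
 } // namespace net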
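Review bot: The `ct::SCTsMatchingStatus(..., ct::SCT_STATUS_OK)` filter added at new lines 400-401 is now what keeps SCTs with any other status out of `DoesConformToCTEVPolicy` and `DoesConformToCertPolicy`, but nothing at the call site says this is a security requirement rather than a convenience. Judging by the issue title, `ct_verify_result.scts` is now a single list holding every SCT regardless of status, so a later edit that passes it directly would presumably let unverified SCTs count toward CT compliance. I would add a comment above the filter, `// Only SCTs with SCT_STATUS_OK may count toward CT policy; never pass ct_verify_result.scts unfiltered.`, and declare the local as `const SCTList verified_scts`, since in the lines shown it is only passed on to the two policy calls. The enclosing function starts and ends outside the lines shown, so any later use of the list could not be checked.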