| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 379 matching lines...) |
| 390 const CertStatus cert_status = cert_verify_result.cert_status; | 390 const CertStatus cert_status = cert_verify_result.cert_status; |
| 391 verify_details_->ct_verify_result.ct_policies_applied = result == OK; | 391 verify_details_->ct_verify_result.ct_policies_applied = result == OK; |
| 392 verify_details_->ct_verify_result.ev_policy_compliance = | 392 verify_details_->ct_verify_result.ev_policy_compliance = |
| 393 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | 393 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; |
| 394 | 394 |
| 395 // If the connection was good, check HPKP and CT status simultaneously, | 395 // If the connection was good, check HPKP and CT status simultaneously, |
| 396 // but prefer to treat the HPKP error as more serious, if there was one. | 396 // but prefer to treat the HPKP error as more serious, if there was one. |
| 397 if (enforce_policy_checking_ && | 397 if (enforce_policy_checking_ && |
| 398 (result == OK || | 398 (result == OK || |
| 399 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { | 399 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { |
| 400 SCTList verified_scts = ct::SCTsMatchingStatus( |
| 401 verify_details_->ct_verify_result.scts, ct::SCT_STATUS_OK); |
| 400 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | 402 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { |
| 401 ct::EVPolicyCompliance ev_policy_compliance = | 403 ct::EVPolicyCompliance ev_policy_compliance = |
| 402 policy_enforcer_->DoesConformToCTEVPolicy( | 404 policy_enforcer_->DoesConformToCTEVPolicy( |
| 403 cert_verify_result.verified_cert.get(), | 405 cert_verify_result.verified_cert.get(), |
| 404 SSLConfigService::GetEVCertsWhitelist().get(), | 406 SSLConfigService::GetEVCertsWhitelist().get(), verified_scts, |
| 405 verify_details_->ct_verify_result.verified_scts, net_log_); | 407 net_log_); |
| 406 verify_details_->ct_verify_result.ev_policy_compliance = | 408 verify_details_->ct_verify_result.ev_policy_compliance = |
| 407 ev_policy_compliance; | 409 ev_policy_compliance; |
| 408 if (ev_policy_compliance != | 410 if (ev_policy_compliance != |
| 409 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | 411 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && |
| 410 ev_policy_compliance != | 412 ev_policy_compliance != |
| 411 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | 413 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && |
| 412 ev_policy_compliance != | 414 ev_policy_compliance != |
| 413 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | 415 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { |
| 414 verify_details_->cert_verify_result.cert_status |= | 416 verify_details_->cert_verify_result.cert_status |= |
| 415 CERT_STATUS_CT_COMPLIANCE_FAILED; | 417 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 416 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | 418 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 417 } | 419 } |
| 418 } | 420 } |
| 419 | 421 |
| 420 verify_details_->ct_verify_result.cert_policy_compliance = | 422 verify_details_->ct_verify_result.cert_policy_compliance = |
| 421 policy_enforcer_->DoesConformToCertPolicy( | 423 policy_enforcer_->DoesConformToCertPolicy( |
| 422 cert_verify_result.verified_cert.get(), | 424 cert_verify_result.verified_cert.get(), verified_scts, net_log_); |
| 423 verify_details_->ct_verify_result.verified_scts, net_log_); | |
| 424 | 425 |
| 425 int ct_result = OK; | 426 int ct_result = OK; |
| 426 if (verify_details_->ct_verify_result.cert_policy_compliance != | 427 if (verify_details_->ct_verify_result.cert_policy_compliance != |
| 427 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS && | 428 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS && |
| 428 transport_security_state_->ShouldRequireCT( | 429 transport_security_state_->ShouldRequireCT( |
| 429 hostname_, cert_verify_result.verified_cert.get(), | 430 hostname_, cert_verify_result.verified_cert.get(), |
| 430 cert_verify_result.public_key_hashes)) { | 431 cert_verify_result.public_key_hashes)) { |
| 431 verify_details_->cert_verify_result.cert_status |= | 432 verify_details_->cert_verify_result.cert_status |= |
| 432 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED; | 433 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED; |
| 433 ct_result = ERR_CERTIFICATE_TRANSPARENCY_REQUIRED; | 434 ct_result = ERR_CERTIFICATE_TRANSPARENCY_REQUIRED; |
| (...skipping 179 matching lines...) |
| 613 active_jobs_.insert(job.release()); | 614 active_jobs_.insert(job.release()); |
| 614 return status; | 615 return status; |
| 615 } | 616 } |
| 616 | 617 |
| 617 void ProofVerifierChromium::OnJobComplete(Job* job) { | 618 void ProofVerifierChromium::OnJobComplete(Job* job) { |
| 618 active_jobs_.erase(job); | 619 active_jobs_.erase(job); |
| 619 delete job; | 620 delete job; |
| 620 } | 621 } |
| 621 | 622 |
| 622 } // namespace net | 623 } // namespace net |
| OLD | NEW |
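Review bot: The `verified_scts` local added at new lines 400-401 is now the only step that keeps SCTs which failed verification out of both `DoesConformToCTEVPolicy` and `DoesConformToCertPolicy`, and nothing at the call site records that. I would add a comment above it such as `// Only SCTs with SCT_STATUS_OK may count toward CT policy compliance; never pass ct_verify_result.scts unfiltered.` so a later edit does not hand the raw list to the enforcer. The list is not modified after construction in the visible lines, so `const SCTList verified_scts = ...` would also fit, assuming both enforcer methods take it by const reference (their signatures are not on this page). A test on the QUIC path in which `ct_verify_result.scts` holds only non-OK entries, asserting the result is not `CERT_POLICY_COMPLIES_VIA_SCTS`, would pin the behaviour; no such test is visible here. The enclosing function starts inside the skipped lines, so how `scts` is populated before this point could not be checked.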