| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc.h" | 5 #include "net/cert/cert_verify_proc.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| 11 #include "base/metrics/histogram.h" | 11 #include "base/metrics/histogram.h" |
| 12 #include "base/metrics/histogram_macros.h" | 12 #include "base/metrics/histogram_macros.h" |
| 13 #include "base/sha1.h" | 13 #include "base/sha1.h" |
| 14 #include "base/strings/string_util.h" | 14 #include "base/strings/string_util.h" |
| 15 #include "base/strings/stringprintf.h" | 15 #include "base/strings/stringprintf.h" |
| 16 #include "base/time/time.h" | 16 #include "base/time/time.h" |
| 17 #include "build/build_config.h" | 17 #include "build/build_config.h" |
| 18 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
| 19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 19 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
| 20 #include "net/base/url_util.h" | 20 #include "net/base/url_util.h" |
| 21 #include "net/cert/asn1_util.h" |
| 21 #include "net/cert/cert_status_flags.h" | 22 #include "net/cert/cert_status_flags.h" |
| 22 #include "net/cert/cert_verifier.h" | 23 #include "net/cert/cert_verifier.h" |
| 23 #include "net/cert/cert_verify_proc_whitelist.h" | 24 #include "net/cert/cert_verify_proc_whitelist.h" |
| 24 #include "net/cert/cert_verify_result.h" | 25 #include "net/cert/cert_verify_result.h" |
| 25 #include "net/cert/crl_set.h" | 26 #include "net/cert/crl_set.h" |
| 26 #include "net/cert/internal/parse_ocsp.h" | 27 #include "net/cert/internal/parse_ocsp.h" |
| 27 #include "net/cert/ocsp_revocation_status.h" | 28 #include "net/cert/ocsp_revocation_status.h" |
| 28 #include "net/cert/x509_certificate.h" | 29 #include "net/cert/x509_certificate.h" |
| 29 #include "net/der/encode_values.h" | 30 #include "net/der/encode_values.h" |
| 30 #include "url/url_canon.h" | 31 #include "url/url_canon.h" |
| (...skipping 271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 302 current_status = ocsp_result->revocation_status; | 303 current_status = ocsp_result->revocation_status; |
| 303 } | 304 } |
| 304 if (current_status == OCSPRevocationStatus::GOOD || | 305 if (current_status == OCSPRevocationStatus::GOOD || |
| 305 single_response.cert_status.status == OCSPRevocationStatus::REVOKED) { | 306 single_response.cert_status.status == OCSPRevocationStatus::REVOKED) { |
| 306 ocsp_result->revocation_status = single_response.cert_status.status; | 307 ocsp_result->revocation_status = single_response.cert_status.status; |
| 307 } | 308 } |
| 308 ocsp_result->response_status = OCSPVerifyResult::PROVIDED; | 309 ocsp_result->response_status = OCSPVerifyResult::PROVIDED; |
| 309 } | 310 } |
| 310 } | 311 } |
| 311 | 312 |
| 313 // Records histograms indicating whether the certificate |cert|, which |
| 314 // is assumed to have been validated chaining to a private root, |
| 315 // contains the TLS Feature Extension (https://tools.ietf.org/html/rfc7633) and |
| 316 // has valid OCSP information stapled. |
| 317 void RecordTLSFeatureExtensionWithPrivateRoot( |
| 318 X509Certificate* cert, |
| 319 const OCSPVerifyResult& ocsp_result) { |
| 320 std::string cert_der; |
| 321 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &cert_der)) |
| 322 return; |
| 323 |
| 324 // This checks only for the presence of the TLS Feature Extension, but |
| 325 // does not check the feature list, and in particular does not verify that |
| 326 // its value is 'status_request' or 'status_request2'. In practice the |
| 327 // only use of the TLS feature extension is for OCSP stapling, so |
| 328 // don't bother to check the value. |
| 329 bool has_extension = asn1::HasTLSFeatureExtension(cert_der); |
| 330 |
| 331 UMA_HISTOGRAM_BOOLEAN("Net.Certificate.TLSFeatureExtensionWithPrivateRoot", |
| 332 has_extension); |
| 333 if (!has_extension) |
| 334 return; |
| 335 |
| 336 UMA_HISTOGRAM_BOOLEAN( |
| 337 "Net.Certificate.TLSFeatureExtensionWithPrivateRootHasOCSP", |
| 338 (ocsp_result.response_status != OCSPVerifyResult::MISSING)); |
| 339 } |
| 340 |
| 312 // Comparison functor used for binary searching whether a given HashValue, | 341 // Comparison functor used for binary searching whether a given HashValue, |
| 313 // which MUST be a SHA-256 hash, is contained with an array of SHA-256 | 342 // which MUST be a SHA-256 hash, is contained with an array of SHA-256 |
| 314 // hashes. | 343 // hashes. |
| 315 struct HashToArrayComparator { | 344 struct HashToArrayComparator { |
| 316 template <size_t N> | 345 template <size_t N> |
| 317 bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const { | 346 bool operator()(const uint8_t(&lhs)[N], const HashValue& rhs) const { |
| 318 static_assert(N == crypto::kSHA256Length, | 347 static_assert(N == crypto::kSHA256Length, |
| 319 "Only SHA-256 hashes are supported"); | 348 "Only SHA-256 hashes are supported"); |
| 320 return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0; | 349 return memcmp(lhs, rhs.data(), crypto::kSHA256Length) < 0; |
| 321 } | 350 } |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 465 // now treat it as a warning and do not map it to an error return value. | 494 // now treat it as a warning and do not map it to an error return value. |
| 466 } | 495 } |
| 467 | 496 |
| 468 // Flag certificates using too long validity periods. | 497 // Flag certificates using too long validity periods. |
| 469 if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { | 498 if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { |
| 470 verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG; | 499 verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG; |
| 471 if (rv == OK) | 500 if (rv == OK) |
| 472 rv = MapCertStatusToNetError(verify_result->cert_status); | 501 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 473 } | 502 } |
| 474 | 503 |
| 504 // Record a histogram for the presence of the TLS feature extension in |
| 505 // a certificate chaining to a private root. |
| 506 if (rv == OK && !verify_result->is_issued_by_known_root) |
| 507 RecordTLSFeatureExtensionWithPrivateRoot(cert, verify_result->ocsp_result); |
| 508 |
| 475 return rv; | 509 return rv; |
| 476 } | 510 } |
| 477 | 511 |
| 478 // static | 512 // static |
| 479 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { | 513 bool CertVerifyProc::IsBlacklisted(X509Certificate* cert) { |
| 480 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus | 514 // CloudFlare revoked all certificates issued prior to April 2nd, 2014. Thus |
| 481 // all certificates where the CN ends with ".cloudflare.com" with a prior | 515 // all certificates where the CN ends with ".cloudflare.com" with a prior |
| 482 // issuance date are rejected. | 516 // issuance date are rejected. |
| 483 // | 517 // |
| 484 // The old certs had a lifetime of five years, so this can be removed April | 518 // The old certs had a lifetime of five years, so this can be removed April |
| (...skipping 224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 709 return true; | 743 return true; |
| 710 | 744 |
| 711 // For certificates issued after 1 April 2015: 39 months. | 745 // For certificates issued after 1 April 2015: 39 months. |
| 712 if (start >= time_2015_04_01 && month_diff > 39) | 746 if (start >= time_2015_04_01 && month_diff > 39) |
| 713 return true; | 747 return true; |
| 714 | 748 |
| 715 return false; | 749 return false; |
| 716 } | 750 } |
| 717 | 751 |
| 718 } // namespace net | 752 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2436233002:
Record UMA metrics for Must-Staple certificates on private roots (Closed)
