CT: Adding preliminary Certificate Transparency support to Chromium.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 75 matching lines @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/nss_ssl_util.h"
 #include "net/socket/ssl_error_params.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
@@ skipping 2638 matching lines @@
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       cert_verifier_(context.cert_verifier),
       server_bound_cert_service_(context.server_bound_cert_service),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       completed_handshake_(false),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
       net_log_(transport_->socket()->NetLog()),
       transport_security_state_(context.transport_security_state),
+      cert_transparency_verifier_(context.cert_transparency_verifier),
       valid_thread_id_(base::kInvalidThreadId) {
   EnterFunction("");
   InitCore();
   LeaveFunction("");
 }
 
 SSLClientSocketNSS::~SSLClientSocketNSS() {
   EnterFunction("");
   Disconnect();
   LeaveFunction("");
@@ skipping 500 matching lines @@
       case STATE_HANDSHAKE_COMPLETE:
         rv = DoHandshakeComplete(rv);
         break;
       case STATE_VERIFY_CERT:
         DCHECK(rv == OK);
         rv = DoVerifyCert(rv);
         break;
       case STATE_VERIFY_CERT_COMPLETE:
         rv = DoVerifyCertComplete(rv);
         break;
+      case STATE_VERIFY_CT:
+        rv = DoVerifyCT(rv);
+        break;
+      case STATE_VERIFY_CT_COMPLETE:
+        rv = DoVerifyCTComplete(rv);
+        break;
       case STATE_NONE:
       default:
         rv = ERR_UNEXPECTED;
         LOG(DFATAL) << "unexpected state " << state;
         break;
     }
   } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
   LeaveFunction("");
   return rv;
 }
@@ skipping 16 matching lines @@
     // SSL handshake is completed. Let's verify the certificate.
     GotoState(STATE_VERIFY_CERT);
     // Done!
   }
   set_channel_id_sent(core_->state().channel_id_sent);
 
   LeaveFunction(result);
   return result;
 }
 
-
 int SSLClientSocketNSS::DoVerifyCert(int result) {
   DCHECK(!core_->state().server_cert_chain.empty());
   DCHECK(core_->state().server_cert_chain[0]);
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
 
   // If the certificate is expected to be bad we can use the expectation as
   // the cert status.
   base::StringPiece der_cert(
       reinterpret_cast<char*>(
@@ skipping 63 matching lines @@
   // is fixed, we need to  avoid using the NSS database for non-essential
   // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
   // http://crbug.com/15630 for more info.
 
   // TODO(hclam): Skip logging if server cert was expected to be bad because
   // |server_cert_verify_result_| doesn't contain all the information about
   // the cert.
   if (result == OK)
     LogConnectionTypeMetrics();
 
-  completed_handshake_ = true;
-
 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
   // Take care of any mandates for public key pinning.
   //
   // Pinning is only enabled for official builds to make sure that others don't
   // end up with pins that cannot be easily updated.
   //
   // TODO(agl): We might have an issue here where a request for foo.example.com
   // merges into a SPDY connection to www.example.com, and gets a different
   // certificate.
 
@@ skipping 27 matching lines @@
         result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
         UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
         TransportSecurityState::ReportUMAOnPinFailure(host);
       } else {
         UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
       }
     }
   }
 #endif
 
+  if (result == OK) {
+    // Only check Certificate Transparency if there were no other errors with
+    // the connection.
+    GotoState(STATE_VERIFY_CT);
+    return OK;
+  }
+
+  completed_handshake_ = true;
+
   // Exit DoHandshakeLoop and return the result to the caller to Connect.
   DCHECK_EQ(STATE_NONE, next_handshake_state_);
   return result;
 }
 
+int SSLClientSocketNSS::DoVerifyCT(int result) {
+  GotoState(STATE_VERIFY_CT_COMPLETE);
+
+  if (!cert_transparency_verifier_)
+    return OK;
+
+  // XXX(rsleevi): Not actually async-safe (using base::Unretained and giving
+  // the raw pointer up). Need to use WeakPtr<> so that this can be cancelled,
+  // but without requiring the opaque request handles of CertVerifier.
+  return cert_transparency_verifier_->Verify(
+      core_->state().server_cert,
+      server_cert_verify_result_.verified_cert,
+      &ct_verify_result_,
+      base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
+                 base::Unretained(this)),
+      net_log_);
+}
+
+int SSLClientSocketNSS::DoVerifyCTComplete(int result) {
+  VLOG(1) << "CT Verification complete: result " << result <<
+          " Unverified scts: " << ct_verify_result_.unverified_scts.size() <<
+          " Verified scts: " << ct_verify_result_.verified_scts.size() <<
+          " scts from unknown logs: " <<
+          ct_verify_result_.unknown_logs_scts.size();
+  if (ct_verify_result_.unverified_scts.empty() &&
+      ct_verify_result_.unknown_logs_scts.empty() &&
+      ct_verify_result_.verified_scts.empty()) {
+    return OK;
+  }
+
+  // XXX(eranm): Saving CT state in cert_status bits is a temporary solution,
+  // until the SCTs themselves are threaded into the SSLInfo (as well as into
+  // the HTTP cache). Using a status flag is a cheap way to persist the
+  // SCT status.
+  server_cert_verify_result_.cert_status |= CERT_STATUS_HAS_ANY_SCT;
+
+  if (!ct_verify_result_.verified_scts.empty() && result == OK) {
+    // Found some valid SCTs - good
+    server_cert_verify_result_.cert_status |=
+        CERT_STATUS_HAS_VALID_SCT | CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG;
+  } else if (!ct_verify_result_.unverified_scts.empty()) {
+    server_cert_verify_result_.cert_status |=
+        CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG;
+  }
+
+  completed_handshake_ = true;
+
+  DCHECK_EQ(STATE_NONE, next_handshake_state_);
+
+  return OK;
+}
+
 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
   UpdateConnectionTypeHistograms(CONNECTION_SSL);
   int ssl_version = SSLConnectionStatusToVersion(
       core_->state().ssl_connection_status);
   switch (ssl_version) {
     case SSL_CONNECTION_VERSION_SSL2:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);
       break;
     case SSL_CONNECTION_VERSION_SSL3:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3);
@@ skipping 21 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net