| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/callback_helpers.h" | 10 #include "base/callback_helpers.h" |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 90 DCHECK(cert); | 90 DCHECK(cert); |
| 91 DCHECK(output_scts); | 91 DCHECK(output_scts); |
| 92 | 92 |
| 93 output_scts->clear(); | 93 output_scts->clear(); |
| 94 | 94 |
| 95 std::string embedded_scts; | 95 std::string embedded_scts; |
| 96 if (!cert->GetIntermediateCertificates().empty() && | 96 if (!cert->GetIntermediateCertificates().empty() && |
| 97 ct::ExtractEmbeddedSCTList( | 97 ct::ExtractEmbeddedSCTList( |
| 98 cert->os_cert_handle(), | 98 cert->os_cert_handle(), |
| 99 &embedded_scts)) { | 99 &embedded_scts)) { |
| 100 ct::LogEntry precert_entry; | 100 ct::SignedEntryData precert_entry; |
| 101 | 101 |
| 102 if (ct::GetPrecertLogEntry(cert->os_cert_handle(), | 102 if (ct::GetPrecertSignedEntry(cert->os_cert_handle(), |
| 103 cert->GetIntermediateCertificates().front(), | 103 cert->GetIntermediateCertificates().front(), |
| 104 &precert_entry)) { | 104 &precert_entry)) { |
| 105 VerifySCTs(embedded_scts, precert_entry, | 105 VerifySCTs(embedded_scts, precert_entry, |
| 106 ct::SignedCertificateTimestamp::SCT_EMBEDDED, cert, | 106 ct::SignedCertificateTimestamp::SCT_EMBEDDED, cert, |
| 107 output_scts); | 107 output_scts); |
| 108 } | 108 } |
| 109 } | 109 } |
| 110 | 110 |
| 111 std::string sct_list_from_ocsp; | 111 std::string sct_list_from_ocsp; |
| 112 if (!stapled_ocsp_response.empty() && | 112 if (!stapled_ocsp_response.empty() && |
| 113 !cert->GetIntermediateCertificates().empty()) { | 113 !cert->GetIntermediateCertificates().empty()) { |
| 114 ct::ExtractSCTListFromOCSPResponse( | 114 ct::ExtractSCTListFromOCSPResponse( |
| 115 cert->GetIntermediateCertificates().front(), cert->serial_number(), | 115 cert->GetIntermediateCertificates().front(), cert->serial_number(), |
| 116 stapled_ocsp_response, &sct_list_from_ocsp); | 116 stapled_ocsp_response, &sct_list_from_ocsp); |
| 117 } | 117 } |
| 118 | 118 |
| 119 // Log to Net Log, after extracting SCTs but before possibly failing on | 119 // Log to Net Log, after extracting SCTs but before possibly failing on |
| 120 // X.509 entry creation. | 120 // X.509 entry creation. |
| 121 NetLogParametersCallback net_log_callback = | 121 NetLogParametersCallback net_log_callback = |
| 122 base::Bind(&NetLogRawSignedCertificateTimestampCallback, embedded_scts, | 122 base::Bind(&NetLogRawSignedCertificateTimestampCallback, embedded_scts, |
| 123 sct_list_from_ocsp, sct_list_from_tls_extension); | 123 sct_list_from_ocsp, sct_list_from_tls_extension); |
| 124 | 124 |
| 125 net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED, | 125 net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED, |
| 126 net_log_callback); | 126 net_log_callback); |
| 127 | 127 |
| 128 ct::LogEntry x509_entry; | 128 ct::SignedEntryData x509_entry; |
| 129 if (ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry)) { | 129 if (ct::GetX509SignedEntry(cert->os_cert_handle(), &x509_entry)) { |
| 130 VerifySCTs(sct_list_from_ocsp, x509_entry, | 130 VerifySCTs(sct_list_from_ocsp, x509_entry, |
| 131 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, cert, | 131 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, cert, |
| 132 output_scts); | 132 output_scts); |
| 133 | 133 |
| 134 VerifySCTs(sct_list_from_tls_extension, x509_entry, | 134 VerifySCTs(sct_list_from_tls_extension, x509_entry, |
| 135 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, cert, | 135 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, cert, |
| 136 output_scts); | 136 output_scts); |
| 137 } | 137 } |
| 138 | 138 |
| 139 NetLogParametersCallback net_log_checked_callback = | 139 NetLogParametersCallback net_log_checked_callback = |
| 140 base::Bind(&NetLogSignedCertificateTimestampCallback, output_scts); | 140 base::Bind(&NetLogSignedCertificateTimestampCallback, output_scts); |
| 141 | 141 |
| 142 net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED, | 142 net_log.AddEvent(NetLogEventType::SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED, |
| 143 net_log_checked_callback); | 143 net_log_checked_callback); |
| 144 | 144 |
| 145 LogNumSCTsToUMA(*output_scts); | 145 LogNumSCTsToUMA(*output_scts); |
| 146 } | 146 } |
| 147 | 147 |
| 148 void MultiLogCTVerifier::VerifySCTs( | 148 void MultiLogCTVerifier::VerifySCTs( |
| 149 base::StringPiece encoded_sct_list, | 149 base::StringPiece encoded_sct_list, |
| 150 const ct::LogEntry& expected_entry, | 150 const ct::SignedEntryData& expected_entry, |
| 151 ct::SignedCertificateTimestamp::Origin origin, | 151 ct::SignedCertificateTimestamp::Origin origin, |
| 152 X509Certificate* cert, | 152 X509Certificate* cert, |
| 153 SignedCertificateTimestampAndStatusList* output_scts) { | 153 SignedCertificateTimestampAndStatusList* output_scts) { |
| 154 if (logs_.empty()) | 154 if (logs_.empty()) |
| 155 return; | 155 return; |
| 156 | 156 |
| 157 std::vector<base::StringPiece> sct_list; | 157 std::vector<base::StringPiece> sct_list; |
| 158 | 158 |
| 159 if (!ct::DecodeSCTList(encoded_sct_list, &sct_list)) | 159 if (!ct::DecodeSCTList(encoded_sct_list, &sct_list)) |
| 160 return; | 160 return; |
| 161 | 161 |
| 162 for (std::vector<base::StringPiece>::const_iterator it = sct_list.begin(); | 162 for (std::vector<base::StringPiece>::const_iterator it = sct_list.begin(); |
| 163 it != sct_list.end(); ++it) { | 163 it != sct_list.end(); ++it) { |
| 164 base::StringPiece encoded_sct(*it); | 164 base::StringPiece encoded_sct(*it); |
| 165 LogSCTOriginToUMA(origin); | 165 LogSCTOriginToUMA(origin); |
| 166 | 166 |
| 167 scoped_refptr<ct::SignedCertificateTimestamp> decoded_sct; | 167 scoped_refptr<ct::SignedCertificateTimestamp> decoded_sct; |
| 168 if (!DecodeSignedCertificateTimestamp(&encoded_sct, &decoded_sct)) { | 168 if (!DecodeSignedCertificateTimestamp(&encoded_sct, &decoded_sct)) { |
| 169 LogSCTStatusToUMA(ct::SCT_STATUS_NONE); | 169 LogSCTStatusToUMA(ct::SCT_STATUS_NONE); |
| 170 continue; | 170 continue; |
| 171 } | 171 } |
| 172 decoded_sct->origin = origin; | 172 decoded_sct->origin = origin; |
| 173 | 173 |
| 174 VerifySingleSCT(decoded_sct, expected_entry, cert, output_scts); | 174 VerifySingleSCT(decoded_sct, expected_entry, cert, output_scts); |
| 175 } | 175 } |
| 176 } | 176 } |
| 177 | 177 |
| 178 bool MultiLogCTVerifier::VerifySingleSCT( | 178 bool MultiLogCTVerifier::VerifySingleSCT( |
| 179 scoped_refptr<ct::SignedCertificateTimestamp> sct, | 179 scoped_refptr<ct::SignedCertificateTimestamp> sct, |
| 180 const ct::LogEntry& expected_entry, | 180 const ct::SignedEntryData& expected_entry, |
| 181 X509Certificate* cert, | 181 X509Certificate* cert, |
| 182 SignedCertificateTimestampAndStatusList* output_scts) { | 182 SignedCertificateTimestampAndStatusList* output_scts) { |
| 183 // Assume this SCT is untrusted until proven otherwise. | 183 // Assume this SCT is untrusted until proven otherwise. |
| 184 const auto& it = logs_.find(sct->log_id); | 184 const auto& it = logs_.find(sct->log_id); |
| 185 if (it == logs_.end()) { | 185 if (it == logs_.end()) { |
| 186 DVLOG(1) << "SCT does not match any known log."; | 186 DVLOG(1) << "SCT does not match any known log."; |
| 187 AddSCTAndLogStatus(sct, ct::SCT_STATUS_LOG_UNKNOWN, output_scts); | 187 AddSCTAndLogStatus(sct, ct::SCT_STATUS_LOG_UNKNOWN, output_scts); |
| 188 return false; | 188 return false; |
| 189 } | 189 } |
| 190 | 190 |
| (...skipping 12 matching lines...) Expand all Loading... |
| 203 return false; | 203 return false; |
| 204 } | 204 } |
| 205 | 205 |
| 206 AddSCTAndLogStatus(sct, ct::SCT_STATUS_OK, output_scts); | 206 AddSCTAndLogStatus(sct, ct::SCT_STATUS_OK, output_scts); |
| 207 if (observer_) | 207 if (observer_) |
| 208 observer_->OnSCTVerified(cert, sct.get()); | 208 observer_->OnSCTVerified(cert, sct.get()); |
| 209 return true; | 209 return true; |
| 210 } | 210 } |
| 211 | 211 |
| 212 } // namespace net | 212 } // namespace net |