Side by Side Diff: net/quic/chromium/crypto/proof_verifier_chromium.cc

Issue 2937563002: Remove the EV Certs Whitelist (Closed)
Patch Set: Created 3 years, 6 months ago
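--- a/net/quic/chromium/crypto/proof_verifier_chromium.cc
+++ b/net/quic/chromium/crypto/proof_verifier_chromium.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/chromium/crypto/proof_verifier_chromium.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ -378,53 +378,39 @@
 &cert_verifier_request_, net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
 cert_verifier_request_.reset();
 
 const CertVerifyResult& cert_verify_result =
 verify_details_->cert_verify_result;
 const CertStatus cert_status = cert_verify_result.cert_status;
 verify_details_->ct_verify_result.ct_policies_applied = result == OK;
-verify_details_->ct_verify_result.ev_policy_compliance =
-ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 
 // If the connection was good, check HPKP and CT status simultaneously,
 // but prefer to treat the HPKP error as more serious, if there was one.
 if (enforce_policy_checking_ &&
 (result == OK ||
 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) {
 SCTList verified_scts = ct::SCTsMatchingStatus(
 verify_details_->ct_verify_result.scts, ct::SCT_STATUS_OK);
-if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
-ct::EVPolicyCompliance ev_policy_compliance =
-policy_enforcer_->DoesConformToCTEVPolicy(
-cert_verify_result.verified_cert.get(),
-SSLConfigService::GetEVCertsWhitelist().get(), verified_scts,
-net_log_);
-verify_details_->ct_verify_result.ev_policy_compliance =
-ev_policy_compliance;
-if (ev_policy_compliance !=
-ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
-ev_policy_compliance !=
-ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
-ev_policy_compliance !=
-ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
-verify_details_->cert_verify_result.cert_status |=
-CERT_STATUS_CT_COMPLIANCE_FAILED;
-verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
-}
-}
 
 verify_details_->ct_verify_result.cert_policy_compliance =
 policy_enforcer_->DoesConformToCertPolicy(
 cert_verify_result.verified_cert.get(), verified_scts, net_log_);
+if ((verify_details_->cert_verify_result.cert_status & CERT_STATUS_IS_EV) &&
+(verify_details_->ct_verify_result.cert_policy_compliance !=
+ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)) {
+verify_details_->cert_verify_result.cert_status |=
+CERT_STATUS_CT_COMPLIANCE_FAILED;
+verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
+}
 
 int ct_result = OK;
 if (transport_security_state_->CheckCTRequirements(
 HostPortPair(hostname_, port_),
 cert_verify_result.is_issued_by_known_root,
 cert_verify_result.public_key_hashes,
 cert_verify_result.verified_cert.get(), cert_.get(),
 verify_details_->ct_verify_result.scts,
 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
 verify_details_->ct_verify_result.cert_policy_compliance) !=
@@ -609,10 +595,10 @@
 active_jobs_[job_ptr] = std::move(job);
 }
 return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
 active_jobs_.erase(job);
 }
 
 } // namespace net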
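Review bot: The new EV demotion in DoVerifyCertComplete (new lines 400-406) strips CERT_STATUS_IS_EV and sets CERT_STATUS_CT_COMPLIANCE_FAILED for every CertPolicyCompliance value other than CERT_POLICY_COMPLIES_VIA_SCTS, whereas the removed EV path also exempted EV_POLICY_DOES_NOT_APPLY; if treating all non-compliant outcomes as EV-disqualifying is the intent, say so above the `if`, e.g. `// Without the whitelist, an EV cert must satisfy the CT policy via SCTs; any other outcome drops EV and records CT non-compliance.` The deleted unconditional write of ct_verify_result.ev_policy_compliance (old lines 388-389) is not replaced, so if that member still exists after this CL it is left at whatever the struct default is, which callers reading it should be aware of; I cannot see the struct from here. As a point of style, the new condition spells out `verify_details_->cert_verify_result.cert_status` while the rest of the block reads through the `cert_verify_result` alias bound at line 384, so `cert_verify_result.cert_status & CERT_STATUS_IS_EV` would read consistently. Note that the `cert_status` local captured at line 386 is a copy taken before these mutations, so any later use of it in this function (its body continues past the hunk) will still carry the EV bit.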