1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" | 5 #include "net/quic/chromium/crypto/proof_verifier_chromium.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
378 &cert_verifier_request_, net_log_); | 378 &cert_verifier_request_, net_log_); |
379 } | 379 } |
380 | 380 |
381 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { | 381 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { |
382 cert_verifier_request_.reset(); | 382 cert_verifier_request_.reset(); |
383 | 383 |
384 const CertVerifyResult& cert_verify_result = | 384 const CertVerifyResult& cert_verify_result = |
385 verify_details_->cert_verify_result; | 385 verify_details_->cert_verify_result; |
386 const CertStatus cert_status = cert_verify_result.cert_status; | 386 const CertStatus cert_status = cert_verify_result.cert_status; |
387 verify_details_->ct_verify_result.ct_policies_applied = result == OK; | 387 verify_details_->ct_verify_result.ct_policies_applied = result == OK; |
388 verify_details_->ct_verify_result.ev_policy_compliance = | |
389 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | |
390 | 388 |
391 // If the connection was good, check HPKP and CT status simultaneously, | 389 // If the connection was good, check HPKP and CT status simultaneously, |
392 // but prefer to treat the HPKP error as more serious, if there was one. | 390 // but prefer to treat the HPKP error as more serious, if there was one. |
393 if (enforce_policy_checking_ && | 391 if (enforce_policy_checking_ && |
394 (result == OK || | 392 (result == OK || |
395 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { | 393 (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) { |
396 SCTList verified_scts = ct::SCTsMatchingStatus( | 394 SCTList verified_scts = ct::SCTsMatchingStatus( |
397 verify_details_->ct_verify_result.scts, ct::SCT_STATUS_OK); | 395 verify_details_->ct_verify_result.scts, ct::SCT_STATUS_OK); |
398 if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { | |
399 ct::EVPolicyCompliance ev_policy_compliance = | |
400 policy_enforcer_->DoesConformToCTEVPolicy( | |
401 cert_verify_result.verified_cert.get(), | |
402 SSLConfigService::GetEVCertsWhitelist().get(), verified_scts, | |
403 net_log_); | |
404 verify_details_->ct_verify_result.ev_policy_compliance = | |
405 ev_policy_compliance; | |
406 if (ev_policy_compliance != | |
407 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | |
408 ev_policy_compliance != | |
409 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
410 ev_policy_compliance != | |
411 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | |
412 verify_details_->cert_verify_result.cert_status |= | |
413 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
414 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; | |
415 } | |
416 } | |
417 | 396 |
418 verify_details_->ct_verify_result.cert_policy_compliance = | 397 verify_details_->ct_verify_result.cert_policy_compliance = |
419 policy_enforcer_->DoesConformToCertPolicy( | 398 policy_enforcer_->DoesConformToCertPolicy( |
420 cert_verify_result.verified_cert.get(), verified_scts, net_log_); | 399 cert_verify_result.verified_cert.get(), verified_scts, net_log_); |
| 400 if ((verify_details_->cert_verify_result.cert_status & CERT_STATUS_IS_EV) && |
| 401 (verify_details_->ct_verify_result.cert_policy_compliance != |
| 402 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)) { |
| 403 verify_details_->cert_verify_result.cert_status |= |
| 404 CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 405 verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV; |
| 406 } |
421 | 407 |
422 int ct_result = OK; | 408 int ct_result = OK; |
423 if (transport_security_state_->CheckCTRequirements( | 409 if (transport_security_state_->CheckCTRequirements( |
424 HostPortPair(hostname_, port_), | 410 HostPortPair(hostname_, port_), |
425 cert_verify_result.is_issued_by_known_root, | 411 cert_verify_result.is_issued_by_known_root, |
426 cert_verify_result.public_key_hashes, | 412 cert_verify_result.public_key_hashes, |
427 cert_verify_result.verified_cert.get(), cert_.get(), | 413 cert_verify_result.verified_cert.get(), cert_.get(), |
428 verify_details_->ct_verify_result.scts, | 414 verify_details_->ct_verify_result.scts, |
429 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | 415 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
430 verify_details_->ct_verify_result.cert_policy_compliance) != | 416 verify_details_->ct_verify_result.cert_policy_compliance) != |
609 active_jobs_[job_ptr] = std::move(job); | 595 active_jobs_[job_ptr] = std::move(job); |
610 } | 596 } |
611 return status; | 597 return status; |
612 } | 598 } |
613 | 599 |
614 void ProofVerifierChromium::OnJobComplete(Job* job) { | 600 void ProofVerifierChromium::OnJobComplete(Job* job) { |
615 active_jobs_.erase(job); | 601 active_jobs_.erase(job); |
616 } | 602 } |
617 | 603 |
618 } // namespace net | 604 } // namespace net |
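Review bot: The new EV downgrade at new lines 400–406 of DoVerifyCertComplete has no comment explaining the rule it enforces, and the rule is now stricter than a reader of the surrounding code would guess: EV survives only when `cert_policy_compliance` is exactly `ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS`, and any other outcome both sets `CERT_STATUS_CT_COMPLIANCE_FAILED` and clears `CERT_STATUS_IS_EV`. A two-line comment above the `if` would make that explicit, e.g. `// EV status is retained only when CT compliance was established via SCTs;` / `// otherwise record the CT failure and clear CERT_STATUS_IS_EV.` It is also worth noting in that comment that, like the block it replaces, the downgrade runs only under `enforce_policy_checking_` for an OK or minor-error result, so a caller that skips policy enforcement keeps whatever EV bit the verifier set. As a point of style, the condition reads through `verify_details_->cert_verify_result.cert_status` although the `cert_verify_result` alias bound a few lines earlier refers to the same object; `if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV) &&` would match the neighbouring lines, with the writes still going through `verify_details_`. DoVerifyCertComplete continues past the hunk, which ends mid-statement in the CheckCTRequirements call.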