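--- a/net/quic/chromium/crypto/proof_verifier_chromium.cc
+++ b/net/quic/chromium/crypto/proof_verifier_chromium.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/chromium/crypto/proof_verifier_chromium.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ -378,53 +378,39 @@
           &cert_verifier_request_, net_log_);
 }
 
 int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
   cert_verifier_request_.reset();
 
   const CertVerifyResult& cert_verify_result =
       verify_details_->cert_verify_result;
   const CertStatus cert_status = cert_verify_result.cert_status;
   verify_details_->ct_verify_result.ct_policies_applied = result == OK;
-  verify_details_->ct_verify_result.ev_policy_compliance =
-      ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 
   // If the connection was good, check HPKP and CT status simultaneously,
   // but prefer to treat the HPKP error as more serious, if there was one.
   if (enforce_policy_checking_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status)))) {
     SCTList verified_scts = ct::SCTsMatchingStatus(
         verify_details_->ct_verify_result.scts, ct::SCT_STATUS_OK);
-    if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) {
-      ct::EVPolicyCompliance ev_policy_compliance =
-          policy_enforcer_->DoesConformToCTEVPolicy(
-              cert_verify_result.verified_cert.get(),
-              SSLConfigService::GetEVCertsWhitelist().get(), verified_scts,
-              net_log_);
-      verify_details_->ct_verify_result.ev_policy_compliance =
-          ev_policy_compliance;
-      if (ev_policy_compliance !=
-              ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
-          ev_policy_compliance !=
-              ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
-          ev_policy_compliance !=
-              ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
-        verify_details_->cert_verify_result.cert_status |=
-            CERT_STATUS_CT_COMPLIANCE_FAILED;
-        verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
-      }
-    }
 
     verify_details_->ct_verify_result.cert_policy_compliance =
         policy_enforcer_->DoesConformToCertPolicy(
             cert_verify_result.verified_cert.get(), verified_scts, net_log_);
+    if ((verify_details_->cert_verify_result.cert_status & CERT_STATUS_IS_EV) &&
+        (verify_details_->ct_verify_result.cert_policy_compliance !=
+         ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)) {
+      verify_details_->cert_verify_result.cert_status |=
+          CERT_STATUS_CT_COMPLIANCE_FAILED;
+      verify_details_->cert_verify_result.cert_status &= ~CERT_STATUS_IS_EV;
+    }
 
     int ct_result = OK;
     if (transport_security_state_->CheckCTRequirements(
             HostPortPair(hostname_, port_),
             cert_verify_result.is_issued_by_known_root,
             cert_verify_result.public_key_hashes,
             cert_verify_result.verified_cert.get(), cert_.get(),
             verify_details_->ct_verify_result.scts,
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             verify_details_->ct_verify_result.cert_policy_compliance) !=
@@ -609,10 +595,10 @@
     active_jobs_[job_ptr] = std::move(job);
   }
   return status;
 }
 
 void ProofVerifierChromium::OnJobComplete(Job* job) {
   active_jobs_.erase(job);
 }
 
 } // namespace net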
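Review bot: The EV downgrade added at new lines 400-406 mutates `verify_details_->cert_verify_result.cert_status`, but the `cert_status` local copied at line 386 is never refreshed, so any later use of that local in DoVerifyCertComplete (the function continues past the end of this hunk) would still see `CERT_STATUS_IS_EV` set and `CERT_STATUS_CT_COMPLIANCE_FAILED` clear. The read in the new condition also bypasses the `cert_verify_result` alias bound at line 384 that the neighbouring code uses for the same object; for consistency the test could be `if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV) &&` while keeping the writes through `verify_details_`. Since the whitelist path is gone and every compliance value other than `CERT_POLICY_COMPLIES_VIA_SCTS` (including a stale-build result, as far as this hunk shows) now strips EV, a comment stating that intent would help: `// An EV cert must satisfy the CT policy via SCTs; otherwise record the CT failure and demote the result to non-EV.` If `ct_verify_result.ev_policy_compliance` still exists, note that the removed initialisation at old lines 388-389 leaves it at its default.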