| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| 26 #include "base/threading/thread_local.h" | 26 #include "base/threading/thread_local.h" |
| 27 #include "base/trace_event/process_memory_dump.h" | 27 #include "base/trace_event/process_memory_dump.h" |
| 28 #include "base/trace_event/trace_event.h" | 28 #include "base/trace_event/trace_event.h" |
| 29 #include "base/values.h" | 29 #include "base/values.h" |
| 30 #include "crypto/ec_private_key.h" | 30 #include "crypto/ec_private_key.h" |
| 31 #include "crypto/openssl_util.h" | 31 #include "crypto/openssl_util.h" |
| 32 #include "net/base/ip_address.h" | 32 #include "net/base/ip_address.h" |
| 33 #include "net/base/net_errors.h" | 33 #include "net/base/net_errors.h" |
| 34 #include "net/base/trace_constants.h" | 34 #include "net/base/trace_constants.h" |
| 35 #include "net/cert/cert_verifier.h" | 35 #include "net/cert/cert_verifier.h" |
| 36 #include "net/cert/ct_ev_whitelist.h" | |
| 37 #include "net/cert/ct_policy_enforcer.h" | 36 #include "net/cert/ct_policy_enforcer.h" |
| 38 #include "net/cert/ct_policy_status.h" | 37 #include "net/cert/ct_policy_status.h" |
| 39 #include "net/cert/ct_verifier.h" | 38 #include "net/cert/ct_verifier.h" |
| 40 #include "net/cert/x509_certificate_net_log_param.h" | 39 #include "net/cert/x509_certificate_net_log_param.h" |
| 41 #include "net/cert/x509_util.h" | 40 #include "net/cert/x509_util.h" |
| 42 #include "net/http/transport_security_state.h" | 41 #include "net/http/transport_security_state.h" |
| 43 #include "net/log/net_log.h" | 42 #include "net/log/net_log.h" |
| 44 #include "net/log/net_log_event_type.h" | 43 #include "net/log/net_log_event_type.h" |
| 45 #include "net/log/net_log_parameters_callback.h" | 44 #include "net/log/net_log_parameters_callback.h" |
| 46 #include "net/ssl/ssl_cert_request_info.h" | 45 #include "net/ssl/ssl_cert_request_info.h" |
| 1531 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len); | 1530 reinterpret_cast<const char*>(ocsp_response_raw), ocsp_response_len); |
| 1532 | 1531 |
| 1533 // Note that this is a completely synchronous operation: The CT Log Verifier | 1532 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 1534 // gets all the data it needs for SCT verification and does not do any | 1533 // gets all the data it needs for SCT verification and does not do any |
| 1535 // external communication. | 1534 // external communication. |
| 1536 cert_transparency_verifier_->Verify( | 1535 cert_transparency_verifier_->Verify( |
| 1537 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, | 1536 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, |
| 1538 &ct_verify_result_.scts, net_log_); | 1537 &ct_verify_result_.scts, net_log_); |
| 1539 | 1538 |
| 1540 ct_verify_result_.ct_policies_applied = true; | 1539 ct_verify_result_.ct_policies_applied = true; |
| 1541 ct_verify_result_.ev_policy_compliance = | |
| 1542 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; | |
| 1543 | 1540 |
| 1544 SCTList verified_scts = | 1541 SCTList verified_scts = |
| 1545 ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK); | 1542 ct::SCTsMatchingStatus(ct_verify_result_.scts, ct::SCT_STATUS_OK); |
| 1546 | 1543 |
| 1547 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
| 1548 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
| 1549 SSLConfigService::GetEVCertsWhitelist(); | |
| 1550 ct::EVPolicyCompliance ev_policy_compliance = | |
| 1551 policy_enforcer_->DoesConformToCTEVPolicy( | |
| 1552 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | |
| 1553 verified_scts, net_log_); | |
| 1554 ct_verify_result_.ev_policy_compliance = ev_policy_compliance; | |
| 1555 if (ev_policy_compliance != | |
| 1556 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && | |
| 1557 ev_policy_compliance != | |
| 1558 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && | |
| 1559 ev_policy_compliance != | |
| 1560 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { | |
| 1561 server_cert_verify_result_.cert_status |= | |
| 1562 CERT_STATUS_CT_COMPLIANCE_FAILED; | |
| 1563 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
| 1564 } | |
| 1565 } | |
| 1566 ct_verify_result_.cert_policy_compliance = | 1544 ct_verify_result_.cert_policy_compliance = |
| 1567 policy_enforcer_->DoesConformToCertPolicy( | 1545 policy_enforcer_->DoesConformToCertPolicy( |
| 1568 server_cert_verify_result_.verified_cert.get(), verified_scts, | 1546 server_cert_verify_result_.verified_cert.get(), verified_scts, |
| 1569 net_log_); | 1547 net_log_); |
| 1548 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && |
| 1549 (ct_verify_result_.cert_policy_compliance != |
| 1550 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)) { |
| 1551 server_cert_verify_result_.cert_status |= CERT_STATUS_CT_COMPLIANCE_FAILED; |
| 1552 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 1553 } |
| 1570 | 1554 |
| 1571 if (transport_security_state_->CheckCTRequirements( | 1555 if (transport_security_state_->CheckCTRequirements( |
| 1572 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, | 1556 host_and_port_, server_cert_verify_result_.is_issued_by_known_root, |
| 1573 server_cert_verify_result_.public_key_hashes, | 1557 server_cert_verify_result_.public_key_hashes, |
| 1574 server_cert_verify_result_.verified_cert.get(), server_cert_.get(), | 1558 server_cert_verify_result_.verified_cert.get(), server_cert_.get(), |
| 1575 ct_verify_result_.scts, | 1559 ct_verify_result_.scts, |
| 1576 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, | 1560 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS, |
| 1577 ct_verify_result_.cert_policy_compliance) != | 1561 ct_verify_result_.cert_policy_compliance) != |
| 1578 TransportSecurityState::CT_REQUIREMENTS_MET) { | 1562 TransportSecurityState::CT_REQUIREMENTS_MET) { |
| 1579 server_cert_verify_result_.cert_status |= | 1563 server_cert_verify_result_.cert_status |= |
| 1979 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && | 1963 if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED && |
| 1980 !certificate_requested_) { | 1964 !certificate_requested_) { |
| 1981 net_error = ERR_SSL_PROTOCOL_ERROR; | 1965 net_error = ERR_SSL_PROTOCOL_ERROR; |
| 1982 } | 1966 } |
| 1983 } | 1967 } |
| 1984 | 1968 |
| 1985 return net_error; | 1969 return net_error; |
| 1986 } | 1970 } |
| 1987 | 1971 |
| 1988 } // namespace net | 1972 } // namespace net |
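Review bot: The new EV demotion block at new lines 1548-1553 has no comment explaining why an EV certificate is stripped of CERT_STATUS_IS_EV when it does not reach CERT_POLICY_COMPLIES_VIA_SCTS, while the old code at least spelled out the accepted compliance values; a reader of this condition cannot tell whether the other CertPolicyCompliance values were deliberately excluded. I would add above the `if` a comment along the lines of `// EV status is only retained when the certificate complies with the CT policy via SCTs; any other compliance result demotes it to DV and flags a CT failure.` The old code also assigned `ct_verify_result_.ev_policy_compliance` unconditionally (old lines 1541-1542 and 1554) and the new side never writes it; if that field still exists on the result struct after this change, it is now left at whatever its default is, so it is worth confirming the field was removed or is defaulted elsewhere. The enclosing function (the CT verification routine) begins before this hunk, so its earlier handling of `server_cert_verify_result_` is not visible here.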