OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 3484 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3495 &ct_verify_result_, | 3495 &ct_verify_result_, |
3496 net_log_); | 3496 net_log_); |
3497 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3497 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
3498 // from the state after verification is complete, to conserve memory. | 3498 // from the state after verification is complete, to conserve memory. |
3499 | 3499 |
3500 VLOG(1) << "CT Verification complete: result " << result | 3500 VLOG(1) << "CT Verification complete: result " << result |
3501 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3501 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
3502 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3502 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
3503 << " scts from unknown logs: " | 3503 << " scts from unknown logs: " |
3504 << ct_verify_result_.unknown_logs_scts.size(); | 3504 << ct_verify_result_.unknown_logs_scts.size(); |
3505 | |
3506 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && | |
3507 (!cert_transparency_verifier_->DoesConformToCTEVPolicy( | |
3508 server_cert_verify_result_.verified_cert, ct_verify_result_))) { | |
3509 VLOG(1) << "EV certificate without enough SCTs, removing EV status."; | |
3510 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
3511 } | |
Ryan Sleevi
2014/08/05 22:19:10
Another sign of layering concern is that this logi
Eran Messeri
2014/10/20 17:26:30
I've created a new class, CertPolicyEnforcer, whic
| |
3505 } | 3512 } |
3506 | 3513 |
3507 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { | 3514 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |
3508 UpdateConnectionTypeHistograms(CONNECTION_SSL); | 3515 UpdateConnectionTypeHistograms(CONNECTION_SSL); |
3509 int ssl_version = SSLConnectionStatusToVersion( | 3516 int ssl_version = SSLConnectionStatusToVersion( |
3510 core_->state().ssl_connection_status); | 3517 core_->state().ssl_connection_status); |
3511 switch (ssl_version) { | 3518 switch (ssl_version) { |
3512 case SSL_CONNECTION_VERSION_SSL2: | 3519 case SSL_CONNECTION_VERSION_SSL2: |
3513 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); | 3520 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); |
3514 break; | 3521 break; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3565 scoped_refptr<X509Certificate> | 3572 scoped_refptr<X509Certificate> |
3566 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3573 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
3567 return core_->state().server_cert.get(); | 3574 return core_->state().server_cert.get(); |
3568 } | 3575 } |
3569 | 3576 |
3570 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3577 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
3571 return channel_id_service_; | 3578 return channel_id_service_; |
3572 } | 3579 } |
3573 | 3580 |
3574 } // namespace net | 3581 } // namespace net |
OLD | NEW |