Chromium Code Reviews Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/io_thread.h" | 5 #include "chrome/browser/io_thread.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/base64.h" | 9 #include "base/base64.h" |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 46 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_pref s.h" | 46 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_pref s.h" |
| 47 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_prot ocol.h" | 47 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_prot ocol.h" |
| 48 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_sett ings.h" | 48 #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_sett ings.h" |
| 49 #include "components/data_reduction_proxy/core/common/data_reduction_proxy_param s.h" | 49 #include "components/data_reduction_proxy/core/common/data_reduction_proxy_param s.h" |
| 50 #include "components/policy/core/common/policy_service.h" | 50 #include "components/policy/core/common/policy_service.h" |
| 51 #include "components/variations/variations_associated_data.h" | 51 #include "components/variations/variations_associated_data.h" |
| 52 #include "content/public/browser/browser_thread.h" | 52 #include "content/public/browser/browser_thread.h" |
| 53 #include "content/public/browser/cookie_store_factory.h" | 53 #include "content/public/browser/cookie_store_factory.h" |
| 54 #include "net/base/host_mapping_rules.h" | 54 #include "net/base/host_mapping_rules.h" |
| 55 #include "net/base/net_util.h" | 55 #include "net/base/net_util.h" |
| 56 #include "net/cert/cert_policy_enforcer.h" | |
| 56 #include "net/cert/cert_verifier.h" | 57 #include "net/cert/cert_verifier.h" |
| 57 #include "net/cert/cert_verify_proc.h" | 58 #include "net/cert/cert_verify_proc.h" |
| 58 #include "net/cert/ct_known_logs.h" | 59 #include "net/cert/ct_known_logs.h" |
| 60 #include "net/cert/ct_known_logs_static.h" | |
| 59 #include "net/cert/ct_log_verifier.h" | 61 #include "net/cert/ct_log_verifier.h" |
| 60 #include "net/cert/ct_verifier.h" | 62 #include "net/cert/ct_verifier.h" |
| 61 #include "net/cert/multi_log_ct_verifier.h" | 63 #include "net/cert/multi_log_ct_verifier.h" |
| 62 #include "net/cert/multi_threaded_cert_verifier.h" | 64 #include "net/cert/multi_threaded_cert_verifier.h" |
| 63 #include "net/cookies/cookie_store.h" | 65 #include "net/cookies/cookie_store.h" |
| 64 #include "net/dns/host_cache.h" | 66 #include "net/dns/host_cache.h" |
| 65 #include "net/dns/host_resolver.h" | 67 #include "net/dns/host_resolver.h" |
| 66 #include "net/dns/mapped_host_resolver.h" | 68 #include "net/dns/mapped_host_resolver.h" |
| 67 #include "net/ftp/ftp_network_layer.h" | 69 #include "net/ftp/ftp_network_layer.h" |
| 68 #include "net/http/http_auth_filter.h" | 70 #include "net/http/http_auth_filter.h" |
| (...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 234 // TODO(willchan): Remove proxy script fetcher context since it's not necessary | 236 // TODO(willchan): Remove proxy script fetcher context since it's not necessary |
| 235 // now that I got rid of refcounting URLRequestContexts. | 237 // now that I got rid of refcounting URLRequestContexts. |
| 236 // See IOThread::Globals for details. | 238 // See IOThread::Globals for details. |
| 237 net::URLRequestContext* | 239 net::URLRequestContext* |
| 238 ConstructProxyScriptFetcherContext(IOThread::Globals* globals, | 240 ConstructProxyScriptFetcherContext(IOThread::Globals* globals, |
| 239 net::NetLog* net_log) { | 241 net::NetLog* net_log) { |
| 240 net::URLRequestContext* context = new net::URLRequestContext; | 242 net::URLRequestContext* context = new net::URLRequestContext; |
| 241 context->set_net_log(net_log); | 243 context->set_net_log(net_log); |
| 242 context->set_host_resolver(globals->host_resolver.get()); | 244 context->set_host_resolver(globals->host_resolver.get()); |
| 243 context->set_cert_verifier(globals->cert_verifier.get()); | 245 context->set_cert_verifier(globals->cert_verifier.get()); |
| 246 context->set_cert_policy_enforcer(globals->cert_policy_enforcer.get()); | |
| 244 context->set_transport_security_state( | 247 context->set_transport_security_state( |
| 245 globals->transport_security_state.get()); | 248 globals->transport_security_state.get()); |
| 246 context->set_cert_transparency_verifier( | 249 context->set_cert_transparency_verifier( |
| 247 globals->cert_transparency_verifier.get()); | 250 globals->cert_transparency_verifier.get()); |
| 248 context->set_http_auth_handler_factory( | 251 context->set_http_auth_handler_factory( |
| 249 globals->http_auth_handler_factory.get()); | 252 globals->http_auth_handler_factory.get()); |
| 250 context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get()); | 253 context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get()); |
| 251 context->set_http_transaction_factory( | 254 context->set_http_transaction_factory( |
| 252 globals->proxy_script_fetcher_http_transaction_factory.get()); | 255 globals->proxy_script_fetcher_http_transaction_factory.get()); |
| 253 context->set_job_factory( | 256 context->set_job_factory( |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 264 return context; | 267 return context; |
| 265 } | 268 } |
| 266 | 269 |
| 267 net::URLRequestContext* | 270 net::URLRequestContext* |
| 268 ConstructSystemRequestContext(IOThread::Globals* globals, | 271 ConstructSystemRequestContext(IOThread::Globals* globals, |
| 269 net::NetLog* net_log) { | 272 net::NetLog* net_log) { |
| 270 net::URLRequestContext* context = new SystemURLRequestContext; | 273 net::URLRequestContext* context = new SystemURLRequestContext; |
| 271 context->set_net_log(net_log); | 274 context->set_net_log(net_log); |
| 272 context->set_host_resolver(globals->host_resolver.get()); | 275 context->set_host_resolver(globals->host_resolver.get()); |
| 273 context->set_cert_verifier(globals->cert_verifier.get()); | 276 context->set_cert_verifier(globals->cert_verifier.get()); |
| 277 context->set_cert_policy_enforcer(globals->cert_policy_enforcer.get()); | |
| 274 context->set_transport_security_state( | 278 context->set_transport_security_state( |
| 275 globals->transport_security_state.get()); | 279 globals->transport_security_state.get()); |
| 276 context->set_cert_transparency_verifier( | 280 context->set_cert_transparency_verifier( |
| 277 globals->cert_transparency_verifier.get()); | 281 globals->cert_transparency_verifier.get()); |
| 278 context->set_http_auth_handler_factory( | 282 context->set_http_auth_handler_factory( |
| 279 globals->http_auth_handler_factory.get()); | 283 globals->http_auth_handler_factory.get()); |
| 280 context->set_proxy_service(globals->system_proxy_service.get()); | 284 context->set_proxy_service(globals->system_proxy_service.get()); |
| 281 context->set_http_transaction_factory( | 285 context->set_http_transaction_factory( |
| 282 globals->system_http_transaction_factory.get()); | 286 globals->system_http_transaction_factory.get()); |
| 283 context->set_job_factory(globals->system_url_request_job_factory.get()); | 287 context->set_job_factory(globals->system_url_request_job_factory.get()); |
| (...skipping 348 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 632 &ct_public_key_data)) | 636 &ct_public_key_data)) |
| 633 << "Unable to decode CT public key."; | 637 << "Unable to decode CT public key."; |
| 634 scoped_ptr<net::CTLogVerifier> external_log_verifier( | 638 scoped_ptr<net::CTLogVerifier> external_log_verifier( |
| 635 net::CTLogVerifier::Create(ct_public_key_data, log_description)); | 639 net::CTLogVerifier::Create(ct_public_key_data, log_description)); |
| 636 CHECK(external_log_verifier) << "Unable to parse CT public key."; | 640 CHECK(external_log_verifier) << "Unable to parse CT public key."; |
| 637 VLOG(1) << "Adding log with description " << log_description; | 641 VLOG(1) << "Adding log with description " << log_description; |
| 638 ct_verifier->AddLog(external_log_verifier.Pass()); | 642 ct_verifier->AddLog(external_log_verifier.Pass()); |
| 639 } | 643 } |
| 640 } | 644 } |
| 641 | 645 |
| 646 net::CertPolicyEnforcer* policy_enforcer = NULL; | |
| 647 // TODO(eranm): In M41 Certificate Transparency presence will be required | |
| 648 // by for EV certificates. Remove this flag for M41. | |
|
Ryan Sleevi
2014/11/06 00:16:43
While I know the delays have been due to my review
Eran Messeri
2014/11/20 11:49:56
Per our offline discussion, this patch will be imm
| |
| 649 if (command_line.HasSwitch(switches::kRequireCTForEV)) { | |
| 650 policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, true); | |
| 651 } else { | |
| 652 policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, false); | |
| 653 } | |
| 654 globals_->cert_policy_enforcer.reset(policy_enforcer); | |
| 655 | |
| 642 globals_->ssl_config_service = GetSSLConfigService(); | 656 globals_->ssl_config_service = GetSSLConfigService(); |
| 643 | 657 |
| 644 SetupDataReductionProxy(network_delegate); | 658 SetupDataReductionProxy(network_delegate); |
| 645 | 659 |
| 646 globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory( | 660 globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory( |
| 647 globals_->host_resolver.get())); | 661 globals_->host_resolver.get())); |
| 648 globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl()); | 662 globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl()); |
| 649 // For the ProxyScriptFetcher, we use a direct ProxyService. | 663 // For the ProxyScriptFetcher, we use a direct ProxyService. |
| 650 globals_->proxy_script_fetcher_proxy_service.reset( | 664 globals_->proxy_script_fetcher_proxy_service.reset( |
| 651 net::ProxyService::CreateDirectWithNetLog(net_log_)); | 665 net::ProxyService::CreateDirectWithNetLog(net_log_)); |
| (...skipping 336 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 988 net::HttpNetworkSession::Params* params) { | 1002 net::HttpNetworkSession::Params* params) { |
| 989 InitializeNetworkSessionParamsFromGlobals(*globals_, params); | 1003 InitializeNetworkSessionParamsFromGlobals(*globals_, params); |
| 990 } | 1004 } |
| 991 | 1005 |
| 992 // static | 1006 // static |
| 993 void IOThread::InitializeNetworkSessionParamsFromGlobals( | 1007 void IOThread::InitializeNetworkSessionParamsFromGlobals( |
| 994 const IOThread::Globals& globals, | 1008 const IOThread::Globals& globals, |
| 995 net::HttpNetworkSession::Params* params) { | 1009 net::HttpNetworkSession::Params* params) { |
| 996 params->host_resolver = globals.host_resolver.get(); | 1010 params->host_resolver = globals.host_resolver.get(); |
| 997 params->cert_verifier = globals.cert_verifier.get(); | 1011 params->cert_verifier = globals.cert_verifier.get(); |
| 1012 params->cert_policy_enforcer = globals.cert_policy_enforcer.get(); | |
| 998 params->channel_id_service = globals.system_channel_id_service.get(); | 1013 params->channel_id_service = globals.system_channel_id_service.get(); |
| 999 params->transport_security_state = globals.transport_security_state.get(); | 1014 params->transport_security_state = globals.transport_security_state.get(); |
| 1000 params->ssl_config_service = globals.ssl_config_service.get(); | 1015 params->ssl_config_service = globals.ssl_config_service.get(); |
| 1001 params->http_auth_handler_factory = globals.http_auth_handler_factory.get(); | 1016 params->http_auth_handler_factory = globals.http_auth_handler_factory.get(); |
| 1002 params->http_server_properties = | 1017 params->http_server_properties = |
| 1003 globals.http_server_properties->GetWeakPtr(); | 1018 globals.http_server_properties->GetWeakPtr(); |
| 1004 params->network_delegate = globals.system_network_delegate.get(); | 1019 params->network_delegate = globals.system_network_delegate.get(); |
| 1005 params->host_mapping_rules = globals.host_mapping_rules.get(); | 1020 params->host_mapping_rules = globals.host_mapping_rules.get(); |
| 1006 params->enable_ssl_connect_job_waiting = | 1021 params->enable_ssl_connect_job_waiting = |
| 1007 globals.enable_ssl_connect_job_waiting; | 1022 globals.enable_ssl_connect_job_waiting; |
| (...skipping 437 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1445 net::QuicVersionVector supported_versions = net::QuicSupportedVersions(); | 1460 net::QuicVersionVector supported_versions = net::QuicSupportedVersions(); |
| 1446 for (size_t i = 0; i < supported_versions.size(); ++i) { | 1461 for (size_t i = 0; i < supported_versions.size(); ++i) { |
| 1447 net::QuicVersion version = supported_versions[i]; | 1462 net::QuicVersion version = supported_versions[i]; |
| 1448 if (net::QuicVersionToString(version) == quic_version) { | 1463 if (net::QuicVersionToString(version) == quic_version) { |
| 1449 return version; | 1464 return version; |
| 1450 } | 1465 } |
| 1451 } | 1466 } |
| 1452 | 1467 |
| 1453 return net::QUIC_VERSION_UNSUPPORTED; | 1468 return net::QUIC_VERSION_UNSUPPORTED; |
| 1454 } | 1469 } |
| OLD | NEW |
