net/socket/ssl_client_socket_nss.cc - Issue 422063004: Certificate Transparency: Require SCTs for EV certificates.

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fixing pointer type and tests Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived	5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived

6 // from AuthCertificateCallback() in	6 // from AuthCertificateCallback() in

7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.	7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.

8	8

9 /* *** BEGIN LICENSE BLOCK ***	9 /* *** BEGIN LICENSE BLOCK ***

10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

(...skipping 74 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
85 #include "crypto/nss_util_internal.h"	85 #include "crypto/nss_util_internal.h"

86 #include "crypto/rsa_private_key.h"	86 #include "crypto/rsa_private_key.h"

87 #include "crypto/scoped_nss_types.h"	87 #include "crypto/scoped_nss_types.h"

88 #include "net/base/address_list.h"	88 #include "net/base/address_list.h"

89 #include "net/base/connection_type_histograms.h"	89 #include "net/base/connection_type_histograms.h"

90 #include "net/base/dns_util.h"	90 #include "net/base/dns_util.h"

91 #include "net/base/io_buffer.h"	91 #include "net/base/io_buffer.h"

92 #include "net/base/net_errors.h"	92 #include "net/base/net_errors.h"

93 #include "net/base/net_log.h"	93 #include "net/base/net_log.h"

94 #include "net/cert/asn1_util.h"	94 #include "net/cert/asn1_util.h"

	95 #include "net/cert/cert_policy_enforcer.h"

95 #include "net/cert/cert_status_flags.h"	96 #include "net/cert/cert_status_flags.h"

96 #include "net/cert/cert_verifier.h"	97 #include "net/cert/cert_verifier.h"

97 #include "net/cert/ct_ev_whitelist.h"	98 #include "net/cert/ct_ev_whitelist.h"

98 #include "net/cert/ct_verifier.h"	99 #include "net/cert/ct_verifier.h"

99 #include "net/cert/ct_verify_result.h"	100 #include "net/cert/ct_verify_result.h"

100 #include "net/cert/scoped_nss_types.h"	101 #include "net/cert/scoped_nss_types.h"

101 #include "net/cert/sct_status_flags.h"	102 #include "net/cert/sct_status_flags.h"

102 #include "net/cert/single_request_cert_verifier.h"	103 #include "net/cert/single_request_cert_verifier.h"

103 #include "net/cert/x509_certificate_net_log_param.h"	104 #include "net/cert/x509_certificate_net_log_param.h"

104 #include "net/cert/x509_util.h"	105 #include "net/cert/x509_util.h"

(...skipping 2714 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2819 ssl_config_(ssl_config),	2820 ssl_config_(ssl_config),

2820 cert_verifier_(context.cert_verifier),	2821 cert_verifier_(context.cert_verifier),

2821 cert_transparency_verifier_(context.cert_transparency_verifier),	2822 cert_transparency_verifier_(context.cert_transparency_verifier),

2822 channel_id_service_(context.channel_id_service),	2823 channel_id_service_(context.channel_id_service),

2823 ssl_session_cache_shard_(context.ssl_session_cache_shard),	2824 ssl_session_cache_shard_(context.ssl_session_cache_shard),

2824 completed_handshake_(false),	2825 completed_handshake_(false),

2825 next_handshake_state_(STATE_NONE),	2826 next_handshake_state_(STATE_NONE),

2826 nss_fd_(NULL),	2827 nss_fd_(NULL),

2827 net_log_(transport_->socket()->NetLog()),	2828 net_log_(transport_->socket()->NetLog()),

2828 transport_security_state_(context.transport_security_state),	2829 transport_security_state_(context.transport_security_state),

	2830 policy_enforcer_(context.cert_policy_enforcer),

2829 valid_thread_id_(base::kInvalidThreadId) {	2831 valid_thread_id_(base::kInvalidThreadId) {

2830 EnterFunction("");	2832 EnterFunction("");

2831 InitCore();	2833 InitCore();

2832 LeaveFunction("");	2834 LeaveFunction("");

2833 }	2835 }

2834	2836

2835 SSLClientSocketNSS::~SSLClientSocketNSS() {	2837 SSLClientSocketNSS::~SSLClientSocketNSS() {

2836 EnterFunction("");	2838 EnterFunction("");

2837 Disconnect();	2839 Disconnect();

2838 LeaveFunction("");	2840 LeaveFunction("");

(...skipping 661 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3500 (result == OK \|\|	3502 (result == OK \|\|

3501 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&	3503 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&

3502 !transport_security_state_->CheckPublicKeyPins(	3504 !transport_security_state_->CheckPublicKeyPins(

3503 host_and_port_.host(),	3505 host_and_port_.host(),

3504 server_cert_verify_result_.is_issued_by_known_root,	3506 server_cert_verify_result_.is_issued_by_known_root,

3505 server_cert_verify_result_.public_key_hashes,	3507 server_cert_verify_result_.public_key_hashes,

3506 &pinning_failure_log_)) {	3508 &pinning_failure_log_)) {

3507 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;	3509 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;

3508 }	3510 }

3509	3511

3510 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =

3511 SSLConfigService::GetEVCertsWhitelist();

3512 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {

3513 if (ev_whitelist.get() && ev_whitelist->IsValid()) {

3514 const SHA256HashValue fingerprint(

3515 X509Certificate::CalculateFingerprint256(

3516 server_cert_verify_result_.verified_cert->os_cert_handle()));

3517

3518 UMA_HISTOGRAM_BOOLEAN(

3519 "Net.SSL_EVCertificateInWhitelist",

3520 ev_whitelist->ContainsCertificateHash(

3521 std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));

3522 }

3523 }

3524

3525 if (result == OK) {	3512 if (result == OK) {

3526 // Only check Certificate Transparency if there were no other errors with	3513 // Only check Certificate Transparency if there were no other errors with

3527 // the connection.	3514 // the connection.

3528 VerifyCT();	3515 VerifyCT();

3529	3516

3530 // Only cache the session if the certificate verified successfully.	3517 // Only cache the session if the certificate verified successfully.

3531 core_->CacheSessionIfNecessary();	3518 core_->CacheSessionIfNecessary();

3532 }	3519 }

3533	3520

3534 completed_handshake_ = true;	3521 completed_handshake_ = true;

(...skipping 17 matching lines...) Expand all Loading...
3552 &ct_verify_result_,	3539 &ct_verify_result_,

3553 net_log_);	3540 net_log_);

3554 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension	3541 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension

3555 // from the state after verification is complete, to conserve memory.	3542 // from the state after verification is complete, to conserve memory.

3556	3543

3557 VLOG(1) << "CT Verification complete: result " << result	3544 VLOG(1) << "CT Verification complete: result " << result

3558 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()	3545 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()

3559 << " Verified scts: " << ct_verify_result_.verified_scts.size()	3546 << " Verified scts: " << ct_verify_result_.verified_scts.size()

3560 << " scts from unknown logs: "	3547 << " scts from unknown logs: "

3561 << ct_verify_result_.unknown_logs_scts.size();	3548 << ct_verify_result_.unknown_logs_scts.size();

	3549

	3550 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&

	3551 (policy_enforcer_)) {
	Ryan Sleevi 2014/11/06 00:16:43 Let's make sure we 'fail closed', which also addre Let's make sure we 'fail closed', which also addresses Matt's concern re: contexts if (!policy_enforcer) { server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; } else { .... } This guarantees we'll never grant EV for anything that doesn't go through the CT check, and everything that does can just have it disabled if necessary (Finch or bool, tomato tomato) Eran Messeri 2014/11/20 11:49:56 Done. Show quoted text On 2014/11/06 00:16:43, Ryan Sleevi (OOO until 11-18) wrote: > Let's make sure we 'fail closed', which also addresses Matt's concern re: > contexts > > if (!policy_enforcer) { > server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; > } else { > .... > } > > This guarantees we'll never grant EV for anything that doesn't go through the CT > check, and everything that does can just have it disabled if necessary (Finch or > bool, tomato tomato) Done.
	3552 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =

	3553 SSLConfigService::GetEVCertsWhitelist();

	3554

	3555 if (!policy_enforcer_->DoesConformToCTEVPolicy(

	3556 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),

	3557 ct_verify_result_)) {

	3558 VLOG(1) << "EV certificate without enough SCTs, removing EV status.";

	3559 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;

	3560 }

	3561 }

3562 }	3562 }

3563	3563

3564 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {	3564 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {

3565 UpdateConnectionTypeHistograms(CONNECTION_SSL);	3565 UpdateConnectionTypeHistograms(CONNECTION_SSL);

3566 int ssl_version = SSLConnectionStatusToVersion(	3566 int ssl_version = SSLConnectionStatusToVersion(

3567 core_->state().ssl_connection_status);	3567 core_->state().ssl_connection_status);

3568 switch (ssl_version) {	3568 switch (ssl_version) {

3569 case SSL_CONNECTION_VERSION_SSL2:	3569 case SSL_CONNECTION_VERSION_SSL2:

3570 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);	3570 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);

3571 break;	3571 break;

(...skipping 50 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3622 scoped_refptr<X509Certificate>	3622 scoped_refptr<X509Certificate>

3623 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {	3623 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {

3624 return core_->state().server_cert.get();	3624 return core_->state().server_cert.get();

3625 }	3625 }

3626	3626

3627 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {	3627 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {

3628 return channel_id_service_;	3628 return channel_id_service_;

3629 }	3629 }

3630	3630

3631 } // namespace net	3631 } // namespace net

OLD	NEW

« net/cert/cert_policy_enforcer.cc ('K') | « net/socket/ssl_client_socket_nss.h ('k') | net/socket/ssl_client_socket_openssl.h » ('j') | net/socket/ssl_client_socket_openssl.cc » ('J')