Chromium Code Reviews Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/err.h> | 12 #include <openssl/err.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 | 14 |
| 15 #include "base/bind.h" | 15 #include "base/bind.h" |
| 16 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
| 17 #include "base/environment.h" | 17 #include "base/environment.h" |
| 18 #include "base/memory/singleton.h" | 18 #include "base/memory/singleton.h" |
| 19 #include "base/metrics/histogram.h" | 19 #include "base/metrics/histogram.h" |
| 20 #include "base/strings/string_piece.h" | 20 #include "base/strings/string_piece.h" |
| 21 #include "base/synchronization/lock.h" | 21 #include "base/synchronization/lock.h" |
| 22 #include "crypto/ec_private_key.h" | 22 #include "crypto/ec_private_key.h" |
| 23 #include "crypto/openssl_util.h" | 23 #include "crypto/openssl_util.h" |
| 24 #include "crypto/scoped_openssl_types.h" | 24 #include "crypto/scoped_openssl_types.h" |
| 25 #include "net/base/net_errors.h" | 25 #include "net/base/net_errors.h" |
| 26 #include "net/cert/cert_policy_enforcer.h" | |
| 26 #include "net/cert/cert_verifier.h" | 27 #include "net/cert/cert_verifier.h" |
| 27 #include "net/cert/ct_ev_whitelist.h" | 28 #include "net/cert/ct_ev_whitelist.h" |
| 28 #include "net/cert/ct_verifier.h" | 29 #include "net/cert/ct_verifier.h" |
| 29 #include "net/cert/single_request_cert_verifier.h" | 30 #include "net/cert/single_request_cert_verifier.h" |
| 30 #include "net/cert/x509_certificate_net_log_param.h" | 31 #include "net/cert/x509_certificate_net_log_param.h" |
| 31 #include "net/cert/x509_util_openssl.h" | 32 #include "net/cert/x509_util_openssl.h" |
| 32 #include "net/http/transport_security_state.h" | 33 #include "net/http/transport_security_state.h" |
| 33 #include "net/socket/ssl_session_cache_openssl.h" | 34 #include "net/socket/ssl_session_cache_openssl.h" |
| 34 #include "net/ssl/ssl_cert_request_info.h" | 35 #include "net/ssl/ssl_cert_request_info.h" |
| 35 #include "net/ssl/ssl_connection_status_flags.h" | 36 #include "net/ssl/ssl_connection_status_flags.h" |
| (...skipping 319 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 355 host_and_port_(host_and_port), | 356 host_and_port_(host_and_port), |
| 356 ssl_config_(ssl_config), | 357 ssl_config_(ssl_config), |
| 357 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 358 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 358 trying_cached_session_(false), | 359 trying_cached_session_(false), |
| 359 next_handshake_state_(STATE_NONE), | 360 next_handshake_state_(STATE_NONE), |
| 360 npn_status_(kNextProtoUnsupported), | 361 npn_status_(kNextProtoUnsupported), |
| 361 channel_id_xtn_negotiated_(false), | 362 channel_id_xtn_negotiated_(false), |
| 362 handshake_succeeded_(false), | 363 handshake_succeeded_(false), |
| 363 marked_session_as_good_(false), | 364 marked_session_as_good_(false), |
| 364 transport_security_state_(context.transport_security_state), | 365 transport_security_state_(context.transport_security_state), |
| 366 policy_enforcer_(context.cert_policy_enforcer), | |
| 365 net_log_(transport_->socket()->NetLog()), | 367 net_log_(transport_->socket()->NetLog()), |
| 366 weak_factory_(this) { | 368 weak_factory_(this) { |
| 367 } | 369 } |
| 368 | 370 |
| 369 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { | 371 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() { |
| 370 Disconnect(); | 372 Disconnect(); |
| 371 } | 373 } |
| 372 | 374 |
| 373 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { | 375 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const { |
| 374 std::string result = host_and_port_.ToString(); | 376 std::string result = host_and_port_.ToString(); |
| (...skipping 725 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1100 (result == OK || | 1102 (result == OK || |
| 1101 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 1103 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 1102 !transport_security_state_->CheckPublicKeyPins( | 1104 !transport_security_state_->CheckPublicKeyPins( |
| 1103 host_and_port_.host(), | 1105 host_and_port_.host(), |
| 1104 server_cert_verify_result_.is_issued_by_known_root, | 1106 server_cert_verify_result_.is_issued_by_known_root, |
| 1105 server_cert_verify_result_.public_key_hashes, | 1107 server_cert_verify_result_.public_key_hashes, |
| 1106 &pinning_failure_log_)) { | 1108 &pinning_failure_log_)) { |
| 1107 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 1109 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 1108 } | 1110 } |
| 1109 | 1111 |
| 1110 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
| 1111 SSLConfigService::GetEVCertsWhitelist(); | |
| 1112 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
| 1113 if (ev_whitelist.get() && ev_whitelist->IsValid()) { | |
| 1114 const SHA256HashValue fingerprint( | |
| 1115 X509Certificate::CalculateFingerprint256( | |
| 1116 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
| 1117 | |
| 1118 UMA_HISTOGRAM_BOOLEAN( | |
| 1119 "Net.SSL_EVCertificateInWhitelist", | |
| 1120 ev_whitelist->ContainsCertificateHash( | |
| 1121 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
| 1122 } | |
| 1123 } | |
| 1124 | |
| 1125 if (result == OK) { | 1112 if (result == OK) { |
| 1126 // Only check Certificate Transparency if there were no other errors with | 1113 // Only check Certificate Transparency if there were no other errors with |
| 1127 // the connection. | 1114 // the connection. |
| 1128 VerifyCT(); | 1115 VerifyCT(); |
| 1129 | 1116 |
| 1130 // TODO(joth): Work out if we need to remember the intermediate CA certs | 1117 // TODO(joth): Work out if we need to remember the intermediate CA certs |
| 1131 // when the server sends them to us, and do so here. | 1118 // when the server sends them to us, and do so here. |
| 1132 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); | 1119 SSLContext::GetInstance()->session_cache()->MarkSSLSessionAsGood(ssl_); |
| 1133 marked_session_as_good_ = true; | 1120 marked_session_as_good_ = true; |
| 1134 CheckIfHandshakeFinished(); | 1121 CheckIfHandshakeFinished(); |
| (...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1191 // external communication. | 1178 // external communication. |
| 1192 int result = cert_transparency_verifier_->Verify( | 1179 int result = cert_transparency_verifier_->Verify( |
| 1193 server_cert_verify_result_.verified_cert.get(), | 1180 server_cert_verify_result_.verified_cert.get(), |
| 1194 ocsp_response, sct_list, &ct_verify_result_, net_log_); | 1181 ocsp_response, sct_list, &ct_verify_result_, net_log_); |
| 1195 | 1182 |
| 1196 VLOG(1) << "CT Verification complete: result " << result | 1183 VLOG(1) << "CT Verification complete: result " << result |
| 1197 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 1184 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
| 1198 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 1185 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
| 1199 << " scts from unknown logs: " | 1186 << " scts from unknown logs: " |
| 1200 << ct_verify_result_.unknown_logs_scts.size(); | 1187 << ct_verify_result_.unknown_logs_scts.size(); |
| 1188 | |
| 1189 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && | |
| 1190 (policy_enforcer_)) { | |
| 1191 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
| 1192 SSLConfigService::GetEVCertsWhitelist(); | |
| 1193 | |
| 1194 if (!policy_enforcer_->DoesConformToCTEVPolicy( | |
| 1195 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), | |
| 1196 ct_verify_result_)) { | |
| 1197 VLOG(1) << "EV certificate without enough SCTs, removing EV status."; | |
| 1198 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
| 1199 } | |
| 1200 } | |
|
Ryan Sleevi
2014/11/06 00:16:43
ditto here
Eran Messeri
2014/11/20 11:49:56
Done.
| |
| 1201 } | 1201 } |
| 1202 | 1202 |
| 1203 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { | 1203 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) { |
| 1204 int rv = DoHandshakeLoop(result); | 1204 int rv = DoHandshakeLoop(result); |
| 1205 if (rv != ERR_IO_PENDING) { | 1205 if (rv != ERR_IO_PENDING) { |
| 1206 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); | 1206 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); |
| 1207 DoConnectCallback(rv); | 1207 DoConnectCallback(rv); |
| 1208 } | 1208 } |
| 1209 } | 1209 } |
| 1210 | 1210 |
| (...skipping 607 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1818 ct::SCT_STATUS_LOG_UNKNOWN)); | 1818 ct::SCT_STATUS_LOG_UNKNOWN)); |
| 1819 } | 1819 } |
| 1820 } | 1820 } |
| 1821 | 1821 |
| 1822 scoped_refptr<X509Certificate> | 1822 scoped_refptr<X509Certificate> |
| 1823 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { | 1823 SSLClientSocketOpenSSL::GetUnverifiedServerCertificateChain() const { |
| 1824 return server_cert_; | 1824 return server_cert_; |
| 1825 } | 1825 } |
| 1826 | 1826 |
| 1827 } // namespace net | 1827 } // namespace net |
| OLD | NEW |
