net/socket/ssl_client_socket_nss.cc - Issue 422063004: Certificate Transparency: Require SCTs for EV certificates.

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Added missing include Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived	5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived

6 // from AuthCertificateCallback() in	6 // from AuthCertificateCallback() in

7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.	7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.

8	8

9 /* *** BEGIN LICENSE BLOCK ***	9 /* *** BEGIN LICENSE BLOCK ***

10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

(...skipping 73 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
84 #include "crypto/nss_util.h"	84 #include "crypto/nss_util.h"

85 #include "crypto/nss_util_internal.h"	85 #include "crypto/nss_util_internal.h"

86 #include "crypto/rsa_private_key.h"	86 #include "crypto/rsa_private_key.h"

87 #include "crypto/scoped_nss_types.h"	87 #include "crypto/scoped_nss_types.h"

88 #include "net/base/address_list.h"	88 #include "net/base/address_list.h"

89 #include "net/base/dns_util.h"	89 #include "net/base/dns_util.h"

90 #include "net/base/io_buffer.h"	90 #include "net/base/io_buffer.h"

91 #include "net/base/net_errors.h"	91 #include "net/base/net_errors.h"

92 #include "net/base/net_log.h"	92 #include "net/base/net_log.h"

93 #include "net/cert/asn1_util.h"	93 #include "net/cert/asn1_util.h"

	94 #include "net/cert/cert_policy_enforcer.h"

94 #include "net/cert/cert_status_flags.h"	95 #include "net/cert/cert_status_flags.h"

95 #include "net/cert/cert_verifier.h"	96 #include "net/cert/cert_verifier.h"

96 #include "net/cert/ct_ev_whitelist.h"	97 #include "net/cert/ct_ev_whitelist.h"

97 #include "net/cert/ct_verifier.h"	98 #include "net/cert/ct_verifier.h"

98 #include "net/cert/ct_verify_result.h"	99 #include "net/cert/ct_verify_result.h"

99 #include "net/cert/scoped_nss_types.h"	100 #include "net/cert/scoped_nss_types.h"

100 #include "net/cert/sct_status_flags.h"	101 #include "net/cert/sct_status_flags.h"

101 #include "net/cert/single_request_cert_verifier.h"	102 #include "net/cert/single_request_cert_verifier.h"

102 #include "net/cert/x509_certificate_net_log_param.h"	103 #include "net/cert/x509_certificate_net_log_param.h"

103 #include "net/cert/x509_util.h"	104 #include "net/cert/x509_util.h"

(...skipping 2723 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2827 ssl_config_(ssl_config),	2828 ssl_config_(ssl_config),

2828 cert_verifier_(context.cert_verifier),	2829 cert_verifier_(context.cert_verifier),

2829 cert_transparency_verifier_(context.cert_transparency_verifier),	2830 cert_transparency_verifier_(context.cert_transparency_verifier),

2830 channel_id_service_(context.channel_id_service),	2831 channel_id_service_(context.channel_id_service),

2831 ssl_session_cache_shard_(context.ssl_session_cache_shard),	2832 ssl_session_cache_shard_(context.ssl_session_cache_shard),

2832 completed_handshake_(false),	2833 completed_handshake_(false),

2833 next_handshake_state_(STATE_NONE),	2834 next_handshake_state_(STATE_NONE),

2834 nss_fd_(NULL),	2835 nss_fd_(NULL),

2835 net_log_(transport_->socket()->NetLog()),	2836 net_log_(transport_->socket()->NetLog()),

2836 transport_security_state_(context.transport_security_state),	2837 transport_security_state_(context.transport_security_state),

	2838 policy_enforcer_(context.cert_policy_enforcer),

2837 valid_thread_id_(base::kInvalidThreadId) {	2839 valid_thread_id_(base::kInvalidThreadId) {

2838 EnterFunction("");	2840 EnterFunction("");

2839 InitCore();	2841 InitCore();

2840 LeaveFunction("");	2842 LeaveFunction("");

2841 }	2843 }

2842	2844

2843 SSLClientSocketNSS::~SSLClientSocketNSS() {	2845 SSLClientSocketNSS::~SSLClientSocketNSS() {

2844 EnterFunction("");	2846 EnterFunction("");

2845 Disconnect();	2847 Disconnect();

2846 LeaveFunction("");	2848 LeaveFunction("");

(...skipping 664 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3511 (result == OK \|\|	3513 (result == OK \|\|

3512 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&	3514 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&

3513 !transport_security_state_->CheckPublicKeyPins(	3515 !transport_security_state_->CheckPublicKeyPins(

3514 host_and_port_.host(),	3516 host_and_port_.host(),

3515 server_cert_verify_result_.is_issued_by_known_root,	3517 server_cert_verify_result_.is_issued_by_known_root,

3516 server_cert_verify_result_.public_key_hashes,	3518 server_cert_verify_result_.public_key_hashes,

3517 &pinning_failure_log_)) {	3519 &pinning_failure_log_)) {

3518 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;	3520 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;

3519 }	3521 }

3520	3522

3521 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =

3522 SSLConfigService::GetEVCertsWhitelist();

3523 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {

3524 if (ev_whitelist.get() && ev_whitelist->IsValid()) {

3525 const SHA256HashValue fingerprint(

3526 X509Certificate::CalculateFingerprint256(

3527 server_cert_verify_result_.verified_cert->os_cert_handle()));

3528

3529 UMA_HISTOGRAM_BOOLEAN(

3530 "Net.SSL_EVCertificateInWhitelist",

3531 ev_whitelist->ContainsCertificateHash(

3532 std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));

3533 }

3534 }

3535

3536 if (result == OK) {	3523 if (result == OK) {

3537 // Only check Certificate Transparency if there were no other errors with	3524 // Only check Certificate Transparency if there were no other errors with

3538 // the connection.	3525 // the connection.

3539 VerifyCT();	3526 VerifyCT();

3540	3527

3541 // Only cache the session if the certificate verified successfully.	3528 // Only cache the session if the certificate verified successfully.

3542 core_->CacheSessionIfNecessary();	3529 core_->CacheSessionIfNecessary();

3543 }	3530 }

3544	3531

3545 completed_handshake_ = true;	3532 completed_handshake_ = true;

(...skipping 16 matching lines...) Expand all Loading...
3562 core_->state().sct_list_from_tls_extension,	3549 core_->state().sct_list_from_tls_extension,

3563 &ct_verify_result_,	3550 &ct_verify_result_,

3564 net_log_);	3551 net_log_);

3565 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension	3552 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension

3566 // from the state after verification is complete, to conserve memory.	3553 // from the state after verification is complete, to conserve memory.

3567	3554

3568 VLOG(1) << "CT Verification complete: result " << result	3555 VLOG(1) << "CT Verification complete: result " << result

3569 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()	3556 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()

3570 << " Verified scts: " << ct_verify_result_.verified_scts.size()	3557 << " Verified scts: " << ct_verify_result_.verified_scts.size()

3571 << " scts from unknown logs: "	3558 << " scts from unknown logs: "

3572 << ct_verify_result_.unknown_logs_scts.size();	3559 << ct_verify_result_.unknown_logs_scts.size();
	Ryan Sleevi 2014/11/28 15:27:44 This is all NetLogged right now - we should be nuk This is all NetLogged right now - we should be nuking this VLOG. Eran Messeri 2014/12/01 13:59:03 Done. Show quoted text On 2014/11/28 15:27:44, Ryan Sleevi wrote: > This is all NetLogged right now - we should be nuking this VLOG. Done.
	3560

	3561 if (!policy_enforcer_) {

	3562 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;

	3563 } else {

	3564 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {

	3565 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =

	3566 SSLConfigService::GetEVCertsWhitelist();

	3567 if (!policy_enforcer_->DoesConformToCTEVPolicy(

	3568 server_cert_verify_result_.verified_cert.get(),

	3569 ev_whitelist.get(), ct_verify_result_)) {

	3570 VLOG(1) << "EV certificate for "

	3571 << server_cert_verify_result_.verified_cert->subject()

	3572 .GetDisplayName()

	3573 << " does not conform to CT policy, removing EV status.";
	Ryan Sleevi 2014/11/28 15:27:44 NetLog NetLog Eran Messeri 2014/12/01 13:59:03 Done (added TODO with bug#). Show quoted text On 2014/11/28 15:27:44, Ryan Sleevi wrote: > NetLog Done (added TODO with bug#).
	3574 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;

	3575 }

	3576 }

	3577 }

3573 }	3578 }

3574	3579

3575 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {	3580 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {

3576 base::AutoLock auto_lock(lock_);	3581 base::AutoLock auto_lock(lock_);

3577 if (valid_thread_id_ != base::kInvalidThreadId)	3582 if (valid_thread_id_ != base::kInvalidThreadId)

3578 return;	3583 return;

3579 valid_thread_id_ = base::PlatformThread::CurrentId();	3584 valid_thread_id_ = base::PlatformThread::CurrentId();

3580 }	3585 }

3581	3586

3582 bool SSLClientSocketNSS::CalledOnValidThread() const {	3587 bool SSLClientSocketNSS::CalledOnValidThread() const {

(...skipping 27 matching lines...) Expand all Loading...
3610 scoped_refptr<X509Certificate>	3615 scoped_refptr<X509Certificate>

3611 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {	3616 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {

3612 return core_->state().server_cert.get();	3617 return core_->state().server_cert.get();

3613 }	3618 }

3614	3619

3615 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {	3620 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {

3616 return channel_id_service_;	3621 return channel_id_service_;

3617 }	3622 }

3618	3623

3619 } // namespace net	3624 } // namespace net

OLD	NEW

« net/cert/cert_policy_enforcer_unittest.cc ('K') | « net/socket/ssl_client_socket_nss.h ('k') | net/socket/ssl_client_socket_openssl.h » ('j') | net/socket/ssl_client_socket_openssl.cc » ('J')