OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
84 #include "crypto/nss_util.h" | 84 #include "crypto/nss_util.h" |
85 #include "crypto/nss_util_internal.h" | 85 #include "crypto/nss_util_internal.h" |
86 #include "crypto/rsa_private_key.h" | 86 #include "crypto/rsa_private_key.h" |
87 #include "crypto/scoped_nss_types.h" | 87 #include "crypto/scoped_nss_types.h" |
88 #include "net/base/address_list.h" | 88 #include "net/base/address_list.h" |
89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
94 #include "net/cert/cert_policy_enforcer.h" | |
94 #include "net/cert/cert_status_flags.h" | 95 #include "net/cert/cert_status_flags.h" |
95 #include "net/cert/cert_verifier.h" | 96 #include "net/cert/cert_verifier.h" |
96 #include "net/cert/ct_ev_whitelist.h" | 97 #include "net/cert/ct_ev_whitelist.h" |
97 #include "net/cert/ct_verifier.h" | 98 #include "net/cert/ct_verifier.h" |
98 #include "net/cert/ct_verify_result.h" | 99 #include "net/cert/ct_verify_result.h" |
99 #include "net/cert/scoped_nss_types.h" | 100 #include "net/cert/scoped_nss_types.h" |
100 #include "net/cert/sct_status_flags.h" | 101 #include "net/cert/sct_status_flags.h" |
101 #include "net/cert/single_request_cert_verifier.h" | 102 #include "net/cert/single_request_cert_verifier.h" |
102 #include "net/cert/x509_certificate_net_log_param.h" | 103 #include "net/cert/x509_certificate_net_log_param.h" |
103 #include "net/cert/x509_util.h" | 104 #include "net/cert/x509_util.h" |
(...skipping 2723 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2827 ssl_config_(ssl_config), | 2828 ssl_config_(ssl_config), |
2828 cert_verifier_(context.cert_verifier), | 2829 cert_verifier_(context.cert_verifier), |
2829 cert_transparency_verifier_(context.cert_transparency_verifier), | 2830 cert_transparency_verifier_(context.cert_transparency_verifier), |
2830 channel_id_service_(context.channel_id_service), | 2831 channel_id_service_(context.channel_id_service), |
2831 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 2832 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
2832 completed_handshake_(false), | 2833 completed_handshake_(false), |
2833 next_handshake_state_(STATE_NONE), | 2834 next_handshake_state_(STATE_NONE), |
2834 nss_fd_(NULL), | 2835 nss_fd_(NULL), |
2835 net_log_(transport_->socket()->NetLog()), | 2836 net_log_(transport_->socket()->NetLog()), |
2836 transport_security_state_(context.transport_security_state), | 2837 transport_security_state_(context.transport_security_state), |
2838 policy_enforcer_(context.cert_policy_enforcer), | |
2837 valid_thread_id_(base::kInvalidThreadId) { | 2839 valid_thread_id_(base::kInvalidThreadId) { |
2838 EnterFunction(""); | 2840 EnterFunction(""); |
2839 InitCore(); | 2841 InitCore(); |
2840 LeaveFunction(""); | 2842 LeaveFunction(""); |
2841 } | 2843 } |
2842 | 2844 |
2843 SSLClientSocketNSS::~SSLClientSocketNSS() { | 2845 SSLClientSocketNSS::~SSLClientSocketNSS() { |
2844 EnterFunction(""); | 2846 EnterFunction(""); |
2845 Disconnect(); | 2847 Disconnect(); |
2846 LeaveFunction(""); | 2848 LeaveFunction(""); |
(...skipping 664 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3511 (result == OK || | 3513 (result == OK || |
3512 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 3514 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
3513 !transport_security_state_->CheckPublicKeyPins( | 3515 !transport_security_state_->CheckPublicKeyPins( |
3514 host_and_port_.host(), | 3516 host_and_port_.host(), |
3515 server_cert_verify_result_.is_issued_by_known_root, | 3517 server_cert_verify_result_.is_issued_by_known_root, |
3516 server_cert_verify_result_.public_key_hashes, | 3518 server_cert_verify_result_.public_key_hashes, |
3517 &pinning_failure_log_)) { | 3519 &pinning_failure_log_)) { |
3518 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 3520 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
3519 } | 3521 } |
3520 | 3522 |
3521 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
3522 SSLConfigService::GetEVCertsWhitelist(); | |
3523 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
3524 if (ev_whitelist.get() && ev_whitelist->IsValid()) { | |
3525 const SHA256HashValue fingerprint( | |
3526 X509Certificate::CalculateFingerprint256( | |
3527 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
3528 | |
3529 UMA_HISTOGRAM_BOOLEAN( | |
3530 "Net.SSL_EVCertificateInWhitelist", | |
3531 ev_whitelist->ContainsCertificateHash( | |
3532 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
3533 } | |
3534 } | |
3535 | |
3536 if (result == OK) { | 3523 if (result == OK) { |
3537 // Only check Certificate Transparency if there were no other errors with | 3524 // Only check Certificate Transparency if there were no other errors with |
3538 // the connection. | 3525 // the connection. |
3539 VerifyCT(); | 3526 VerifyCT(); |
3540 | 3527 |
3541 // Only cache the session if the certificate verified successfully. | 3528 // Only cache the session if the certificate verified successfully. |
3542 core_->CacheSessionIfNecessary(); | 3529 core_->CacheSessionIfNecessary(); |
3543 } | 3530 } |
3544 | 3531 |
3545 completed_handshake_ = true; | 3532 completed_handshake_ = true; |
(...skipping 16 matching lines...) Expand all Loading... | |
3562 core_->state().sct_list_from_tls_extension, | 3549 core_->state().sct_list_from_tls_extension, |
3563 &ct_verify_result_, | 3550 &ct_verify_result_, |
3564 net_log_); | 3551 net_log_); |
3565 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3552 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
3566 // from the state after verification is complete, to conserve memory. | 3553 // from the state after verification is complete, to conserve memory. |
3567 | 3554 |
3568 VLOG(1) << "CT Verification complete: result " << result | 3555 VLOG(1) << "CT Verification complete: result " << result |
3569 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3556 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() |
3570 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3557 << " Verified scts: " << ct_verify_result_.verified_scts.size() |
3571 << " scts from unknown logs: " | 3558 << " scts from unknown logs: " |
3572 << ct_verify_result_.unknown_logs_scts.size(); | 3559 << ct_verify_result_.unknown_logs_scts.size(); |
Ryan Sleevi
2014/11/28 15:27:44
This is all NetLogged right now - we should be nuk
Eran Messeri
2014/12/01 13:59:03
Done.
| |
3560 | |
3561 if (!policy_enforcer_) { | |
3562 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
3563 } else { | |
3564 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
3565 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
3566 SSLConfigService::GetEVCertsWhitelist(); | |
3567 if (!policy_enforcer_->DoesConformToCTEVPolicy( | |
3568 server_cert_verify_result_.verified_cert.get(), | |
3569 ev_whitelist.get(), ct_verify_result_)) { | |
3570 VLOG(1) << "EV certificate for " | |
3571 << server_cert_verify_result_.verified_cert->subject() | |
3572 .GetDisplayName() | |
3573 << " does not conform to CT policy, removing EV status."; | |
Ryan Sleevi
2014/11/28 15:27:44
NetLog
Eran Messeri
2014/12/01 13:59:03
Done (added TODO with bug#).
| |
3574 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; | |
3575 } | |
3576 } | |
3577 } | |
3573 } | 3578 } |
3574 | 3579 |
3575 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3580 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
3576 base::AutoLock auto_lock(lock_); | 3581 base::AutoLock auto_lock(lock_); |
3577 if (valid_thread_id_ != base::kInvalidThreadId) | 3582 if (valid_thread_id_ != base::kInvalidThreadId) |
3578 return; | 3583 return; |
3579 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3584 valid_thread_id_ = base::PlatformThread::CurrentId(); |
3580 } | 3585 } |
3581 | 3586 |
3582 bool SSLClientSocketNSS::CalledOnValidThread() const { | 3587 bool SSLClientSocketNSS::CalledOnValidThread() const { |
(...skipping 27 matching lines...) Expand all Loading... | |
3610 scoped_refptr<X509Certificate> | 3615 scoped_refptr<X509Certificate> |
3611 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3616 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
3612 return core_->state().server_cert.get(); | 3617 return core_->state().server_cert.get(); |
3613 } | 3618 } |
3614 | 3619 |
3615 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3620 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
3616 return channel_id_service_; | 3621 return channel_id_service_; |
3617 } | 3622 } |
3618 | 3623 |
3619 } // namespace net | 3624 } // namespace net |
OLD | NEW |