| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 84 #include "crypto/nss_util.h" | 84 #include "crypto/nss_util.h" |
| 85 #include "crypto/nss_util_internal.h" | 85 #include "crypto/nss_util_internal.h" |
| 86 #include "crypto/rsa_private_key.h" | 86 #include "crypto/rsa_private_key.h" |
| 87 #include "crypto/scoped_nss_types.h" | 87 #include "crypto/scoped_nss_types.h" |
| 88 #include "net/base/address_list.h" | 88 #include "net/base/address_list.h" |
| 89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
| 90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
| 91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
| 92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
| 93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
| 94 #include "net/cert/cert_policy_enforcer.h" |
| 94 #include "net/cert/cert_status_flags.h" | 95 #include "net/cert/cert_status_flags.h" |
| 95 #include "net/cert/cert_verifier.h" | 96 #include "net/cert/cert_verifier.h" |
| 96 #include "net/cert/ct_ev_whitelist.h" | 97 #include "net/cert/ct_ev_whitelist.h" |
| 97 #include "net/cert/ct_verifier.h" | 98 #include "net/cert/ct_verifier.h" |
| 98 #include "net/cert/ct_verify_result.h" | 99 #include "net/cert/ct_verify_result.h" |
| 99 #include "net/cert/scoped_nss_types.h" | 100 #include "net/cert/scoped_nss_types.h" |
| 100 #include "net/cert/sct_status_flags.h" | 101 #include "net/cert/sct_status_flags.h" |
| 101 #include "net/cert/single_request_cert_verifier.h" | 102 #include "net/cert/single_request_cert_verifier.h" |
| 102 #include "net/cert/x509_certificate_net_log_param.h" | 103 #include "net/cert/x509_certificate_net_log_param.h" |
| 103 #include "net/cert/x509_util.h" | 104 #include "net/cert/x509_util.h" |
| (...skipping 2720 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2824 ssl_config_(ssl_config), | 2825 ssl_config_(ssl_config), |
| 2825 cert_verifier_(context.cert_verifier), | 2826 cert_verifier_(context.cert_verifier), |
| 2826 cert_transparency_verifier_(context.cert_transparency_verifier), | 2827 cert_transparency_verifier_(context.cert_transparency_verifier), |
| 2827 channel_id_service_(context.channel_id_service), | 2828 channel_id_service_(context.channel_id_service), |
| 2828 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 2829 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 2829 completed_handshake_(false), | 2830 completed_handshake_(false), |
| 2830 next_handshake_state_(STATE_NONE), | 2831 next_handshake_state_(STATE_NONE), |
| 2831 nss_fd_(NULL), | 2832 nss_fd_(NULL), |
| 2832 net_log_(transport_->socket()->NetLog()), | 2833 net_log_(transport_->socket()->NetLog()), |
| 2833 transport_security_state_(context.transport_security_state), | 2834 transport_security_state_(context.transport_security_state), |
| 2835 policy_enforcer_(context.cert_policy_enforcer), |
| 2834 valid_thread_id_(base::kInvalidThreadId) { | 2836 valid_thread_id_(base::kInvalidThreadId) { |
| 2835 EnterFunction(""); | 2837 EnterFunction(""); |
| 2836 InitCore(); | 2838 InitCore(); |
| 2837 LeaveFunction(""); | 2839 LeaveFunction(""); |
| 2838 } | 2840 } |
| 2839 | 2841 |
| 2840 SSLClientSocketNSS::~SSLClientSocketNSS() { | 2842 SSLClientSocketNSS::~SSLClientSocketNSS() { |
| 2841 EnterFunction(""); | 2843 EnterFunction(""); |
| 2842 Disconnect(); | 2844 Disconnect(); |
| 2843 LeaveFunction(""); | 2845 LeaveFunction(""); |
| (...skipping 677 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3521 (result == OK || | 3523 (result == OK || |
| 3522 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 3524 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 3523 !transport_security_state_->CheckPublicKeyPins( | 3525 !transport_security_state_->CheckPublicKeyPins( |
| 3524 host_and_port_.host(), | 3526 host_and_port_.host(), |
| 3525 server_cert_verify_result_.is_issued_by_known_root, | 3527 server_cert_verify_result_.is_issued_by_known_root, |
| 3526 server_cert_verify_result_.public_key_hashes, | 3528 server_cert_verify_result_.public_key_hashes, |
| 3527 &pinning_failure_log_)) { | 3529 &pinning_failure_log_)) { |
| 3528 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 3530 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 3529 } | 3531 } |
| 3530 | 3532 |
| 3531 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = | |
| 3532 SSLConfigService::GetEVCertsWhitelist(); | |
| 3533 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
| 3534 if (ev_whitelist.get() && ev_whitelist->IsValid()) { | |
| 3535 const SHA256HashValue fingerprint( | |
| 3536 X509Certificate::CalculateFingerprint256( | |
| 3537 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
| 3538 | |
| 3539 UMA_HISTOGRAM_BOOLEAN( | |
| 3540 "Net.SSL_EVCertificateInWhitelist", | |
| 3541 ev_whitelist->ContainsCertificateHash( | |
| 3542 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
| 3543 } | |
| 3544 } | |
| 3545 | |
| 3546 if (result == OK) { | 3533 if (result == OK) { |
| 3547 // Only check Certificate Transparency if there were no other errors with | 3534 // Only check Certificate Transparency if there were no other errors with |
| 3548 // the connection. | 3535 // the connection. |
| 3549 VerifyCT(); | 3536 VerifyCT(); |
| 3550 | 3537 |
| 3551 // Only cache the session if the certificate verified successfully. | 3538 // Only cache the session if the certificate verified successfully. |
| 3552 core_->CacheSessionIfNecessary(); | 3539 core_->CacheSessionIfNecessary(); |
| 3553 } | 3540 } |
| 3554 | 3541 |
| 3555 completed_handshake_ = true; | 3542 completed_handshake_ = true; |
| 3556 | 3543 |
| 3557 // Exit DoHandshakeLoop and return the result to the caller to Connect. | 3544 // Exit DoHandshakeLoop and return the result to the caller to Connect. |
| 3558 DCHECK_EQ(STATE_NONE, next_handshake_state_); | 3545 DCHECK_EQ(STATE_NONE, next_handshake_state_); |
| 3559 return result; | 3546 return result; |
| 3560 } | 3547 } |
| 3561 | 3548 |
| 3562 void SSLClientSocketNSS::VerifyCT() { | 3549 void SSLClientSocketNSS::VerifyCT() { |
| 3563 if (!cert_transparency_verifier_) | 3550 if (!cert_transparency_verifier_) |
| 3564 return; | 3551 return; |
| 3565 | 3552 |
| 3566 // Note that this is a completely synchronous operation: The CT Log Verifier | 3553 // Note that this is a completely synchronous operation: The CT Log Verifier |
| 3567 // gets all the data it needs for SCT verification and does not do any | 3554 // gets all the data it needs for SCT verification and does not do any |
| 3568 // external communication. | 3555 // external communication. |
| 3569 int result = cert_transparency_verifier_->Verify( | 3556 cert_transparency_verifier_->Verify( |
| 3570 server_cert_verify_result_.verified_cert.get(), | 3557 server_cert_verify_result_.verified_cert.get(), |
| 3571 core_->state().stapled_ocsp_response, | 3558 core_->state().stapled_ocsp_response, |
| 3572 core_->state().sct_list_from_tls_extension, | 3559 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); |
| 3573 &ct_verify_result_, | |
| 3574 net_log_); | |
| 3575 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension | 3560 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension |
| 3576 // from the state after verification is complete, to conserve memory. | 3561 // from the state after verification is complete, to conserve memory. |
| 3577 | 3562 |
| 3578 VLOG(1) << "CT Verification complete: result " << result | 3563 if (!policy_enforcer_) { |
| 3579 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() | 3564 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 3580 << " Verified scts: " << ct_verify_result_.verified_scts.size() | 3565 } else { |
| 3581 << " scts from unknown logs: " | 3566 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
| 3582 << ct_verify_result_.unknown_logs_scts.size(); | 3567 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
| 3568 SSLConfigService::GetEVCertsWhitelist(); |
| 3569 if (!policy_enforcer_->DoesConformToCTEVPolicy( |
| 3570 server_cert_verify_result_.verified_cert.get(), |
| 3571 ev_whitelist.get(), ct_verify_result_)) { |
| 3572 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766 |
| 3573 VLOG(1) << "EV certificate for " |
| 3574 << server_cert_verify_result_.verified_cert->subject() |
| 3575 .GetDisplayName() |
| 3576 << " does not conform to CT policy, removing EV status."; |
| 3577 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
| 3578 } |
| 3579 } |
| 3580 } |
| 3583 } | 3581 } |
| 3584 | 3582 |
| 3585 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { | 3583 void SSLClientSocketNSS::EnsureThreadIdAssigned() const { |
| 3586 base::AutoLock auto_lock(lock_); | 3584 base::AutoLock auto_lock(lock_); |
| 3587 if (valid_thread_id_ != base::kInvalidThreadId) | 3585 if (valid_thread_id_ != base::kInvalidThreadId) |
| 3588 return; | 3586 return; |
| 3589 valid_thread_id_ = base::PlatformThread::CurrentId(); | 3587 valid_thread_id_ = base::PlatformThread::CurrentId(); |
| 3590 } | 3588 } |
| 3591 | 3589 |
| 3592 bool SSLClientSocketNSS::CalledOnValidThread() const { | 3590 bool SSLClientSocketNSS::CalledOnValidThread() const { |
| (...skipping 27 matching lines...) Expand all Loading... |
| 3620 scoped_refptr<X509Certificate> | 3618 scoped_refptr<X509Certificate> |
| 3621 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3619 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
| 3622 return core_->state().server_cert.get(); | 3620 return core_->state().server_cert.get(); |
| 3623 } | 3621 } |
| 3624 | 3622 |
| 3625 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3623 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
| 3626 return channel_id_service_; | 3624 return channel_id_service_; |
| 3627 } | 3625 } |
| 3628 | 3626 |
| 3629 } // namespace net | 3627 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 422063004:
Certificate Transparency: Require SCTs for EV certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master