Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(149)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: datatype issues addressed. Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/cert/ct_verifier.h ('K') | « net/socket/ssl_client_socket_nss.h ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 74 matching lines...) Expand 10 before | Expand all | Expand 10 after
85 #include "crypto/nss_util_internal.h" 85 #include "crypto/nss_util_internal.h"
86 #include "crypto/rsa_private_key.h" 86 #include "crypto/rsa_private_key.h"
87 #include "crypto/scoped_nss_types.h" 87 #include "crypto/scoped_nss_types.h"
88 #include "net/base/address_list.h" 88 #include "net/base/address_list.h"
89 #include "net/base/connection_type_histograms.h" 89 #include "net/base/connection_type_histograms.h"
90 #include "net/base/dns_util.h" 90 #include "net/base/dns_util.h"
91 #include "net/base/io_buffer.h" 91 #include "net/base/io_buffer.h"
92 #include "net/base/net_errors.h" 92 #include "net/base/net_errors.h"
93 #include "net/base/net_log.h" 93 #include "net/base/net_log.h"
94 #include "net/cert/asn1_util.h" 94 #include "net/cert/asn1_util.h"
95 #include "net/cert/cert_policy_enforcer.h"
95 #include "net/cert/cert_status_flags.h" 96 #include "net/cert/cert_status_flags.h"
96 #include "net/cert/cert_verifier.h" 97 #include "net/cert/cert_verifier.h"
97 #include "net/cert/ct_objects_extractor.h" 98 #include "net/cert/ct_objects_extractor.h"
98 #include "net/cert/ct_verifier.h" 99 #include "net/cert/ct_verifier.h"
99 #include "net/cert/ct_verify_result.h" 100 #include "net/cert/ct_verify_result.h"
100 #include "net/cert/scoped_nss_types.h" 101 #include "net/cert/scoped_nss_types.h"
101 #include "net/cert/sct_status_flags.h" 102 #include "net/cert/sct_status_flags.h"
102 #include "net/cert/single_request_cert_verifier.h" 103 #include "net/cert/single_request_cert_verifier.h"
103 #include "net/cert/x509_certificate_net_log_param.h" 104 #include "net/cert/x509_certificate_net_log_param.h"
104 #include "net/cert/x509_util.h" 105 #include "net/cert/x509_util.h"
(...skipping 2695 matching lines...) Expand 10 before | Expand all | Expand 10 after
2800 ssl_config_(ssl_config), 2801 ssl_config_(ssl_config),
2801 cert_verifier_(context.cert_verifier), 2802 cert_verifier_(context.cert_verifier),
2802 cert_transparency_verifier_(context.cert_transparency_verifier), 2803 cert_transparency_verifier_(context.cert_transparency_verifier),
2803 channel_id_service_(context.channel_id_service), 2804 channel_id_service_(context.channel_id_service),
2804 ssl_session_cache_shard_(context.ssl_session_cache_shard), 2805 ssl_session_cache_shard_(context.ssl_session_cache_shard),
2805 completed_handshake_(false), 2806 completed_handshake_(false),
2806 next_handshake_state_(STATE_NONE), 2807 next_handshake_state_(STATE_NONE),
2807 nss_fd_(NULL), 2808 nss_fd_(NULL),
2808 net_log_(transport_->socket()->NetLog()), 2809 net_log_(transport_->socket()->NetLog()),
2809 transport_security_state_(context.transport_security_state), 2810 transport_security_state_(context.transport_security_state),
2811 policy_enforcer_(new CertPolicyEnforcer(
Ryan Sleevi 2014/10/22 19:48:36 This should be passed in, not created.
Eran Messeri 2014/10/24 12:12:36 Done. It's passed *all* the way from the IOThread.
2812 cert_transparency_verifier_
2813 ? cert_transparency_verifier_->GetNumKnownLogs()
2814 : 0)),
2810 valid_thread_id_(base::kInvalidThreadId) { 2815 valid_thread_id_(base::kInvalidThreadId) {
2811 EnterFunction(""); 2816 EnterFunction("");
2812 InitCore(); 2817 InitCore();
2813 LeaveFunction(""); 2818 LeaveFunction("");
2814 } 2819 }
2815 2820
2816 SSLClientSocketNSS::~SSLClientSocketNSS() { 2821 SSLClientSocketNSS::~SSLClientSocketNSS() {
2817 EnterFunction(""); 2822 EnterFunction("");
2818 Disconnect(); 2823 Disconnect();
2819 LeaveFunction(""); 2824 LeaveFunction("");
(...skipping 698 matching lines...) Expand 10 before | Expand all | Expand 10 after
3518 &ct_verify_result_, 3523 &ct_verify_result_,
3519 net_log_); 3524 net_log_);
3520 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension 3525 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
3521 // from the state after verification is complete, to conserve memory. 3526 // from the state after verification is complete, to conserve memory.
3522 3527
3523 VLOG(1) << "CT Verification complete: result " << result 3528 VLOG(1) << "CT Verification complete: result " << result
3524 << " Invalid scts: " << ct_verify_result_.invalid_scts.size() 3529 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
3525 << " Verified scts: " << ct_verify_result_.verified_scts.size() 3530 << " Verified scts: " << ct_verify_result_.verified_scts.size()
3526 << " scts from unknown logs: " 3531 << " scts from unknown logs: "
3527 << ct_verify_result_.unknown_logs_scts.size(); 3532 << ct_verify_result_.unknown_logs_scts.size();
3533
3534 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&
3535 (!policy_enforcer_->DoesConformToCTEVPolicy(
3536 server_cert_verify_result_.verified_cert.get(), ct_verify_result_))) {
3537 VLOG(1) << "EV certificate without enough SCTs, removing EV status.";
3538 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
3539 }
3528 } 3540 }
3529 3541
3530 void SSLClientSocketNSS::LogConnectionTypeMetrics() const { 3542 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
3531 UpdateConnectionTypeHistograms(CONNECTION_SSL); 3543 UpdateConnectionTypeHistograms(CONNECTION_SSL);
3532 int ssl_version = SSLConnectionStatusToVersion( 3544 int ssl_version = SSLConnectionStatusToVersion(
3533 core_->state().ssl_connection_status); 3545 core_->state().ssl_connection_status);
3534 switch (ssl_version) { 3546 switch (ssl_version) {
3535 case SSL_CONNECTION_VERSION_SSL2: 3547 case SSL_CONNECTION_VERSION_SSL2:
3536 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); 3548 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);
3537 break; 3549 break;
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
3588 scoped_refptr<X509Certificate> 3600 scoped_refptr<X509Certificate>
3589 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { 3601 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3590 return core_->state().server_cert.get(); 3602 return core_->state().server_cert.get();
3591 } 3603 }
3592 3604
3593 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { 3605 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
3594 return channel_id_service_; 3606 return channel_id_service_;
3595 } 3607 }
3596 3608
3597 } // namespace net 3609 } // namespace net
OLDNEW
« net/cert/ct_verifier.h ('K') | « net/socket/ssl_client_socket_nss.h ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698