Chromium Code Reviews

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 422063004: Certificate Transparency: Require SCTs for EV certificates. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Refining policy based on discussion with rsleevi Created 6 years, 5 months ago
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 83a4d62a746cf6ceefd327917f1af3ae106546fb..5479039618671e7c88c5225bd414661115f1325f 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -3502,6 +3502,13 @@ void SSLClientSocketNSS::VerifyCT() {
<< " Verified scts: " << ct_verify_result_.verified_scts.size()
<< " scts from unknown logs: "
<< ct_verify_result_.unknown_logs_scts.size();
+
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) &&
+ (!cert_transparency_verifier_->DoesConformToCTEVPolicy(
+ server_cert_verify_result_.verified_cert, ct_verify_result_))) {
+ VLOG(1) << "EV certificate without enough SCTs, removing EV status.";
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
+ }
Ryan Sleevi 2014/08/05 22:19:10 Another sign of layering concern is that this logi
Eran Messeri 2014/10/20 17:26:30 I've created a new class, CertPolicyEnforcer, whic
}
void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
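Review bot: The added block in VerifyCT() calls cert_transparency_verifier_->DoesConformToCTEVPolicy(...) with no null check visible in this hunk, so please confirm that an earlier guard in the function covers this path, or add one before the dereference. The only trace of the downgrade is the VLOG(1) line, which makes it hard to tell afterwards why a connection lost CERT_STATUS_IS_EV; consider recording the policy outcome next to ct_verify_result_ so callers and tests can check it rather than inferring it from the cleared bit. A test that feeds an EV result with too few SCTs and asserts that the bit is cleared, plus one with a conforming result that asserts it is kept, would pin down both branches. Minor style point: the parentheses around the negated DoesConformToCTEVPolicy call are redundant.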