Index: net/socket/ssl_client_socket_nss.cc |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
index a7821b2fe4fca6214e1119c2f1f35bd5d8ae02c8..e8ea56b3156e1c997bcd2f2d3a4d44d8513df282 100644 |
--- a/net/socket/ssl_client_socket_nss.cc |
+++ b/net/socket/ssl_client_socket_nss.cc |
@@ -92,6 +92,7 @@ |
#include "net/base/net_errors.h" |
#include "net/base/net_log.h" |
#include "net/cert/asn1_util.h" |
+#include "net/cert/cert_policy_enforcer.h" |
#include "net/cert/cert_status_flags.h" |
#include "net/cert/cert_verifier.h" |
#include "net/cert/ct_ev_whitelist.h" |
@@ -2826,6 +2827,7 @@ SSLClientSocketNSS::SSLClientSocketNSS( |
nss_fd_(NULL), |
net_log_(transport_->socket()->NetLog()), |
transport_security_state_(context.transport_security_state), |
+ policy_enforcer_(context.cert_policy_enforcer), |
valid_thread_id_(base::kInvalidThreadId) { |
EnterFunction(""); |
InitCore(); |
@@ -3507,21 +3509,6 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { |
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
} |
- scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
- SSLConfigService::GetEVCertsWhitelist(); |
- if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
- if (ev_whitelist.get() && ev_whitelist->IsValid()) { |
- const SHA256HashValue fingerprint( |
- X509Certificate::CalculateFingerprint256( |
- server_cert_verify_result_.verified_cert->os_cert_handle())); |
- |
- UMA_HISTOGRAM_BOOLEAN( |
- "Net.SSL_EVCertificateInWhitelist", |
- ev_whitelist->ContainsCertificateHash( |
- std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); |
- } |
- } |
- |
if (result == OK) { |
// Only check Certificate Transparency if there were no other errors with |
// the connection. |
@@ -3559,6 +3546,19 @@ void SSLClientSocketNSS::VerifyCT() { |
<< " Verified scts: " << ct_verify_result_.verified_scts.size() |
<< " scts from unknown logs: " |
<< ct_verify_result_.unknown_logs_scts.size(); |
+ |
+ if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) && |
+ (policy_enforcer_)) { |
Ryan Sleevi
2014/11/06 00:16:43
Let's make sure we 'fail closed', which also addre
Eran Messeri
2014/11/20 11:49:56
Done.
|
+ scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = |
+ SSLConfigService::GetEVCertsWhitelist(); |
+ |
+ if (!policy_enforcer_->DoesConformToCTEVPolicy( |
+ server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), |
+ ct_verify_result_)) { |
+ VLOG(1) << "EV certificate without enough SCTs, removing EV status."; |
+ server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; |
+ } |
+ } |
} |
void SSLClientSocketNSS::LogConnectionTypeMetrics() const { |