Chromium Code Reviews Chromium Code Reviews
Issue 462543002:
Certificate Transparency: Code for unpacking EV cert hashes whitelist (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
| 6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
| 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
| 8 | 8 |
| 9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
| 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| (...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 86 #include "crypto/scoped_nss_types.h" | 86 #include "crypto/scoped_nss_types.h" |
| 87 #include "net/base/address_list.h" | 87 #include "net/base/address_list.h" |
| 88 #include "net/base/connection_type_histograms.h" | 88 #include "net/base/connection_type_histograms.h" |
| 89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
| 90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
| 91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
| 92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
| 93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
| 94 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
| 95 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
| 96 #include "net/cert/ct_ev_whitelist.h" | |
| 96 #include "net/cert/ct_objects_extractor.h" | 97 #include "net/cert/ct_objects_extractor.h" |
| 97 #include "net/cert/ct_verifier.h" | 98 #include "net/cert/ct_verifier.h" |
| 98 #include "net/cert/ct_verify_result.h" | 99 #include "net/cert/ct_verify_result.h" |
| 99 #include "net/cert/scoped_nss_types.h" | 100 #include "net/cert/scoped_nss_types.h" |
| 100 #include "net/cert/sct_status_flags.h" | 101 #include "net/cert/sct_status_flags.h" |
| 101 #include "net/cert/single_request_cert_verifier.h" | 102 #include "net/cert/single_request_cert_verifier.h" |
| 102 #include "net/cert/x509_certificate_net_log_param.h" | 103 #include "net/cert/x509_certificate_net_log_param.h" |
| 103 #include "net/cert/x509_util.h" | 104 #include "net/cert/x509_util.h" |
| 104 #include "net/http/transport_security_state.h" | 105 #include "net/http/transport_security_state.h" |
| 105 #include "net/ocsp/nss_ocsp.h" | 106 #include "net/ocsp/nss_ocsp.h" |
| (...skipping 3329 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3435 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 3436 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
| 3436 !transport_security_state_->CheckPublicKeyPins( | 3437 !transport_security_state_->CheckPublicKeyPins( |
| 3437 host_and_port_.host(), | 3438 host_and_port_.host(), |
| 3438 sni_available, | 3439 sni_available, |
| 3439 server_cert_verify_result_.is_issued_by_known_root, | 3440 server_cert_verify_result_.is_issued_by_known_root, |
| 3440 server_cert_verify_result_.public_key_hashes, | 3441 server_cert_verify_result_.public_key_hashes, |
| 3441 &pinning_failure_log_)) { | 3442 &pinning_failure_log_)) { |
| 3442 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 3443 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| 3443 } | 3444 } |
| 3444 | 3445 |
| 3446 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
| 3447 // fingerprint certificate | |
|
wtc
2014/08/20 19:04:22
Nit: this comment can be omitted because it merely
Eran Messeri
2014/09/02 12:20:23
Done.
| |
| 3448 const SHA256HashValue fingerprint(X509Certificate::CalculateFingerprint256( | |
| 3449 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
| 3450 | |
| 3451 UMA_HISTOGRAM_BOOLEAN( | |
| 3452 "Net.SSL_EVCertificateInWhitelist", | |
| 3453 ct::IsCertificateHashInWhitelist( | |
| 3454 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
| 3455 } | |
| 3456 | |
| 3445 if (result == OK) { | 3457 if (result == OK) { |
| 3446 // Only check Certificate Transparency if there were no other errors with | 3458 // Only check Certificate Transparency if there were no other errors with |
| 3447 // the connection. | 3459 // the connection. |
| 3448 VerifyCT(); | 3460 VerifyCT(); |
| 3449 | 3461 |
| 3450 // Only cache the session if the certificate verified successfully. | 3462 // Only cache the session if the certificate verified successfully. |
| 3451 core_->CacheSessionIfNecessary(); | 3463 core_->CacheSessionIfNecessary(); |
| 3452 } | 3464 } |
| 3453 | 3465 |
| 3454 completed_handshake_ = true; | 3466 completed_handshake_ = true; |
| (...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3542 scoped_refptr<X509Certificate> | 3554 scoped_refptr<X509Certificate> |
| 3543 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3555 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
| 3544 return core_->state().server_cert.get(); | 3556 return core_->state().server_cert.get(); |
| 3545 } | 3557 } |
| 3546 | 3558 |
| 3547 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3559 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
| 3548 return channel_id_service_; | 3560 return channel_id_service_; |
| 3549 } | 3561 } |
| 3550 | 3562 |
| 3551 } // namespace net | 3563 } // namespace net |
| OLD | NEW |
