OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
86 #include "crypto/scoped_nss_types.h" | 86 #include "crypto/scoped_nss_types.h" |
87 #include "net/base/address_list.h" | 87 #include "net/base/address_list.h" |
88 #include "net/base/connection_type_histograms.h" | 88 #include "net/base/connection_type_histograms.h" |
89 #include "net/base/dns_util.h" | 89 #include "net/base/dns_util.h" |
90 #include "net/base/io_buffer.h" | 90 #include "net/base/io_buffer.h" |
91 #include "net/base/net_errors.h" | 91 #include "net/base/net_errors.h" |
92 #include "net/base/net_log.h" | 92 #include "net/base/net_log.h" |
93 #include "net/cert/asn1_util.h" | 93 #include "net/cert/asn1_util.h" |
94 #include "net/cert/cert_status_flags.h" | 94 #include "net/cert/cert_status_flags.h" |
95 #include "net/cert/cert_verifier.h" | 95 #include "net/cert/cert_verifier.h" |
96 #include "net/cert/ct_ev_whitelist.h" | |
96 #include "net/cert/ct_objects_extractor.h" | 97 #include "net/cert/ct_objects_extractor.h" |
97 #include "net/cert/ct_verifier.h" | 98 #include "net/cert/ct_verifier.h" |
98 #include "net/cert/ct_verify_result.h" | 99 #include "net/cert/ct_verify_result.h" |
99 #include "net/cert/scoped_nss_types.h" | 100 #include "net/cert/scoped_nss_types.h" |
100 #include "net/cert/sct_status_flags.h" | 101 #include "net/cert/sct_status_flags.h" |
101 #include "net/cert/single_request_cert_verifier.h" | 102 #include "net/cert/single_request_cert_verifier.h" |
102 #include "net/cert/x509_certificate_net_log_param.h" | 103 #include "net/cert/x509_certificate_net_log_param.h" |
103 #include "net/cert/x509_util.h" | 104 #include "net/cert/x509_util.h" |
104 #include "net/http/transport_security_state.h" | 105 #include "net/http/transport_security_state.h" |
105 #include "net/ocsp/nss_ocsp.h" | 106 #include "net/ocsp/nss_ocsp.h" |
(...skipping 3310 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3416 (result == OK || | 3417 (result == OK || |
3417 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 3418 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && |
3418 !transport_security_state_->CheckPublicKeyPins( | 3419 !transport_security_state_->CheckPublicKeyPins( |
3419 host_and_port_.host(), | 3420 host_and_port_.host(), |
3420 server_cert_verify_result_.is_issued_by_known_root, | 3421 server_cert_verify_result_.is_issued_by_known_root, |
3421 server_cert_verify_result_.public_key_hashes, | 3422 server_cert_verify_result_.public_key_hashes, |
3422 &pinning_failure_log_)) { | 3423 &pinning_failure_log_)) { |
3423 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 3424 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
3424 } | 3425 } |
3425 | 3426 |
3427 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { | |
Ryan Sleevi
2014/10/01 20:15:43
BUG: Need this logic for OpenSSL. Easy to forget t
Eran Messeri
2014/10/03 12:00:11
For now I copied the logic as-is to ssl_client_soc
| |
3428 if (ssl_config_.ev_certs_whitelist->IsValid()) { | |
Ryan Sleevi
2014/10/01 20:15:43
Should ev_certs_whitelist just be optional, the sa
Eran Messeri
2014/10/03 12:00:11
Done. Note that the IsValid method on the EVCertsW
| |
3429 const SHA256HashValue fingerprint( | |
3430 X509Certificate::CalculateFingerprint256( | |
3431 server_cert_verify_result_.verified_cert->os_cert_handle())); | |
3432 | |
3433 UMA_HISTOGRAM_BOOLEAN( | |
3434 "Net.SSL_EVCertificateInWhitelist", | |
3435 ssl_config_.ev_certs_whitelist->ContainsCertificateHash( | |
3436 std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); | |
3437 } | |
3438 } | |
3439 | |
3426 if (result == OK) { | 3440 if (result == OK) { |
3427 // Only check Certificate Transparency if there were no other errors with | 3441 // Only check Certificate Transparency if there were no other errors with |
3428 // the connection. | 3442 // the connection. |
3429 VerifyCT(); | 3443 VerifyCT(); |
3430 | 3444 |
3431 // Only cache the session if the certificate verified successfully. | 3445 // Only cache the session if the certificate verified successfully. |
3432 core_->CacheSessionIfNecessary(); | 3446 core_->CacheSessionIfNecessary(); |
3433 } | 3447 } |
3434 | 3448 |
3435 completed_handshake_ = true; | 3449 completed_handshake_ = true; |
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3523 scoped_refptr<X509Certificate> | 3537 scoped_refptr<X509Certificate> |
3524 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3538 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
3525 return core_->state().server_cert.get(); | 3539 return core_->state().server_cert.get(); |
3526 } | 3540 } |
3527 | 3541 |
3528 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3542 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
3529 return channel_id_service_; | 3543 return channel_id_service_; |
3530 } | 3544 } |
3531 | 3545 |
3532 } // namespace net | 3546 } // namespace net |
OLD | NEW |