Certificate Transparency: Code for unpacking EV cert hashes whitelist

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 75 matching lines @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_objects_extractor.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/ocsp/nss_ocsp.h"
@@ skipping 3310 matching lines @@
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
       !transport_security_state_->CheckPublicKeyPins(
           host_and_port_.host(),
           server_cert_verify_result_.is_issued_by_known_root,
           server_cert_verify_result_.public_key_hashes,
           &pinning_failure_log_)) {
     result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
   }
 
+  if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {

[Ryan Sleevi, 2014/10/01 20:15:43]

BUG: Need this logic for OpenSSL. Easy to forget to change both places.

[Eran Messeri, 2014/10/03 12:00:11]

For now I copied the logic as-is to ssl_client_socket_openssl, once there's a
clear plan on how to unify policy-related checks I'll move the code.

+    if (ssl_config_.ev_certs_whitelist->IsValid()) {

[Ryan Sleevi, 2014/10/01 20:15:43]

Should ev_certs_whitelist just be optional, the same as it is with CRLSets?

[Eran Messeri, 2014/10/03 12:00:11]

Done. Note that the IsValid method on the EVCertsWhitelist remained because the
EVCertsWhitelist instances are immutable, so in order to figure out if we should
replace the existing EVCertsWhitelist instance with a newly-created one (from
fresh data)  the IsValid method is used.

+      const SHA256HashValue fingerprint(
+          X509Certificate::CalculateFingerprint256(
+              server_cert_verify_result_.verified_cert->os_cert_handle()));
+
+      UMA_HISTOGRAM_BOOLEAN(
+          "Net.SSL_EVCertificateInWhitelist",
+          ssl_config_.ev_certs_whitelist->ContainsCertificateHash(
+              std::string(reinterpret_cast<const char*>(fingerprint.data), 8)));
+    }
+  }
+
   if (result == OK) {
     // Only check Certificate Transparency if there were no other errors with
     // the connection.
     VerifyCT();
 
     // Only cache the session if the certificate verified successfully.
     core_->CacheSessionIfNecessary();
   }
 
   completed_handshake_ = true;
@@ skipping 87 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net