Chromium Code Reviews Chromium Code Reviews
Issue 547603002:
Certificate Transparency: Code for unpacking EV cert hashes whitelist (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: net/socket/ssl_client_socket_nss.cc |
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
| index c5869fc3503a5ddfa53abb1b9ba0aecbabbfb442..f6e065b65a9e6dfdd24dda5bec71e0bd645c70ff 100644 |
| --- a/net/socket/ssl_client_socket_nss.cc |
| +++ b/net/socket/ssl_client_socket_nss.cc |
| @@ -93,6 +93,7 @@ |
| #include "net/cert/asn1_util.h" |
| #include "net/cert/cert_status_flags.h" |
| #include "net/cert/cert_verifier.h" |
| +#include "net/cert/ct_ev_whitelist.h" |
| #include "net/cert/ct_objects_extractor.h" |
| #include "net/cert/ct_verifier.h" |
| #include "net/cert/ct_verify_result.h" |
| @@ -3423,6 +3424,19 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { |
| result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; |
| } |
| + if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { |
|
Ryan Sleevi
2014/10/01 20:15:43
BUG: Need this logic for OpenSSL. Easy to forget t
Eran Messeri
2014/10/03 12:00:11
For now I copied the logic as-is to ssl_client_soc
|
| + if (ssl_config_.ev_certs_whitelist->IsValid()) { |
|
Ryan Sleevi
2014/10/01 20:15:43
Should ev_certs_whitelist just be optional, the sa
Eran Messeri
2014/10/03 12:00:11
Done. Note that the IsValid method on the EVCertsW
|
| + const SHA256HashValue fingerprint( |
| + X509Certificate::CalculateFingerprint256( |
| + server_cert_verify_result_.verified_cert->os_cert_handle())); |
| + |
| + UMA_HISTOGRAM_BOOLEAN( |
| + "Net.SSL_EVCertificateInWhitelist", |
| + ssl_config_.ev_certs_whitelist->ContainsCertificateHash( |
| + std::string(reinterpret_cast<const char*>(fingerprint.data), 8))); |
| + } |
| + } |
| + |
| if (result == OK) { |
| // Only check Certificate Transparency if there were no other errors with |
| // the connection. |
