extensions/browser/api/cast_channel/cast_socket.cc - Issue 694123002: Limit lifetime of self-signed certificate used for TLS on Cast channel

Side by Side Diff: extensions/browser/api/cast_channel/cast_socket.cc

Issue 694123002: Limit lifetime of self-signed certificate used for TLS on Cast channel (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Simplify the change. No need to make a new X509Certificate object. Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "extensions/browser/api/cast_channel/cast_socket.h"	5 #include "extensions/browser/api/cast_channel/cast_socket.h"

6	6

7 #include <stdlib.h>	7 #include <stdlib.h>

8 #include <string.h>	8 #include <string.h>

9	9

10 #include "base/bind.h"	10 #include "base/bind.h"

(...skipping 145 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
156 bool CastSocket::ExtractPeerCert(std::string* cert) {	156 bool CastSocket::ExtractPeerCert(std::string* cert) {

157 DCHECK(cert);	157 DCHECK(cert);

158 DCHECK(peer_cert_.empty());	158 DCHECK(peer_cert_.empty());

159 net::SSLInfo ssl_info;	159 net::SSLInfo ssl_info;

160 if (!socket_->GetSSLInfo(&ssl_info) \|\| !ssl_info.cert.get()) {	160 if (!socket_->GetSSLInfo(&ssl_info) \|\| !ssl_info.cert.get()) {

161 return false;	161 return false;

162 }	162 }

163	163

164 logger_->LogSocketEvent(channel_id_, proto::SSL_INFO_OBTAINED);	164 logger_->LogSocketEvent(channel_id_, proto::SSL_INFO_OBTAINED);

165	165

	166 // we need to ensure that the peer cert (which is self-signed) doesn't have an
	mark a. foltz 2014/11/21 00:14:53 Nit: Start sentence with "Ensure" Nit: Start sentence with "Ensure"
	167 // excessive life-time (i.e. no more than 2 days).

	168 base::Time expiry = ssl_info.cert->valid_expiry();

	169 if (expiry.is_null() \|\|

	170 expiry > base::Time::Now() + base::TimeDelta::FromDays(2)) {
	mark a. foltz 2014/11/21 00:14:53 Please declare a constant for "2" for the maximum Please declare a constant for "2" for the maximum lifetime in days.
	171 LOG(ERROR) << "Peer cert has excessive lifetime. expiry=" << expiry;
	mark a. foltz 2014/11/21 00:14:53 We'll want to log a socket event for an expired ce We'll want to log a socket event for an expired cert. - Add an enum value SSL_CERT_EXPIRED to the proto here: https://code.google.com/p/chromium/codesearch#chromium/src/extensions/common/... - Call logger_->LogSocketEventWithDetails(channel_id_, SSL_CERT_EXPIRED, ...) with the expiry time as the detail message Kevin Marshall 2014/11/21 00:41:13 Also log the IP endpoint. Also log the IP endpoint.
	172 return false;

	173 }

	174

166 bool result = net::X509Certificate::GetDEREncoded(	175 bool result = net::X509Certificate::GetDEREncoded(

167 ssl_info.cert->os_cert_handle(), cert);	176 ssl_info.cert->os_cert_handle(), cert);

168 if (result) {	177 if (result) {

169 VLOG_WITH_CONNECTION(1) << "Successfully extracted peer certificate: "	178 VLOG_WITH_CONNECTION(1) << "Successfully extracted peer certificate: "

170 << *cert;	179 << *cert;
	mark a. foltz 2014/11/21 00:14:53 Can you please remove the << cert line while you Can you please remove the << cert line while you are here? This dumps binary data into the text log which is not very helpful.
171 }	180 }

172	181

173 logger_->LogSocketEventWithRv(	182 logger_->LogSocketEventWithRv(

174 channel_id_, proto::DER_ENCODED_CERT_OBTAIN, result ? 1 : 0);	183 channel_id_, proto::DER_ENCODED_CERT_OBTAIN, result ? 1 : 0);

175 return result;	184 return result;

176 }	185 }

177	186

178 bool CastSocket::VerifyChallengeReply() {	187 bool CastSocket::VerifyChallengeReply() {

179 AuthResult result = AuthenticateChallengeReply(*challenge_reply_, peer_cert_);	188 AuthResult result = AuthenticateChallengeReply(*challenge_reply_, peer_cert_);

180 logger_->LogSocketChallengeReplyEvent(channel_id_, result);	189 logger_->LogSocketChallengeReplyEvent(channel_id_, result);

(...skipping 696 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
877 }	886 }

878	887

879 CastSocket::WriteRequest::~WriteRequest() {	888 CastSocket::WriteRequest::~WriteRequest() {

880 }	889 }

881	890

882 } // namespace cast_channel	891 } // namespace cast_channel

883 } // namespace core_api	892 } // namespace core_api

884 } // namespace extensions	893 } // namespace extensions

885	894

886 #undef VLOG_WITH_CONNECTION	895 #undef VLOG_WITH_CONNECTION

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »