Chromium Code Reviews Chromium Code Reviews
Issue 76443006:
Certificate Transparency: Threading the CT verifier into the SSL client socket. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/io_thread.h" | 5 #include "chrome/browser/io_thread.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/base64.h" | |
| 9 #include "base/bind.h" | 10 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 11 #include "base/bind_helpers.h" |
| 11 #include "base/command_line.h" | 12 #include "base/command_line.h" |
| 12 #include "base/compiler_specific.h" | 13 #include "base/compiler_specific.h" |
| 13 #include "base/debug/leak_tracker.h" | 14 #include "base/debug/leak_tracker.h" |
| 14 #include "base/debug/trace_event.h" | 15 #include "base/debug/trace_event.h" |
| 15 #include "base/logging.h" | 16 #include "base/logging.h" |
| 16 #include "base/metrics/field_trial.h" | 17 #include "base/metrics/field_trial.h" |
| 17 #include "base/prefs/pref_registry_simple.h" | 18 #include "base/prefs/pref_registry_simple.h" |
| 18 #include "base/prefs/pref_service.h" | 19 #include "base/prefs/pref_service.h" |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 43 #include "chrome/browser/policy/policy_service.h" | 44 #include "chrome/browser/policy/policy_service.h" |
| 44 #include "chrome/common/chrome_switches.h" | 45 #include "chrome/common/chrome_switches.h" |
| 45 #include "chrome/common/pref_names.h" | 46 #include "chrome/common/pref_names.h" |
| 46 #include "chrome/common/url_constants.h" | 47 #include "chrome/common/url_constants.h" |
| 47 #include "content/public/browser/browser_thread.h" | 48 #include "content/public/browser/browser_thread.h" |
| 48 #include "net/base/host_mapping_rules.h" | 49 #include "net/base/host_mapping_rules.h" |
| 49 #include "net/base/net_util.h" | 50 #include "net/base/net_util.h" |
| 50 #include "net/base/network_time_notifier.h" | 51 #include "net/base/network_time_notifier.h" |
| 51 #include "net/base/sdch_manager.h" | 52 #include "net/base/sdch_manager.h" |
| 52 #include "net/cert/cert_verifier.h" | 53 #include "net/cert/cert_verifier.h" |
| 54 #include "net/cert/ct_known_logs_keys.h" | |
| 55 #include "net/cert/ct_verifier.h" | |
| 53 #include "net/cookies/cookie_monster.h" | 56 #include "net/cookies/cookie_monster.h" |
| 54 #include "net/dns/host_cache.h" | 57 #include "net/dns/host_cache.h" |
| 55 #include "net/dns/host_resolver.h" | 58 #include "net/dns/host_resolver.h" |
| 56 #include "net/dns/mapped_host_resolver.h" | 59 #include "net/dns/mapped_host_resolver.h" |
| 57 #include "net/ftp/ftp_network_layer.h" | 60 #include "net/ftp/ftp_network_layer.h" |
| 58 #include "net/http/http_auth_filter.h" | 61 #include "net/http/http_auth_filter.h" |
| 59 #include "net/http/http_auth_handler_factory.h" | 62 #include "net/http/http_auth_handler_factory.h" |
| 60 #include "net/http/http_network_layer.h" | 63 #include "net/http/http_network_layer.h" |
| 61 #include "net/http/http_server_properties_impl.h" | 64 #include "net/http/http_server_properties_impl.h" |
| 62 #include "net/proxy/proxy_config_service.h" | 65 #include "net/proxy/proxy_config_service.h" |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 75 #include "net/websockets/websocket_job.h" | 78 #include "net/websockets/websocket_job.h" |
| 76 | 79 |
| 77 #if defined(OS_WIN) | 80 #if defined(OS_WIN) |
| 78 #include "win8/util/win8_util.h" | 81 #include "win8/util/win8_util.h" |
| 79 #endif | 82 #endif |
| 80 | 83 |
| 81 #if defined(ENABLE_CONFIGURATION_POLICY) | 84 #if defined(ENABLE_CONFIGURATION_POLICY) |
| 82 #include "policy/policy_constants.h" | 85 #include "policy/policy_constants.h" |
| 83 #endif | 86 #endif |
| 84 | 87 |
| 88 #if !defined(USE_OPENSSL) | |
| 89 #include "net/cert/ct_log_verifier.h" | |
| 90 #include "net/cert/multi_log_ct_verifier.h" | |
| 91 #endif | |
| 92 | |
| 85 #if defined(USE_NSS) || defined(OS_IOS) | 93 #if defined(USE_NSS) || defined(OS_IOS) |
| 86 #include "net/ocsp/nss_ocsp.h" | 94 #include "net/ocsp/nss_ocsp.h" |
| 87 #endif | 95 #endif |
| 88 | 96 |
| 89 #if !defined(OS_IOS) && !defined(OS_ANDROID) | 97 #if !defined(OS_IOS) && !defined(OS_ANDROID) |
| 90 #include "net/proxy/proxy_resolver_v8.h" | 98 #include "net/proxy/proxy_resolver_v8.h" |
| 91 #endif | 99 #endif |
| 92 | 100 |
| 93 #if defined(OS_ANDROID) || defined(OS_IOS) | 101 #if defined(OS_ANDROID) || defined(OS_IOS) |
| 94 #include "chrome/browser/net/spdyproxy/data_reduction_proxy_settings.h" | 102 #include "chrome/browser/net/spdyproxy/data_reduction_proxy_settings.h" |
| (...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 197 // See IOThread::Globals for details. | 205 // See IOThread::Globals for details. |
| 198 net::URLRequestContext* | 206 net::URLRequestContext* |
| 199 ConstructProxyScriptFetcherContext(IOThread::Globals* globals, | 207 ConstructProxyScriptFetcherContext(IOThread::Globals* globals, |
| 200 net::NetLog* net_log) { | 208 net::NetLog* net_log) { |
| 201 net::URLRequestContext* context = new net::URLRequestContext; | 209 net::URLRequestContext* context = new net::URLRequestContext; |
| 202 context->set_net_log(net_log); | 210 context->set_net_log(net_log); |
| 203 context->set_host_resolver(globals->host_resolver.get()); | 211 context->set_host_resolver(globals->host_resolver.get()); |
| 204 context->set_cert_verifier(globals->cert_verifier.get()); | 212 context->set_cert_verifier(globals->cert_verifier.get()); |
| 205 context->set_transport_security_state( | 213 context->set_transport_security_state( |
| 206 globals->transport_security_state.get()); | 214 globals->transport_security_state.get()); |
| 215 context->set_cert_transparency_verifier( | |
| 216 globals->cert_transparency_verifier.get()); | |
| 207 context->set_http_auth_handler_factory( | 217 context->set_http_auth_handler_factory( |
| 208 globals->http_auth_handler_factory.get()); | 218 globals->http_auth_handler_factory.get()); |
| 209 context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get()); | 219 context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get()); |
| 210 context->set_http_transaction_factory( | 220 context->set_http_transaction_factory( |
| 211 globals->proxy_script_fetcher_http_transaction_factory.get()); | 221 globals->proxy_script_fetcher_http_transaction_factory.get()); |
| 212 context->set_job_factory( | 222 context->set_job_factory( |
| 213 globals->proxy_script_fetcher_url_request_job_factory.get()); | 223 globals->proxy_script_fetcher_url_request_job_factory.get()); |
| 214 context->set_cookie_store(globals->system_cookie_store.get()); | 224 context->set_cookie_store(globals->system_cookie_store.get()); |
| 215 context->set_server_bound_cert_service( | 225 context->set_server_bound_cert_service( |
| 216 globals->system_server_bound_cert_service.get()); | 226 globals->system_server_bound_cert_service.get()); |
| 217 context->set_network_delegate(globals->system_network_delegate.get()); | 227 context->set_network_delegate(globals->system_network_delegate.get()); |
| 218 context->set_http_user_agent_settings( | 228 context->set_http_user_agent_settings( |
| 219 globals->http_user_agent_settings.get()); | 229 globals->http_user_agent_settings.get()); |
| 220 // TODO(rtenneti): We should probably use HttpServerPropertiesManager for the | 230 // TODO(rtenneti): We should probably use HttpServerPropertiesManager for the |
| 221 // system URLRequestContext too. There's no reason this should be tied to a | 231 // system URLRequestContext too. There's no reason this should be tied to a |
| 222 // profile. | 232 // profile. |
| 223 return context; | 233 return context; |
| 224 } | 234 } |
| 225 | 235 |
| 226 net::URLRequestContext* | 236 net::URLRequestContext* |
| 227 ConstructSystemRequestContext(IOThread::Globals* globals, | 237 ConstructSystemRequestContext(IOThread::Globals* globals, |
| 228 net::NetLog* net_log) { | 238 net::NetLog* net_log) { |
| 229 net::URLRequestContext* context = new SystemURLRequestContext; | 239 net::URLRequestContext* context = new SystemURLRequestContext; |
| 230 context->set_net_log(net_log); | 240 context->set_net_log(net_log); |
| 231 context->set_host_resolver(globals->host_resolver.get()); | 241 context->set_host_resolver(globals->host_resolver.get()); |
| 232 context->set_cert_verifier(globals->cert_verifier.get()); | 242 context->set_cert_verifier(globals->cert_verifier.get()); |
| 233 context->set_transport_security_state( | 243 context->set_transport_security_state( |
| 234 globals->transport_security_state.get()); | 244 globals->transport_security_state.get()); |
| 245 context->set_cert_transparency_verifier( | |
| 246 globals->cert_transparency_verifier.get()); | |
| 235 context->set_http_auth_handler_factory( | 247 context->set_http_auth_handler_factory( |
| 236 globals->http_auth_handler_factory.get()); | 248 globals->http_auth_handler_factory.get()); |
| 237 context->set_proxy_service(globals->system_proxy_service.get()); | 249 context->set_proxy_service(globals->system_proxy_service.get()); |
| 238 context->set_http_transaction_factory( | 250 context->set_http_transaction_factory( |
| 239 globals->system_http_transaction_factory.get()); | 251 globals->system_http_transaction_factory.get()); |
| 240 context->set_cookie_store(globals->system_cookie_store.get()); | 252 context->set_cookie_store(globals->system_cookie_store.get()); |
| 241 context->set_server_bound_cert_service( | 253 context->set_server_bound_cert_service( |
| 242 globals->system_server_bound_cert_service.get()); | 254 globals->system_server_bound_cert_service.get()); |
| 243 context->set_throttler_manager(globals->throttler_manager.get()); | 255 context->set_throttler_manager(globals->throttler_manager.get()); |
| 244 context->set_network_delegate(globals->system_network_delegate.get()); | 256 context->set_network_delegate(globals->system_network_delegate.get()); |
| (...skipping 275 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 520 &system_enable_referrers_); | 532 &system_enable_referrers_); |
| 521 if (command_line.HasSwitch(switches::kEnableClientHints)) | 533 if (command_line.HasSwitch(switches::kEnableClientHints)) |
| 522 network_delegate->SetEnableClientHints(); | 534 network_delegate->SetEnableClientHints(); |
| 523 if (command_line.HasSwitch(switches::kDisableExtensionsHttpThrottling)) | 535 if (command_line.HasSwitch(switches::kDisableExtensionsHttpThrottling)) |
| 524 network_delegate->NeverThrottleRequests(); | 536 network_delegate->NeverThrottleRequests(); |
| 525 globals_->system_network_delegate.reset(network_delegate); | 537 globals_->system_network_delegate.reset(network_delegate); |
| 526 globals_->host_resolver = CreateGlobalHostResolver(net_log_); | 538 globals_->host_resolver = CreateGlobalHostResolver(net_log_); |
| 527 UpdateDnsClientEnabled(); | 539 UpdateDnsClientEnabled(); |
| 528 globals_->cert_verifier.reset(net::CertVerifier::CreateDefault()); | 540 globals_->cert_verifier.reset(net::CertVerifier::CreateDefault()); |
| 529 globals_->transport_security_state.reset(new net::TransportSecurityState()); | 541 globals_->transport_security_state.reset(new net::TransportSecurityState()); |
| 542 #if !defined(USE_OPENSSL) | |
| 543 // For now, Certificate Transparency is only implemented for platforms | |
| 544 // that use NSS. | |
| 545 net::MultiLogCTVerifier* ct_verifier = new net::MultiLogCTVerifier(); | |
| 546 globals_->cert_transparency_verifier.reset(ct_verifier); | |
| 547 // Add built-in logs | |
| 548 base::StringPiece google_pilot_log_key( | |
| 549 net::kGooglePilotLogKey, net::kGooglePilotLogKeyLength); | |
| 550 scoped_ptr<net::CTLogVerifier> google_pilot_log( | |
| 551 net::CTLogVerifier::Create( | |
| 552 google_pilot_log_key, net::kGooglePilotLogName)); | |
| 553 ct_verifier->AddLog(google_pilot_log.Pass()); | |
| 554 | |
| 555 base::StringPiece google_test_log_key( | |
| 556 net::kGoogleTestLogKey, net::kGoogleTestLogKeyLength); | |
| 557 scoped_ptr<net::CTLogVerifier> google_test_log( | |
| 558 net::CTLogVerifier::Create( | |
| 559 google_test_log_key, net::kGoogleTestLogName)); | |
| 560 ct_verifier->AddLog(google_test_log.Pass()); | |
| 561 #endif | |
| 530 globals_->ssl_config_service = GetSSLConfigService(); | 562 globals_->ssl_config_service = GetSSLConfigService(); |
| 531 #if defined(OS_ANDROID) || defined(OS_IOS) | 563 #if defined(OS_ANDROID) || defined(OS_IOS) |
| 532 if (DataReductionProxySettings::IsDataReductionProxyAllowed()) { | 564 if (DataReductionProxySettings::IsDataReductionProxyAllowed()) { |
| 533 spdyproxy_auth_origins_ = | 565 spdyproxy_auth_origins_ = |
| 534 DataReductionProxySettings::GetDataReductionProxies(); | 566 DataReductionProxySettings::GetDataReductionProxies(); |
| 535 } | 567 } |
| 536 #endif // defined(OS_ANDROID) || defined(OS_IOS) | 568 #endif // defined(OS_ANDROID) || defined(OS_IOS) |
| 569 #if !defined(USE_OPENSSL) | |
| 570 if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) { | |
| 571 std::string switch_value = command_line.GetSwitchValueASCII( | |
| 572 switches::kCertificateTransparencyLog); | |
| 573 size_t delim_pos = switch_value.find(":"); | |
| 574 if (delim_pos == std::string::npos) { | |
| 575 LOG(DFATAL) << "CT log description not provided (switch format" << | |
| 576 " is 'description:base64_key')"; | |
|
Ryan Sleevi
2013/11/25 06:49:31
The DFATAL seems inappropriate here. The people mo
Eran M. (Google)
2013/11/25 17:18:33
I thought DFATAL crashes?
| |
| 577 } | |
| 578 std::string log_description(switch_value.substr(0, delim_pos)); | |
| 579 std::string ct_public_key_data; | |
| 580 if (!base::Base64Decode(switch_value.substr(delim_pos + 1), | |
| 581 &ct_public_key_data)) { | |
| 582 LOG(DFATAL) << "Unable to decode CT public key."; | |
| 583 } else { | |
| 584 scoped_ptr<net::CTLogVerifier> external_log_verifier( | |
| 585 net::CTLogVerifier::Create(ct_public_key_data, log_description)); | |
| 586 if (!external_log_verifier) { | |
| 587 LOG(DFATAL) << "Unable to parse CT public key."; | |
| 588 } else { | |
| 589 LOG(INFO) << "Using Certificate Transparency log: " << log_description; | |
|
Ryan Sleevi
2013/11/25 06:49:31
There's a push against LOG(INFO) in Chrome code, a
Eran M. (Google)
2013/11/25 17:18:33
Done.
| |
| 590 ct_verifier->AddLog(external_log_verifier.Pass()); | |
| 591 } | |
| 592 } | |
| 593 } | |
| 594 #else | |
| 595 if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) { | |
| 596 LOG(DFATAL) << "Certificate Transparency is not yet supported in Chrome " | |
| 597 << "builds using OpenSSL". | |
| 598 } | |
| 599 #endif | |
| 537 globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory( | 600 globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory( |
| 538 globals_->host_resolver.get())); | 601 globals_->host_resolver.get())); |
| 539 globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl()); | 602 globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl()); |
| 540 // For the ProxyScriptFetcher, we use a direct ProxyService. | 603 // For the ProxyScriptFetcher, we use a direct ProxyService. |
| 541 globals_->proxy_script_fetcher_proxy_service.reset( | 604 globals_->proxy_script_fetcher_proxy_service.reset( |
| 542 net::ProxyService::CreateDirectWithNetLog(net_log_)); | 605 net::ProxyService::CreateDirectWithNetLog(net_log_)); |
| 543 // In-memory cookie store. | 606 // In-memory cookie store. |
| 544 globals_->system_cookie_store = new net::CookieMonster(NULL, NULL); | 607 globals_->system_cookie_store = new net::CookieMonster(NULL, NULL); |
| 545 // In-memory server bound cert store. | 608 // In-memory server bound cert store. |
| 546 globals_->system_server_bound_cert_service.reset( | 609 globals_->system_server_bound_cert_service.reset( |
| (...skipping 481 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1028 if (command_line.HasSwitch(switches::kDisableQuicHttps)) | 1091 if (command_line.HasSwitch(switches::kDisableQuicHttps)) |
| 1029 return false; | 1092 return false; |
| 1030 | 1093 |
| 1031 if (command_line.HasSwitch(switches::kEnableQuicHttps)) | 1094 if (command_line.HasSwitch(switches::kEnableQuicHttps)) |
| 1032 return true; | 1095 return true; |
| 1033 | 1096 |
| 1034 // HTTPS over QUIC should only be enabled if we are in the https | 1097 // HTTPS over QUIC should only be enabled if we are in the https |
| 1035 // field trial group. | 1098 // field trial group. |
| 1036 return quic_trial_group == kQuicFieldTrialHttpsEnabledGroupName; | 1099 return quic_trial_group == kQuicFieldTrialHttpsEnabledGroupName; |
| 1037 } | 1100 } |
| OLD | NEW |
