OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
6 | 6 |
7 #include "net/base/net_errors.h" | 7 #include "net/base/net_errors.h" |
8 #include "net/cert/ct_log_verifier.h" | 8 #include "net/cert/ct_log_verifier.h" |
9 #include "net/cert/ct_objects_extractor.h" | 9 #include "net/cert/ct_objects_extractor.h" |
10 #include "net/cert/ct_serialization.h" | 10 #include "net/cert/ct_serialization.h" |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
53 cert->GetIntermediateCertificates().front(), | 53 cert->GetIntermediateCertificates().front(), |
54 &precert_entry) && | 54 &precert_entry) && |
55 VerifySCTs( | 55 VerifySCTs( |
56 embedded_scts, | 56 embedded_scts, |
57 precert_entry, | 57 precert_entry, |
58 ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 58 ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
59 result); | 59 result); |
60 } | 60 } |
61 | 61 |
62 ct::LogEntry x509_entry; | 62 ct::LogEntry x509_entry; |
63 if (!ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry)) | 63 if (ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry)) { |
64 return has_verified_scts ? OK : ERR_FAILED; | 64 has_verified_scts |= VerifySCTs( |
| 65 sct_list_from_ocsp, |
| 66 x509_entry, |
| 67 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
| 68 result); |
65 | 69 |
66 has_verified_scts |= VerifySCTs( | 70 has_verified_scts |= VerifySCTs( |
67 sct_list_from_ocsp, | 71 sct_list_from_tls_extension, |
68 x509_entry, | 72 x509_entry, |
69 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 73 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, |
70 result); | 74 result); |
71 | 75 } |
72 has_verified_scts |= VerifySCTs( | |
73 sct_list_from_tls_extension, | |
74 x509_entry, | |
75 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, | |
76 result); | |
77 | 76 |
78 if (has_verified_scts) | 77 if (has_verified_scts) |
79 return OK; | 78 return OK; |
80 | 79 |
81 return ERR_FAILED; | 80 return ERR_CT_NO_SCTS_VERIFIED_OK; |
82 } | 81 } |
83 | 82 |
84 bool MultiLogCTVerifier::VerifySCTs( | 83 bool MultiLogCTVerifier::VerifySCTs( |
85 const std::string& encoded_sct_list, | 84 const std::string& encoded_sct_list, |
86 const ct::LogEntry& expected_entry, | 85 const ct::LogEntry& expected_entry, |
87 ct::SignedCertificateTimestamp::Origin origin, | 86 ct::SignedCertificateTimestamp::Origin origin, |
88 ct::CTVerifyResult* result) { | 87 ct::CTVerifyResult* result) { |
89 if (logs_.empty()) | 88 if (logs_.empty()) |
90 return false; | 89 return false; |
91 | 90 |
(...skipping 20 matching lines...) Expand all Loading... |
112 | 111 |
113 return verified; | 112 return verified; |
114 } | 113 } |
115 | 114 |
116 bool MultiLogCTVerifier::VerifySingleSCT( | 115 bool MultiLogCTVerifier::VerifySingleSCT( |
117 scoped_refptr<ct::SignedCertificateTimestamp> sct, | 116 scoped_refptr<ct::SignedCertificateTimestamp> sct, |
118 const ct::LogEntry& expected_entry, | 117 const ct::LogEntry& expected_entry, |
119 ct::CTVerifyResult* result) { | 118 ct::CTVerifyResult* result) { |
120 | 119 |
121 // Assume this SCT is untrusted until proven otherwise. | 120 // Assume this SCT is untrusted until proven otherwise. |
122 | |
123 IDToLogMap::iterator it = logs_.find(sct->log_id); | 121 IDToLogMap::iterator it = logs_.find(sct->log_id); |
124 if (it == logs_.end()) { | 122 if (it == logs_.end()) { |
125 DVLOG(1) << "SCT does not match any known log."; | 123 DVLOG(1) << "SCT does not match any known log."; |
126 result->unknown_logs_scts.push_back(sct); | 124 result->unknown_logs_scts.push_back(sct); |
127 return false; | 125 return false; |
128 } | 126 } |
129 | 127 |
130 if (!it->second->Verify(expected_entry, *sct)) { | 128 if (!it->second->Verify(expected_entry, *sct)) { |
131 DVLOG(1) << "Unable to verify SCT signature."; | 129 DVLOG(1) << "Unable to verify SCT signature."; |
132 result->unverified_scts.push_back(sct); | 130 result->unverified_scts.push_back(sct); |
133 return false; | 131 return false; |
134 } | 132 } |
135 | 133 |
136 // SCT verified ok, just make sure the timestamp is legitimate. | 134 // SCT verified ok, just make sure the timestamp is legitimate. |
137 if (sct->timestamp > base::Time::Now()) { | 135 if (sct->timestamp > base::Time::Now()) { |
138 DVLOG(1) << "SCT is from the future!"; | 136 DVLOG(1) << "SCT is from the future!"; |
139 result->unverified_scts.push_back(sct); | 137 result->unverified_scts.push_back(sct); |
140 return false; | 138 return false; |
141 } | 139 } |
142 | 140 |
143 result->verified_scts.push_back(sct); | 141 result->verified_scts.push_back(sct); |
144 return true; | 142 return true; |
145 } | 143 } |
146 | 144 |
147 } // namespace net | 145 } // namespace net |
OLD | NEW |