Index: chrome/browser/io_thread.cc |
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc |
index d72cefcc0e90ece0987c7a9fde7e1f3d488e97ae..37f3e67229ddfd42851785d95a7b900c8af7f48a 100644 |
--- a/chrome/browser/io_thread.cc |
+++ b/chrome/browser/io_thread.cc |
@@ -6,6 +6,7 @@ |
#include <vector> |
+#include "base/base64.h" |
#include "base/bind.h" |
#include "base/bind_helpers.h" |
#include "base/command_line.h" |
@@ -50,6 +51,8 @@ |
#include "net/base/network_time_notifier.h" |
#include "net/base/sdch_manager.h" |
#include "net/cert/cert_verifier.h" |
+#include "net/cert/ct_known_logs_keys.h" |
+#include "net/cert/ct_verifier.h" |
#include "net/cookies/cookie_monster.h" |
#include "net/dns/host_cache.h" |
#include "net/dns/host_resolver.h" |
@@ -82,6 +85,11 @@ |
#include "policy/policy_constants.h" |
#endif |
+#if !defined(USE_OPENSSL) |
+#include "net/cert/ct_log_verifier.h" |
+#include "net/cert/multi_log_ct_verifier.h" |
+#endif |
+ |
#if defined(USE_NSS) || defined(OS_IOS) |
#include "net/ocsp/nss_ocsp.h" |
#endif |
@@ -204,6 +212,8 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals, |
context->set_cert_verifier(globals->cert_verifier.get()); |
context->set_transport_security_state( |
globals->transport_security_state.get()); |
+ context->set_cert_transparency_verifier( |
+ globals->cert_transparency_verifier.get()); |
context->set_http_auth_handler_factory( |
globals->http_auth_handler_factory.get()); |
context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get()); |
@@ -232,6 +242,8 @@ ConstructSystemRequestContext(IOThread::Globals* globals, |
context->set_cert_verifier(globals->cert_verifier.get()); |
context->set_transport_security_state( |
globals->transport_security_state.get()); |
+ context->set_cert_transparency_verifier( |
+ globals->cert_transparency_verifier.get()); |
context->set_http_auth_handler_factory( |
globals->http_auth_handler_factory.get()); |
context->set_proxy_service(globals->system_proxy_service.get()); |
@@ -527,6 +539,26 @@ void IOThread::InitAsync() { |
UpdateDnsClientEnabled(); |
globals_->cert_verifier.reset(net::CertVerifier::CreateDefault()); |
globals_->transport_security_state.reset(new net::TransportSecurityState()); |
+#if !defined(USE_OPENSSL) |
+ // For now, Certificate Transparency is only implemented for platforms |
+ // that use NSS. |
+ net::MultiLogCTVerifier* ct_verifier = new net::MultiLogCTVerifier(); |
+ globals_->cert_transparency_verifier.reset(ct_verifier); |
+ // Add built-in logs |
+ base::StringPiece google_pilot_log_key( |
+ net::kGooglePilotLogKey, net::kGooglePilotLogKeyLength); |
+ scoped_ptr<net::CTLogVerifier> google_pilot_log( |
+ net::CTLogVerifier::Create( |
+ google_pilot_log_key, net::kGooglePilotLogName)); |
+ ct_verifier->AddLog(google_pilot_log.Pass()); |
+ |
+ base::StringPiece google_test_log_key( |
+ net::kGoogleTestLogKey, net::kGoogleTestLogKeyLength); |
+ scoped_ptr<net::CTLogVerifier> google_test_log( |
+ net::CTLogVerifier::Create( |
+ google_test_log_key, net::kGoogleTestLogName)); |
+ ct_verifier->AddLog(google_test_log.Pass()); |
+#endif |
globals_->ssl_config_service = GetSSLConfigService(); |
#if defined(OS_ANDROID) || defined(OS_IOS) |
if (DataReductionProxySettings::IsDataReductionProxyAllowed()) { |
@@ -534,6 +566,37 @@ void IOThread::InitAsync() { |
DataReductionProxySettings::GetDataReductionProxies(); |
} |
#endif // defined(OS_ANDROID) || defined(OS_IOS) |
+#if !defined(USE_OPENSSL) |
+ if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) { |
+ std::string switch_value = command_line.GetSwitchValueASCII( |
+ switches::kCertificateTransparencyLog); |
+ size_t delim_pos = switch_value.find(":"); |
+ if (delim_pos == std::string::npos) { |
+ LOG(DFATAL) << "CT log description not provided (switch format" << |
+ " is 'description:base64_key')"; |
Ryan Sleevi
2013/11/25 06:49:31
The DFATAL seems inappropriate here. The people mo
Eran M. (Google)
2013/11/25 17:18:33
I thought DFATAL crashes?
|
+ } |
+ std::string log_description(switch_value.substr(0, delim_pos)); |
+ std::string ct_public_key_data; |
+ if (!base::Base64Decode(switch_value.substr(delim_pos + 1), |
+ &ct_public_key_data)) { |
+ LOG(DFATAL) << "Unable to decode CT public key."; |
+ } else { |
+ scoped_ptr<net::CTLogVerifier> external_log_verifier( |
+ net::CTLogVerifier::Create(ct_public_key_data, log_description)); |
+ if (!external_log_verifier) { |
+ LOG(DFATAL) << "Unable to parse CT public key."; |
+ } else { |
+ LOG(INFO) << "Using Certificate Transparency log: " << log_description; |
Ryan Sleevi
2013/11/25 06:49:31
There's a push against LOG(INFO) in Chrome code, a
Eran M. (Google)
2013/11/25 17:18:33
Done.
|
+ ct_verifier->AddLog(external_log_verifier.Pass()); |
+ } |
+ } |
+ } |
+#else |
+ if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) { |
+ LOG(DFATAL) << "Certificate Transparency is not yet supported in Chrome " |
+ << "builds using OpenSSL". |
+ } |
+#endif |
globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory( |
globals_->host_resolver.get())); |
globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl()); |