Certificate Transparency: Threading the CT verifier into the SSL client socket.

chrome/browser/io_thread.cc

Index: chrome/browser/io_thread.cc
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index d72cefcc0e90ece0987c7a9fde7e1f3d488e97ae..37f3e67229ddfd42851785d95a7b900c8af7f48a 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -6,6 +6,7 @@
 
 #include <vector>
 
+#include "base/base64.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ -50,6 +51,8 @@
 #include "net/base/network_time_notifier.h"
 #include "net/base/sdch_manager.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_known_logs_keys.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
@@ -82,6 +85,11 @@
 #include "policy/policy_constants.h"
 #endif
 
+#if !defined(USE_OPENSSL)
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/multi_log_ct_verifier.h"
+#endif
+
 #if defined(USE_NSS) || defined(OS_IOS)
 #include "net/ocsp/nss_ocsp.h"
 #endif
@@ -204,6 +212,8 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals,
   context->set_cert_verifier(globals->cert_verifier.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
+  context->set_cert_transparency_verifier(
+      globals->cert_transparency_verifier.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get());
@@ -232,6 +242,8 @@ ConstructSystemRequestContext(IOThread::Globals* globals,
   context->set_cert_verifier(globals->cert_verifier.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
+  context->set_cert_transparency_verifier(
+      globals->cert_transparency_verifier.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->system_proxy_service.get());
@@ -527,6 +539,26 @@ void IOThread::InitAsync() {
   UpdateDnsClientEnabled();
   globals_->cert_verifier.reset(net::CertVerifier::CreateDefault());
   globals_->transport_security_state.reset(new net::TransportSecurityState());
+#if !defined(USE_OPENSSL)
+  // For now, Certificate Transparency is only implemented for platforms
+  // that use NSS.
+  net::MultiLogCTVerifier* ct_verifier = new net::MultiLogCTVerifier();
+  globals_->cert_transparency_verifier.reset(ct_verifier);
+  // Add built-in logs
+  base::StringPiece google_pilot_log_key(
+      net::kGooglePilotLogKey, net::kGooglePilotLogKeyLength);
+  scoped_ptr<net::CTLogVerifier> google_pilot_log(
+      net::CTLogVerifier::Create(
+        google_pilot_log_key, net::kGooglePilotLogName));
+  ct_verifier->AddLog(google_pilot_log.Pass());
+
+  base::StringPiece google_test_log_key(
+      net::kGoogleTestLogKey, net::kGoogleTestLogKeyLength);
+  scoped_ptr<net::CTLogVerifier> google_test_log(
+      net::CTLogVerifier::Create(
+        google_test_log_key, net::kGoogleTestLogName));
+  ct_verifier->AddLog(google_test_log.Pass());
+#endif
   globals_->ssl_config_service = GetSSLConfigService();
 #if defined(OS_ANDROID) || defined(OS_IOS)
   if (DataReductionProxySettings::IsDataReductionProxyAllowed()) {
@@ -534,6 +566,37 @@ void IOThread::InitAsync() {
         DataReductionProxySettings::GetDataReductionProxies();
   }
 #endif  // defined(OS_ANDROID) || defined(OS_IOS)
+#if !defined(USE_OPENSSL)
+  if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) {
+    std::string switch_value = command_line.GetSwitchValueASCII(
+        switches::kCertificateTransparencyLog);
+    size_t delim_pos = switch_value.find(":");
+    if (delim_pos == std::string::npos) {
+      LOG(DFATAL) << "CT log description not provided (switch format" <<
+                  " is 'description:base64_key')";

[Ryan Sleevi, 2013/11/25 06:49:31]

The DFATAL seems inappropriate here. The people most likely to get it wrong are
end users, and this won't really do anything special.

It seems like there are two possible behaviours here for invalid switches:
1) Ignore; fall back to default log. Let this be surfaced through net-internals,
and if logged, always at a LOG(ERROR).
2) Crash (aka CHECK), so indicate they've supplied the wrong value.

[Eran M. (Google), 2013/11/25 17:18:33]

I thought DFATAL crashes? 

+    }
+    std::string log_description(switch_value.substr(0, delim_pos));
+    std::string ct_public_key_data;
+    if (!base::Base64Decode(switch_value.substr(delim_pos + 1),
+                            &ct_public_key_data)) {
+      LOG(DFATAL) << "Unable to decode CT public key.";
+    } else {
+      scoped_ptr<net::CTLogVerifier> external_log_verifier(
+          net::CTLogVerifier::Create(ct_public_key_data, log_description));
+      if (!external_log_verifier) {
+        LOG(DFATAL) << "Unable to parse CT public key.";
+      } else {
+        LOG(INFO) << "Using Certificate Transparency log: " << log_description;

[Ryan Sleevi, 2013/11/25 06:49:31]

There's a push against LOG(INFO) in Chrome code, and reasonably so. Since this
is (or is going to be) surfaced through chrome://net-internals, let's drop this
entirely.

[Eran M. (Google), 2013/11/25 17:18:33]

Done.

+        ct_verifier->AddLog(external_log_verifier.Pass());
+      }
+    }
+  }
+#else
+  if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) {
+    LOG(DFATAL) << "Certificate Transparency is not yet supported in Chrome "
+                << "builds using OpenSSL".
+  }
+#endif
   globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory(
       globals_->host_resolver.get()));
   globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl());