Certificate Transparency: Threading the CT verifier into the SSL client socket.

chrome/browser/io_thread.cc

Index: chrome/browser/io_thread.cc
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
index d72cefcc0e90ece0987c7a9fde7e1f3d488e97ae..2e770bc022aad2779c0b6e8510fa78b520d94ec9 100644
--- a/chrome/browser/io_thread.cc
+++ b/chrome/browser/io_thread.cc
@@ -6,6 +6,7 @@
 
 #include <vector>
 
+#include "base/base64.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
@@ -50,6 +51,8 @@
 #include "net/base/network_time_notifier.h"
 #include "net/base/sdch_manager.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_known_logs_keys.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
@@ -82,6 +85,11 @@
 #include "policy/policy_constants.h"
 #endif
 
+#if !defined(USE_OPENSSL)
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/multi_log_ct_verifier.h"
+#endif
+
 #if defined(USE_NSS) || defined(OS_IOS)
 #include "net/ocsp/nss_ocsp.h"
 #endif
@@ -204,6 +212,8 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals,
   context->set_cert_verifier(globals->cert_verifier.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
+  context->set_cert_transparency_verifier(
+      globals->cert_transparency_verifier.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get());
@@ -232,6 +242,8 @@ ConstructSystemRequestContext(IOThread::Globals* globals,
   context->set_cert_verifier(globals->cert_verifier.get());
   context->set_transport_security_state(
       globals->transport_security_state.get());
+  context->set_cert_transparency_verifier(
+      globals->cert_transparency_verifier.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->system_proxy_service.get());
@@ -527,6 +539,26 @@ void IOThread::InitAsync() {
   UpdateDnsClientEnabled();
   globals_->cert_verifier.reset(net::CertVerifier::CreateDefault());
   globals_->transport_security_state.reset(new net::TransportSecurityState());
+#if !defined(USE_OPENSSL)
+  // For now, Certificate Transparency is only implemented for platforms
+  // that use NSS.
+  net::MultiLogCTVerifier* ct_verifier = new net::MultiLogCTVerifier();
+  globals_->cert_transparency_verifier.reset(ct_verifier);
+  // Add built-in logs
+  base::StringPiece google_pilot_log_key(
+      net::kGooglePilotLogKey, net::kGooglePilotLogKeyLength);
+  scoped_ptr<net::CTLogVerifier> google_pilot_log(
+      net::CTLogVerifier::Create(
+        google_pilot_log_key, net::kGooglePilotLogName));
+  ct_verifier->AddLog(google_pilot_log.Pass());
+
+  base::StringPiece google_test_log_key(
+      net::kGoogleTestLogKey, net::kGoogleTestLogKeyLength);
+  scoped_ptr<net::CTLogVerifier> google_test_log(
+      net::CTLogVerifier::Create(
+        google_test_log_key, net::kGoogleTestLogName));
+  ct_verifier->AddLog(google_test_log.Pass());
+#endif
   globals_->ssl_config_service = GetSSLConfigService();
 #if defined(OS_ANDROID) || defined(OS_IOS)
   if (DataReductionProxySettings::IsDataReductionProxyAllowed()) {
@@ -534,6 +566,30 @@ void IOThread::InitAsync() {
         DataReductionProxySettings::GetDataReductionProxies();
   }
 #endif  // defined(OS_ANDROID) || defined(OS_IOS)
+#if !defined(USE_OPENSSL)

[wtc, 2013/11/26 01:47:23]

Why don't you combine this #if block with the #if block on lines 542-561?

[Eran M. (Google), 2013/11/26 14:45:53]

Done.

+  if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) {
+    std::string switch_value = command_line.GetSwitchValueASCII(
+        switches::kCertificateTransparencyLog);
+    size_t delim_pos = switch_value.find(":");
+    CHECK(delim_pos != std::string::npos)
+      <<"CT log description not provided (switch format"
+      << " is 'description:base64_key')";

[wtc, 2013/11/26 01:47:23]

Line continuations are indented by four spaces.

Add a space after the << on line 575.

Nit: you can take advantage of C-preprocessor's concatenation of string literals
and use only one << operator:

    CHECK(delim_pos != std::string::npos)
        << "CT log description not provided (switch format"
           " is 'description:base64_key')";

[Eran M. (Google), 2013/11/26 14:45:53]

Done.

+    std::string log_description(switch_value.substr(0, delim_pos));
+    std::string ct_public_key_data;
+    CHECK(base::Base64Decode(
+          switch_value.substr(delim_pos + 1),
+          &ct_public_key_data)) << "Unable to decode CT public key.";
+    scoped_ptr<net::CTLogVerifier> external_log_verifier(
+        net::CTLogVerifier::Create(ct_public_key_data, log_description));
+    CHECK(external_log_verifier) << "Unable to parse CT public key.";
+    ct_verifier->AddLog(external_log_verifier.Pass());
+  }
+#else
+  if (command_line.HasSwitch(switches::kCertificateTransparencyLog)) {
+    LOG(DFATAL) << "Certificate Transparency is not yet supported in Chrome "
+                << "builds using OpenSSL.";

[wtc, 2013/11/26 01:47:23]

Nit: same here: one << operator call is enough. The string literals will be
concatenated by the C preprocessor.

[Eran M. (Google), 2013/11/26 14:45:53]

Done.

+  }
+#endif
   globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory(
       globals_->host_resolver.get()));
   globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl());