Chromium Code Reviews Chromium Code Reviews
Issue 86503002:
Certificate Transparency: Logging SCTs to the NetLog. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | |
| 8 #include "base/callback_helpers.h" | |
| 7 #include "net/base/net_errors.h" | 9 #include "net/base/net_errors.h" |
| 10 #include "net/base/net_log.h" | |
| 8 #include "net/cert/ct_log_verifier.h" | 11 #include "net/cert/ct_log_verifier.h" |
| 9 #include "net/cert/ct_objects_extractor.h" | 12 #include "net/cert/ct_objects_extractor.h" |
| 10 #include "net/cert/ct_serialization.h" | 13 #include "net/cert/ct_serialization.h" |
| 14 #include "net/cert/ct_signed_certificate_timestamp_log_param.h" | |
| 11 #include "net/cert/ct_verify_result.h" | 15 #include "net/cert/ct_verify_result.h" |
| 12 #include "net/cert/x509_certificate.h" | 16 #include "net/cert/x509_certificate.h" |
| 13 | 17 |
| 14 namespace net { | 18 namespace net { |
| 15 | 19 |
| 16 MultiLogCTVerifier::MultiLogCTVerifier() { } | 20 MultiLogCTVerifier::MultiLogCTVerifier() { } |
| 17 | 21 |
| 18 MultiLogCTVerifier::~MultiLogCTVerifier() { } | 22 MultiLogCTVerifier::~MultiLogCTVerifier() { } |
| 19 | 23 |
| 20 void MultiLogCTVerifier::AddLog(scoped_ptr<CTLogVerifier> log_verifier) { | 24 void MultiLogCTVerifier::AddLog(scoped_ptr<CTLogVerifier> log_verifier) { |
| 21 DCHECK(log_verifier); | 25 DCHECK(log_verifier); |
| 22 if (!log_verifier) | 26 if (!log_verifier) |
| 23 return; | 27 return; |
| 24 | 28 |
| 25 linked_ptr<CTLogVerifier> log(log_verifier.release()); | 29 linked_ptr<CTLogVerifier> log(log_verifier.release()); |
| 26 logs_[log->key_id()] = log; | 30 logs_[log->key_id()] = log; |
| 27 } | 31 } |
| 28 | 32 |
| 29 int MultiLogCTVerifier::Verify( | 33 int MultiLogCTVerifier::Verify( |
| 30 X509Certificate* cert, | 34 X509Certificate* cert, |
| 31 const std::string& sct_list_from_ocsp, | 35 const std::string& sct_list_from_ocsp, |
| 32 const std::string& sct_list_from_tls_extension, | 36 const std::string& sct_list_from_tls_extension, |
| 33 ct::CTVerifyResult* result) { | 37 ct::CTVerifyResult* result, |
| 38 const BoundNetLog& net_log) { | |
| 34 DCHECK(cert); | 39 DCHECK(cert); |
| 35 DCHECK(result); | 40 DCHECK(result); |
| 36 | 41 |
| 37 result->verified_scts.clear(); | 42 result->verified_scts.clear(); |
| 38 result->unverified_scts.clear(); | 43 result->unverified_scts.clear(); |
| 39 result->unknown_logs_scts.clear(); | 44 result->unknown_logs_scts.clear(); |
| 40 | 45 |
| 41 bool has_verified_scts = false; | 46 bool has_verified_scts = false; |
| 42 | 47 |
| 43 std::string embedded_scts; | 48 std::string embedded_scts; |
| 44 if (!cert->GetIntermediateCertificates().empty() && | 49 if (!cert->GetIntermediateCertificates().empty() && |
| 45 ct::ExtractEmbeddedSCTList( | 50 ct::ExtractEmbeddedSCTList( |
| 46 cert->os_cert_handle(), | 51 cert->os_cert_handle(), |
| 47 &embedded_scts)) { | 52 &embedded_scts)) { |
| 48 ct::LogEntry precert_entry; | 53 ct::LogEntry precert_entry; |
| 49 | 54 |
| 50 has_verified_scts = | 55 has_verified_scts = |
| 51 ct::GetPrecertLogEntry( | 56 ct::GetPrecertLogEntry( |
| 52 cert->os_cert_handle(), | 57 cert->os_cert_handle(), |
| 53 cert->GetIntermediateCertificates().front(), | 58 cert->GetIntermediateCertificates().front(), |
| 54 &precert_entry) && | 59 &precert_entry) && |
| 55 VerifySCTs( | 60 VerifySCTs( |
| 56 embedded_scts, | 61 embedded_scts, |
| 57 precert_entry, | 62 precert_entry, |
| 58 ct::SignedCertificateTimestamp::SCT_EMBEDDED, | 63 ct::SignedCertificateTimestamp::SCT_EMBEDDED, |
| 59 result); | 64 result); |
| 60 } | 65 } |
| 61 | 66 |
| 67 // Log to Net Log here, after extracting embedded SCTs but before | |
| 68 // possibly failing on X.509 entry creation. | |
| 69 NetLog::ParametersCallback net_log_callback = | |
| 70 base::Bind(&NetLogRawSignedCertificateTimestampCallback, | |
|
eroman
2013/11/27 20:39:55
[optional] I suggest inlining this into the AddEve
Eran M. (Google)
2013/11/27 22:08:50
With bound callbacks I find it slightly clearer to
| |
| 71 &embedded_scts, &sct_list_from_ocsp, &sct_list_from_tls_extension); | |
| 72 | |
| 73 net_log.AddEvent( | |
| 74 NetLog::TYPE_SSL_SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED, | |
| 75 net_log_callback); | |
| 76 | |
| 62 ct::LogEntry x509_entry; | 77 ct::LogEntry x509_entry; |
| 63 if (!ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry)) | 78 if (!ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry)) |
| 64 return has_verified_scts ? OK : ERR_CT_LOG_ENTRY_CREATION_FAILED; | 79 return has_verified_scts ? OK : ERR_CT_LOG_ENTRY_CREATION_FAILED; |
| 65 | 80 |
| 66 has_verified_scts |= VerifySCTs( | 81 has_verified_scts |= VerifySCTs( |
| 67 sct_list_from_ocsp, | 82 sct_list_from_ocsp, |
| 68 x509_entry, | 83 x509_entry, |
| 69 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, | 84 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE, |
| 70 result); | 85 result); |
| 71 | 86 |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 139 DVLOG(1) << "SCT is from the future!"; | 154 DVLOG(1) << "SCT is from the future!"; |
| 140 result->unverified_scts.push_back(sct); | 155 result->unverified_scts.push_back(sct); |
| 141 return false; | 156 return false; |
| 142 } | 157 } |
| 143 | 158 |
| 144 result->verified_scts.push_back(sct); | 159 result->verified_scts.push_back(sct); |
| 145 return true; | 160 return true; |
| 146 } | 161 } |
| 147 | 162 |
| 148 } // namespace net | 163 } // namespace net |
| OLD | NEW |
