Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(82)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 86503002: Certificate Transparency: Logging SCTs to the NetLog. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Addressing review comments Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/cert/multi_log_ct_verifier.cc ('K') | « net/net.gyp ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
86 #include "crypto/scoped_nss_types.h" 86 #include "crypto/scoped_nss_types.h"
87 #include "net/base/address_list.h" 87 #include "net/base/address_list.h"
88 #include "net/base/connection_type_histograms.h" 88 #include "net/base/connection_type_histograms.h"
89 #include "net/base/dns_util.h" 89 #include "net/base/dns_util.h"
90 #include "net/base/io_buffer.h" 90 #include "net/base/io_buffer.h"
91 #include "net/base/net_errors.h" 91 #include "net/base/net_errors.h"
92 #include "net/base/net_log.h" 92 #include "net/base/net_log.h"
93 #include "net/cert/asn1_util.h" 93 #include "net/cert/asn1_util.h"
94 #include "net/cert/cert_status_flags.h" 94 #include "net/cert/cert_status_flags.h"
95 #include "net/cert/cert_verifier.h" 95 #include "net/cert/cert_verifier.h"
96 #include "net/cert/ct_signed_certificate_timestamp_log_param.h"
96 #include "net/cert/ct_verifier.h" 97 #include "net/cert/ct_verifier.h"
97 #include "net/cert/scoped_nss_types.h" 98 #include "net/cert/scoped_nss_types.h"
98 #include "net/cert/single_request_cert_verifier.h" 99 #include "net/cert/single_request_cert_verifier.h"
99 #include "net/cert/x509_certificate_net_log_param.h" 100 #include "net/cert/x509_certificate_net_log_param.h"
100 #include "net/cert/x509_util.h" 101 #include "net/cert/x509_util.h"
101 #include "net/http/transport_security_state.h" 102 #include "net/http/transport_security_state.h"
102 #include "net/ocsp/nss_ocsp.h" 103 #include "net/ocsp/nss_ocsp.h"
103 #include "net/socket/client_socket_handle.h" 104 #include "net/socket/client_socket_handle.h"
104 #include "net/socket/nss_ssl_util.h" 105 #include "net/socket/nss_ssl_util.h"
105 #include "net/socket/ssl_error_params.h" 106 #include "net/socket/ssl_error_params.h"
(...skipping 3368 matching lines...) Expand 10 before | Expand all | Expand 10 after
3474 if (!cert_transparency_verifier_) 3475 if (!cert_transparency_verifier_)
3475 return; 3476 return;
3476 3477
3477 // Note that this is a completely synchronous operation: The CT Log Verifier 3478 // Note that this is a completely synchronous operation: The CT Log Verifier
3478 // gets all the data it needs for SCT verification and does not do any 3479 // gets all the data it needs for SCT verification and does not do any
3479 // external communication. 3480 // external communication.
3480 int result = cert_transparency_verifier_->Verify( 3481 int result = cert_transparency_verifier_->Verify(
3481 server_cert_verify_result_.verified_cert, 3482 server_cert_verify_result_.verified_cert,
3482 std::string(), // SCT list from OCSP response 3483 std::string(), // SCT list from OCSP response
3483 std::string(), // SCT list from TLS extension 3484 std::string(), // SCT list from TLS extension
3484 &ct_verify_result_); 3485 &ct_verify_result_,
3486 net_log_);
3485 3487
3486 VLOG(1) << "CT Verification complete: result " << result 3488 VLOG(1) << "CT Verification complete: result " << result
3487 << " Unverified scts: " << ct_verify_result_.unverified_scts.size() 3489 << " Unverified scts: " << ct_verify_result_.unverified_scts.size()
3488 << " Verified scts: " << ct_verify_result_.verified_scts.size() 3490 << " Verified scts: " << ct_verify_result_.verified_scts.size()
3489 << " scts from unknown logs: " 3491 << " scts from unknown logs: "
3490 << ct_verify_result_.unknown_logs_scts.size(); 3492 << ct_verify_result_.unknown_logs_scts.size();
3491 3493
3494 NetLog::ParametersCallback net_log_callback =
3495 base::Bind(&NetLogSignedCertificateTimestampCallback,
3496 &ct_verify_result_);
3497
3498 net_log_.AddEvent(
3499 NetLog::TYPE_SSL_SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED,
wtc 2013/11/27 16:00:58 1. I think this event should be added inside the c
Eran M. (Google) 2013/11/27 22:08:50 1. Done. 2. Yes, I want to distinct "verified val
3500 net_log_callback);
3492 if (!ct_verify_result_.unverified_scts.empty() || 3501 if (!ct_verify_result_.unverified_scts.empty() ||
3493 !ct_verify_result_.unknown_logs_scts.empty() || 3502 !ct_verify_result_.unknown_logs_scts.empty() ||
3494 !ct_verify_result_.verified_scts.empty()) { 3503 !ct_verify_result_.verified_scts.empty()) {
3504
wtc 2013/11/27 16:00:58 Nit: delete this blank line. I would also add a b
Eran M. (Google) 2013/11/27 22:08:50 Done.
3495 // Saving CT state in cert_status bits, in addition to the SCTs themselves 3505 // Saving CT state in cert_status bits, in addition to the SCTs themselves
3496 // (which will be threaded into the SSLInfo, as well as into the HTTP 3506 // (which will be threaded into the SSLInfo, as well as into the HTTP
3497 // cache). 3507 // cache).
3498 // This persists the CT status and simplifies UI code for figuring out 3508 // This persists the CT status and simplifies UI code for figuring out
3499 // the right CT info to display. 3509 // the right CT info to display.
3500 int ct_state; 3510 int ct_state;
3501 if (!ct_verify_result_.verified_scts.empty() && result == OK) 3511 if (!ct_verify_result_.verified_scts.empty() && result == OK)
3502 ct_state = CERT_TRANSPARENCY_SCT_VALIDATED_OK; 3512 ct_state = CERT_TRANSPARENCY_SCT_VALIDATED_OK;
3503 else if (!ct_verify_result_.unverified_scts.empty()) 3513 else if (!ct_verify_result_.unverified_scts.empty())
3504 ct_state = CERT_TRANSPARENCY_SCT_FAILED_VALIDATION; 3514 ct_state = CERT_TRANSPARENCY_SCT_FAILED_VALIDATION;
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
3548 EnsureThreadIdAssigned(); 3558 EnsureThreadIdAssigned();
3549 base::AutoLock auto_lock(lock_); 3559 base::AutoLock auto_lock(lock_);
3550 return valid_thread_id_ == base::PlatformThread::CurrentId(); 3560 return valid_thread_id_ == base::PlatformThread::CurrentId();
3551 } 3561 }
3552 3562
3553 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { 3563 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3554 return server_bound_cert_service_; 3564 return server_bound_cert_service_;
3555 } 3565 }
3556 3566
3557 } // namespace net 3567 } // namespace net
OLDNEW
« net/cert/multi_log_ct_verifier.cc ('K') | « net/net.gyp ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698