net/cert/multi_log_ct_verifier.cc - Issue 86503002: Certificate Transparency: Logging SCTs to the NetLog.

Side by Side Diff: net/cert/multi_log_ct_verifier.cc

Issue 86503002: Certificate Transparency: Logging SCTs to the NetLog. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Address *all* comments Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

« net/cert/ct_signed_certificate_timestamp_log_param.cc ('K') | « net/cert/multi_log_ct_verifier.h ('k') | net/cert/multi_log_ct_verifier_unittest.cc » ('j') | net/cert/multi_log_ct_verifier_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/multi_log_ct_verifier.h"	5 #include "net/cert/multi_log_ct_verifier.h"

6	6

	7 #include "base/bind.h"

	8 #include "base/callback_helpers.h"

7 #include "net/base/net_errors.h"	9 #include "net/base/net_errors.h"

	10 #include "net/base/net_log.h"

8 #include "net/cert/ct_log_verifier.h"	11 #include "net/cert/ct_log_verifier.h"

9 #include "net/cert/ct_objects_extractor.h"	12 #include "net/cert/ct_objects_extractor.h"

10 #include "net/cert/ct_serialization.h"	13 #include "net/cert/ct_serialization.h"

	14 #include "net/cert/ct_signed_certificate_timestamp_log_param.h"

11 #include "net/cert/ct_verify_result.h"	15 #include "net/cert/ct_verify_result.h"

12 #include "net/cert/x509_certificate.h"	16 #include "net/cert/x509_certificate.h"

13	17

14 namespace net {	18 namespace net {

15	19

16 MultiLogCTVerifier::MultiLogCTVerifier() { }	20 MultiLogCTVerifier::MultiLogCTVerifier() { }

17	21

18 MultiLogCTVerifier::~MultiLogCTVerifier() { }	22 MultiLogCTVerifier::~MultiLogCTVerifier() { }

19	23

20 void MultiLogCTVerifier::AddLog(scoped_ptr<CTLogVerifier> log_verifier) {	24 void MultiLogCTVerifier::AddLog(scoped_ptr<CTLogVerifier> log_verifier) {

21 DCHECK(log_verifier);	25 DCHECK(log_verifier);

22 if (!log_verifier)	26 if (!log_verifier)

23 return;	27 return;

24	28

25 linked_ptr<CTLogVerifier> log(log_verifier.release());	29 linked_ptr<CTLogVerifier> log(log_verifier.release());

26 logs_[log->key_id()] = log;	30 logs_[log->key_id()] = log;

27 }	31 }

28	32

29 int MultiLogCTVerifier::Verify(	33 int MultiLogCTVerifier::Verify(

30 X509Certificate* cert,	34 X509Certificate* cert,

31 const std::string& sct_list_from_ocsp,	35 const std::string& sct_list_from_ocsp,

32 const std::string& sct_list_from_tls_extension,	36 const std::string& sct_list_from_tls_extension,

33 ct::CTVerifyResult* result) {	37 ct::CTVerifyResult* result,

	38 const BoundNetLog& net_log) {

34 DCHECK(cert);	39 DCHECK(cert);

35 DCHECK(result);	40 DCHECK(result);

36	41

37 result->verified_scts.clear();	42 result->verified_scts.clear();

38 result->unverified_scts.clear();	43 result->unverified_scts.clear();

39 result->unknown_logs_scts.clear();	44 result->unknown_logs_scts.clear();

40	45

41 bool has_verified_scts = false;	46 bool has_verified_scts = false;

42	47

43 std::string embedded_scts;	48 std::string embedded_scts;

44 if (!cert->GetIntermediateCertificates().empty() &&	49 if (!cert->GetIntermediateCertificates().empty() &&

45 ct::ExtractEmbeddedSCTList(	50 ct::ExtractEmbeddedSCTList(

46 cert->os_cert_handle(),	51 cert->os_cert_handle(),

47 &embedded_scts)) {	52 &embedded_scts)) {

48 ct::LogEntry precert_entry;	53 ct::LogEntry precert_entry;

49	54

50 has_verified_scts =	55 has_verified_scts =

51 ct::GetPrecertLogEntry(	56 ct::GetPrecertLogEntry(

52 cert->os_cert_handle(),	57 cert->os_cert_handle(),

53 cert->GetIntermediateCertificates().front(),	58 cert->GetIntermediateCertificates().front(),

54 &precert_entry) &&	59 &precert_entry) &&

55 VerifySCTs(	60 VerifySCTs(

56 embedded_scts,	61 embedded_scts,

57 precert_entry,	62 precert_entry,

58 ct::SignedCertificateTimestamp::SCT_EMBEDDED,	63 ct::SignedCertificateTimestamp::SCT_EMBEDDED,

59 result);	64 result);

60 }	65 }

61	66

	67 // Log to Net Log here, after extracting embedded SCTs but before
	eroman 2013/11/27 22:33:46 nit: Remove "here," nit: Remove "here," Eran M. (Google) 2013/11/29 11:14:44 Done. Show quoted text On 2013/11/27 22:33:46, eroman wrote: > nit: Remove "here," Done.
	68 // possibly failing on X.509 entry creation.

	69 NetLog::ParametersCallback net_log_callback =

	70 base::Bind(&NetLogRawSignedCertificateTimestampCallback,
	eroman 2013/11/27 22:33:46 style: Indent continued lines by 4. style: Indent continued lines by 4. Eran M. (Google) 2013/11/29 11:14:44 Done. Show quoted text On 2013/11/27 22:33:46, eroman wrote: > style: Indent continued lines by 4. Done. Eran M. (Google) 2013/11/29 11:14:44 Done. Show quoted text On 2013/11/27 22:33:46, eroman wrote: > style: Indent continued lines by 4. Done.
	71 &embedded_scts, &sct_list_from_ocsp, &sct_list_from_tls_extension);

	72

	73 net_log.AddEvent(

	74 NetLog::TYPE_SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED,

	75 net_log_callback);

	76

62 ct::LogEntry x509_entry;	77 ct::LogEntry x509_entry;

63 if (!ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry))	78 if (ct::GetX509LogEntry(cert->os_cert_handle(), &x509_entry)) {

64 return has_verified_scts ? OK : ERR_FAILED;	79 has_verified_scts \|= VerifySCTs(

	80 sct_list_from_ocsp,

	81 x509_entry,

	82 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,

	83 result);

65	84

66 has_verified_scts \|= VerifySCTs(	85 has_verified_scts \|= VerifySCTs(

67 sct_list_from_ocsp,	86 sct_list_from_tls_extension,

68 x509_entry,	87 x509_entry,

69 ct::SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,	88 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,

70 result);	89 result);

	90 }

71	91

72 has_verified_scts \|= VerifySCTs(	92 NetLog::ParametersCallback net_log_checked_callback =

73 sct_list_from_tls_extension,	93 base::Bind(&NetLogSignedCertificateTimestampCallback, result);
	eroman 2013/11/27 22:33:46 indent continued lines by 4. indent continued lines by 4. Eran M. (Google) 2013/11/29 11:14:44 Done. Show quoted text On 2013/11/27 22:33:46, eroman wrote: > indent continued lines by 4. Done.
74 x509_entry,	94

75 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,	95 net_log.AddEvent(

76 result);	96 NetLog::TYPE_SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED,

	97 net_log_checked_callback);

77	98

78 if (has_verified_scts)	99 if (has_verified_scts)

79 return OK;	100 return OK;

80	101

81 return ERR_FAILED;	102 return ERR_FAILED;

82 }	103 }

83	104

84 bool MultiLogCTVerifier::VerifySCTs(	105 bool MultiLogCTVerifier::VerifySCTs(

85 const std::string& encoded_sct_list,	106 const std::string& encoded_sct_list,

86 const ct::LogEntry& expected_entry,	107 const ct::LogEntry& expected_entry,

(...skipping 50 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
137 DVLOG(1) << "SCT is from the future!";	158 DVLOG(1) << "SCT is from the future!";

138 result->unverified_scts.push_back(sct);	159 result->unverified_scts.push_back(sct);

139 return false;	160 return false;

140 }	161 }

141	162

142 result->verified_scts.push_back(sct);	163 result->verified_scts.push_back(sct);

143 return true;	164 return true;

144 }	165 }

145	166

146 } // namespace net	167 } // namespace net

OLD	NEW