SignedCertificateTimestamp storing & serialization code.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 76 matching lines @@
 #include "net/base/address_list.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_verifier.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
+#include "net/cert/sct_status_flags.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/nss_ssl_util.h"
 #include "net/socket/ssl_error_params.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
@@ skipping 2688 matching lines @@
 bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
   EnterFunction("");
   ssl_info->Reset();
   if (core_->state().server_cert_chain.empty() ||
       !core_->state().server_cert_chain[0]) {
     return false;
   }
 
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->cert = server_cert_verify_result_.verified_cert;
+
+  AddSCTInfoToSSLInfo(ssl_info);
+
   ssl_info->connection_status =
       core_->state().ssl_connection_status;
   ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
   for (HashValueVector::const_iterator i = side_pinned_public_keys_.begin();
        i != side_pinned_public_keys_.end(); ++i) {
     ssl_info->public_key_hashes.push_back(*i);
   }
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->client_cert_sent =
@@ skipping 673 matching lines @@
   // external communication
   return cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert,
       std::string(), // SCT list from OCSP stapling response
       std::string(),  // SCT list from TLS handshake
       &ct_verify_result_);
 }
 
 int SSLClientSocketNSS::DoVerifyCTComplete(int result) {
   VLOG(1) << "CT Verification complete: result " << result
-          << " Unverified scts: " << ct_verify_result_.unverified_scts.size()
+          << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
           << " Verified scts: " << ct_verify_result_.verified_scts.size()
           << " scts from unknown logs: "
           << ct_verify_result_.unknown_logs_scts.size();
 
-  if (!ct_verify_result_.unverified_scts.empty() ||
+  if (!ct_verify_result_.invalid_scts.empty() ||
       !ct_verify_result_.unknown_logs_scts.empty() ||
       !ct_verify_result_.verified_scts.empty()) {
 
     // Saving CT state in cert_status bits, in addition to the SCTs themselves
     // (which will be threaded into the SSLInfo, as well as into the HTTP
     // cache).
     // This persists the CT status and simplifies UI code for figuring out
     // the right CT info to display.
     bool has_verified_scts = !ct_verify_result_.verified_scts.empty() &&
         result == OK;
-    if (has_verified_scts || !ct_verify_result_.unverified_scts.empty()) {
+    if (has_verified_scts || !ct_verify_result_.invalid_scts.empty()) {
       // Found SCTs from a known log.
       server_cert_verify_result_.cert_status =
         CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG;
       if (has_verified_scts) {
         server_cert_verify_result_.cert_status |= CERT_STATUS_HAS_GOOD_SCT;
       }
     } else {
       DCHECK(!ct_verify_result_.unknown_logs_scts.empty());
       // When this bit is set but CERT_STATUS_HAS_SCT_FROM_KNOWN_LOG isn't
       // that implies SCTs from unknown logs.
@@ skipping 36 matching lines @@
     return;
   valid_thread_id_ = base::PlatformThread::CurrentId();
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
+void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
+  for (ct::SCTList::const_iterator iter =
+       ct_verify_result_.verified_scts.begin();
+       iter != ct_verify_result_.verified_scts.end(); ++iter) {
+    ssl_info->signed_certificate_timestamps.push_back(
+        SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_OK));
+  }
+  for (ct::SCTList::const_iterator iter =
+       ct_verify_result_.invalid_scts.begin();
+       iter != ct_verify_result_.invalid_scts.end(); ++iter) {
+    ssl_info->signed_certificate_timestamps.push_back(
+        SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_INVALID));
+  }
+  for (ct::SCTList::const_iterator iter =
+       ct_verify_result_.unknown_logs_scts.begin();
+       iter != ct_verify_result_.unknown_logs_scts.end(); ++iter) {
+    ssl_info->signed_certificate_timestamps.push_back(
+        SignedCertificateTimestampAndStatus(*iter,
+                                            ct::SCT_STATUS_LOG_UNKNOWN));
+  }
+}
+
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net