net/cert/ct_objects_extractor_nss.cc - Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses

Side by Side Diff: net/cert/ct_objects_extractor_nss.cc

Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extract_scts

Patch Set: review comments Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/ct_objects_extractor.h"	5 #include "net/cert/ct_objects_extractor.h"

6	6

7 #include <cert.h>	7 #include <cert.h>

8 #include <secasn1.h>	8 #include <secasn1.h>

9 #include <secitem.h>	9 #include <secitem.h>

10 #include <secoid.h>	10 #include <secoid.h>

(...skipping 251 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
262 std::string encoded;	262 std::string encoded;

263 if (!X509Certificate::GetDEREncoded(leaf, &encoded))	263 if (!X509Certificate::GetDEREncoded(leaf, &encoded))

264 return false;	264 return false;

265	265

266 result->Reset();	266 result->Reset();

267 result->type = ct::LogEntry::LOG_ENTRY_TYPE_X509;	267 result->type = ct::LogEntry::LOG_ENTRY_TYPE_X509;

268 result->leaf_certificate.swap(encoded);	268 result->leaf_certificate.swap(encoded);

269 return true;	269 return true;

270 }	270 }

271	271

	272 bool ExtractSCTListFromOCSPResponse(X509Certificate::OSCertHandle leaf,

	273 const std::string& ocsp_response,

	274 std::string* sct_list) {

	275 DCHECK(leaf);

	276 NSSCertWrapper leaf_cert(leaf);
	wtc 2013/12/03 21:04:25 Nit: this is an expensive way to get the serial nu Nit: this is an expensive way to get the serial number from the OSCertHandle \|leaf\|. NSSCertWrapper will not only decode the certificate but also add it to NSS's internal hash tables of certificates. This is OK for now. You can consider copying the first few lines of code from SeekToSPKI in net/cert/asn1_util.cc. (X509Certificate::GetDEREncoded can be used to get the DER-encoded certificate.) Also, if you actually have an X509Certificate object, you can use the serial_number() getter method. Update: I found that the two callers of this function (the unit test and ssl_client_socket_nss.cc) have an X509Certificate object. So I suggest that you change this function to take \|cert_serial_number\| instead of \|leaf\| as input, and change the callers to pass X509Certificate::serial_number() to this function. However, having \|leaf\| gives us more flexibility because we will be able to get the issuer from \|leaf\| for more accurate matching. ekasper 2013/12/04 19:25:15 I wasn't really thinking what I was doing :/ I've Show quoted text On 2013/12/03 21:04:25, wtc wrote: > > Nit: this is an expensive way to get the serial number from the OSCertHandle > \|leaf\|. NSSCertWrapper will not only decode the certificate but also add it to > NSS's internal hash tables of certificates. > > This is OK for now. You can consider copying the first few lines of code from > SeekToSPKI in net/cert/asn1_util.cc. (X509Certificate::GetDEREncoded can be used > to get the DER-encoded certificate.) Also, if you actually have an > X509Certificate object, you can use the serial_number() getter method. > > Update: I found that the two callers of this function (the unit test and > ssl_client_socket_nss.cc) have an X509Certificate object. So I suggest that you > change this function to take \|cert_serial_number\| instead of \|leaf\| as input, > and change the callers to pass X509Certificate::serial_number() to this > function. > > However, having \|leaf\| gives us more flexibility because we will be able to get > the issuer from \|leaf\| for more accurate matching. I wasn't really thinking what I was doing :/ I've changed it to take a serial number and, separately, an issuer.
	277 sct_list->clear();

	278 base::StringPiece serial_number = base::StringPiece(

	279 reinterpret_cast<char*>(leaf_cert.cert->serialNumber.data),

	280 leaf_cert.cert->serialNumber.len);

	281 base::StringPiece sct_list_out;

	282 if (!asn1::ExtractSCTExtensionFromOCSPResponse(ocsp_response,
	Ryan Sleevi 2013/12/03 21:03:18 We should be using the NSS ASN.1 functions for thi We should be using the NSS ASN.1 functions for this. ekasper 2013/12/04 19:25:15 Done... Show quoted text On 2013/12/03 21:03:18, Ryan Sleevi wrote: > We should be using the NSS ASN.1 functions for this. Done...
	283 serial_number,

	284 &sct_list_out))

	285 return false;
	wtc 2013/12/03 21:04:25 Nit: add curly braces. Nit: add curly braces.
	286

	287 *sct_list = sct_list_out.as_string();

	288 return true;

	289 }

	290

272 } // namespace ct	291 } // namespace ct

273	292

274 } // namespace net	293 } // namespace net

OLD	NEW

« net/cert/ct_objects_extractor.h ('K') | « net/cert/ct_objects_extractor.h ('k') | net/cert/ct_objects_extractor_openssl.cc » ('j') | net/socket/ssl_client_socket_nss.cc » ('J')