Extract Certificate Transparency SCTs from stapled OCSP responses

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 75 matching lines @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_objects_extractor.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
@@ skipping 305 matching lines @@
   HandshakeState() { Reset(); }
 
   void Reset() {
     next_proto_status = SSLClientSocket::kNextProtoUnsupported;
     next_proto.clear();
     server_protos.clear();
     channel_id_sent = false;
     server_cert_chain.Reset(NULL);
     server_cert = NULL;
     sct_list_from_tls_extension.clear();
+    sct_list_from_ocsp_stapling.clear();
     resumed_handshake = false;
     ssl_connection_status = 0;
   }
 
   // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
   // negotiated protocol stored in |next_proto|.
   SSLClientSocket::NextProtoStatus next_proto_status;
   std::string next_proto;
   // If the server supports NPN, the protocols supported by the server.
   std::string server_protos;
@@ skipping 11 matching lines @@
   // chain (|server_cert_chain|) and then converted into a platform-specific
   // X509Certificate object (|server_cert|). It's possible for some
   // certificates to be successfully parsed by NSS, and not by the platform
   // libraries (i.e.: when running within a sandbox, different parsing
   // algorithms, etc), so it's not safe to assume that |server_cert| will
   // always be non-NULL.
   PeerCertificateChain server_cert_chain;
   scoped_refptr<X509Certificate> server_cert;
   // SignedCertificateTimestampList received via TLS extension (RFC 6962).
   std::string sct_list_from_tls_extension;
+  // SignedCertificateTimestampList received in a stapled OCSP response
+  // (RFC 6962).
+  std::string sct_list_from_ocsp_stapling;
 
   // True if the current handshake was the result of TLS session resumption.
   bool resumed_handshake;
 
   // The negotiated security parameters (TLS version, cipher, extensions) of
   // the SSL connection.
   int ssl_connection_status;
 };
 
 // Client-side error mapping functions.
@@ skipping 291 matching lines @@
   // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and
   // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success
   // and an error code otherwise.
   // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
   // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller
   // takes ownership of the |*cert| and |*key|.
   int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key);
 
   // Updates the NSS and platform specific certificates.
   void UpdateServerCert();
-  // Update the nss_handshake_state_ with SignedCertificateTimestampLists
-  // received in the handshake, via a TLS extension or (to be implemented)
-  // OCSP stapling.
+  // Update the nss_handshake_state_ with the SignedCertificateTimestampList
+  // received in the handshake via a TLS extension.
   void UpdateSignedCertTimestamps();
+#ifdef SSL_ENABLE_OCSP_STAPLING

[Ryan Sleevi, 2013/12/03 21:03:18]

1) This should be #if defined
2) We shouldn't be using an ifdef here, because this will always be true given
our build time requirements (NSS 3.14.3+, but always using our own libssl)

[wtc, 2013/12/03 21:04:25]

Nit: can you take the opportunity to remove all #ifdef SSL_ENABLE_OCSP_STAPLING
from this file?

We used to be careful about that, so that we can compile this file against an
older version of the system NSS SSL library. But we no longer support that.

[ekasper, 2013/12/04 19:25:15]

Done.

+  // Update the OCSP response cache with the stapled response received in the
+  // handshake, and update nss_handshake_state_ with
+  // the SignedCertificateTimestampList received in the stapled OCSP response.
+  void UpdateStapledOCSPResponse();
+#endif
   // Updates the nss_handshake_state_ with the negotiated security parameters.
   void UpdateConnectionStatus();
   // Record histograms for channel id support during full handshakes - resumed
   // handshakes are ignored.
   void RecordChannelIDSupportOnNSSTaskRunner();
   // UpdateNextProto gets any application-layer protocol that may have been
   // negotiated by the TLS connection.
   void UpdateNextProto();
 
   ////////////////////////////////////////////////////////////////////////////
@@ skipping 879 matching lines @@
   SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
   if (rv == SECSuccess && last_handshake_resumed) {
     nss_handshake_state_.resumed_handshake = true;
   } else {
     nss_handshake_state_.resumed_handshake = false;
   }
 
   RecordChannelIDSupportOnNSSTaskRunner();
   UpdateServerCert();
   UpdateSignedCertTimestamps();
+#ifdef SSL_ENABLE_OCSP_STAPLING
+  UpdateStapledOCSPResponse();
+#endif
   UpdateConnectionStatus();
   UpdateNextProto();
 
   // Update the network task runners view of the handshake state whenever
   // a handshake has completed.
   PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
                             nss_handshake_state_));
 }
 
@@ skipping 151 matching lines @@
     // so that we won't try to resume the non-client-authenticated session in
     // the next handshake.  This will cause the server to ask for a client
     // cert again.
     if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess)
       LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
   } else if (rv == SECSuccess) {
     if (!handshake_callback_called_) {
       false_started_ = true;
       HandshakeSucceeded();
     }
-
-    // TODO(wtc): move this block of code to OwnAuthCertHandler.
-  #if defined(SSL_ENABLE_OCSP_STAPLING)
-    // TODO(agl): figure out how to plumb an OCSP response into the Mac
-    // system library and update IsOCSPStaplingSupported for Mac.
-    if (IsOCSPStaplingSupported()) {
-      const SECItemArray* ocsp_responses =
-          SSL_PeerStapledOCSPResponses(nss_fd_);
-      if (ocsp_responses->len) {
-  #if defined(OS_WIN)
-        if (nss_handshake_state_.server_cert) {
-          CRYPT_DATA_BLOB ocsp_response_blob;
-          ocsp_response_blob.cbData = ocsp_responses->items[0].len;
-          ocsp_response_blob.pbData = ocsp_responses->items[0].data;
-          BOOL ok = CertSetCertificateContextProperty(
-              nss_handshake_state_.server_cert->os_cert_handle(),
-              CERT_OCSP_RESPONSE_PROP_ID,
-              CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
-              &ocsp_response_blob);
-          if (!ok) {
-            VLOG(1) << "Failed to set OCSP response property: "
-                    << GetLastError();
-          }
-        }
-  #elif defined(USE_NSS)
-        CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
-            GetCacheOCSPResponseFromSideChannelFunction();
-
-        cache_ocsp_response(
-            CERT_GetDefaultCertDB(),
-            nss_handshake_state_.server_cert_chain[0], PR_Now(),
-            &ocsp_responses->items[0], NULL);
-  #endif
-      }
-    }
-  #endif
-    // Done!
   } else {
     PRErrorCode prerr = PR_GetError();
     net_error = HandleNSSError(prerr, true);
 
     // Some network devices that inspect application-layer packets seem to
     // inject TCP reset packets to break the connections when they see
     // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
     //
     // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or
     // 1.2. We don't lose much in this fallback because the explicit IV for CBC
@@ skipping 545 matching lines @@
       SSL_PeerSignedCertTimestamps(nss_fd_);
 
   if (!signed_cert_timestamps || !signed_cert_timestamps->len)
     return;
 
   nss_handshake_state_.sct_list_from_tls_extension = std::string(
       reinterpret_cast<char*>(signed_cert_timestamps->data),
       signed_cert_timestamps->len);
 }
 
+#ifdef SSL_ENABLE_OCSP_STAPLING
+void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
+  const SECItemArray* ocsp_responses =
+      SSL_PeerStapledOCSPResponses(nss_fd_);
+  if (!ocsp_responses || !ocsp_responses->len)
+    return;
+
+  if (ssl_config_.signed_cert_timestamps_enabled &&
+      nss_handshake_state_.server_cert) {
+    std::string ocsp_response(
+        reinterpret_cast<char*>(ocsp_responses->items[0].data),
+        ocsp_responses->items[0].len);

[wtc, 2013/12/03 21:04:25]

We are copying an OCSP response here. This seems to argue for changing
ct::ExtractSCTListFromOCSPResponse() to take a base::StringPiece instead of a
std::string as the |ocsp_response| input.

[ekasper, 2013/12/04 19:25:15]

This has changed - I now store the raw response and parse it differently, later
on.

+    ct::ExtractSCTListFromOCSPResponse(
+        nss_handshake_state_.server_cert->os_cert_handle(),
+        ocsp_response,
+        &nss_handshake_state_.sct_list_from_ocsp_stapling);
+  }
+  // TODO(agl): figure out how to plumb an OCSP response into the Mac
+  // system library and update IsOCSPStaplingSupported for Mac.
+  if (IsOCSPStaplingSupported()) {
+  #if defined(OS_WIN)
+    if (nss_handshake_state_.server_cert) {

[wtc, 2013/12/03 21:04:25]

Hmm... I wonder why we check nss_handshake_state_.server_cert for null in the
OS_WIN case but not in the USE_NSS case.

This comes from the original code, so you don't need to deal with this.

[Ryan Sleevi, 2013/12/03 21:07:15]

Because Windows will fail to parse certificates that don't map into Windows
structures (eg: FILETIME date ranges), but NSS will.

http://crbug.com/91341

Also, Chromoting (which doesn't have and can't use CAPI), but did use this code
with pseudotcpsocket

+      CRYPT_DATA_BLOB ocsp_response_blob;
+      ocsp_response_blob.cbData = ocsp_responses->items[0].len;
+      ocsp_response_blob.pbData = ocsp_responses->items[0].data;
+      BOOL ok = CertSetCertificateContextProperty(
+          nss_handshake_state_.server_cert->os_cert_handle(),
+          CERT_OCSP_RESPONSE_PROP_ID,
+          CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
+          &ocsp_response_blob);
+      if (!ok) {
+        VLOG(1) << "Failed to set OCSP response property: "
+                << GetLastError();
+      }
+    }
+  #elif defined(USE_NSS)
+    CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
+        GetCacheOCSPResponseFromSideChannelFunction();
+
+    cache_ocsp_response(
+        CERT_GetDefaultCertDB(),
+        nss_handshake_state_.server_cert_chain[0], PR_Now(),
+        &ocsp_responses->items[0], NULL);
+  #endif
+  }  // IsOCSPStaplingSupported()
+}
+#endif
+
 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
   SSLChannelInfo channel_info;
   SECStatus ok = SSL_GetChannelInfo(nss_fd_,
                                     &channel_info, sizeof(channel_info));
   if (ok == SECSuccess &&
       channel_info.length == sizeof(channel_info) &&
       channel_info.cipherSuite) {
     nss_handshake_state_.ssl_connection_status |=
         (static_cast<int>(channel_info.cipherSuite) &
          SSL_CONNECTION_CIPHERSUITE_MASK) <<
@@ skipping 737 matching lines @@
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
-  if (IsOCSPStaplingSupported()) {
-    rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
-    if (rv != SECSuccess) {
-      LogFailedNSSFunction(net_log_, "SSL_OptionSet",
-                           "SSL_ENABLE_OCSP_STAPLING");
-    }
+  // Request OCSP stapling even on platforms that don't support it, in
+  // order to extract Certificate Transparency information.
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
+                     (IsOCSPStaplingSupported() ||
+                      ssl_config_.signed_cert_timestamps_enabled));
+  if (rv != SECSuccess) {
+    LogFailedNSSFunction(net_log_, "SSL_OptionSet",
+                         "SSL_ENABLE_OCSP_STAPLING");
   }
 #endif
 
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
                      ssl_config_.signed_cert_timestamps_enabled);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet",
                          "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
   }
 
@@ skipping 136 matching lines @@
 int SSLClientSocketNSS::DoHandshakeComplete(int result) {
   EnterFunction(result);
 
   if (result == OK) {
     // SSL handshake is completed. Let's verify the certificate.
     GotoState(STATE_VERIFY_CERT);
     // Done!
   }
   set_channel_id_sent(core_->state().channel_id_sent);
   set_signed_cert_timestamps_received(
-      !core_->state().sct_list_from_tls_extension.empty());
+      !core_->state().sct_list_from_tls_extension.empty() ||
+      !core_->state().sct_list_from_ocsp_stapling.empty());
 
   LeaveFunction(result);
   return result;
 }
 
 int SSLClientSocketNSS::DoVerifyCert(int result) {
   DCHECK(!core_->state().server_cert_chain.empty());
   DCHECK(core_->state().server_cert_chain[0]);
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
@@ skipping 137 matching lines @@
 
 void SSLClientSocketNSS::VerifyCT() {
   if (!cert_transparency_verifier_)
     return;
 
   // Note that this is a completely synchronous operation: The CT Log Verifier
   // gets all the data it needs for SCT verification and does not do any
   // external communication.
   int result = cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert,
-      std::string(), // SCT list from OCSP response
-      std::string(),  // SCT list from TLS extension
+      core_->state().sct_list_from_ocsp_stapling,
+      core_->state().sct_list_from_tls_extension,
       &ct_verify_result_,
       net_log_);
 
   VLOG(1) << "CT Verification complete: result " << result
           << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
           << " Verified scts: " << ct_verify_result_.verified_scts.size()
           << " scts from unknown logs: "
           << ct_verify_result_.unknown_logs_scts.size();
 }
 
@@ skipping 53 matching lines @@
         SignedCertificateTimestampAndStatus(*iter,
                                             ct::SCT_STATUS_LOG_UNKNOWN));
   }
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net