Extract Certificate Transparency SCTs from stapled OCSP responses

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 75 matching lines @@
 #include "crypto/scoped_nss_types.h"
 #include "net/base/address_list.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_objects_extractor.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/single_request_cert_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util.h"
 #include "net/http/transport_security_state.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/socket/client_socket_handle.h"
@@ skipping 305 matching lines @@
   HandshakeState() { Reset(); }
 
   void Reset() {
     next_proto_status = SSLClientSocket::kNextProtoUnsupported;
     next_proto.clear();
     server_protos.clear();
     channel_id_sent = false;
     server_cert_chain.Reset(NULL);
     server_cert = NULL;
     sct_list_from_tls_extension.clear();
+    stapled_ocsp_response.clear();
     resumed_handshake = false;
     ssl_connection_status = 0;
   }
 
   // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
   // negotiated protocol stored in |next_proto|.
   SSLClientSocket::NextProtoStatus next_proto_status;
   std::string next_proto;
   // If the server supports NPN, the protocols supported by the server.
   std::string server_protos;
@@ skipping 11 matching lines @@
   // chain (|server_cert_chain|) and then converted into a platform-specific
   // X509Certificate object (|server_cert|). It's possible for some
   // certificates to be successfully parsed by NSS, and not by the platform
   // libraries (i.e.: when running within a sandbox, different parsing
   // algorithms, etc), so it's not safe to assume that |server_cert| will
   // always be non-NULL.
   PeerCertificateChain server_cert_chain;
   scoped_refptr<X509Certificate> server_cert;
   // SignedCertificateTimestampList received via TLS extension (RFC 6962).
   std::string sct_list_from_tls_extension;
+  // Stapled OCSP response received.
+  std::string stapled_ocsp_response;
 
   // True if the current handshake was the result of TLS session resumption.
   bool resumed_handshake;
 
   // The negotiated security parameters (TLS version, cipher, extensions) of
   // the SSL connection.
   int ssl_connection_status;
 };
 
 // Client-side error mapping functions.
@@ skipping 291 matching lines @@
   // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and
   // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success
   // and an error code otherwise.
   // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
   // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller
   // takes ownership of the |*cert| and |*key|.
   int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key);
 
   // Updates the NSS and platform specific certificates.
   void UpdateServerCert();
-  // Update the nss_handshake_state_ with SignedCertificateTimestampLists
-  // received in the handshake, via a TLS extension or (to be implemented)
-  // OCSP stapling.
+  // Update the nss_handshake_state_ with the SignedCertificateTimestampList
+  // received in the handshake via a TLS extension.
   void UpdateSignedCertTimestamps();
+  // Update the OCSP response cache with the stapled response received in the
+  // handshake, and update nss_handshake_state_ with
+  // the SignedCertificateTimestampList received in the stapled OCSP response.
+  void UpdateStapledOCSPResponse();
   // Updates the nss_handshake_state_ with the negotiated security parameters.
   void UpdateConnectionStatus();
   // Record histograms for channel id support during full handshakes - resumed
   // handshakes are ignored.
   void RecordChannelIDSupportOnNSSTaskRunner();
   // UpdateNextProto gets any application-layer protocol that may have been
   // negotiated by the TLS connection.
   void UpdateNextProto();
 
   ////////////////////////////////////////////////////////////////////////////
@@ skipping 879 matching lines @@
   SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
   if (rv == SECSuccess && last_handshake_resumed) {
     nss_handshake_state_.resumed_handshake = true;
   } else {
     nss_handshake_state_.resumed_handshake = false;
   }
 
   RecordChannelIDSupportOnNSSTaskRunner();
   UpdateServerCert();
   UpdateSignedCertTimestamps();
+  UpdateStapledOCSPResponse();
   UpdateConnectionStatus();
   UpdateNextProto();
 
   // Update the network task runners view of the handshake state whenever
   // a handshake has completed.
   PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
                             nss_handshake_state_));
 }
 
@@ skipping 151 matching lines @@
     // so that we won't try to resume the non-client-authenticated session in
     // the next handshake.  This will cause the server to ask for a client
     // cert again.
     if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess)
       LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
   } else if (rv == SECSuccess) {
     if (!handshake_callback_called_) {
       false_started_ = true;
       HandshakeSucceeded();
     }
-
-    // TODO(wtc): move this block of code to OwnAuthCertHandler.
-  #if defined(SSL_ENABLE_OCSP_STAPLING)
-    // TODO(agl): figure out how to plumb an OCSP response into the Mac
-    // system library and update IsOCSPStaplingSupported for Mac.
-    if (IsOCSPStaplingSupported()) {
-      const SECItemArray* ocsp_responses =
-          SSL_PeerStapledOCSPResponses(nss_fd_);
-      if (ocsp_responses->len) {
-  #if defined(OS_WIN)
-        if (nss_handshake_state_.server_cert) {
-          CRYPT_DATA_BLOB ocsp_response_blob;
-          ocsp_response_blob.cbData = ocsp_responses->items[0].len;
-          ocsp_response_blob.pbData = ocsp_responses->items[0].data;
-          BOOL ok = CertSetCertificateContextProperty(
-              nss_handshake_state_.server_cert->os_cert_handle(),
-              CERT_OCSP_RESPONSE_PROP_ID,
-              CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
-              &ocsp_response_blob);
-          if (!ok) {
-            VLOG(1) << "Failed to set OCSP response property: "
-                    << GetLastError();
-          }
-        }
-  #elif defined(USE_NSS)
-        CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
-            GetCacheOCSPResponseFromSideChannelFunction();
-
-        cache_ocsp_response(
-            CERT_GetDefaultCertDB(),
-            nss_handshake_state_.server_cert_chain[0], PR_Now(),
-            &ocsp_responses->items[0], NULL);
-  #endif
-      }
-    }
-  #endif
-    // Done!
   } else {
     PRErrorCode prerr = PR_GetError();
     net_error = HandleNSSError(prerr, true);
 
     // Some network devices that inspect application-layer packets seem to
     // inject TCP reset packets to break the connections when they see
     // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
     //
     // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or
     // 1.2. We don't lose much in this fallback because the explicit IV for CBC
@@ skipping 545 matching lines @@
       SSL_PeerSignedCertTimestamps(nss_fd_);
 
   if (!signed_cert_timestamps || !signed_cert_timestamps->len)
     return;
 
   nss_handshake_state_.sct_list_from_tls_extension = std::string(
       reinterpret_cast<char*>(signed_cert_timestamps->data),
       signed_cert_timestamps->len);
 }
 
+void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
+  const SECItemArray* ocsp_responses =
+      SSL_PeerStapledOCSPResponses(nss_fd_);
+  if (!ocsp_responses || !ocsp_responses->len)
+    return;
+
+  nss_handshake_state_.stapled_ocsp_response = std::string(
+      reinterpret_cast<char*>(ocsp_responses->items[0].data),
+      ocsp_responses->items[0].len);
+
+  // TODO(agl): figure out how to plumb an OCSP response into the Mac
+  // system library and update IsOCSPStaplingSupported for Mac.
+  if (IsOCSPStaplingSupported()) {
+  #if defined(OS_WIN)
+    if (nss_handshake_state_.server_cert) {
+      CRYPT_DATA_BLOB ocsp_response_blob;
+      ocsp_response_blob.cbData = ocsp_responses->items[0].len;
+      ocsp_response_blob.pbData = ocsp_responses->items[0].data;
+      BOOL ok = CertSetCertificateContextProperty(
+          nss_handshake_state_.server_cert->os_cert_handle(),
+          CERT_OCSP_RESPONSE_PROP_ID,
+          CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
+          &ocsp_response_blob);
+      if (!ok) {
+        VLOG(1) << "Failed to set OCSP response property: "
+                << GetLastError();
+      }
+    }
+  #elif defined(USE_NSS)
+    CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
+        GetCacheOCSPResponseFromSideChannelFunction();
+
+    cache_ocsp_response(
+        CERT_GetDefaultCertDB(),
+        nss_handshake_state_.server_cert_chain[0], PR_Now(),
+        &ocsp_responses->items[0], NULL);
+  #endif
+  }  // IsOCSPStaplingSupported()
+}
+
 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
   SSLChannelInfo channel_info;
   SECStatus ok = SSL_GetChannelInfo(nss_fd_,
                                     &channel_info, sizeof(channel_info));
   if (ok == SECSuccess &&
       channel_info.length == sizeof(channel_info) &&
       channel_info.cipherSuite) {
     nss_handshake_state_.ssl_connection_status |=
         (static_cast<int>(channel_info.cipherSuite) &
          SSL_CONNECTION_CIPHERSUITE_MASK) <<
@@ skipping 746 matching lines @@
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
-  if (IsOCSPStaplingSupported()) {
-    rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
-    if (rv != SECSuccess) {
-      LogFailedNSSFunction(net_log_, "SSL_OptionSet",
-                           "SSL_ENABLE_OCSP_STAPLING");
-    }
+  // Request OCSP stapling even on platforms that don't support it, in
+  // order to extract Certificate Transparency information.
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
+                     (IsOCSPStaplingSupported() ||
+                      ssl_config_.signed_cert_timestamps_enabled));
+  if (rv != SECSuccess) {
+    LogFailedNSSFunction(net_log_, "SSL_OptionSet",
+                         "SSL_ENABLE_OCSP_STAPLING");
   }
 #endif
 
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
                      ssl_config_.signed_cert_timestamps_enabled);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet",
                          "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
   }
 
@@ skipping 137 matching lines @@
   EnterFunction(result);
 
   if (result == OK) {
     // SSL handshake is completed. Let's verify the certificate.
     GotoState(STATE_VERIFY_CERT);
     // Done!
   }
   set_channel_id_sent(core_->state().channel_id_sent);
   set_signed_cert_timestamps_received(
       !core_->state().sct_list_from_tls_extension.empty());
+  set_stapled_ocsp_response_received(
+      !core_->state().stapled_ocsp_response.empty());
 
   LeaveFunction(result);
   return result;
 }
 
 int SSLClientSocketNSS::DoVerifyCert(int result) {
   DCHECK(!core_->state().server_cert_chain.empty());
   DCHECK(core_->state().server_cert_chain[0]);
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
@@ skipping 137 matching lines @@
 
 void SSLClientSocketNSS::VerifyCT() {
   if (!cert_transparency_verifier_)
     return;
 
   // Note that this is a completely synchronous operation: The CT Log Verifier
   // gets all the data it needs for SCT verification and does not do any
   // external communication.
   int result = cert_transparency_verifier_->Verify(
       server_cert_verify_result_.verified_cert,
-      std::string(), // SCT list from OCSP response
+      core_->state().stapled_ocsp_response,
       core_->state().sct_list_from_tls_extension,
       &ct_verify_result_,
       net_log_);
+  // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
+  // from the state after verification is complete, to conserve memory.
 
   VLOG(1) << "CT Verification complete: result " << result
           << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
           << " Verified scts: " << ct_verify_result_.verified_scts.size()
           << " scts from unknown logs: "
           << ct_verify_result_.unknown_logs_scts.size();
 }
 
 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
   UpdateConnectionTypeHistograms(CONNECTION_SSL);
@@ skipping 51 matching lines @@
         SignedCertificateTimestampAndStatus(*iter,
                                             ct::SCT_STATUS_LOG_UNKNOWN));
   }
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net