Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(402)

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 92443002: Extract Certificate Transparency SCTs from stapled OCSP responses (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@extract_scts
Patch Set: Fix C++11 compile error Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/socket/ssl_client_socket.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 081596237ae76923ab97bd97bb48a8df8876bf7a..dbf64afad1ded2566bd92f598b5bef87e8f44fde 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -93,6 +93,7 @@
#include "net/cert/asn1_util.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verifier.h"
+#include "net/cert/ct_objects_extractor.h"
#include "net/cert/ct_verifier.h"
#include "net/cert/ct_verify_result.h"
#include "net/cert/scoped_nss_types.h"
@@ -418,6 +419,7 @@ struct HandshakeState {
server_cert_chain.Reset(NULL);
server_cert = NULL;
sct_list_from_tls_extension.clear();
+ stapled_ocsp_response.clear();
resumed_handshake = false;
ssl_connection_status = 0;
}
@@ -449,6 +451,8 @@ struct HandshakeState {
scoped_refptr<X509Certificate> server_cert;
// SignedCertificateTimestampList received via TLS extension (RFC 6962).
std::string sct_list_from_tls_extension;
+ // Stapled OCSP response received.
+ std::string stapled_ocsp_response;
// True if the current handshake was the result of TLS session resumption.
bool resumed_handshake;
@@ -760,10 +764,13 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
// Updates the NSS and platform specific certificates.
void UpdateServerCert();
- // Update the nss_handshake_state_ with SignedCertificateTimestampLists
- // received in the handshake, via a TLS extension or (to be implemented)
- // OCSP stapling.
+ // Update the nss_handshake_state_ with the SignedCertificateTimestampList
+ // received in the handshake via a TLS extension.
void UpdateSignedCertTimestamps();
+ // Update the OCSP response cache with the stapled response received in the
+ // handshake, and update nss_handshake_state_ with
+ // the SignedCertificateTimestampList received in the stapled OCSP response.
+ void UpdateStapledOCSPResponse();
// Updates the nss_handshake_state_ with the negotiated security parameters.
void UpdateConnectionStatus();
// Record histograms for channel id support during full handshakes - resumed
@@ -1663,6 +1670,7 @@ void SSLClientSocketNSS::Core::HandshakeSucceeded() {
RecordChannelIDSupportOnNSSTaskRunner();
UpdateServerCert();
UpdateSignedCertTimestamps();
+ UpdateStapledOCSPResponse();
UpdateConnectionStatus();
UpdateNextProto();
@@ -1834,43 +1842,6 @@ int SSLClientSocketNSS::Core::DoHandshake() {
false_started_ = true;
HandshakeSucceeded();
}
-
- // TODO(wtc): move this block of code to OwnAuthCertHandler.
- #if defined(SSL_ENABLE_OCSP_STAPLING)
- // TODO(agl): figure out how to plumb an OCSP response into the Mac
- // system library and update IsOCSPStaplingSupported for Mac.
- if (IsOCSPStaplingSupported()) {
- const SECItemArray* ocsp_responses =
- SSL_PeerStapledOCSPResponses(nss_fd_);
- if (ocsp_responses->len) {
- #if defined(OS_WIN)
- if (nss_handshake_state_.server_cert) {
- CRYPT_DATA_BLOB ocsp_response_blob;
- ocsp_response_blob.cbData = ocsp_responses->items[0].len;
- ocsp_response_blob.pbData = ocsp_responses->items[0].data;
- BOOL ok = CertSetCertificateContextProperty(
- nss_handshake_state_.server_cert->os_cert_handle(),
- CERT_OCSP_RESPONSE_PROP_ID,
- CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
- &ocsp_response_blob);
- if (!ok) {
- VLOG(1) << "Failed to set OCSP response property: "
- << GetLastError();
- }
- }
- #elif defined(USE_NSS)
- CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
- GetCacheOCSPResponseFromSideChannelFunction();
-
- cache_ocsp_response(
- CERT_GetDefaultCertDB(),
- nss_handshake_state_.server_cert_chain[0], PR_Now(),
- &ocsp_responses->items[0], NULL);
- #endif
- }
- }
- #endif
- // Done!
} else {
PRErrorCode prerr = PR_GetError();
net_error = HandleNSSError(prerr, true);
@@ -2436,6 +2407,46 @@ void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() {
signed_cert_timestamps->len);
}
+void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
+ const SECItemArray* ocsp_responses =
+ SSL_PeerStapledOCSPResponses(nss_fd_);
+ if (!ocsp_responses || !ocsp_responses->len)
+ return;
+
+ nss_handshake_state_.stapled_ocsp_response = std::string(
+ reinterpret_cast<char*>(ocsp_responses->items[0].data),
+ ocsp_responses->items[0].len);
+
+ // TODO(agl): figure out how to plumb an OCSP response into the Mac
+ // system library and update IsOCSPStaplingSupported for Mac.
+ if (IsOCSPStaplingSupported()) {
+ #if defined(OS_WIN)
+ if (nss_handshake_state_.server_cert) {
+ CRYPT_DATA_BLOB ocsp_response_blob;
+ ocsp_response_blob.cbData = ocsp_responses->items[0].len;
+ ocsp_response_blob.pbData = ocsp_responses->items[0].data;
+ BOOL ok = CertSetCertificateContextProperty(
+ nss_handshake_state_.server_cert->os_cert_handle(),
+ CERT_OCSP_RESPONSE_PROP_ID,
+ CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
+ &ocsp_response_blob);
+ if (!ok) {
+ VLOG(1) << "Failed to set OCSP response property: "
+ << GetLastError();
+ }
+ }
+ #elif defined(USE_NSS)
+ CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
+ GetCacheOCSPResponseFromSideChannelFunction();
+
+ cache_ocsp_response(
+ CERT_GetDefaultCertDB(),
+ nss_handshake_state_.server_cert_chain[0], PR_Now(),
+ &ocsp_responses->items[0], NULL);
+ #endif
+ } // IsOCSPStaplingSupported()
+}
+
void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
SSLChannelInfo channel_info;
SECStatus ok = SSL_GetChannelInfo(nss_fd_,
@@ -3202,12 +3213,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
// Added in NSS 3.15
#ifdef SSL_ENABLE_OCSP_STAPLING
- if (IsOCSPStaplingSupported()) {
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
- if (rv != SECSuccess) {
- LogFailedNSSFunction(net_log_, "SSL_OptionSet",
- "SSL_ENABLE_OCSP_STAPLING");
- }
+ // Request OCSP stapling even on platforms that don't support it, in
+ // order to extract Certificate Transparency information.
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
+ (IsOCSPStaplingSupported() ||
+ ssl_config_.signed_cert_timestamps_enabled));
+ if (rv != SECSuccess) {
+ LogFailedNSSFunction(net_log_, "SSL_OptionSet",
+ "SSL_ENABLE_OCSP_STAPLING");
}
#endif
@@ -3365,6 +3378,8 @@ int SSLClientSocketNSS::DoHandshakeComplete(int result) {
set_channel_id_sent(core_->state().channel_id_sent);
set_signed_cert_timestamps_received(
!core_->state().sct_list_from_tls_extension.empty());
+ set_stapled_ocsp_response_received(
+ !core_->state().stapled_ocsp_response.empty());
LeaveFunction(result);
return result;
@@ -3522,10 +3537,12 @@ void SSLClientSocketNSS::VerifyCT() {
// external communication.
int result = cert_transparency_verifier_->Verify(
server_cert_verify_result_.verified_cert,
- std::string(), // SCT list from OCSP response
+ core_->state().stapled_ocsp_response,
core_->state().sct_list_from_tls_extension,
&ct_verify_result_,
net_log_);
+ // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
+ // from the state after verification is complete, to conserve memory.
VLOG(1) << "CT Verification complete: result " << result
<< " Invalid scts: " << ct_verify_result_.invalid_scts.size()
« no previous file with comments | « net/socket/ssl_client_socket.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698