diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc index 1731e1281ce824..211557c09451e4 100644 --- a/chrome/browser/io_thread.cc +++ b/chrome/browser/io_thread.cc @@ -978,6 +978,7 @@ net::URLRequestContext* IOThread::ConstructSystemRequestContext( globals->transport_security_state.get()); context->set_cert_transparency_verifier( globals->cert_transparency_verifier.get()); + context->set_ct_policy_enforcer(globals->ct_policy_enforcer.get()); context->set_ssl_config_service(globals->ssl_config_service.get()); context->set_http_auth_handler_factory( globals->http_auth_handler_factory.get()); @@ -1033,6 +1034,7 @@ net::URLRequestContext* IOThread::ConstructProxyScriptFetcherContext( globals->transport_security_state.get()); context->set_cert_transparency_verifier( globals->cert_transparency_verifier.get()); + context->set_ct_policy_enforcer(globals->ct_policy_enforcer.get()); context->set_ssl_config_service(globals->ssl_config_service.get()); context->set_http_auth_handler_factory( globals->http_auth_handler_factory.get()); diff --git a/chrome/browser/profiles/off_the_record_profile_io_data.cc b/chrome/browser/profiles/off_the_record_profile_io_data.cc index eb3b13d5f2afab..b25643224e7f3d 100644 --- a/chrome/browser/profiles/off_the_record_profile_io_data.cc +++ b/chrome/browser/profiles/off_the_record_profile_io_data.cc @@ -205,6 +205,10 @@ void OffTheRecordProfileIOData::InitializeInternal( ApplyProfileParamsToContext(main_context); main_context->set_transport_security_state(transport_security_state()); + main_context->set_cert_transparency_verifier( + io_thread_globals->cert_transparency_verifier.get()); + main_context->set_ct_policy_enforcer( + io_thread_globals->ct_policy_enforcer.get()); main_context->set_net_log(io_thread->net_log()); @@ -218,8 +222,6 @@ void OffTheRecordProfileIOData::InitializeInternal( io_thread_globals->http_auth_handler_factory.get()); main_context->set_proxy_service(proxy_service()); - main_context->set_cert_transparency_verifier( - io_thread_globals->cert_transparency_verifier.get()); main_context->set_backoff_manager( io_thread_globals->url_request_backoff_manager.get()); diff --git a/chrome/browser/profiles/profile_impl_io_data.cc b/chrome/browser/profiles/profile_impl_io_data.cc index 3d2aadbe1642c9..2885394c109d17 100644 --- a/chrome/browser/profiles/profile_impl_io_data.cc +++ b/chrome/browser/profiles/profile_impl_io_data.cc @@ -461,6 +461,8 @@ void ProfileImplIOData::InitializeInternal( http_server_properties_manager_->InitializeOnNetworkThread(); main_context->set_transport_security_state(transport_security_state()); + main_context->set_ct_policy_enforcer( + io_thread_globals->ct_policy_enforcer.get()); main_context->set_net_log(io_thread->net_log()); @@ -576,6 +578,8 @@ void ProfileImplIOData:: ApplyProfileParamsToContext(extensions_context); extensions_context->set_transport_security_state(transport_security_state()); + extensions_context->set_ct_policy_enforcer( + io_thread_globals->ct_policy_enforcer.get()); extensions_context->set_net_log(io_thread->net_log()); diff --git a/chrome/browser/profiles/profile_io_data.h b/chrome/browser/profiles/profile_io_data.h index bb1575007cc2ed..cd8843524cb390 100644 --- a/chrome/browser/profiles/profile_io_data.h +++ b/chrome/browser/profiles/profile_io_data.h @@ -74,6 +74,7 @@ namespace net { class CertVerifier; class ChannelIDService; class CookieStore; +class CTVerifier; class FtpTransactionFactory; class HttpServerProperties; class HttpTransactionFactory; diff --git a/chromecast/browser/url_request_context_factory.cc b/chromecast/browser/url_request_context_factory.cc index e743412dc4cf5c..b7c118be63b1fe 100644 --- a/chromecast/browser/url_request_context_factory.cc +++ b/chromecast/browser/url_request_context_factory.cc @@ -21,6 +21,8 @@ #include "content/public/common/content_switches.h" #include "content/public/common/url_constants.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/cert_net/nss_ocsp.h" #include "net/cookies/cookie_store.h" #include "net/dns/host_resolver.h" @@ -201,12 +203,12 @@ void URLRequestContextFactory::InitializeSystemContextDependencies() { return; host_resolver_ = net::HostResolver::CreateDefaultResolver(NULL); - cert_verifier_ = net::CertVerifier::CreateDefault(); - ssl_config_service_ = new net::SSLConfigServiceDefaults; - transport_security_state_.reset(new net::TransportSecurityState()); + cert_transparency_verifier_.reset(new net::MultiLogCTVerifier()); + ct_policy_enforcer_.reset(new net::CTPolicyEnforcer()); + http_auth_handler_factory_ = net::HttpAuthHandlerFactory::CreateDefault(host_resolver_.get()); @@ -289,6 +291,8 @@ void URLRequestContextFactory::PopulateNetworkSessionParams( params->channel_id_service = channel_id_service_.get(); params->ssl_config_service = ssl_config_service_.get(); params->transport_security_state = transport_security_state_.get(); + params->cert_transparency_verifier = cert_transparency_verifier_.get(); + params->ct_policy_enforcer = ct_policy_enforcer_.get(); params->http_auth_handler_factory = http_auth_handler_factory_.get(); params->http_server_properties = http_server_properties_.get(); params->ignore_certificate_errors = ignore_certificate_errors; diff --git a/chromecast/browser/url_request_context_factory.h b/chromecast/browser/url_request_context_factory.h index b0fca40524156c..4cf106bdf1f8e5 100644 --- a/chromecast/browser/url_request_context_factory.h +++ b/chromecast/browser/url_request_context_factory.h @@ -102,6 +102,8 @@ class URLRequestContextFactory { std::unique_ptr cert_verifier_; scoped_refptr ssl_config_service_; std::unique_ptr transport_security_state_; + std::unique_ptr cert_transparency_verifier_; + std::unique_ptr ct_policy_enforcer_; std::unique_ptr proxy_config_service_; std::unique_ptr proxy_service_; std::unique_ptr http_auth_handler_factory_; diff --git a/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc b/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc index 8dde061e128a2c..23dea67f2cc68f 100644 --- a/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc +++ b/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc @@ -334,6 +334,9 @@ int32_t PepperTCPSocketMessageFilter::OnMsgSSLHandshake( ssl_context.cert_verifier = ssl_context_helper_->GetCertVerifier(); ssl_context.transport_security_state = ssl_context_helper_->GetTransportSecurityState(); + ssl_context.cert_transparency_verifier = + ssl_context_helper_->GetCertTransparencyVerifier(); + ssl_context.ct_policy_enforcer = ssl_context_helper_->GetCTPolicyEnforcer(); ssl_socket_ = factory->CreateSSLClientSocket( std::move(handle), host_port_pair, ssl_context_helper_->ssl_config(), ssl_context); diff --git a/content/browser/renderer_host/pepper/ssl_context_helper.cc b/content/browser/renderer_host/pepper/ssl_context_helper.cc index aed882303916cb..0596302ce3a640 100644 --- a/content/browser/renderer_host/pepper/ssl_context_helper.cc +++ b/content/browser/renderer_host/pepper/ssl_context_helper.cc @@ -5,6 +5,8 @@ #include "content/browser/renderer_host/pepper/ssl_context_helper.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/http/transport_security_state.h" namespace content { @@ -25,4 +27,16 @@ net::TransportSecurityState* SSLContextHelper::GetTransportSecurityState() { return transport_security_state_.get(); } +net::CTVerifier* SSLContextHelper::GetCertTransparencyVerifier() { + if (!cert_transparency_verifier_) + cert_transparency_verifier_.reset(new net::MultiLogCTVerifier()); + return cert_transparency_verifier_.get(); +} + +net::CTPolicyEnforcer* SSLContextHelper::GetCTPolicyEnforcer() { + if (!ct_policy_enforcer_) + ct_policy_enforcer_.reset(new net::CTPolicyEnforcer()); + return ct_policy_enforcer_.get(); +} + } // namespace content diff --git a/content/browser/renderer_host/pepper/ssl_context_helper.h b/content/browser/renderer_host/pepper/ssl_context_helper.h index c83afa42331476..d2b880ec96e3d3 100644 --- a/content/browser/renderer_host/pepper/ssl_context_helper.h +++ b/content/browser/renderer_host/pepper/ssl_context_helper.h @@ -13,6 +13,8 @@ namespace net { class CertVerifier; +class CTPolicyEnforcer; +class CTVerifier; class TransportSecurityState; } @@ -24,6 +26,8 @@ class SSLContextHelper : public base::RefCounted { net::CertVerifier* GetCertVerifier(); net::TransportSecurityState* GetTransportSecurityState(); + net::CTVerifier* GetCertTransparencyVerifier(); + net::CTPolicyEnforcer* GetCTPolicyEnforcer(); const net::SSLConfig& ssl_config() { return ssl_config_; } private: @@ -36,6 +40,12 @@ class SSLContextHelper : public base::RefCounted { // This is lazily created. Users should use GetTransportSecurityState to // retrieve it. std::unique_ptr transport_security_state_; + // This is lazily created. Users should use GetCertTransparencyVerifier to + // retrieve it. + std::unique_ptr cert_transparency_verifier_; + // This is lazily created. Users should use GetCTPolicyEnforcer to + // retrieve it. + std::unique_ptr ct_policy_enforcer_; // The default SSL configuration settings are used, as opposed to Chrome's SSL // settings. diff --git a/content/shell/browser/shell_url_request_context_getter.cc b/content/shell/browser/shell_url_request_context_getter.cc index 5b853c690b0604..3c6782ffd0eaed 100644 --- a/content/shell/browser/shell_url_request_context_getter.cc +++ b/content/shell/browser/shell_url_request_context_getter.cc @@ -26,6 +26,8 @@ #include "content/shell/common/shell_switches.h" #include "net/base/cache_type.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/cookies/cookie_monster.h" #include "net/dns/host_resolver.h" #include "net/dns/mapped_host_resolver.h" @@ -139,6 +141,10 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() { storage_->set_cert_verifier(net::CertVerifier::CreateDefault()); storage_->set_transport_security_state( base::WrapUnique(new net::TransportSecurityState)); + storage_->set_cert_transparency_verifier( + base::WrapUnique(new net::MultiLogCTVerifier)); + storage_->set_ct_policy_enforcer( + base::WrapUnique(new net::CTPolicyEnforcer)); storage_->set_proxy_service(GetProxyService()); storage_->set_ssl_config_service(new net::SSLConfigServiceDefaults); storage_->set_http_auth_handler_factory( @@ -165,6 +171,10 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() { url_request_context_->cert_verifier(); network_session_params.transport_security_state = url_request_context_->transport_security_state(); + network_session_params.cert_transparency_verifier = + url_request_context_->cert_transparency_verifier(); + network_session_params.ct_policy_enforcer = + url_request_context_->ct_policy_enforcer(); network_session_params.channel_id_service = url_request_context_->channel_id_service(); network_session_params.proxy_service = diff --git a/extensions/browser/api/socket/socket_api.cc b/extensions/browser/api/socket/socket_api.cc index 65ecf6004055f2..714766bcd9fd03 100644 --- a/extensions/browser/api/socket/socket_api.cc +++ b/extensions/browser/api/socket/socket_api.cc @@ -1073,11 +1073,11 @@ void SocketSecureFunction::AsyncWorkStart() { url_request_getter_->GetURLRequestContext(); TLSSocket::UpgradeSocketToTLS( - socket, - url_request_context->ssl_config_service(), + socket, url_request_context->ssl_config_service(), url_request_context->cert_verifier(), url_request_context->transport_security_state(), - extension_id(), + url_request_context->cert_transparency_verifier(), + url_request_context->ct_policy_enforcer(), extension_id(), params_->options.get(), base::Bind(&SocketSecureFunction::TlsConnectDone, this)); } diff --git a/extensions/browser/api/socket/tls_socket.cc b/extensions/browser/api/socket/tls_socket.cc index 686d37f5ba8110..f9df61032a1738 100644 --- a/extensions/browser/api/socket/tls_socket.cc +++ b/extensions/browser/api/socket/tls_socket.cc @@ -181,6 +181,8 @@ void TLSSocket::UpgradeSocketToTLS( scoped_refptr ssl_config_service, net::CertVerifier* cert_verifier, net::TransportSecurityState* transport_security_state, + net::CTVerifier* ct_verifier, + net::CTPolicyEnforcer* ct_policy_enforcer, const std::string& extension_id, api::socket::SecureOptions* options, const TLSSocket::SecureCallback& callback) { @@ -241,6 +243,8 @@ void TLSSocket::UpgradeSocketToTLS( net::SSLClientSocketContext context; context.cert_verifier = cert_verifier; context.transport_security_state = transport_security_state; + context.cert_transparency_verifier = ct_verifier; + context.ct_policy_enforcer = ct_policy_enforcer; // Fill in the SSL socket params. net::SSLConfig ssl_config; diff --git a/extensions/browser/api/socket/tls_socket.h b/extensions/browser/api/socket/tls_socket.h index 2f7a683efb4634..61825343193e7f 100644 --- a/extensions/browser/api/socket/tls_socket.h +++ b/extensions/browser/api/socket/tls_socket.h @@ -17,6 +17,8 @@ namespace net { class Socket; class CertVerifier; +class CTPolicyEnforcer; +class CTVerifier; class TransportSecurityState; } @@ -98,6 +100,8 @@ class TLSSocket : public ResumableTCPSocket { scoped_refptr config_service, net::CertVerifier* cert_verifier, net::TransportSecurityState* transport_security_state, + net::CTVerifier* ct_verifier, + net::CTPolicyEnforcer* ct_policy_enforcer, const std::string& extension_id, api::socket::SecureOptions* options, const SecureCallback& callback); diff --git a/extensions/browser/api/sockets_tcp/sockets_tcp_api.cc b/extensions/browser/api/sockets_tcp/sockets_tcp_api.cc index cea70b0074b7c3..be8e45d1c08979 100644 --- a/extensions/browser/api/sockets_tcp/sockets_tcp_api.cc +++ b/extensions/browser/api/sockets_tcp/sockets_tcp_api.cc @@ -517,12 +517,11 @@ void SocketsTcpSecureFunction::AsyncWorkStart() { } TLSSocket::UpgradeSocketToTLS( - socket, - url_request_context->ssl_config_service(), + socket, url_request_context->ssl_config_service(), url_request_context->cert_verifier(), url_request_context->transport_security_state(), - extension_id(), - &legacy_params, + url_request_context->cert_transparency_verifier(), + url_request_context->ct_policy_enforcer(), extension_id(), &legacy_params, base::Bind(&SocketsTcpSecureFunction::TlsConnectDone, this)); } diff --git a/google_apis/gcm/tools/mcs_probe.cc b/google_apis/gcm/tools/mcs_probe.cc index cf078e670ba980..afc16b59876e3c 100644 --- a/google_apis/gcm/tools/mcs_probe.cc +++ b/google_apis/gcm/tools/mcs_probe.cc @@ -41,6 +41,8 @@ #include "google_apis/gcm/monitoring/fake_gcm_stats_recorder.h" #include "net/base/host_mapping_rules.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/host_resolver.h" #include "net/http/http_auth_handler_factory.h" #include "net/http/http_auth_preferences.h" @@ -250,6 +252,8 @@ class MCSProbe { std::unique_ptr cert_verifier_; std::unique_ptr system_channel_id_service_; std::unique_ptr transport_security_state_; + std::unique_ptr cert_transparency_verifier_; + std::unique_ptr ct_policy_enforcer_; MCSProbeAuthPreferences http_auth_preferences_; std::unique_ptr http_auth_handler_factory_; std::unique_ptr http_server_properties_; @@ -399,6 +403,8 @@ void MCSProbe::InitializeNetworkState() { base::WorkerPool::GetTaskRunner(true))); transport_security_state_.reset(new net::TransportSecurityState()); + cert_transparency_verifier_.reset(new net::MultiLogCTVerifier()); + ct_policy_enforcer_.reset(new net::CTPolicyEnforcer()); http_auth_handler_factory_ = net::HttpAuthHandlerRegistryFactory::Create( &http_auth_preferences_, host_resolver_.get()); http_server_properties_.reset(new net::HttpServerPropertiesImpl()); @@ -412,6 +418,8 @@ void MCSProbe::BuildNetworkSession() { session_params.cert_verifier = cert_verifier_.get(); session_params.channel_id_service = system_channel_id_service_.get(); session_params.transport_security_state = transport_security_state_.get(); + session_params.cert_transparency_verifier = cert_transparency_verifier_.get(); + session_params.ct_policy_enforcer = ct_policy_enforcer_.get(); session_params.ssl_config_service = new net::SSLConfigServiceDefaults(); session_params.http_auth_handler_factory = http_auth_handler_factory_.get(); session_params.http_server_properties = http_server_properties_.get(); diff --git a/ios/crnet/crnet_environment.mm b/ios/crnet/crnet_environment.mm index e61bead8dfa4c7..b971a9b3231173 100644 --- a/ios/crnet/crnet_environment.mm +++ b/ios/crnet/crnet_environment.mm @@ -37,6 +37,8 @@ #include "net/base/network_change_notifier.h" #include "net/base/sdch_manager.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/cookies/cookie_store.h" #include "net/http/http_auth_handler_factory.h" #include "net/http/http_cache.h" @@ -385,6 +387,8 @@ bool IsRequestSupported(NSURLRequest* request) override { main_context_->set_ssl_config_service(new net::SSLConfigServiceDefaults); main_context_->set_transport_security_state( new net::TransportSecurityState()); + main_context_->set_cert_transparency_verifier(new net::MultiLogCTVerifier()); + main_context_->set_ct_policy_enforcer(new net::CTPolicyEnforcer()); http_server_properties_.reset(new net::HttpServerPropertiesImpl()); main_context_->set_http_server_properties(http_server_properties_.get()); // TODO(rdsmith): Note that the ".release()" calls below are leaking diff --git a/ios/web/shell/shell_url_request_context_getter.mm b/ios/web/shell/shell_url_request_context_getter.mm index eeb855ecc1f584..3440a612146b36 100644 --- a/ios/web/shell/shell_url_request_context_getter.mm +++ b/ios/web/shell/shell_url_request_context_getter.mm @@ -19,6 +19,8 @@ #include "ios/web/shell/shell_network_delegate.h" #include "net/base/cache_type.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/host_resolver.h" #include "net/extras/sqlite/sqlite_persistent_cookie_store.h" #include "net/http/http_auth_handler_factory.h" @@ -99,6 +101,10 @@ storage_->set_transport_security_state( base::WrapUnique(new net::TransportSecurityState())); + storage_->set_cert_transparency_verifier( + base::WrapUnique(new net::MultiLogCTVerifier)); + storage_->set_ct_policy_enforcer( + base::WrapUnique(new net::CTPolicyEnforcer)); transport_security_persister_.reset(new net::TransportSecurityPersister( url_request_context_->transport_security_state(), base_path_, file_task_runner_, false)); @@ -121,6 +127,10 @@ url_request_context_->cert_verifier(); network_session_params.transport_security_state = url_request_context_->transport_security_state(); + network_session_params.cert_transparency_verifier = + url_request_context_->cert_transparency_verifier(); + network_session_params.ct_policy_enforcer = + url_request_context_->ct_policy_enforcer(); network_session_params.channel_id_service = url_request_context_->channel_id_service(); network_session_params.net_log = url_request_context_->net_log(); diff --git a/jingle/glue/proxy_resolving_client_socket.cc b/jingle/glue/proxy_resolving_client_socket.cc index 9e3e61350608f2..cc31edb55b1106 100644 --- a/jingle/glue/proxy_resolving_client_socket.cc +++ b/jingle/glue/proxy_resolving_client_socket.cc @@ -62,6 +62,9 @@ ProxyResolvingClientSocket::ProxyResolvingClientSocket( session_params.cert_verifier = request_context->cert_verifier(); session_params.transport_security_state = request_context->transport_security_state(); + session_params.cert_transparency_verifier = + request_context->cert_transparency_verifier(); + session_params.ct_policy_enforcer = request_context->ct_policy_enforcer(); // TODO(rkn): This is NULL because ChannelIDService is not thread safe. session_params.channel_id_service = NULL; session_params.proxy_service = request_context->proxy_service(); diff --git a/net/cert/ct_verifier.h b/net/cert/ct_verifier.h index f2a223e0cee610..cdc81c91cb450b 100644 --- a/net/cert/ct_verifier.h +++ b/net/cert/ct_verifier.h @@ -21,7 +21,6 @@ class CTLogVerifier; class X509Certificate; // Interface for verifying Signed Certificate Timestamps over a certificate. -// The only known (non-test) implementation currently is MultiLogCTVerifier. class NET_EXPORT CTVerifier { public: class NET_EXPORT Observer { diff --git a/net/cert_net/cert_net_fetcher_impl_unittest.cc b/net/cert_net/cert_net_fetcher_impl_unittest.cc index 42fe60de8f7e46..d8c257b4cb218e 100644 --- a/net/cert_net/cert_net_fetcher_impl_unittest.cc +++ b/net/cert_net/cert_net_fetcher_impl_unittest.cc @@ -10,7 +10,9 @@ #include "base/compiler_specific.h" #include "base/memory/ptr_util.h" #include "base/run_loop.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_server_properties_impl.h" #include "net/test/embedded_test_server/embedded_test_server.h" @@ -40,6 +42,9 @@ class RequestContext : public URLRequestContext { storage_.set_cert_verifier(base::WrapUnique(new MockCertVerifier)); storage_.set_transport_security_state( base::WrapUnique(new TransportSecurityState)); + storage_.set_cert_transparency_verifier( + base::WrapUnique(new MultiLogCTVerifier)); + storage_.set_ct_policy_enforcer(base::WrapUnique(new CTPolicyEnforcer)); storage_.set_proxy_service(ProxyService::CreateFixed(no_proxy)); storage_.set_ssl_config_service(new SSLConfigServiceDefaults); storage_.set_http_server_properties( @@ -49,6 +54,8 @@ class RequestContext : public URLRequestContext { params.host_resolver = host_resolver(); params.cert_verifier = cert_verifier(); params.transport_security_state = transport_security_state(); + params.cert_transparency_verifier = cert_transparency_verifier(); + params.ct_policy_enforcer = ct_policy_enforcer(); params.proxy_service = proxy_service(); params.ssl_config_service = ssl_config_service(); params.http_server_properties = http_server_properties(); diff --git a/net/http/http_network_layer_unittest.cc b/net/http/http_network_layer_unittest.cc index bab57ccfa3dcae..19fb17c323f076 100644 --- a/net/http/http_network_layer_unittest.cc +++ b/net/http/http_network_layer_unittest.cc @@ -7,7 +7,9 @@ #include #include "base/strings/stringprintf.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" @@ -42,6 +44,8 @@ class HttpNetworkLayerTest : public PlatformTest { session_params.host_resolver = &host_resolver_; session_params.cert_verifier = cert_verifier_.get(); session_params.transport_security_state = transport_security_state_.get(); + session_params.cert_transparency_verifier = &ct_verifier_; + session_params.ct_policy_enforcer = &ct_policy_enforcer_; session_params.proxy_service = proxy_service_.get(); session_params.ssl_config_service = ssl_config_service_.get(); session_params.http_server_properties = &http_server_properties_; @@ -257,6 +261,8 @@ class HttpNetworkLayerTest : public PlatformTest { MockHostResolver host_resolver_; std::unique_ptr cert_verifier_; std::unique_ptr transport_security_state_; + MultiLogCTVerifier ct_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; std::unique_ptr proxy_service_; const scoped_refptr ssl_config_service_; std::unique_ptr network_session_; diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc index 2c56cd98cd393a..d39b05903565e0 100644 --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -75,10 +75,10 @@ HttpNetworkSession::Params::Params() : client_socket_factory(NULL), host_resolver(NULL), cert_verifier(NULL), - ct_policy_enforcer(NULL), channel_id_service(NULL), transport_security_state(NULL), cert_transparency_verifier(NULL), + ct_policy_enforcer(NULL), proxy_service(NULL), ssl_config_service(NULL), http_auth_handler_factory(NULL), diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h index 79524212924dad..1270ce52d1b778 100644 --- a/net/http/http_network_session.h +++ b/net/http/http_network_session.h @@ -69,10 +69,10 @@ class NET_EXPORT HttpNetworkSession ClientSocketFactory* client_socket_factory; HostResolver* host_resolver; CertVerifier* cert_verifier; - CTPolicyEnforcer* ct_policy_enforcer; ChannelIDService* channel_id_service; TransportSecurityState* transport_security_state; CTVerifier* cert_transparency_verifier; + CTPolicyEnforcer* ct_policy_enforcer; ProxyService* proxy_service; SSLConfigService* ssl_config_service; HttpAuthHandlerFactory* http_auth_handler_factory; diff --git a/net/http/http_network_transaction_ssl_unittest.cc b/net/http/http_network_transaction_ssl_unittest.cc index 499689c0ea4db8..88148aa992bddc 100644 --- a/net/http/http_network_transaction_ssl_unittest.cc +++ b/net/http/http_network_transaction_ssl_unittest.cc @@ -9,6 +9,9 @@ #include "base/memory/ptr_util.h" #include "base/memory/ref_counted.h" #include "net/base/request_priority.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_auth_handler_mock.h" #include "net/http/http_network_session.h" @@ -86,7 +89,10 @@ class HttpNetworkTransactionSSLTest : public testing::Test { session_params_.client_socket_factory = &mock_socket_factory_; session_params_.host_resolver = &mock_resolver_; session_params_.http_server_properties = &http_server_properties_; + session_params_.cert_verifier = &cert_verifier_; session_params_.transport_security_state = &transport_security_state_; + session_params_.cert_transparency_verifier = &ct_verifier_; + session_params_.ct_policy_enforcer = &ct_policy_enforcer_; } HttpRequestInfo* GetRequestInfo(const std::string& url) { @@ -108,7 +114,10 @@ class HttpNetworkTransactionSSLTest : public testing::Test { MockClientSocketFactory mock_socket_factory_; MockHostResolver mock_resolver_; HttpServerPropertiesImpl http_server_properties_; + MockCertVerifier cert_verifier_; TransportSecurityState transport_security_state_; + MultiLogCTVerifier ct_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; HttpNetworkSession::Params session_params_; std::vector> request_info_vector_; }; diff --git a/net/http/http_response_body_drainer_unittest.cc b/net/http/http_response_body_drainer_unittest.cc index fdaa3155853ea5..920e14442bcc36 100644 --- a/net/http/http_response_body_drainer_unittest.cc +++ b/net/http/http_response_body_drainer_unittest.cc @@ -19,6 +19,9 @@ #include "net/base/io_buffer.h" #include "net/base/net_errors.h" #include "net/base/test_completion_callback.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" #include "net/http/http_stream.h" @@ -230,26 +233,31 @@ class HttpResponseBodyDrainerTest : public testing::Test { : proxy_service_(ProxyService::CreateDirect()), ssl_config_service_(new SSLConfigServiceDefaults), http_server_properties_(new HttpServerPropertiesImpl()), - transport_security_state_(new TransportSecurityState()), session_(CreateNetworkSession()), mock_stream_(new MockHttpStream(&result_waiter_)), drainer_(new HttpResponseBodyDrainer(mock_stream_)) {} ~HttpResponseBodyDrainerTest() override {} - HttpNetworkSession* CreateNetworkSession() const { + HttpNetworkSession* CreateNetworkSession() { HttpNetworkSession::Params params; params.proxy_service = proxy_service_.get(); params.ssl_config_service = ssl_config_service_.get(); params.http_server_properties = http_server_properties_.get(); - params.transport_security_state = transport_security_state_.get(); + params.cert_verifier = &cert_verifier_; + params.transport_security_state = &transport_security_state_; + params.cert_transparency_verifier = &ct_verifier_; + params.ct_policy_enforcer = &ct_policy_enforcer_; return new HttpNetworkSession(params); } std::unique_ptr proxy_service_; scoped_refptr ssl_config_service_; std::unique_ptr http_server_properties_; - std::unique_ptr transport_security_state_; + MockCertVerifier cert_verifier_; + TransportSecurityState transport_security_state_; + MultiLogCTVerifier ct_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; const std::unique_ptr session_; CloseResultWaiter result_waiter_; MockHttpStream* const mock_stream_; // Owned by |drainer_|. diff --git a/net/http/http_stream_factory_impl_unittest.cc b/net/http/http_stream_factory_impl_unittest.cc index 943528a698fbdd..13d01151b00f50 100644 --- a/net/http/http_stream_factory_impl_unittest.cc +++ b/net/http/http_stream_factory_impl_unittest.cc @@ -15,7 +15,9 @@ #include "net/base/port_util.h" #include "net/base/test_completion_callback.h" #include "net/base/test_data_directory.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/bidirectional_stream_impl.h" #include "net/http/bidirectional_stream_request_info.h" @@ -362,7 +364,10 @@ template class CapturePreconnectsSocketPool : public ParentPool { public: CapturePreconnectsSocketPool(HostResolver* host_resolver, - CertVerifier* cert_verifier); + CertVerifier* cert_verifier, + TransportSecurityState* transport_security_state, + CTVerifier* cert_transparency_verifier, + CTPolicyEnforcer* ct_policy_enforcer); int last_num_streams() const { return last_num_streams_; @@ -429,29 +434,37 @@ CapturePreconnectsSSLSocketPool; template CapturePreconnectsSocketPool::CapturePreconnectsSocketPool( HostResolver* host_resolver, - CertVerifier* /* cert_verifier */) + CertVerifier*, + TransportSecurityState*, + CTVerifier*, + CTPolicyEnforcer*) : ParentPool(0, 0, host_resolver, nullptr, nullptr, nullptr), last_num_streams_(-1) {} template <> CapturePreconnectsHttpProxySocketPool::CapturePreconnectsSocketPool( - HostResolver* /* host_resolver */, - CertVerifier* /* cert_verifier */) + HostResolver*, + CertVerifier*, + TransportSecurityState*, + CTVerifier*, + CTPolicyEnforcer*) : HttpProxyClientSocketPool(0, 0, nullptr, nullptr, nullptr), - last_num_streams_(-1) { -} + last_num_streams_(-1) {} template <> CapturePreconnectsSSLSocketPool::CapturePreconnectsSocketPool( HostResolver* /* host_resolver */, - CertVerifier* cert_verifier) + CertVerifier* cert_verifier, + TransportSecurityState* transport_security_state, + CTVerifier* cert_transparency_verifier, + CTPolicyEnforcer* ct_policy_enforcer) : SSLClientSocketPool(0, 0, cert_verifier, - nullptr, // channel_id_store - nullptr, // transport_security_state - nullptr, // cert_transparency_verifier - nullptr, // ct_policy_enforcer + nullptr, // channel_id_store + transport_security_state, + cert_transparency_verifier, + ct_policy_enforcer, std::string(), // ssl_session_cache_shard nullptr, // deterministic_socket_factory nullptr, // transport_socket_pool @@ -459,8 +472,7 @@ CapturePreconnectsSSLSocketPool::CapturePreconnectsSocketPool( nullptr, nullptr, // ssl_config_service nullptr), // net_log - last_num_streams_(-1) { -} + last_num_streams_(-1) {} class HttpStreamFactoryTest : public ::testing::Test, public ::testing::WithParamInterface { @@ -480,12 +492,16 @@ TEST_P(HttpStreamFactoryTest, PreconnectDirect) { HttpNetworkSessionPeer peer(session.get()); CapturePreconnectsTransportSocketPool* transport_conn_pool = new CapturePreconnectsTransportSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); CapturePreconnectsSSLSocketPool* ssl_conn_pool = new CapturePreconnectsSSLSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetTransportSocketPool(transport_conn_pool); @@ -509,12 +525,16 @@ TEST_P(HttpStreamFactoryTest, PreconnectHttpProxy) { HostPortPair proxy_host("http_proxy", 80); CapturePreconnectsHttpProxySocketPool* http_proxy_pool = new CapturePreconnectsHttpProxySocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); CapturePreconnectsSSLSocketPool* ssl_conn_pool = new CapturePreconnectsSSLSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetSocketPoolForHTTPProxy(proxy_host, http_proxy_pool); @@ -538,12 +558,16 @@ TEST_P(HttpStreamFactoryTest, PreconnectSocksProxy) { HostPortPair proxy_host("socks_proxy", 1080); CapturePreconnectsSOCKSSocketPool* socks_proxy_pool = new CapturePreconnectsSOCKSSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); CapturePreconnectsSSLSocketPool* ssl_conn_pool = new CapturePreconnectsSSLSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetSocketPoolForSOCKSProxy(proxy_host, socks_proxy_pool); @@ -573,12 +597,16 @@ TEST_P(HttpStreamFactoryTest, PreconnectDirectWithExistingSpdySession) { CapturePreconnectsTransportSocketPool* transport_conn_pool = new CapturePreconnectsTransportSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); CapturePreconnectsSSLSocketPool* ssl_conn_pool = new CapturePreconnectsSSLSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetTransportSocketPool(transport_conn_pool); @@ -607,8 +635,10 @@ TEST_P(HttpStreamFactoryTest, PreconnectUnsafePort) { HttpNetworkSessionPeer peer(session.get()); CapturePreconnectsTransportSocketPool* transport_conn_pool = new CapturePreconnectsTransportSocketPool( - session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetTransportSocketPool(transport_conn_pool); @@ -691,8 +721,14 @@ TEST_P(HttpStreamFactoryTest, UnreachableQuicProxyMarkedAsBad) { params.client_socket_factory = &socket_factory; MockHostResolver host_resolver; params.host_resolver = &host_resolver; + MockCertVerifier cert_verifier; + params.cert_verifier = &cert_verifier; TransportSecurityState transport_security_state; params.transport_security_state = &transport_security_state; + MultiLogCTVerifier ct_verifier; + params.cert_transparency_verifier = &ct_verifier; + CTPolicyEnforcer ct_policy_enforcer; + params.ct_policy_enforcer = &ct_policy_enforcer; params.proxy_service = proxy_service.get(); params.ssl_config_service = ssl_config_service.get(); params.http_server_properties = &http_server_properties; @@ -815,8 +851,14 @@ TEST_P(HttpStreamFactoryTest, QuicLossyProxyMarkedAsBad) { params.client_socket_factory = &socket_factory; MockHostResolver host_resolver; params.host_resolver = &host_resolver; + MockCertVerifier cert_verifier; + params.cert_verifier = &cert_verifier; TransportSecurityState transport_security_state; params.transport_security_state = &transport_security_state; + MultiLogCTVerifier ct_verifier; + params.cert_transparency_verifier = &ct_verifier; + CTPolicyEnforcer ct_policy_enforcer; + params.ct_policy_enforcer = &ct_policy_enforcer; params.proxy_service = proxy_service.get(); params.ssl_config_service = ssl_config_service.get(); params.http_server_properties = &http_server_properties; @@ -891,10 +933,16 @@ TEST_P(HttpStreamFactoryTest, UsePreConnectIfNoZeroRTT) { HostPortPair proxy_host("http_proxy", 80); CapturePreconnectsHttpProxySocketPool* http_proxy_pool = new CapturePreconnectsHttpProxySocketPool( - session_deps.host_resolver.get(), session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); CapturePreconnectsSSLSocketPool* ssl_conn_pool = - new CapturePreconnectsSSLSocketPool(session_deps.host_resolver.get(), - session_deps.cert_verifier.get()); + new CapturePreconnectsSSLSocketPool( + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetSocketPoolForHTTPProxy(proxy_host, http_proxy_pool); @@ -942,7 +990,10 @@ TEST_P(HttpStreamFactoryTest, QuicDisablePreConnectIfZeroRtt) { HttpNetworkSessionPeer peer(session.get()); CapturePreconnectsTransportSocketPool* transport_conn_pool = new CapturePreconnectsTransportSocketPool( - session_deps.host_resolver.get(), session_deps.cert_verifier.get()); + session_deps.host_resolver.get(), session_deps.cert_verifier.get(), + session_deps.transport_security_state.get(), + session_deps.cert_transparency_verifier.get(), + session_deps.ct_policy_enforcer.get()); std::unique_ptr mock_pool_manager( new MockClientSocketPoolManager); mock_pool_manager->SetTransportSocketPool(transport_conn_pool); @@ -1031,12 +1082,22 @@ TEST_P(HttpStreamFactoryTest, PrivacyModeUsesDifferentSocketPoolGroup) { SpdySessionDependencies session_deps( GetParam(), ProxyService::CreateDirect()); - StaticSocketDataProvider socket_data; - socket_data.set_connect_data(MockConnect(ASYNC, OK)); - session_deps.socket_factory->AddSocketDataProvider(&socket_data); - - SSLSocketDataProvider ssl(ASYNC, OK); - session_deps.socket_factory->AddSSLSocketDataProvider(&ssl); + StaticSocketDataProvider socket_data_1; + socket_data_1.set_connect_data(MockConnect(ASYNC, OK)); + session_deps.socket_factory->AddSocketDataProvider(&socket_data_1); + StaticSocketDataProvider socket_data_2; + socket_data_2.set_connect_data(MockConnect(ASYNC, OK)); + session_deps.socket_factory->AddSocketDataProvider(&socket_data_2); + StaticSocketDataProvider socket_data_3; + socket_data_3.set_connect_data(MockConnect(ASYNC, OK)); + session_deps.socket_factory->AddSocketDataProvider(&socket_data_3); + + SSLSocketDataProvider ssl_1(ASYNC, OK); + session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_1); + SSLSocketDataProvider ssl_2(ASYNC, OK); + session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_2); + SSLSocketDataProvider ssl_3(ASYNC, OK); + session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_3); std::unique_ptr session( SpdySessionDependencies::SpdyCreateSession(&session_deps)); @@ -1084,6 +1145,10 @@ TEST_P(HttpStreamFactoryTest, GetLoadState) { SpdySessionDependencies session_deps( GetParam(), ProxyService::CreateDirect()); + // Force asynchronous host resolutions, so that the LoadState will be + // resolving the host. + session_deps.host_resolver->set_synchronous_mode(false); + StaticSocketDataProvider socket_data; socket_data.set_connect_data(MockConnect(ASYNC, OK)); session_deps.socket_factory->AddSocketDataProvider(&socket_data); @@ -1517,9 +1582,12 @@ class HttpStreamFactoryBidirectionalQuicTest crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details_); crypto_client_stream_factory_.set_handshake_mode( MockCryptoClientStream::CONFIRM_HANDSHAKE); + params_.cert_verifier = &cert_verifier_; params_.quic_crypto_client_stream_factory = &crypto_client_stream_factory_; params_.quic_supported_versions = test::SupportedVersions(GetParam()); params_.transport_security_state = &transport_security_state_; + params_.cert_transparency_verifier = &ct_verifier_; + params_.ct_policy_enforcer = &ct_policy_enforcer_; params_.host_resolver = &host_resolver_; params_.proxy_service = proxy_service_.get(); params_.ssl_config_service = ssl_config_service_.get(); @@ -1557,10 +1625,13 @@ class HttpStreamFactoryBidirectionalQuicTest MockClientSocketFactory socket_factory_; std::unique_ptr session_; test::MockRandom random_generator_; + MockCertVerifier cert_verifier_; ProofVerifyDetailsChromium verify_details_; MockCryptoClientStreamFactory crypto_client_stream_factory_; HttpServerPropertiesImpl http_server_properties_; TransportSecurityState transport_security_state_; + MultiLogCTVerifier ct_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; MockHostResolver host_resolver_; std::unique_ptr proxy_service_; scoped_refptr ssl_config_service_; diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc index 51ac9b060038d8..f982c1e0b6d55b 100644 --- a/net/proxy/proxy_script_fetcher_impl_unittest.cc +++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc @@ -19,7 +19,9 @@ #include "net/base/load_flags.h" #include "net/base/network_delegate_impl.h" #include "net/base/test_completion_callback.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/disk_cache/disk_cache.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_cache.h" @@ -68,6 +70,9 @@ class RequestContext : public URLRequestContext { storage_.set_cert_verifier(base::WrapUnique(new MockCertVerifier)); storage_.set_transport_security_state( base::WrapUnique(new TransportSecurityState)); + storage_.set_cert_transparency_verifier( + base::WrapUnique(new MultiLogCTVerifier)); + storage_.set_ct_policy_enforcer(base::WrapUnique(new CTPolicyEnforcer)); storage_.set_proxy_service(ProxyService::CreateFixed(no_proxy)); storage_.set_ssl_config_service(new SSLConfigServiceDefaults); storage_.set_http_server_properties( @@ -77,6 +82,8 @@ class RequestContext : public URLRequestContext { params.host_resolver = host_resolver(); params.cert_verifier = cert_verifier(); params.transport_security_state = transport_security_state(); + params.cert_transparency_verifier = cert_transparency_verifier(); + params.ct_policy_enforcer = ct_policy_enforcer(); params.proxy_service = proxy_service(); params.ssl_config_service = ssl_config_service(); params.http_server_properties = http_server_properties(); diff --git a/net/quic/crypto/proof_verifier_chromium.cc b/net/quic/crypto/proof_verifier_chromium.cc index 48b408be1578df..46cc6ea2859e98 100644 --- a/net/quic/crypto/proof_verifier_chromium.cc +++ b/net/quic/crypto/proof_verifier_chromium.cc @@ -150,7 +150,13 @@ ProofVerifierChromium::Job::Job( cert_verify_flags_(cert_verify_flags), next_state_(STATE_NONE), start_time_(base::TimeTicks::Now()), - net_log_(net_log) {} + net_log_(net_log) { + DCHECK(proof_verifier_); + DCHECK(verifier_); + DCHECK(policy_enforcer_); + DCHECK(transport_security_state_); + DCHECK(cert_transparency_verifier_); +} ProofVerifierChromium::Job::~Job() { base::TimeTicks end_time = base::TimeTicks::Now(); @@ -211,7 +217,7 @@ QuicAsyncStatus ProofVerifierChromium::Job::VerifyProof( return QUIC_FAILURE; } - if (cert_transparency_verifier_ && !cert_sct.empty()) { + if (!cert_sct.empty()) { // Note that this is a completely synchronous operation: The CT Log Verifier // gets all the data it needs for SCT verification and does not do any // external communication. @@ -303,11 +309,10 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { const CertVerifyResult& cert_verify_result = verify_details_->cert_verify_result; const CertStatus cert_status = cert_verify_result.cert_status; - verify_details_->ct_verify_result.ct_policies_applied = - (result == OK && policy_enforcer_ != nullptr); + verify_details_->ct_verify_result.ct_policies_applied = result == OK; verify_details_->ct_verify_result.ev_policy_compliance = ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; - if (result == OK && policy_enforcer_) { + if (result == OK) { if ((cert_verify_result.cert_status & CERT_STATUS_IS_EV)) { ct::EVPolicyCompliance ev_policy_compliance = policy_enforcer_->DoesConformToCTEVPolicy( @@ -334,8 +339,7 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) { verify_details_->ct_verify_result.verified_scts, net_log_); } - if (transport_security_state_ && - (result == OK || + if ((result == OK || (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && !transport_security_state_->CheckPublicKeyPins( HostPortPair(hostname_, port_), @@ -440,7 +444,12 @@ ProofVerifierChromium::ProofVerifierChromium( : cert_verifier_(cert_verifier), ct_policy_enforcer_(ct_policy_enforcer), transport_security_state_(transport_security_state), - cert_transparency_verifier_(cert_transparency_verifier) {} + cert_transparency_verifier_(cert_transparency_verifier) { + DCHECK(cert_verifier_); + DCHECK(ct_policy_enforcer_); + DCHECK(transport_security_state_); + DCHECK(cert_transparency_verifier_); +} ProofVerifierChromium::~ProofVerifierChromium() { STLDeleteElements(&active_jobs_); diff --git a/net/quic/crypto/proof_verifier_chromium_test.cc b/net/quic/crypto/proof_verifier_chromium_test.cc index 1c48d3f01e4acd..733e781952d1d8 100644 --- a/net/quic/crypto/proof_verifier_chromium_test.cc +++ b/net/quic/crypto/proof_verifier_chromium_test.cc @@ -103,7 +103,8 @@ const char kLogDescription[] = "somelog"; class ProofVerifierChromiumTest : public ::testing::Test { public: ProofVerifierChromiumTest() - : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, + : ct_policy_enforcer_(false /*is_ev*/), + verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/, BoundNetLog())) {} void SetUp() override { @@ -198,6 +199,9 @@ class ProofVerifierChromiumTest : public ::testing::Test { } protected: + TransportSecurityState transport_security_state_; + MockCTPolicyEnforcer ct_policy_enforcer_; + std::unique_ptr ct_verifier_; std::vector> log_verifiers_; std::unique_ptr verify_context_; @@ -210,7 +214,8 @@ class ProofVerifierChromiumTest : public ::testing::Test { // verification fails. TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) { MockCertVerifier dummy_verifier; - ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, + ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_, + &transport_security_state_, ct_verifier_.get()); std::unique_ptr callback( @@ -228,7 +233,8 @@ TEST_F(ProofVerifierChromiumTest, ValidSCTList) { ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); MockCertVerifier cert_verifier; - ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, + ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_, + &transport_security_state_, ct_verifier_.get()); std::unique_ptr callback( @@ -247,7 +253,8 @@ TEST_F(ProofVerifierChromiumTest, InvalidSCTList) { ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_)); MockCertVerifier cert_verifier; - ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, + ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_, + &transport_security_state_, ct_verifier_.get()); std::unique_ptr callback( @@ -264,7 +271,8 @@ TEST_F(ProofVerifierChromiumTest, InvalidSCTList) { // signature fails. TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) { FailsTestCertVerifier cert_verifier; - ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr, + ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_, + &transport_security_state_, ct_verifier_.get()); std::unique_ptr callback( @@ -276,37 +284,6 @@ TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) { ASSERT_EQ(QUIC_FAILURE, status); } -// Tests that EV certificates are left as EV if there is no certificate -// policy enforcement. -TEST_F(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) { - scoped_refptr test_cert = GetTestServerCertificate(); - ASSERT_TRUE(test_cert); - - CertVerifyResult dummy_result; - dummy_result.verified_cert = test_cert; - dummy_result.cert_status = CERT_STATUS_IS_EV; - - MockCertVerifier dummy_verifier; - dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK); - - ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr, - ct_verifier_.get()); - - std::unique_ptr callback( - new DummyProofVerifierCallback); - QuicAsyncStatus status = proof_verifier.VerifyProof( - kTestHostname, kTestPort, kTestConfig, QUIC_VERSION_25, "", certs_, "", - GetTestSignature(), verify_context_.get(), &error_details_, &details_, - callback.get()); - ASSERT_EQ(QUIC_SUCCESS, status); - - ASSERT_TRUE(details_.get()); - ProofVerifyDetailsChromium* verify_details = - static_cast(details_.get()); - EXPECT_EQ(dummy_result.cert_status, - verify_details->cert_verify_result.cert_status); -} - // Tests that the certificate policy enforcer is consulted for EV // and the certificate is allowed to be EV. TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) { @@ -323,7 +300,8 @@ TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) { MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, - nullptr, ct_verifier_.get()); + &transport_security_state_, + ct_verifier_.get()); std::unique_ptr callback( new DummyProofVerifierCallback); @@ -356,7 +334,8 @@ TEST_F(ProofVerifierChromiumTest, StripsEVIfNotAllowed) { MockCTPolicyEnforcer policy_enforcer(false /*is_ev*/); ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, - nullptr, ct_verifier_.get()); + &transport_security_state_, + ct_verifier_.get()); std::unique_ptr callback( new DummyProofVerifierCallback); @@ -390,7 +369,8 @@ TEST_F(ProofVerifierChromiumTest, IgnoresPolicyEnforcerIfNotEV) { FailsTestCTPolicyEnforcer policy_enforcer; ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, - nullptr, ct_verifier_.get()); + &transport_security_state_, + ct_verifier_.get()); std::unique_ptr callback( new DummyProofVerifierCallback); @@ -434,8 +414,10 @@ TEST_F(ProofVerifierChromiumTest, PKPEnforced) { kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), true, pin_hashes, GURL()); - ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, - &transport_security_state, nullptr); + MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); + ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, + &transport_security_state, + ct_verifier_.get()); std::unique_ptr callback( new DummyProofVerifierCallback); @@ -474,8 +456,10 @@ TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) { kTestHostname, base::Time::Now() + base::TimeDelta::FromSeconds(10000), true, expected_hashes, GURL()); - ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, - &transport_security_state_fail, nullptr); + MockCTPolicyEnforcer policy_enforcer(true /*is_ev*/); + ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer, + &transport_security_state_fail, + ct_verifier_.get()); std::unique_ptr callback( new DummyProofVerifierCallback); diff --git a/net/quic/quic_end_to_end_unittest.cc b/net/quic/quic_end_to_end_unittest.cc index 6212e8dec3c037..87ca6fe040a269 100644 --- a/net/quic/quic_end_to_end_unittest.cc +++ b/net/quic/quic_end_to_end_unittest.cc @@ -17,6 +17,7 @@ #include "net/base/test_data_directory.h" #include "net/base/upload_bytes_element_reader.h" #include "net/base/upload_data_stream.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mapped_host_resolver.h" @@ -118,6 +119,7 @@ class QuicEndToEndTest : public ::testing::TestWithParam { params_.cert_verifier = &cert_verifier_; params_.transport_security_state = &transport_security_state_; params_.cert_transparency_verifier = cert_transparency_verifier_.get(); + params_.ct_policy_enforcer = &ct_policy_enforcer_; params_.proxy_service = proxy_service_.get(); params_.ssl_config_service = ssl_config_service_.get(); params_.http_auth_handler_factory = auth_handler_factory_.get(); @@ -251,6 +253,7 @@ class QuicEndToEndTest : public ::testing::TestWithParam { std::unique_ptr channel_id_service_; TransportSecurityState transport_security_state_; std::unique_ptr cert_transparency_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; scoped_refptr ssl_config_service_; std::unique_ptr proxy_service_; std::unique_ptr auth_handler_factory_; diff --git a/net/quic/quic_network_transaction_unittest.cc b/net/quic/quic_network_transaction_unittest.cc index 7be9d646915cd2..9da9915ad63299 100644 --- a/net/quic/quic_network_transaction_unittest.cc +++ b/net/quic/quic_network_transaction_unittest.cc @@ -16,6 +16,7 @@ #include "net/base/chunked_upload_data_stream.h" #include "net/base/test_completion_callback.h" #include "net/base/test_data_directory.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" @@ -511,6 +512,7 @@ class QuicNetworkTransactionTest params_.cert_verifier = &cert_verifier_; params_.transport_security_state = &transport_security_state_; params_.cert_transparency_verifier = cert_transparency_verifier_.get(); + params_.ct_policy_enforcer = &ct_policy_enforcer_; params_.socket_performance_watcher_factory = &test_socket_performance_watcher_factory_; params_.proxy_service = proxy_service_.get(); @@ -654,6 +656,7 @@ class QuicNetworkTransactionTest MockCertVerifier cert_verifier_; TransportSecurityState transport_security_state_; std::unique_ptr cert_transparency_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; TestSocketPerformanceWatcherFactory test_socket_performance_watcher_factory_; scoped_refptr ssl_config_service_; std::unique_ptr proxy_service_; @@ -2186,6 +2189,7 @@ class QuicNetworkTransactionWithDestinationTest params.cert_verifier = &cert_verifier_; params.transport_security_state = &transport_security_state_; params.cert_transparency_verifier = cert_transparency_verifier_.get(); + params.ct_policy_enforcer = &ct_policy_enforcer_; params.socket_performance_watcher_factory = &test_socket_performance_watcher_factory_; params.ssl_config_service = ssl_config_service_.get(); @@ -2359,6 +2363,7 @@ class QuicNetworkTransactionWithDestinationTest MockCertVerifier cert_verifier_; TransportSecurityState transport_security_state_; std::unique_ptr cert_transparency_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; TestSocketPerformanceWatcherFactory test_socket_performance_watcher_factory_; scoped_refptr ssl_config_service_; std::unique_ptr proxy_service_; diff --git a/net/quic/quic_stream_factory_test.cc b/net/quic/quic_stream_factory_test.cc index 16a61b3b7c9b2d..3aeaf1c953a2b6 100644 --- a/net/quic/quic_stream_factory_test.cc +++ b/net/quic/quic_stream_factory_test.cc @@ -11,6 +11,7 @@ #include "base/threading/thread_task_runner_handle.h" #include "net/base/test_data_directory.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_response_headers.h" @@ -312,7 +313,7 @@ class QuicStreamFactoryTestBase { DCHECK(!factory_); factory_.reset(new QuicStreamFactory( net_log_.net_log(), &host_resolver_, &socket_factory_, - &http_server_properties_, cert_verifier_.get(), nullptr, + &http_server_properties_, cert_verifier_.get(), &ct_policy_enforcer_, channel_id_service_.get(), &transport_security_state_, cert_transparency_verifier_.get(), /*SocketPerformanceWatcherFactory*/ nullptr, @@ -485,6 +486,7 @@ class QuicStreamFactoryTestBase { std::unique_ptr channel_id_service_; TransportSecurityState transport_security_state_; std::unique_ptr cert_transparency_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; std::unique_ptr scoped_mock_network_change_notifier_; std::unique_ptr factory_; diff --git a/net/quic/test_tools/crypto_test_utils_chromium.cc b/net/quic/test_tools/crypto_test_utils_chromium.cc index 121db431beeed2..2c04b812a17daa 100644 --- a/net/quic/test_tools/crypto_test_utils_chromium.cc +++ b/net/quic/test_tools/crypto_test_utils_chromium.cc @@ -18,6 +18,7 @@ #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verifier.h" #include "net/cert/cert_verify_result.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/ct_verifier.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/multi_log_ct_verifier.h" @@ -50,14 +51,16 @@ class TestProofVerifierChromium : public ProofVerifierChromium { std::unique_ptr cert_verifier, std::unique_ptr transport_security_state, std::unique_ptr cert_transparency_verifier, + std::unique_ptr ct_policy_enforcer, const std::string& cert_file) : ProofVerifierChromium(cert_verifier.get(), - nullptr, + ct_policy_enforcer.get(), transport_security_state.get(), cert_transparency_verifier.get()), cert_verifier_(std::move(cert_verifier)), transport_security_state_(std::move(transport_security_state)), - cert_transparency_verifier_(std::move(cert_transparency_verifier)) { + cert_transparency_verifier_(std::move(cert_transparency_verifier)), + ct_policy_enforcer_(std::move(ct_policy_enforcer)) { // Load and install the root for the validated chain. scoped_refptr root_cert = ImportCertFromFile(GetTestCertsDirectory(), cert_file); @@ -73,6 +76,7 @@ class TestProofVerifierChromium : public ProofVerifierChromium { std::unique_ptr cert_verifier_; std::unique_ptr transport_security_state_; std::unique_ptr cert_transparency_verifier_; + std::unique_ptr ct_policy_enforcer_; }; } // namespace @@ -104,11 +108,13 @@ ProofVerifier* ProofVerifierForTestingInternal(bool use_real_proof_verifier) { if (use_real_proof_verifier) { return new TestProofVerifierChromium( std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), - base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); + base::WrapUnique(new MultiLogCTVerifier), + base::WrapUnique(new CTPolicyEnforcer), "quic_root.crt"); } return new TestProofVerifierChromium( std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), - base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); + base::WrapUnique(new MultiLogCTVerifier), + base::WrapUnique(new CTPolicyEnforcer), "quic_root.crt"); } // static diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h index 10affda136ac2c..0dde938613b2c2 100644 --- a/net/socket/ssl_client_socket.h +++ b/net/socket/ssl_client_socket.h @@ -41,13 +41,7 @@ class X509Certificate; // This struct groups together several fields which are used by various // classes related to SSLClientSocket. struct SSLClientSocketContext { - SSLClientSocketContext() - : cert_verifier(NULL), - channel_id_service(NULL), - transport_security_state(NULL), - cert_transparency_verifier(NULL), - ct_policy_enforcer(NULL) {} - + SSLClientSocketContext() = default; SSLClientSocketContext(CertVerifier* cert_verifier_arg, ChannelIDService* channel_id_service_arg, TransportSecurityState* transport_security_state_arg, @@ -61,11 +55,11 @@ struct SSLClientSocketContext { ct_policy_enforcer(ct_policy_enforcer_arg), ssl_session_cache_shard(ssl_session_cache_shard_arg) {} - CertVerifier* cert_verifier; - ChannelIDService* channel_id_service; - TransportSecurityState* transport_security_state; - CTVerifier* cert_transparency_verifier; - CTPolicyEnforcer* ct_policy_enforcer; + CertVerifier* cert_verifier = nullptr; + ChannelIDService* channel_id_service = nullptr; + TransportSecurityState* transport_security_state = nullptr; + CTVerifier* cert_transparency_verifier = nullptr; + CTPolicyEnforcer* ct_policy_enforcer = nullptr; // ssl_session_cache_shard is an opaque string that identifies a shard of the // SSL session cache. SSL sockets with the same ssl_session_cache_shard may // resume each other's SSL sessions but we'll never sessions between shards. diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc index bcd66037690e80..10bda9110ba2ed 100644 --- a/net/socket/ssl_client_socket_impl.cc +++ b/net/socket/ssl_client_socket_impl.cc @@ -519,6 +519,8 @@ SSLClientSocketImpl::SSLClientSocketImpl( net_log_(transport_->socket()->NetLog()), weak_factory_(this) { DCHECK(cert_verifier_); + DCHECK(transport_security_state_); + DCHECK(policy_enforcer_); } SSLClientSocketImpl::~SSLClientSocketImpl() { @@ -616,10 +618,6 @@ int SSLClientSocketImpl::ExportKeyingMaterial(const base::StringPiece& label, } int SSLClientSocketImpl::Connect(const CompletionCallback& callback) { - // It is an error to create an SSLClientSocket whose context has no - // TransportSecurityState. - DCHECK(transport_security_state_); - // Although StreamSocket does allow calling Connect() after Disconnect(), // this has never worked for layered sockets. CHECK to detect any consumers // reconnecting an SSL socket. @@ -1330,8 +1328,7 @@ int SSLClientSocketImpl::DoVerifyCertComplete(int result) { } const CertStatus cert_status = server_cert_verify_result_.cert_status; - if (transport_security_state_ && - (result == OK || + if ((result == OK || (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && !transport_security_state_->CheckPublicKeyPins( host_and_port_, server_cert_verify_result_.is_issued_by_known_root, @@ -1379,9 +1376,6 @@ void SSLClientSocketImpl::UpdateServerCert() { } void SSLClientSocketImpl::VerifyCT() { - if (!cert_transparency_verifier_) - return; - const uint8_t* ocsp_response_raw; size_t ocsp_response_len; SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len); @@ -1405,34 +1399,32 @@ void SSLClientSocketImpl::VerifyCT() { server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, &ct_verify_result_, net_log_); - ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr); + ct_verify_result_.ct_policies_applied = true; ct_verify_result_.ev_policy_compliance = ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; - if (policy_enforcer_) { - if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) { - scoped_refptr ev_whitelist = - SSLConfigService::GetEVCertsWhitelist(); - ct::EVPolicyCompliance ev_policy_compliance = - policy_enforcer_->DoesConformToCTEVPolicy( - server_cert_verify_result_.verified_cert.get(), - ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_); - ct_verify_result_.ev_policy_compliance = ev_policy_compliance; - if (ev_policy_compliance != - ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && - ev_policy_compliance != - ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && - ev_policy_compliance != - ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { - server_cert_verify_result_.cert_status |= - CERT_STATUS_CT_COMPLIANCE_FAILED; - server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; - } - } - ct_verify_result_.cert_policy_compliance = - policy_enforcer_->DoesConformToCertPolicy( - server_cert_verify_result_.verified_cert.get(), + if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) { + scoped_refptr ev_whitelist = + SSLConfigService::GetEVCertsWhitelist(); + ct::EVPolicyCompliance ev_policy_compliance = + policy_enforcer_->DoesConformToCTEVPolicy( + server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_); + ct_verify_result_.ev_policy_compliance = ev_policy_compliance; + if (ev_policy_compliance != + ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY && + ev_policy_compliance != + ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST && + ev_policy_compliance != + ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) { + server_cert_verify_result_.cert_status |= + CERT_STATUS_CT_COMPLIANCE_FAILED; + server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV; + } } + ct_verify_result_.cert_policy_compliance = + policy_enforcer_->DoesConformToCertPolicy( + server_cert_verify_result_.verified_cert.get(), + ct_verify_result_.verified_scts, net_log_); } void SSLClientSocketImpl::OnHandshakeIOComplete(int result) { diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index 92e0407130bfca..710527c9319099 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -14,7 +14,9 @@ #include "net/base/load_timing_info_test_util.h" #include "net/base/net_errors.h" #include "net/base/test_completion_callback.h" -#include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_auth_handler_factory.h" #include "net/http/http_network_session.h" @@ -78,7 +80,8 @@ class SSLClientSocketPoolTest public ::testing::WithParamInterface { protected: SSLClientSocketPoolTest() - : transport_security_state_(new TransportSecurityState), + : cert_verifier_(new MockCertVerifier), + transport_security_state_(new TransportSecurityState), proxy_service_(ProxyService::CreateDirect()), ssl_config_service_(new SSLConfigServiceDefaults), http_auth_handler_factory_( @@ -127,9 +130,9 @@ class SSLClientSocketPoolTest void CreatePool(bool transport_pool, bool http_proxy_pool, bool socks_pool) { pool_.reset(new SSLClientSocketPool( - kMaxSockets, kMaxSocketsPerGroup, NULL /* cert_verifier */, - NULL /* channel_id_service */, NULL /* transport_security_state */, - NULL /* cert_transparency_verifier */, NULL /* ct_policy_enforcer */, + kMaxSockets, kMaxSocketsPerGroup, cert_verifier_.get(), + NULL /* channel_id_service */, transport_security_state_.get(), + &ct_verifier_, &ct_policy_enforcer_, std::string() /* ssl_session_cache_shard */, &socket_factory_, transport_pool ? &transport_socket_pool_ : NULL, socks_pool ? &socks_socket_pool_ : NULL, @@ -163,6 +166,8 @@ class SSLClientSocketPoolTest params.host_resolver = &host_resolver_; params.cert_verifier = cert_verifier_.get(); params.transport_security_state = transport_security_state_.get(); + params.cert_transparency_verifier = &ct_verifier_; + params.ct_policy_enforcer = &ct_policy_enforcer_; params.proxy_service = proxy_service_.get(); params.client_socket_factory = &socket_factory_; params.ssl_config_service = ssl_config_service_.get(); @@ -178,6 +183,8 @@ class SSLClientSocketPoolTest MockCachingHostResolver host_resolver_; std::unique_ptr cert_verifier_; std::unique_ptr transport_security_state_; + MultiLogCTVerifier ct_verifier_; + CTPolicyEnforcer ct_policy_enforcer_; const std::unique_ptr proxy_service_; const scoped_refptr ssl_config_service_; const std::unique_ptr http_auth_handler_factory_; diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc index ad710632692da9..4536438515d45c 100644 --- a/net/socket/ssl_client_socket_unittest.cc +++ b/net/socket/ssl_client_socket_unittest.cc @@ -713,10 +713,23 @@ class SSLClientSocketTest : public PlatformTest { SSLClientSocketTest() : socket_factory_(ClientSocketFactory::GetDefaultFactory()), cert_verifier_(new MockCertVerifier), - transport_security_state_(new TransportSecurityState) { + transport_security_state_(new TransportSecurityState), + ct_verifier_(new MockCTVerifier), + ct_policy_enforcer_(new MockCTPolicyEnforcer) { cert_verifier_->set_default_result(OK); context_.cert_verifier = cert_verifier_.get(); context_.transport_security_state = transport_security_state_.get(); + context_.cert_transparency_verifier = ct_verifier_.get(); + context_.ct_policy_enforcer = ct_policy_enforcer_.get(); + + EXPECT_CALL(*ct_verifier_, Verify(_, _, _, _, _)) + .WillRepeatedly(Return(OK)); + EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCertPolicy(_, _, _)) + .WillRepeatedly( + Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); + EXPECT_CALL(*ct_policy_enforcer_, DoesConformToCTEVPolicy(_, _, _, _)) + .WillRepeatedly( + Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS)); } protected: @@ -808,6 +821,8 @@ class SSLClientSocketTest : public PlatformTest { ClientSocketFactory* socket_factory_; std::unique_ptr cert_verifier_; std::unique_ptr transport_security_state_; + std::unique_ptr ct_verifier_; + std::unique_ptr ct_policy_enforcer_; SSLClientSocketContext context_; std::unique_ptr sock_; TestNetLog log_; diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc index eaa36b9276d804..0145d88ecc9569 100644 --- a/net/socket/ssl_server_socket_unittest.cc +++ b/net/socket/ssl_server_socket_unittest.cc @@ -48,6 +48,9 @@ #include "net/base/net_errors.h" #include "net/base/test_data_directory.h" #include "net/cert/cert_status_flags.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/ct_policy_status.h" +#include "net/cert/ct_verifier.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/mock_client_cert_verifier.h" #include "net/cert/x509_certificate.h" @@ -79,6 +82,42 @@ const char kWrongClientCertFileName[] = "client_2.pem"; const char kWrongClientPrivateKeyFileName[] = "client_2.pk8"; const char kClientCertCAFileName[] = "client_1_ca.pem"; +class MockCTVerifier : public CTVerifier { + public: + MockCTVerifier() = default; + ~MockCTVerifier() override = default; + + int Verify(X509Certificate* cert, + const std::string& stapled_ocsp_response, + const std::string& sct_list_from_tls_extension, + ct::CTVerifyResult* result, + const BoundNetLog& net_log) override { + return net::OK; + } + + void SetObserver(Observer* observer) override {} +}; + +class MockCTPolicyEnforcer : public CTPolicyEnforcer { + public: + MockCTPolicyEnforcer() = default; + ~MockCTPolicyEnforcer() override = default; + ct::CertPolicyCompliance DoesConformToCertPolicy( + X509Certificate* cert, + const SCTList& verified_scts, + const BoundNetLog& net_log) override { + return ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS; + } + + ct::EVPolicyCompliance DoesConformToCTEVPolicy( + X509Certificate* cert, + const ct::EVCertsWhitelist* ev_whitelist, + const SCTList& verified_scts, + const BoundNetLog& net_log) override { + return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS; + } +}; + class FakeDataChannel { public: FakeDataChannel() @@ -330,7 +369,9 @@ class SSLServerSocketTest : public PlatformTest { : socket_factory_(ClientSocketFactory::GetDefaultFactory()), cert_verifier_(new MockCertVerifier()), client_cert_verifier_(new MockClientCertVerifier()), - transport_security_state_(new TransportSecurityState) {} + transport_security_state_(new TransportSecurityState), + ct_verifier_(new MockCTVerifier), + ct_policy_enforcer_(new MockCTPolicyEnforcer) {} void SetUp() override { PlatformTest::SetUp(); @@ -384,6 +425,8 @@ class SSLServerSocketTest : public PlatformTest { SSLClientSocketContext context; context.cert_verifier = cert_verifier_.get(); context.transport_security_state = transport_security_state_.get(); + context.cert_transparency_verifier = ct_verifier_.get(); + context.ct_policy_enforcer = ct_policy_enforcer_.get(); client_socket_ = socket_factory_->CreateSSLClientSocket( std::move(client_connection), host_and_pair, client_ssl_config_, @@ -466,6 +509,8 @@ class SSLServerSocketTest : public PlatformTest { std::unique_ptr cert_verifier_; std::unique_ptr client_cert_verifier_; std::unique_ptr transport_security_state_; + std::unique_ptr ct_verifier_; + std::unique_ptr ct_policy_enforcer_; std::unique_ptr server_context_; std::unique_ptr server_private_key_; scoped_refptr server_cert_; diff --git a/net/spdy/spdy_test_util_common.cc b/net/spdy/spdy_test_util_common.cc index 4a22b8ff59978b..ae397b758c453e 100644 --- a/net/spdy/spdy_test_util_common.cc +++ b/net/spdy/spdy_test_util_common.cc @@ -16,7 +16,9 @@ #include "base/strings/string_number_conversions.h" #include "base/strings/string_split.h" #include "net/base/host_port_pair.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/mock_cert_verifier.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/http/http_cache.h" #include "net/http/http_network_session.h" #include "net/http/http_network_transaction.h" @@ -331,11 +333,18 @@ crypto::ECSignatureCreator* MockECSignatureCreatorFactory::Create( } SpdySessionDependencies::SpdySessionDependencies(NextProto protocol) + : SpdySessionDependencies(protocol, ProxyService::CreateDirect()) {} + +SpdySessionDependencies::SpdySessionDependencies( + NextProto protocol, + std::unique_ptr proxy_service) : host_resolver(new MockCachingHostResolver), cert_verifier(new MockCertVerifier), channel_id_service(nullptr), transport_security_state(new TransportSecurityState), - proxy_service(ProxyService::CreateDirect()), + cert_transparency_verifier(new MultiLogCTVerifier), + ct_policy_enforcer(new CTPolicyEnforcer), + proxy_service(std::move(proxy_service)), ssl_config_service(new SSLConfigServiceDefaults), socket_factory(new MockClientSocketFactory), http_auth_handler_factory( @@ -368,38 +377,6 @@ SpdySessionDependencies::SpdySessionDependencies(NextProto protocol) host_resolver->set_synchronous_mode(true); } -SpdySessionDependencies::SpdySessionDependencies( - NextProto protocol, - std::unique_ptr proxy_service) - : host_resolver(new MockHostResolver), - cert_verifier(new MockCertVerifier), - channel_id_service(nullptr), - transport_security_state(new TransportSecurityState), - proxy_service(std::move(proxy_service)), - ssl_config_service(new SSLConfigServiceDefaults), - socket_factory(new MockClientSocketFactory), - http_auth_handler_factory( - HttpAuthHandlerFactory::CreateDefault(host_resolver.get())), - http_server_properties(new HttpServerPropertiesImpl), - enable_ip_pooling(true), - enable_ping(false), - enable_user_alternate_protocol_ports(false), - enable_npn(false), - enable_priority_dependencies(true), - enable_spdy31(true), - enable_quic(false), - enable_alternative_service_for_insecure_origins(true), - protocol(protocol), - session_max_recv_window_size( - SpdySession::GetDefaultInitialWindowSize(protocol)), - stream_max_recv_window_size( - SpdySession::GetDefaultInitialWindowSize(protocol)), - time_func(&base::TimeTicks::Now), - enable_alternative_service_with_different_host(true), - net_log(NULL) { - DCHECK(next_proto_is_spdy(protocol)) << "Invalid protocol: " << protocol; -} - SpdySessionDependencies::~SpdySessionDependencies() {} // static @@ -426,6 +403,9 @@ HttpNetworkSession::Params SpdySessionDependencies::CreateSessionParams( params.channel_id_service = session_deps->channel_id_service.get(); params.transport_security_state = session_deps->transport_security_state.get(); + params.cert_transparency_verifier = + session_deps->cert_transparency_verifier.get(); + params.ct_policy_enforcer = session_deps->ct_policy_enforcer.get(); params.proxy_service = session_deps->proxy_service.get(); params.ssl_config_service = session_deps->ssl_config_service.get(); params.http_auth_handler_factory = diff --git a/net/spdy/spdy_test_util_common.h b/net/spdy/spdy_test_util_common.h index d45c4d076e8a2b..e5f908f50f36b0 100644 --- a/net/spdy/spdy_test_util_common.h +++ b/net/spdy/spdy_test_util_common.h @@ -42,6 +42,8 @@ class GURL; namespace net { class BoundNetLog; +class CTVerifier; +class CTPolicyEnforcer; class HostPortPair; class SpdySession; class SpdySessionKey; @@ -190,6 +192,8 @@ struct SpdySessionDependencies { std::unique_ptr cert_verifier; std::unique_ptr channel_id_service; std::unique_ptr transport_security_state; + std::unique_ptr cert_transparency_verifier; + std::unique_ptr ct_policy_enforcer; std::unique_ptr proxy_service; scoped_refptr ssl_config_service; std::unique_ptr socket_factory; diff --git a/net/url_request/url_request_context.cc b/net/url_request/url_request_context.cc index 837e0744d9cc70..721ec9aaccd3ba 100644 --- a/net/url_request/url_request_context.cc +++ b/net/url_request/url_request_context.cc @@ -29,6 +29,7 @@ URLRequestContext::URLRequestContext() cookie_store_(nullptr), transport_security_state_(nullptr), cert_transparency_verifier_(nullptr), + ct_policy_enforcer_(nullptr), http_transaction_factory_(nullptr), job_factory_(nullptr), throttler_manager_(nullptr), @@ -57,6 +58,7 @@ void URLRequestContext::CopyFrom(const URLRequestContext* other) { set_cookie_store(other->cookie_store_); set_transport_security_state(other->transport_security_state_); set_cert_transparency_verifier(other->cert_transparency_verifier_); + set_ct_policy_enforcer(other->ct_policy_enforcer_); set_http_transaction_factory(other->http_transaction_factory_); set_job_factory(other->job_factory_); set_throttler_manager(other->throttler_manager_); diff --git a/net/url_request/url_request_context.h b/net/url_request/url_request_context.h index 1b00b0549a25aa..498c7dfdcc8512 100644 --- a/net/url_request/url_request_context.h +++ b/net/url_request/url_request_context.h @@ -31,6 +31,7 @@ namespace net { class CertVerifier; class ChannelIDService; class CookieStore; +class CTPolicyEnforcer; class CTVerifier; class HostResolver; class HttpAuthHandlerFactory; @@ -164,6 +165,11 @@ class NET_EXPORT URLRequestContext cert_transparency_verifier_ = verifier; } + CTPolicyEnforcer* ct_policy_enforcer() const { return ct_policy_enforcer_; } + void set_ct_policy_enforcer(CTPolicyEnforcer* enforcer) { + ct_policy_enforcer_ = enforcer; + } + const URLRequestJobFactory* job_factory() const { return job_factory_; } void set_job_factory(const URLRequestJobFactory* job_factory) { job_factory_ = job_factory; @@ -260,6 +266,7 @@ class NET_EXPORT URLRequestContext CookieStore* cookie_store_; TransportSecurityState* transport_security_state_; CTVerifier* cert_transparency_verifier_; + CTPolicyEnforcer* ct_policy_enforcer_; HttpTransactionFactory* http_transaction_factory_; const URLRequestJobFactory* job_factory_; URLRequestThrottlerManager* throttler_manager_; diff --git a/net/url_request/url_request_context_builder.cc b/net/url_request/url_request_context_builder.cc index 972d32c0b6a816..a6e71b29b780dd 100644 --- a/net/url_request/url_request_context_builder.cc +++ b/net/url_request/url_request_context_builder.cc @@ -21,6 +21,8 @@ #include "net/base/network_delegate_impl.h" #include "net/base/sdch_manager.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/cookies/cookie_monster.h" #include "net/dns/host_resolver.h" #include "net/http/http_auth_handler_factory.h" @@ -223,6 +225,7 @@ void URLRequestContextBuilder::SetHttpNetworkSessionComponents( params->cert_verifier = context->cert_verifier(); params->transport_security_state = context->transport_security_state(); params->cert_transparency_verifier = context->cert_transparency_verifier(); + params->ct_policy_enforcer = context->ct_policy_enforcer(); params->proxy_service = context->proxy_service(); params->ssl_config_service = context->ssl_config_service(); params->http_auth_handler_factory = context->http_auth_handler_factory(); @@ -386,6 +389,10 @@ std::unique_ptr URLRequestContextBuilder::Build() { storage->set_cert_verifier(CertVerifier::CreateDefault()); } + storage->set_cert_transparency_verifier( + base::MakeUnique()); + storage->set_ct_policy_enforcer(base::MakeUnique()); + if (throttling_enabled_) { storage->set_throttler_manager( base::WrapUnique(new URLRequestThrottlerManager())); diff --git a/net/url_request/url_request_context_storage.cc b/net/url_request/url_request_context_storage.cc index 6865edb919a89e..08c8f29cd17483 100644 --- a/net/url_request/url_request_context_storage.cc +++ b/net/url_request/url_request_context_storage.cc @@ -11,6 +11,8 @@ #include "net/base/proxy_delegate.h" #include "net/base/sdch_manager.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/ct_verifier.h" #include "net/cookies/cookie_store.h" #include "net/dns/host_resolver.h" #include "net/http/http_auth_handler_factory.h" @@ -104,6 +106,18 @@ void URLRequestContextStorage::set_transport_security_state( transport_security_state_ = std::move(transport_security_state); } +void URLRequestContextStorage::set_cert_transparency_verifier( + std::unique_ptr cert_transparency_verifier) { + context_->set_cert_transparency_verifier(cert_transparency_verifier.get()); + cert_transparency_verifier_ = std::move(cert_transparency_verifier); +} + +void URLRequestContextStorage::set_ct_policy_enforcer( + std::unique_ptr ct_policy_enforcer) { + context_->set_ct_policy_enforcer(ct_policy_enforcer.get()); + ct_policy_enforcer_ = std::move(ct_policy_enforcer); +} + void URLRequestContextStorage::set_http_network_session( std::unique_ptr http_network_session) { http_network_session_ = std::move(http_network_session); diff --git a/net/url_request/url_request_context_storage.h b/net/url_request/url_request_context_storage.h index 88077498d966a6..a38fd130736ecc 100644 --- a/net/url_request/url_request_context_storage.h +++ b/net/url_request/url_request_context_storage.h @@ -16,6 +16,8 @@ namespace net { class CertVerifier; class ChannelIDService; class CookieStore; +class CTPolicyEnforcer; +class CTVerifier; class FtpTransactionFactory; class HostResolver; class HttpAuthHandlerFactory; @@ -64,6 +66,10 @@ class NET_EXPORT URLRequestContextStorage { void set_cookie_store(std::unique_ptr cookie_store); void set_transport_security_state( std::unique_ptr transport_security_state); + void set_cert_transparency_verifier( + std::unique_ptr cert_transparency_verifier); + void set_ct_policy_enforcer( + std::unique_ptr ct_policy_enforcer); void set_http_network_session( std::unique_ptr http_network_session); void set_http_transaction_factory( @@ -105,6 +111,8 @@ class NET_EXPORT URLRequestContextStorage { std::unique_ptr http_user_agent_settings_; std::unique_ptr cookie_store_; std::unique_ptr transport_security_state_; + std::unique_ptr cert_transparency_verifier_; + std::unique_ptr ct_policy_enforcer_; // Not actually pointed at by the URLRequestContext, but may be used (but not // owned) by the HttpTransactionFactory. diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc index 1b2cb59434f5f7..2da0f0b8795ce2 100644 --- a/net/url_request/url_request_test_util.cc +++ b/net/url_request/url_request_test_util.cc @@ -17,7 +17,8 @@ #include "base/threading/worker_pool.h" #include "net/base/host_port_pair.h" #include "net/cert/cert_verifier.h" -#include "net/cert/ct_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/dns/mock_host_resolver.h" #include "net/http/http_network_session.h" #include "net/http/http_response_headers.h" @@ -56,11 +57,7 @@ const int kStageDestruction = 1 << 10; TestURLRequestContext::TestURLRequestContext() : TestURLRequestContext(false) {} TestURLRequestContext::TestURLRequestContext(bool delay_initialization) - : initialized_(false), - client_socket_factory_(nullptr), - proxy_delegate_(nullptr), - ct_policy_enforcer_(nullptr), - context_storage_(this) { + : context_storage_(this) { if (!delay_initialization) Init(); } @@ -81,9 +78,18 @@ void TestURLRequestContext::Init() { context_storage_.set_proxy_service(ProxyService::CreateDirect()); if (!cert_verifier()) context_storage_.set_cert_verifier(CertVerifier::CreateDefault()); - if (!transport_security_state()) + if (!transport_security_state()) { context_storage_.set_transport_security_state( base::WrapUnique(new TransportSecurityState())); + } + if (!cert_transparency_verifier()) { + context_storage_.set_cert_transparency_verifier( + base::WrapUnique(new MultiLogCTVerifier())); + } + if (!ct_policy_enforcer()) { + context_storage_.set_ct_policy_enforcer( + base::WrapUnique(new CTPolicyEnforcer)); + } if (!ssl_config_service()) context_storage_.set_ssl_config_service(new SSLConfigServiceDefaults()); if (!http_auth_handler_factory()) { @@ -119,8 +125,7 @@ void TestURLRequestContext::Init() { params.host_resolver = host_resolver(); params.cert_verifier = cert_verifier(); params.cert_transparency_verifier = cert_transparency_verifier(); - if (ct_policy_enforcer()) - params.ct_policy_enforcer = ct_policy_enforcer(); + params.ct_policy_enforcer = ct_policy_enforcer(); params.transport_security_state = transport_security_state(); params.proxy_service = proxy_service(); params.ssl_config_service = ssl_config_service(); diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h index 49a12f5fc994cf..54e45fd9e84103 100644 --- a/net/url_request/url_request_test_util.h +++ b/net/url_request/url_request_test_util.h @@ -85,13 +85,13 @@ class TestURLRequestContext : public URLRequestContext { context_storage_.set_sdch_manager(std::move(sdch_manager)); } - CTPolicyEnforcer* ct_policy_enforcer() { return ct_policy_enforcer_; } - void set_ct_policy_enforcer(CTPolicyEnforcer* ct_policy_enforcer) { - ct_policy_enforcer_ = ct_policy_enforcer; + void SetCTPolicyEnforcer( + std::unique_ptr ct_policy_enforcer) { + context_storage_.set_ct_policy_enforcer(std::move(ct_policy_enforcer)); } private: - bool initialized_; + bool initialized_ = false; // Optional parameters to override default values. Note that values that // point to other objects the TestURLRequestContext creates will be @@ -99,11 +99,9 @@ class TestURLRequestContext : public URLRequestContext { std::unique_ptr http_network_session_params_; // Not owned: - ClientSocketFactory* client_socket_factory_; + ClientSocketFactory* client_socket_factory_ = nullptr; - ProxyDelegate* proxy_delegate_; - - CTPolicyEnforcer* ct_policy_enforcer_; + ProxyDelegate* proxy_delegate_ = nullptr; protected: URLRequestContextStorage context_storage_; diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc index 91bca58a540aa9..dee4fe92985e23 100644 --- a/net/url_request/url_request_unittest.cc +++ b/net/url_request/url_request_unittest.cc @@ -58,6 +58,7 @@ #include "net/base/upload_data_stream.h" #include "net/base/upload_file_element_reader.h" #include "net/base/url_util.h" +#include "net/cert/ct_policy_enforcer.h" #include "net/cert/ct_policy_status.h" #include "net/cert/ct_verifier.h" #include "net/cert/ct_verify_result.h" @@ -6491,7 +6492,7 @@ TEST_F(URLRequestTestHTTP, ExpectCTHeader) { context.set_network_delegate(&network_delegate); context.set_cert_verifier(&cert_verifier); context.set_cert_transparency_verifier(&ct_verifier); - context.set_ct_policy_enforcer(&ct_policy_enforcer); + context.set_ct_policy_enforcer(std::move(&ct_policy_enforcer)); context.Init(); // Now send a request to trigger the violation. @@ -8837,6 +8838,9 @@ TEST_F(HTTPSRequestTest, SSLSessionCacheShardTest) { params.host_resolver = default_context_.host_resolver(); params.cert_verifier = default_context_.cert_verifier(); params.transport_security_state = default_context_.transport_security_state(); + params.cert_transparency_verifier = + default_context_.cert_transparency_verifier(); + params.ct_policy_enforcer = default_context_.ct_policy_enforcer(); params.proxy_service = default_context_.proxy_service(); params.ssl_config_service = default_context_.ssl_config_service(); params.http_auth_handler_factory = @@ -9226,7 +9230,9 @@ class HTTPSOCSPTest : public HTTPSRequestTest { } void SetUp() override { - SetupContext(&context_); + context_.SetCTPolicyEnforcer( + base::MakeUnique()); + SetupContext(); context_.Init(); scoped_refptr root_cert = @@ -9269,11 +9275,31 @@ class HTTPSOCSPTest : public HTTPSRequestTest { } protected: + class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer { + public: + AllowAnyCertCTPolicyEnforcer() = default; + ~AllowAnyCertCTPolicyEnforcer() override = default; + + ct::CertPolicyCompliance DoesConformToCertPolicy( + X509Certificate* cert, + const SCTList& verified_scts, + const BoundNetLog& net_log) override { + return ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS; + } + + ct::EVPolicyCompliance DoesConformToCTEVPolicy( + X509Certificate* cert, + const ct::EVCertsWhitelist* ev_whitelist, + const SCTList& verified_scts, + const BoundNetLog& net_log) override { + return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS; + } + }; // SetupContext configures the URLRequestContext that will be used for making // connetions to testserver. This can be overridden in test subclasses for // different behaviour. - virtual void SetupContext(URLRequestContext* context) { - context->set_ssl_config_service(new TestSSLConfigService( + virtual void SetupContext() { + context_.set_ssl_config_service(new TestSSLConfigService( true /* check for EV */, true /* online revocation checking */, false /* require rev. checking for local anchors */, @@ -9460,8 +9486,8 @@ TEST_F(HTTPSOCSPTest, MAYBE_RevokedStapled) { class HTTPSHardFailTest : public HTTPSOCSPTest { protected: - void SetupContext(URLRequestContext* context) override { - context->set_ssl_config_service(new TestSSLConfigService( + void SetupContext() override { + context_.set_ssl_config_service(new TestSSLConfigService( false /* check for EV */, false /* online revocation checking */, true /* require rev. checking for local anchors */, @@ -9497,8 +9523,8 @@ TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) { class HTTPSEVCRLSetTest : public HTTPSOCSPTest { protected: - void SetupContext(URLRequestContext* context) override { - context->set_ssl_config_service(new TestSSLConfigService( + void SetupContext() override { + context_.set_ssl_config_service(new TestSSLConfigService( true /* check for EV */, false /* online revocation checking */, false /* require rev. checking for local anchors */, @@ -9682,8 +9708,8 @@ TEST_F(HTTPSEVCRLSetTest, ExpiredCRLSetAndRevokedNonEVCert) { class HTTPSCRLSetTest : public HTTPSOCSPTest { protected: - void SetupContext(URLRequestContext* context) override { - context->set_ssl_config_service(new TestSSLConfigService( + void SetupContext() override { + context_.set_ssl_config_service(new TestSSLConfigService( false /* check for EV */, false /* online revocation checking */, false /* require rev. checking for local anchors */, diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc index 64579a6e9dc09d..303aea253d1457 100644 --- a/remoting/protocol/ssl_hmac_channel_authenticator.cc +++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc @@ -22,6 +22,9 @@ #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verifier.h" #include "net/cert/cert_verify_result.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/ct_policy_status.h" +#include "net/cert/ct_verifier.h" #include "net/cert/x509_certificate.h" #include "net/http/transport_security_state.h" #include "net/socket/client_socket_handle.h" @@ -62,6 +65,45 @@ class FailingCertVerifier : public net::CertVerifier { } }; +// A CTVerifier which ignores Certificate Transparency information. +class IgnoresCTVerifier : public net::CTVerifier { + public: + IgnoresCTVerifier() = default; + ~IgnoresCTVerifier() override = default; + + int Verify(net::X509Certificate* cert, + const std::string& stapled_ocsp_response, + const std::string& sct_list_from_tls_extension, + net::ct::CTVerifyResult* result, + const net::BoundNetLog& net_log) override { + return net::OK; + } + + void SetObserver(Observer* observer) override {} +}; + +// A CTPolicyEnforcer that accepts all certificates. +class IgnoresCTPolicyEnforcer : public net::CTPolicyEnforcer { + public: + IgnoresCTPolicyEnforcer() = default; + ~IgnoresCTPolicyEnforcer() override = default; + + net::ct::CertPolicyCompliance DoesConformToCertPolicy( + net::X509Certificate* cert, + const net::SCTList& verified_scts, + const net::BoundNetLog& net_log) override { + return net::ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS; + } + + net::ct::EVPolicyCompliance DoesConformToCTEVPolicy( + net::X509Certificate* cert, + const net::ct::EVCertsWhitelist* ev_whitelist, + const net::SCTList& verified_scts, + const net::BoundNetLog& net_log) override { + return net::ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY; + } +}; + // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed // to net::SSLClientSocket and net::SSLServerSocket. class NetStreamSocketAdapter : public net::StreamSocket { @@ -240,6 +282,8 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate( } else { transport_security_state_.reset(new net::TransportSecurityState); cert_verifier_.reset(new FailingCertVerifier); + ct_verifier_.reset(new IgnoresCTVerifier); + ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer); net::SSLConfig::CertAndStatus cert_and_status; cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; @@ -259,6 +303,8 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate( net::SSLClientSocketContext context; context.transport_security_state = transport_security_state_.get(); context.cert_verifier = cert_verifier_.get(); + context.cert_transparency_verifier = ct_verifier_.get(); + context.ct_policy_enforcer = ct_policy_enforcer_.get(); std::unique_ptr socket_handle( new net::ClientSocketHandle); socket_handle->SetSocket( diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.h b/remoting/protocol/ssl_hmac_channel_authenticator.h index 818882edbfee10..c76341c84f1550 100644 --- a/remoting/protocol/ssl_hmac_channel_authenticator.h +++ b/remoting/protocol/ssl_hmac_channel_authenticator.h @@ -16,6 +16,8 @@ namespace net { class CertVerifier; +class CTPolicyEnforcer; +class CTVerifier; class DrainableIOBuffer; class GrowableIOBuffer; class SSLServerContext; @@ -93,6 +95,8 @@ class SslHmacChannelAuthenticator : public ChannelAuthenticator, std::string remote_cert_; std::unique_ptr transport_security_state_; std::unique_ptr cert_verifier_; + std::unique_ptr ct_verifier_; + std::unique_ptr ct_policy_enforcer_; std::unique_ptr socket_; DoneCallback done_callback_; diff --git a/remoting/signaling/xmpp_signal_strategy.cc b/remoting/signaling/xmpp_signal_strategy.cc index 4e25ccbf9fe0f2..00fe3edb5799ae 100644 --- a/remoting/signaling/xmpp_signal_strategy.cc +++ b/remoting/signaling/xmpp_signal_strategy.cc @@ -21,6 +21,8 @@ #include "base/timer/timer.h" #include "jingle/glue/proxy_resolving_client_socket.h" #include "net/cert/cert_verifier.h" +#include "net/cert/ct_policy_enforcer.h" +#include "net/cert/multi_log_ct_verifier.h" #include "net/http/transport_security_state.h" #include "net/socket/client_socket_factory.h" #include "net/socket/client_socket_handle.h" @@ -120,6 +122,8 @@ class XmppSignalStrategy::Core : public XmppLoginHandler::Delegate { // Used by the |socket_|. std::unique_ptr cert_verifier_; std::unique_ptr transport_security_state_; + std::unique_ptr cert_transparency_verifier_; + std::unique_ptr ct_policy_enforcer_; std::unique_ptr socket_; std::unique_ptr writer_; @@ -294,9 +298,13 @@ void XmppSignalStrategy::Core::StartTls() { cert_verifier_ = net::CertVerifier::CreateDefault(); transport_security_state_.reset(new net::TransportSecurityState()); + cert_transparency_verifier_.reset(new net::MultiLogCTVerifier()); + ct_policy_enforcer_.reset(new net::CTPolicyEnforcer()); net::SSLClientSocketContext context; context.cert_verifier = cert_verifier_.get(); context.transport_security_state = transport_security_state_.get(); + context.cert_transparency_verifier = cert_transparency_verifier_.get(); + context.ct_policy_enforcer = ct_policy_enforcer_.get(); socket_ = socket_factory_->CreateSSLClientSocket( std::move(socket_handle),