author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-26 13:56:57 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-26 13:56:57 +0000 |
commit | 98f397e9a7720f1476e37b0966c9ad70ea4deebc (patch) | |
tree | 9e7374a3d50f0abc764343981c8b071850ff3c8d /net/socket/ssl_host_info.cc | |
parent | abf23550d6399dc647c984f9135447f658bbaf35 (diff) | |
net: always save certs and trigger verify in SSLHostInfo.
(This is still behind --enable-snap-start because SSLHostInfo objects
are not created without it.)
Have ssl_client_socket_nss always save certificates to the SSLHostInfo
and have the SSLHostInfo kick off a validation as soon as possible if
it has the certificates.
For now the validation just primes the OCSP cache and isn't tied into
anything else. In future patches, the SSL socket will compare the
actual certificates against the predicted certificates and avoid a
second validation if they match.
BUG=none
TEST=none
http://codereview.chromium.org/3968003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@63887 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_host_info.cc')
-rw-r--r-- | net/socket/ssl_host_info.cc | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/net/socket/ssl_host_info.cc b/net/socket/ssl_host_info.cc
index 9056fef..ec97b66 100644
--- a/net/socket/ssl_host_info.cc
+++ b/net/socket/ssl_host_info.cc
@@ -4,6 +4,10 @@
#include "net/socket/ssl_host_info.h"
+#include "base/string_piece.h"
+#include "net/base/cert_verifier.h"
+#include "net/base/ssl_config_service.h"
+#include "net/base/x509_certificate.h"
#include "net/socket/ssl_client_socket.h"
#include "net/socket/ssl_host_info.pb.h"
@@ -16,7 +20,16 @@ SSLHostInfo::State::State()
SSLHostInfo::State::~State() {}
-SSLHostInfo::SSLHostInfo() {
+SSLHostInfo::SSLHostInfo(
+ const std::string& hostname,
+ const SSLConfig& ssl_config)
+ : hostname_(hostname),
+ cert_valid_(false),
+ rev_checking_enabled_(ssl_config.rev_checking_enabled),
+ verify_ev_cert_(ssl_config.verify_ev_cert),
+ callback_(new CancelableCompletionCallback<SSLHostInfo>(
+ ALLOW_THIS_IN_INITIALIZER_LIST(this),
+ &SSLHostInfo::VerifyCallback)) {
state_.npn_valid = false;
}
@@ -67,6 +80,7 @@ bool SSLHostInfo::Parse(const std::string& data) {
state->certs.clear();
state->server_hello.clear();
state->npn_valid = false;
+ cert_valid_ = false;
if (!proto.ParseFromString(data))
return false;
@@ -81,6 +95,26 @@ bool SSLHostInfo::Parse(const std::string& data) {
state->npn_protocol = proto.npn_protocol();
}
+ if (state->certs.size() > 0) {
+ std::vector<base::StringPiece> der_certs(state->certs.size());
+ for (size_t i = 0; i < state->certs.size(); i++)
+ der_certs[i] = state->certs[i];
+ cert_ = X509Certificate::CreateFromDERCertChain(der_certs);
+ if (cert_.get()) {
+ int flags = 0;
+ if (verify_ev_cert_)
+ flags |= X509Certificate::VERIFY_EV_CERT;
+ if (rev_checking_enabled_)
+ flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+ verifier_.reset(new CertVerifier);
+ VLOG(1) << "Kicking off validation for " << hostname_;
+ if (verifier_->Verify(cert_.get(), hostname_, flags,
+ &cert_verify_result_, callback_) == OK) {
+ cert_valid_ = true;
+ }
+ }
+ }
+
return true;
}
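Review bot: The new constructor snapshots `ssl_config.rev_checking_enabled` and `ssl_config.verify_ev_cert` into `rev_checking_enabled_` and `verify_ev_cert_`, so any verification result this object later exposes was computed under the SSLConfig in force when the SSLHostInfo was created, not necessarily the one the consuming socket runs with; when a later patch reuses that result to skip a second validation, the socket must also compare those two flags (or re-verify when they differ), and a member comment such as `// Snapshotted at construction; the cached verify result is only valid for an SSLConfig with the same values.` would make that contract explicit. `callback_` is built with `ALLOW_THIS_IN_INITIALIZER_LIST(this)` and is handed to an asynchronous CertVerifier in Parse, so the object must either outlive every in-flight verification or cancel it on destruction; the destructor is outside this diff and whether destroying `verifier_` cancels a pending request is not visible here, so that should be confirmed before the result is relied on.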
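Review bot: In the final hunk of Parse, `cert_valid_` cannot distinguish "verification still pending" from "verification failed", and `cert_verify_result_` is filled in asynchronously by the CertVerifier, so a caller that reads `cert_verify_result()` while the verify is in flight gets an unfinished struct; the result should be documented, or guarded, as meaningful only once `cert_valid()` is true. The reset at the top of Parse only clears `cert_valid_`, so if Parse is called again with data that has no certs, `cert_` and `cert_verify_result_` keep the chain and result from the previous data; reset them alongside it, e.g. `cert_valid_ = false;` followed by `cert_ = NULL;` and `verifier_.reset();` (assuming `cert_` is a scoped_refptr, as the `cert_.get()` usage suggests). Whether `verifier_.reset(new CertVerifier)` cancels an in-flight request from the previous chain, rather than letting its completion deliver a stale `OK` through `VerifyCallback` for the new `cert_`, is not visible in this hunk and should be confirmed. Parse's body begins outside the hunk.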
@@ -102,6 +136,18 @@ std::string SSLHostInfo::Serialize() const {
return proto.SerializeAsString();
}
+bool SSLHostInfo::cert_valid() const {
+ return cert_valid_;
+}
+
+const CertVerifyResult& SSLHostInfo::cert_verify_result() const {
+ return cert_verify_result_;
+}
+
+void SSLHostInfo::VerifyCallback(int rv) {
+ cert_valid_ = rv == OK;
+}
+
SSLHostInfoFactory::~SSLHostInfoFactory() {}
} // namespace net |
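Review bot: `cert_verify_result()` returns `cert_verify_result_` unconditionally, including before the asynchronous verify started in Parse has completed and after it has failed, and nothing in the new accessors tells a caller which case applies; add a comment such as `// Only meaningful when cert_valid() is true; until the asynchronous verification completes (or if it failed) the contents are unspecified.` and consider having `VerifyCallback` retain `rv` so a failed verification is distinguishable from a pending one. `VerifyCallback` is the completion handed to the CertVerifier, so a one-line comment noting that it is invoked asynchronously and discards the error code would help the next reader. Style: `cert_valid_ = rv == OK;` reads more clearly parenthesised as `cert_valid_ = (rv == OK);`.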