diff options
| author | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-31 20:15:57 +0000 |
|---|---|---|
| committer | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-31 20:15:57 +0000 |
| commit | 18fb0c3b499607a6890c844f5bba2019159b26d0 (patch) | |
| tree | 7a31b3c0bea4c24af258ba0dbcce84df5a00137f /net/socket | |
| parent | f6a37b54c1e97fa7774d9b12aacc5848bcd02aea (diff) | |
| download | chromium_src-18fb0c3b499607a6890c844f5bba2019159b26d0.zip chromium_src-18fb0c3b499607a6890c844f5bba2019159b26d0.tar.gz chromium_src-18fb0c3b499607a6890c844f5bba2019159b26d0.tar.bz2 | |
Support SHA-256 in public key pins for HTTPS.
The HTTP-based Public Key Pinning Internet Draft
(tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
Per wtc, give the *Fingeprint* types more meaningful *HashValue* names.
Cleaning up lint along the way.
BUG=117914
TEST=net_unittests, unit_tests TransportSecurityPersisterTest
Review URL: https://chromiumcodereview.appspot.com/10545166
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149261 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
| -rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 16 | ||||
| -rw-r--r-- | net/socket/ssl_client_socket_nss.h | 2 |
2 files changed, 11 insertions, 7 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 46facf1..3ae7539 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -131,8 +131,8 @@ static bool IsOCSPStaplingSupported() { #elif defined(USE_NSS) typedef SECStatus (*CacheOCSPResponseFromSideChannelFunction)( - CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time, - SECItem *encodedResponse, void *pwArg); + CERTCertDBHandle* handle, CERTCertificate* cert, PRTime time, + SECItem* encodedResponse, void* pwArg); // On Linux, we dynamically link against the system version of libnss3.so. In // order to continue working on systems without up-to-date versions of NSS we @@ -2763,10 +2763,14 @@ bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { ssl_info->connection_status = core_->state().ssl_connection_status; ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; - for (std::vector<SHA1Fingerprint>::const_iterator - i = side_pinned_public_keys_.begin(); - i != side_pinned_public_keys_.end(); i++) { - ssl_info->public_key_hashes.push_back(*i); + // TODO(palmer) TODO(agl): Do side pins need to be in both SHA1 and SHA256 + // forms? If consumers of side pins only care about SHA1, it is OK to put + // them only in the HASH_VALUE_SHA1 vector. + HashValueVector& sha1_hashes = + ssl_info->public_key_hashes[HASH_VALUE_SHA1]; + for (HashValueVector::const_iterator i = side_pinned_public_keys_.begin(); + i != side_pinned_public_keys_.end(); ++i) { + sha1_hashes.push_back(*i); } ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root; diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index ba34a2c..f8f602f 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -157,7 +157,7 @@ class SSLClientSocketNSS : public SSLClientSocket { CompletionCallback user_connect_callback_; CertVerifyResult server_cert_verify_result_; - std::vector<SHA1Fingerprint> side_pinned_public_keys_; + HashValueVector side_pinned_public_keys_; CertVerifier* const cert_verifier_; scoped_ptr<SingleRequestCertVerifier> verifier_; |