author | vandebo@chromium.org <vandebo@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-31 20:38:18 +0000 |
---|---|---|
committer | vandebo@chromium.org <vandebo@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-31 20:38:18 +0000 |
commit | 5fb0c3fa351ea22371db00d3db97d02f3b399780 (patch) | |
tree | f94e4e491e52b3a34f7508723752b3234c8bf76b /net/socket | |
parent | 034548ddd7d9d59c1b022618dfb418c3ce44ae52 (diff) | |
Revert 149261 - Support SHA-256 in public key pins for HTTPS.
Broke the compile on CrOS. Looks like const-ness problem:
net/socket/ssl_client_socket_nss.cc: In member function 'int net::SSLClientSocketNSS::DoVerifyCertComplete(int)':
net/socket/ssl_client_socket_nss.cc:3458:error: no matching function for call to 'net::TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(std::vector<std::vector<net::HashValue, std::allocator<net::HashValue> >, std::allocator<std::vector<net::HashValue, std::allocator<net::HashValue> > > >&)'
./net/base/transport_security_state.h:94: note: candidates are: bool net::TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(const net::HashValueVector&) const
The HTTP-based Public Key Pinning Internet Draft
(tools.ietf.org/html/draft-ietf-websec-key-pinning) requires this.
Per wtc, give the *Fingerprint* types more meaningful *HashValue* names.
Cleaning up lint along the way.
BUG=117914
TEST=net_unittests, unit_tests TransportSecurityPersisterTest
Review URL: https://chromiumcodereview.appspot.com/10545166
TBR=palmer@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10827104
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149268 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 16 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 2 |
2 files changed, 7 insertions, 11 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 3ae7539..46facf1 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -131,8 +131,8 @@ static bool IsOCSPStaplingSupported() {
 #elif defined(USE_NSS)
 typedef SECStatus (*CacheOCSPResponseFromSideChannelFunction)(
- CERTCertDBHandle* handle, CERTCertificate* cert, PRTime time,
- SECItem* encodedResponse, void* pwArg);
+ CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
+ SECItem *encodedResponse, void *pwArg);
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
@@ -2763,14 +2763,10 @@ bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
 ssl_info->connection_status = core_->state().ssl_connection_status;
 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
- // TODO(palmer) TODO(agl): Do side pins need to be in both SHA1 and SHA256
- // forms? If consumers of side pins only care about SHA1, it is OK to put
- // them only in the HASH_VALUE_SHA1 vector.
- HashValueVector& sha1_hashes =
- ssl_info->public_key_hashes[HASH_VALUE_SHA1];
- for (HashValueVector::const_iterator i = side_pinned_public_keys_.begin();
- i != side_pinned_public_keys_.end(); ++i) {
- sha1_hashes.push_back(*i);
+ for (std::vector<SHA1Fingerprint>::const_iterator
+ i = side_pinned_public_keys_.begin();
+ i != side_pinned_public_keys_.end(); i++) {
+ ssl_info->public_key_hashes.push_back(*i);
 }
 ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root;
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index f8f602f..ba34a2c 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
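Review bot: The merge of side-pinned keys into `ssl_info->public_key_hashes` in the second hunk (GetSSLInfo) is undocumented: the restored loop appends every entry of `side_pinned_public_keys_` right after that vector is copied from `server_cert_verify_result_.public_key_hashes`, so a reader cannot tell whether consumers of `SSLInfo` are meant to treat side-pinned keys the same as hashes from the verified chain. A comment above the loop would make that intent reviewable, for example `// Side-pinned keys are reported together with the verified chain's hashes; pin checks see both.` (wording for the author to confirm). The loop could also be one call, `ssl_info->public_key_hashes.insert(ssl_info->public_key_hashes.end(), side_pinned_public_keys_.begin(), side_pinned_public_keys_.end());`, assuming both vectors share an element type as the `push_back(*i)` suggests, which also drops the post-increment `i++` on the iterator. The body of GetSSLInfo starts and ends outside this hunk.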
@@ -157,7 +157,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
 CompletionCallback user_connect_callback_;
 CertVerifyResult server_cert_verify_result_;
- HashValueVector side_pinned_public_keys_;
+ std::vector<SHA1Fingerprint> side_pinned_public_keys_;
 CertVerifier* const cert_verifier_;
 scoped_ptr<SingleRequestCertVerifier> verifier_; |