From 98f397e9a7720f1476e37b0966c9ad70ea4deebc Mon Sep 17 00:00:00 2001
From: "agl@chromium.org"
Date: Tue, 26 Oct 2010 13:56:57 +0000
Subject: net: always save certs and trigger verify in SSLHostInfo.

(This is still behind --enable-snap-start because the SSLHostInfo's don't get created without it.) Have ssl_client_socket_nss always save certificates to the SSLHostInfo and have the SSLHostInfo kick off a validation as soon as possible if it has the certificates. For now the validation just primes the OCSP cache and isn't tied into anything else. In future patches, the SSL socket will compare the actual certificates against the predicted certificates and avoid a second validation if they match.

BUG=none
TEST=none

http://codereview.chromium.org/3968003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@63887 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/socket/ssl_host_info.cc | 48 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

(limited to 'net/socket/ssl_host_info.cc')

diff --git a/net/socket/ssl_host_info.cc b/net/socket/ssl_host_info.cc
index 9056fef..ec97b66 100644
--- a/net/socket/ssl_host_info.cc
+++ b/net/socket/ssl_host_info.cc
@@ -4,6 +4,10 @@
 #include "net/socket/ssl_host_info.h"
+#include "base/string_piece.h"
+#include "net/base/cert_verifier.h"
+#include "net/base/ssl_config_service.h"
+#include "net/base/x509_certificate.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/socket/ssl_host_info.pb.h"
@@ -16,7 +20,16 @@ SSLHostInfo::State::State()
 SSLHostInfo::State::~State() {}
-SSLHostInfo::SSLHostInfo() {
+SSLHostInfo::SSLHostInfo(
+    const std::string& hostname,
+    const SSLConfig& ssl_config)
+    : hostname_(hostname),
+      cert_valid_(false),
+      rev_checking_enabled_(ssl_config.rev_checking_enabled),
+      verify_ev_cert_(ssl_config.verify_ev_cert),
+      callback_(new CancelableCompletionCallback(
+          ALLOW_THIS_IN_INITIALIZER_LIST(this),
+          &SSLHostInfo::VerifyCallback)) {
   state_.npn_valid = false;
 }
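Review bot: The `callback_(new CancelableCompletionCallback(...))` initializer binds `this` for an asynchronous CertVerifier completion, but nothing in this patch shows SSLHostInfo's destructor cancelling `callback_` or tearing down `verifier_` before a pending Verify() completes; the destructor is outside this hunk, so if it does not cancel, VerifyCallback can run on a destroyed object. A comment at the `callback_(` line would make the contract explicit: `// Bound to |this|; the destructor must cancel it while a Verify() may be in flight.` It is also worth confirming, since it is not visible here, that `callback_` is held by an owning pointer and that ALLOW_THIS_IN_INITIALIZER_LIST is justified by the callback not being invoked during construction.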
@@ -67,6 +80,7 @@ bool SSLHostInfo::Parse(const std::string& data) {
   state->certs.clear();
   state->server_hello.clear();
   state->npn_valid = false;
+  cert_valid_ = false;
   if (!proto.ParseFromString(data))
     return false;
@@ -81,6 +95,26 @@ bool SSLHostInfo::Parse(const std::string& data) {
     state->npn_protocol = proto.npn_protocol();
   }
+  if (state->certs.size() > 0) {
+    std::vector der_certs(state->certs.size());
+    for (size_t i = 0; i < state->certs.size(); i++)
+      der_certs[i] = state->certs[i];
+    cert_ = X509Certificate::CreateFromDERCertChain(der_certs);
+    if (cert_.get()) {
+      int flags = 0;
+      if (verify_ev_cert_)
+        flags |= X509Certificate::VERIFY_EV_CERT;
+      if (rev_checking_enabled_)
+        flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+      verifier_.reset(new CertVerifier);
+      VLOG(1) << "Kicking off validation for " << hostname_;
+      if (verifier_->Verify(cert_.get(), hostname_, flags,
+                            &cert_verify_result_, callback_) == OK) {
+        cert_valid_ = true;
+      }
+    }
+  }
+
   return true;
 }
@@ -102,6 +136,18 @@ std::string SSLHostInfo::Serialize() const {
   return proto.SerializeAsString();
 }
+bool SSLHostInfo::cert_valid() const {
+  return cert_valid_;
+}
+
+const CertVerifyResult& SSLHostInfo::cert_verify_result() const {
+  return cert_verify_result_;
+}
+
+void SSLHostInfo::VerifyCallback(int rv) {
+  cert_valid_ = rv == OK;
+}
+
 SSLHostInfoFactory::~SSLHostInfoFactory() {}
 }  // namespace net
-- 
cgit v1.1
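Review bot: Only `cert_valid_` is reset at the top of Parse while `cert_`, `verifier_` and `cert_verify_result_` keep whatever an earlier Parse produced, so after the `return false` on a failed ParseFromString two lines later, `cert_verify_result()` still reports a stale result from a previous blob even though `cert_valid()` is false. Resetting the certificate alongside the flag keeps the two consistent: `cert_valid_ = false;` followed by `cert_ = NULL;`. Whether `verifier_` can be dropped here too depends on CertVerifier's behaviour with an outstanding request, which is not visible in this patch; the function continues outside the hunk.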
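Review bot: `verifier_.reset(new CertVerifier);` replaces, on every parse, a verifier whose previous Verify() may still be pending; unless destroying a CertVerifier with an outstanding request is guaranteed to suppress its completion, a second Parse can leave `callback_` to fire after the request's owner is gone, which the hunk does not address. Note also that `cert_valid_ = true` is only reached when Verify() completes synchronously (a cache hit), so an asynchronous result arrives later through VerifyCallback and `cert_verify_result_` is being written in the background; a comment above `if (verifier_->Verify(` such as `// ERR_IO_PENDING means |cert_verify_result_| is still being filled; consult it only once cert_valid() is true.` would keep future callers honest. The element type of `der_certs` appears lost in this rendering (`std::vector der_certs(...)`); given the `base/string_piece.h` include it is presumably `std::vector<base::StringPiece>`, worth confirming against the real file. Parse() starts outside this hunk.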
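Review bot: `cert_verify_result()` hands out `cert_verify_result_` with no indication of whether a verification has completed or succeeded, and VerifyCallback only flips `cert_valid_`, so the accessor needs a documented precondition; suggested comment above it: `// Only meaningful while cert_valid() returns true; otherwise the result is unset or left over from a failed or earlier verification.` VerifyCallback also discards the failure code in `cert_valid_ = rv == OK;`, so a revocation or OCSP failure during this priming step is invisible; a `VLOG(1)` of `hostname_` and `rv` on the non-OK path, matching the kick-off log in Parse, would make such failures diagnosable.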