namespace net {
+ProofVerifyDetails* ProofVerifyDetailsChromium::Clone() const {
+ ProofVerifyDetailsChromium* other = new ProofVerifyDetailsChromium;
+ other->cert_verify_result = cert_verify_result;
+ return other;
+}
+
// A Job handles the verification of a single proof. It is owned by the
// ProofVerifier. If the verification can not complete synchronously, it
// will notify the ProofVerifier upon completion.
*error_details = "Failed to create certificate chain. Certs are empty.";
DLOG(WARNING) << *error_details;
verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
- verify_details->reset(verify_details_.release());
+ *verify_details = verify_details_.Pass();
return QUIC_FAILURE;
}
*error_details = "Failed to create certificate chain";
DLOG(WARNING) << *error_details;
verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
- verify_details->reset(verify_details_.release());
+ *verify_details = verify_details_.Pass();
return QUIC_FAILURE;
}
*error_details = "Failed to verify signature of server config";
DLOG(WARNING) << *error_details;
verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
- verify_details->reset(verify_details_.release());
+ *verify_details = verify_details_.Pass();
return QUIC_FAILURE;
}
next_state_ = STATE_VERIFY_CERT;
switch (DoLoop(OK)) {
case OK:
- verify_details->reset(verify_details_.release());
+ *verify_details = verify_details_.Pass();
return QUIC_SUCCESS;
case ERR_IO_PENDING:
callback_.reset(callback);
return QUIC_PENDING;
default:
*error_details = error_details_;
- verify_details->reset(verify_details_.release());
+ *verify_details = verify_details_.Pass();
return QUIC_FAILURE;
}
}
void ProofVerifierChromium::Job::OnIOComplete(int result) {
int rv = DoLoop(result);
if (rv != ERR_IO_PENDING) {
- scoped_ptr<ProofVerifierCallback> callback(callback_.release());
+ scoped_ptr<ProofVerifierCallback> callback(callback_.Pass());
// Callback expects ProofVerifyDetails not ProofVerifyDetailsChromium.
- scoped_ptr<ProofVerifyDetails> verify_details(verify_details_.release());
+ scoped_ptr<ProofVerifyDetails> verify_details(verify_details_.Pass());
callback->Run(rv == OK, error_details_, &verify_details);
// Will delete |this|.
proof_verifier_->OnJobComplete(this);
int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
verifier_.reset();
-#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
- // TODO(wtc): The following code was copied from ssl_client_socket_nss.cc.
- // Convert it to a new function that can be called by both files. These
- // variables simulate the arguments to the new function.
const CertVerifyResult& cert_verify_result =
verify_details_->cert_verify_result;
- bool sni_available = true;
- const std::string& host = hostname_;
- TransportSecurityState* transport_security_state = transport_security_state_;
- std::string* pinning_failure_log = &verify_details_->pinning_failure_log;
-
- // Take care of any mandates for public key pinning.
- //
- // Pinning is only enabled for official builds to make sure that others don't
- // end up with pins that cannot be easily updated.
- //
- // TODO(agl): We might have an issue here where a request for foo.example.com
- // merges into a SPDY connection to www.example.com, and gets a different
- // certificate.
-
- // Perform pin validation if, and only if, all these conditions obtain:
- //
- // * a TransportSecurityState object is available;
- // * the server's certificate chain is valid (or suffers from only a minor
- // error);
- // * the server's certificate chain chains up to a known root (i.e. not a
- // user-installed trust anchor); and
- // * the build is recent (very old builds should fail open so that users
- // have some chance to recover).
- //
const CertStatus cert_status = cert_verify_result.cert_status;
- if (transport_security_state &&
+ if (transport_security_state_ &&
(result == OK ||
(IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
- cert_verify_result.is_issued_by_known_root &&
- TransportSecurityState::IsBuildTimely()) {
- if (transport_security_state->HasPublicKeyPins(host, sni_available)) {
- if (!transport_security_state->CheckPublicKeyPins(
- host,
- sni_available,
- cert_verify_result.public_key_hashes,
- pinning_failure_log)) {
- LOG(ERROR) << *pinning_failure_log;
- result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
- TransportSecurityState::ReportUMAOnPinFailure(host);
- } else {
- UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
- }
- }
+ !transport_security_state_->CheckPublicKeyPins(
+ hostname_,
+ true, /* sni_available */
+ cert_verify_result.is_issued_by_known_root,
+ cert_verify_result.public_key_hashes,
+ &verify_details_->pinning_failure_log)) {
+ result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
}
-#endif
- if (result <= ERR_FAILED) {
+ if (result != OK) {
+ std::string error_string = ErrorToString(result);
error_details_ = StringPrintf("Failed to verify certificate chain: %s",
- ErrorToString(result));
+ error_string.c_str());
DLOG(WARNING) << error_details_;
- result = ERR_FAILED;
}
// Exit DoLoop and return the result to the caller to VerifyProof.
}
bool ProofVerifierChromium::Job::VerifySignature(const string& signed_data,
- const string& signature,
- const string& cert) {
+ const string& signature,
+ const string& cert) {
StringPiece spki;
if (!asn1::ExtractSPKIFromDERCert(cert, &spki)) {
DLOG(WARNING) << "ExtractSPKIFromDERCert failed";