More fixes to a backported patch for certificate transparency
This commit is contained in:
parent
be81360432
commit
f341b670a0
@ -1,6 +1,73 @@
|
|||||||
|
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc
|
||||||
|
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency 2019-09-03 22:08:28.931786496 +0200
|
||||||
|
+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc 2019-09-03 22:15:24.743555759 +0200
|
||||||
|
@@ -17,6 +17,7 @@
|
||||||
|
#include "chrome/common/pref_names.h"
|
||||||
|
#include "chrome/test/base/in_process_browser_test.h"
|
||||||
|
#include "components/prefs/pref_service.h"
|
||||||
|
+#include "services/network/public/cpp/network_service_buildflags.h"
|
||||||
|
#include "services/network/public/mojom/network_context.mojom.h"
|
||||||
|
#include "services/network/public/mojom/network_service.mojom.h"
|
||||||
|
#include "testing/gmock/include/gmock/gmock.h"
|
||||||
|
@@ -297,3 +298,55 @@ IN_PROC_BROWSER_TEST_P(SystemNetworkCont
|
||||||
|
INSTANTIATE_TEST_SUITE_P(,
|
||||||
|
SystemNetworkContextManagerStubResolverBrowsertest,
|
||||||
|
::testing::Values(false, true));
|
||||||
|
+
|
||||||
|
+class SystemNetworkContextManagerCertificateTransparencyBrowsertest
|
||||||
|
+ : public SystemNetworkContextManagerBrowsertest,
|
||||||
|
+ public testing::WithParamInterface<base::Optional<bool>> {
|
||||||
|
+ public:
|
||||||
|
+ SystemNetworkContextManagerCertificateTransparencyBrowsertest() {
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ GetParam());
|
||||||
|
+ }
|
||||||
|
+ ~SystemNetworkContextManagerCertificateTransparencyBrowsertest() override {
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ base::nullopt);
|
||||||
|
+ }
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+#if BUILDFLAG(IS_CT_SUPPORTED)
|
||||||
|
+IN_PROC_BROWSER_TEST_P(
|
||||||
|
+ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
|
||||||
|
+ CertificateTransparencyConfig) {
|
||||||
|
+ network::mojom::NetworkContextParamsPtr context_params =
|
||||||
|
+ g_browser_process->system_network_context_manager()
|
||||||
|
+ ->CreateDefaultNetworkContextParams();
|
||||||
|
+
|
||||||
|
+ const bool kDefault =
|
||||||
|
+#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
|
||||||
|
+ !defined(OS_ANDROID)
|
||||||
|
+ true;
|
||||||
|
+#else
|
||||||
|
+ false;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ EXPECT_EQ(GetParam().value_or(kDefault),
|
||||||
|
+ context_params->enforce_chrome_ct_policy);
|
||||||
|
+ EXPECT_NE(GetParam().value_or(kDefault), context_params->ct_logs.empty());
|
||||||
|
+
|
||||||
|
+ if (GetParam().value_or(kDefault)) {
|
||||||
|
+ bool has_google_log = false;
|
||||||
|
+ bool has_disqualified_log = false;
|
||||||
|
+ for (const auto& ct_log : context_params->ct_logs) {
|
||||||
|
+ has_google_log |= ct_log->operated_by_google;
|
||||||
|
+ has_disqualified_log |= ct_log->disqualified_at.has_value();
|
||||||
|
+ }
|
||||||
|
+ EXPECT_TRUE(has_google_log);
|
||||||
|
+ EXPECT_TRUE(has_disqualified_log);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+INSTANTIATE_TEST_SUITE_P(
|
||||||
|
+ ,
|
||||||
|
+ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
|
||||||
|
+ ::testing::Values(base::nullopt, true, false));
|
||||||
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
|
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
|
||||||
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
|
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
|
||||||
+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 12:01:33.004949320 +0200
|
+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 22:13:26.451198970 +0200
|
||||||
@@ -4,11 +4,13 @@
|
@@ -4,11 +4,13 @@
|
||||||
|
|
||||||
#include "chrome/browser/net/system_network_context_manager.h"
|
#include "chrome/browser/net/system_network_context_manager.h"
|
||||||
@ -23,52 +90,205 @@ diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manage
|
|||||||
#include "mojo/public/cpp/bindings/associated_interface_ptr.h"
|
#include "mojo/public/cpp/bindings/associated_interface_ptr.h"
|
||||||
#include "net/dns/public/util.h"
|
#include "net/dns/public/util.h"
|
||||||
#include "net/net_buildflags.h"
|
#include "net/net_buildflags.h"
|
||||||
@@ -686,15 +689,41 @@ SystemNetworkContextManager::CreateDefau
|
@@ -81,6 +84,20 @@
|
||||||
|
|
||||||
|
namespace {
|
||||||
|
|
||||||
|
+constexpr bool kCertificateTransparencyEnabled =
|
||||||
|
+#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
|
||||||
|
+ !defined(OS_ANDROID)
|
||||||
|
+ // Certificate Transparency is only enabled if:
|
||||||
|
+ // - Desktop (!OS_ANDROID); OS_IOS does not use this file
|
||||||
|
+ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
|
||||||
|
+ // - The build in reliably updatable (GOOGLE_CHROME_BUILD)
|
||||||
|
+ true;
|
||||||
|
+#else
|
||||||
|
+ false;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+bool g_enable_certificate_transparency = kCertificateTransparencyEnabled;
|
||||||
|
+
|
||||||
|
// The global instance of the SystemNetworkContextmanager.
|
||||||
|
SystemNetworkContextManager* g_system_network_context_manager = nullptr;
|
||||||
|
|
||||||
|
@@ -686,14 +703,35 @@ SystemNetworkContextManager::CreateDefau
|
||||||
|
|
||||||
bool http_09_on_non_default_ports_enabled = false;
|
bool http_09_on_non_default_ports_enabled = false;
|
||||||
#if !defined(OS_ANDROID)
|
#if !defined(OS_ANDROID)
|
||||||
- // CT is only enabled on Desktop platforms for now.
|
- // CT is only enabled on Desktop platforms for now.
|
||||||
|
- network_context_params->enforce_chrome_ct_policy = true;
|
||||||
|
- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
|
||||||
|
- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
|
||||||
|
- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
|
||||||
|
- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
|
||||||
|
- log_info->name = ct_log.log_name;
|
||||||
|
- network_context_params->ct_logs.push_back(std::move(log_info));
|
||||||
+
|
+
|
||||||
+#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \
|
+ if (g_enable_certificate_transparency) {
|
||||||
+ !defined(OS_IOS)
|
+ network_context_params->enforce_chrome_ct_policy = true;
|
||||||
+ // Certificate Transparency is only enabled if:
|
+ network_context_params->ct_log_update_time = base::GetBuildTime();
|
||||||
+ // - Desktop (!OS_ANDROID, !OS_IOS)
|
|
||||||
+ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
|
|
||||||
+ // - The build in reliably updatable (GOOGLE_CHROME_BRANDING)
|
|
||||||
network_context_params->enforce_chrome_ct_policy = true;
|
|
||||||
+ network_context_params->ct_log_update_time = base::GetBuildTime();
|
|
||||||
+
|
+
|
||||||
+ std::vector<std::string> operated_by_google_logs =
|
+ std::vector<std::string> operated_by_google_logs =
|
||||||
+ certificate_transparency::GetLogsOperatedByGoogle();
|
+ certificate_transparency::GetLogsOperatedByGoogle();
|
||||||
+ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
|
+ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
|
||||||
+ certificate_transparency::GetDisqualifiedLogs();
|
+ certificate_transparency::GetDisqualifiedLogs();
|
||||||
for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
|
+ for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
|
||||||
// TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
|
+ // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
|
||||||
network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
|
+ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
|
||||||
log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
|
+ log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
|
||||||
log_info->name = ct_log.log_name;
|
+ log_info->name = ct_log.log_name;
|
||||||
+
|
+
|
||||||
+ std::string log_id = crypto::SHA256HashString(log_info->public_key);
|
+ std::string log_id = crypto::SHA256HashString(log_info->public_key);
|
||||||
+ log_info->operated_by_google =
|
+ log_info->operated_by_google =
|
||||||
+ std::binary_search(std::begin(operated_by_google_logs),
|
+ std::binary_search(std::begin(operated_by_google_logs),
|
||||||
+ std::end(operated_by_google_logs), log_id);
|
+ std::end(operated_by_google_logs), log_id);
|
||||||
+ auto it = std::lower_bound(
|
+ auto it = std::lower_bound(
|
||||||
+ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
|
+ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
|
||||||
+ [](const auto& disqualified_log, const std::string& log_id) {
|
+ [](const auto& disqualified_log, const std::string& log_id) {
|
||||||
+ return disqualified_log.first < log_id;
|
+ return disqualified_log.first < log_id;
|
||||||
+ });
|
+ });
|
||||||
+ if (it != std::end(disqualified_logs) && it->first == log_id) {
|
+ if (it != std::end(disqualified_logs) && it->first == log_id) {
|
||||||
+ log_info->disqualified_at = it->second;
|
+ log_info->disqualified_at = it->second;
|
||||||
|
+ }
|
||||||
|
+ network_context_params->ct_logs.push_back(std::move(log_info));
|
||||||
+ }
|
+ }
|
||||||
network_context_params->ct_logs.push_back(std::move(log_info));
|
|
||||||
}
|
}
|
||||||
+#endif
|
|
||||||
|
|
||||||
const base::Value* value =
|
const base::Value* value =
|
||||||
g_browser_process->policy_service()
|
@@ -756,6 +794,12 @@ SystemNetworkContextManager::GetHttpAuth
|
||||||
|
return CreateHttpAuthDynamicParams(g_browser_process->local_state());
|
||||||
|
}
|
||||||
|
|
||||||
|
+void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ base::Optional<bool> enabled) {
|
||||||
|
+ g_enable_certificate_transparency =
|
||||||
|
+ enabled.value_or(kCertificateTransparencyEnabled);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
network::mojom::NetworkContextParamsPtr
|
||||||
|
SystemNetworkContextManager::CreateNetworkContextParams() {
|
||||||
|
// TODO(mmenke): Set up parameters here (in memory cookie store, etc).
|
||||||
|
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h
|
||||||
|
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h 2019-09-03 22:08:28.931786496 +0200
|
||||||
|
@@ -158,6 +158,12 @@ class SystemNetworkContextManager {
|
||||||
|
static network::mojom::HttpAuthDynamicParamsPtr
|
||||||
|
GetHttpAuthDynamicParamsForTesting();
|
||||||
|
|
||||||
|
+ // Enables Certificate Transparency and enforcing the Chrome Certificate
|
||||||
|
+ // Transparency Policy. For test use only. Use base::nullopt_t to reset to
|
||||||
|
+ // the default state.
|
||||||
|
+ static void SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ base::Optional<bool> enabled);
|
||||||
|
+
|
||||||
|
private:
|
||||||
|
class URLLoaderFactoryForSystem;
|
||||||
|
|
||||||
|
diff -up chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc
|
||||||
|
--- chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
|
||||||
|
@@ -4834,7 +4834,7 @@ IN_PROC_BROWSER_TEST_P(SSLPolicyTestComm
|
||||||
|
browser()->tab_strip_model()->GetActiveWebContents()->GetTitle());
|
||||||
|
}
|
||||||
|
|
||||||
|
-IN_PROC_BROWSER_TEST_F(PolicyTest,
|
||||||
|
+IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
|
||||||
|
CertificateTransparencyEnforcementDisabledForCas) {
|
||||||
|
net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS);
|
||||||
|
https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
|
||||||
|
diff -up chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc
|
||||||
|
--- chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
|
||||||
|
@@ -8,6 +8,7 @@
|
||||||
|
#include "base/callback.h"
|
||||||
|
#include "base/run_loop.h"
|
||||||
|
#include "base/test/scoped_feature_list.h"
|
||||||
|
+#include "chrome/browser/net/system_network_context_manager.h"
|
||||||
|
#include "chrome/browser/profiles/profile.h"
|
||||||
|
#include "chrome/browser/ssl/cert_verifier_browser_test.h"
|
||||||
|
#include "chrome/browser/ui/browser.h"
|
||||||
|
@@ -27,7 +28,17 @@ namespace {
|
||||||
|
// received by a server.
|
||||||
|
class ExpectCTBrowserTest : public CertVerifierBrowserTest {
|
||||||
|
public:
|
||||||
|
- ExpectCTBrowserTest() : CertVerifierBrowserTest() {}
|
||||||
|
+ ExpectCTBrowserTest() : CertVerifierBrowserTest() {
|
||||||
|
+ // Expect-CT reporting depends on actually enforcing Certificate
|
||||||
|
+ // Transparency.
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ true);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ~ExpectCTBrowserTest() override {
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ base::nullopt);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
void SetUpOnMainThread() override {
|
||||||
|
run_loop_ = std::make_unique<base::RunLoop>();
|
||||||
|
diff -up chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc
|
||||||
|
--- chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
|
||||||
|
@@ -457,6 +457,13 @@ class SecurityStateTabHelperTest : publi
|
||||||
|
SecurityStateTabHelperTest()
|
||||||
|
: https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
|
||||||
|
https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir());
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ true);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ~SecurityStateTabHelperTest() override {
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ base::nullopt);
|
||||||
|
}
|
||||||
|
|
||||||
|
void SetUpOnMainThread() override {
|
||||||
|
diff -up chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc
|
||||||
|
--- chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc 2019-09-03 22:08:28.934786531 +0200
|
||||||
|
@@ -2008,8 +2008,14 @@ class CertificateTransparencySSLUITest :
|
||||||
|
public:
|
||||||
|
CertificateTransparencySSLUITest()
|
||||||
|
: CertVerifierBrowserTest(),
|
||||||
|
- https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}
|
||||||
|
- ~CertificateTransparencySSLUITest() override {}
|
||||||
|
+ https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ true);
|
||||||
|
+ }
|
||||||
|
+ ~CertificateTransparencySSLUITest() override {
|
||||||
|
+ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||||||
|
+ base::nullopt);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
void SetUpOnMainThread() override {
|
||||||
|
CertVerifierBrowserTest::SetUpOnMainThread();
|
||||||
|
diff -up chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h
|
||||||
|
--- chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency 2019-08-26 21:02:14.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h 2019-09-03 22:08:28.934786531 +0200
|
||||||
|
@@ -45,6 +45,19 @@ class ChromeCTPolicyEnforcer : public ne
|
||||||
|
|
||||||
|
void SetClockForTesting(const base::Clock* clock) { clock_ = clock; }
|
||||||
|
|
||||||
|
+ // TODO(https://crbug.com/999240): These are exposed to allow end-to-end
|
||||||
|
+ // testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is
|
||||||
|
+ // correctly constructed). When either this issue or https://crbug.com/848277
|
||||||
|
+ // are fixed, the configuration can be tested independently, and these can
|
||||||
|
+ // be removed.
|
||||||
|
+ const std::vector<std::string>& operated_by_google_logs_for_testing() {
|
||||||
|
+ return operated_by_google_logs_;
|
||||||
|
+ }
|
||||||
|
+ const std::vector<std::pair<std::string, base::TimeDelta>>&
|
||||||
|
+ disqualified_logs_for_testing() {
|
||||||
|
+ return disqualified_logs_;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
private:
|
||||||
|
// Returns true if the log identified by |log_id| (the SHA-256 hash of the
|
||||||
|
// log's DER-encoded SPKI) has been disqualified, and sets
|
||||||
diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
|
diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
|
||||||
--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
||||||
+++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 12:04:01.983890928 +0200
|
+++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 22:17:27.977834857 +0200
|
||||||
@@ -35,6 +35,7 @@
|
@@ -35,6 +35,7 @@
|
||||||
#include "components/prefs/pref_registry_simple.h"
|
#include "components/prefs/pref_registry_simple.h"
|
||||||
#include "components/prefs/pref_service.h"
|
#include "components/prefs/pref_service.h"
|
||||||
@ -115,12 +335,16 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
|
|||||||
scoped_refptr<const net::CTLogVerifier> log_verifier =
|
scoped_refptr<const net::CTLogVerifier> log_verifier =
|
||||||
net::CTLogVerifier::Create(log->public_key, log->name);
|
net::CTLogVerifier::Create(log->public_key, log->name);
|
||||||
if (!log_verifier) {
|
if (!log_verifier) {
|
||||||
@@ -1924,6 +1927,13 @@ URLRequestContextOwner NetworkContext::A
|
@@ -1924,6 +1927,17 @@ URLRequestContextOwner NetworkContext::A
|
||||||
ct_verifier->AddLogs(ct_logs);
|
ct_verifier->AddLogs(ct_logs);
|
||||||
builder->set_ct_verifier(std::move(ct_verifier));
|
builder->set_ct_verifier(std::move(ct_verifier));
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+ if (params_->enforce_chrome_ct_policy) {
|
+ if (params_->enforce_chrome_ct_policy) {
|
||||||
|
+ std::sort(std::begin(operated_by_google_logs),
|
||||||
|
+ std::end(operated_by_google_logs));
|
||||||
|
+ std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
|
||||||
|
+
|
||||||
+ builder->set_ct_policy_enforcer(
|
+ builder->set_ct_policy_enforcer(
|
||||||
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
|
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
|
||||||
+ params_->ct_log_update_time, disqualified_logs,
|
+ params_->ct_log_update_time, disqualified_logs,
|
||||||
@ -129,9 +353,118 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
|
|||||||
#endif // BUILDFLAG(IS_CT_SUPPORTED)
|
#endif // BUILDFLAG(IS_CT_SUPPORTED)
|
||||||
|
|
||||||
const base::CommandLine* command_line =
|
const base::CommandLine* command_line =
|
||||||
|
diff -up chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context_unittest.cc
|
||||||
|
--- chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
||||||
|
+++ chromium-76.0.3809.132/services/network/network_context_unittest.cc 2019-09-03 22:20:22.382888089 +0200
|
||||||
|
@@ -2,6 +2,7 @@
|
||||||
|
// Use of this source code is governed by a BSD-style license that can be
|
||||||
|
// found in the LICENSE file.
|
||||||
|
|
||||||
|
+#include <algorithm>
|
||||||
|
#include <map>
|
||||||
|
#include <memory>
|
||||||
|
#include <string>
|
||||||
|
@@ -38,10 +39,12 @@
|
||||||
|
#include "base/threading/thread_task_runner_handle.h"
|
||||||
|
#include "base/time/default_clock.h"
|
||||||
|
#include "base/time/default_tick_clock.h"
|
||||||
|
+#include "base/time/time.h"
|
||||||
|
#include "build/build_config.h"
|
||||||
|
#include "components/network_session_configurator/browser/network_session_configurator.h"
|
||||||
|
#include "components/network_session_configurator/common/network_switches.h"
|
||||||
|
#include "components/prefs/testing_pref_service.h"
|
||||||
|
+#include "crypto/sha2.h"
|
||||||
|
#include "mojo/public/cpp/bindings/interface_request.h"
|
||||||
|
#include "mojo/public/cpp/bindings/strong_binding.h"
|
||||||
|
#include "mojo/public/cpp/system/data_pipe_utils.h"
|
||||||
|
@@ -113,6 +116,11 @@
|
||||||
|
#include "url/scheme_host_port.h"
|
||||||
|
#include "url/url_constants.h"
|
||||||
|
|
||||||
|
+#if BUILDFLAG(IS_CT_SUPPORTED)
|
||||||
|
+#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
|
||||||
|
+#include "services/network/public/mojom/ct_log_info.mojom.h"
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#if BUILDFLAG(ENABLE_REPORTING)
|
||||||
|
#include "net/network_error_logging/network_error_logging_service.h"
|
||||||
|
#include "net/reporting/reporting_cache.h"
|
||||||
|
@@ -5566,6 +5574,72 @@ TEST_F(NetworkContextTest, BlockAllCooki
|
||||||
|
EXPECT_EQ("None", response_body);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if BUILDFLAG(IS_CT_SUPPORTED)
|
||||||
|
+TEST_F(NetworkContextTest, CertificateTransparencyConfig) {
|
||||||
|
+ mojom::NetworkContextParamsPtr params = CreateContextParams();
|
||||||
|
+ params->enforce_chrome_ct_policy = true;
|
||||||
|
+ params->ct_log_update_time = base::Time::Now();
|
||||||
|
+
|
||||||
|
+ // The log public keys do not matter for the test, so invalid keys are used.
|
||||||
|
+ // However, because the log IDs are derived from the SHA-256 hash of the log
|
||||||
|
+ // key, the log keys are generated such that qualified logs are in the form
|
||||||
|
+ // of four digits (e.g. "0000", "1111"), while disqualified logs are in the
|
||||||
|
+ // form of four letters (e.g. "AAAA", "BBBB").
|
||||||
|
+
|
||||||
|
+ for (int i = 0; i < 6; ++i) {
|
||||||
|
+ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
|
||||||
|
+ // Shift to ASCII '0' (0x30)
|
||||||
|
+ log_info->public_key = std::string(4, 0x30 + static_cast<char>(i));
|
||||||
|
+ log_info->name = std::string(4, 0x30 + static_cast<char>(i));
|
||||||
|
+ log_info->operated_by_google = i % 2;
|
||||||
|
+
|
||||||
|
+ params->ct_logs.push_back(std::move(log_info));
|
||||||
|
+ }
|
||||||
|
+ for (int i = 0; i < 3; ++i) {
|
||||||
|
+ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
|
||||||
|
+ // Shift to ASCII 'A' (0x41)
|
||||||
|
+ log_info->public_key = std::string(4, 0x41 + static_cast<char>(i));
|
||||||
|
+ log_info->name = std::string(4, 0x41 + static_cast<char>(i));
|
||||||
|
+ log_info->operated_by_google = false;
|
||||||
|
+ log_info->disqualified_at = base::TimeDelta::FromSeconds(i);
|
||||||
|
+
|
||||||
|
+ params->ct_logs.push_back(std::move(log_info));
|
||||||
|
+ }
|
||||||
|
+ std::unique_ptr<NetworkContext> network_context =
|
||||||
|
+ CreateContextWithParams(std::move(params));
|
||||||
|
+
|
||||||
|
+ net::CTPolicyEnforcer* request_enforcer =
|
||||||
|
+ network_context->url_request_context()->ct_policy_enforcer();
|
||||||
|
+ ASSERT_TRUE(request_enforcer);
|
||||||
|
+
|
||||||
|
+ // Completely unsafe if |enforce_chrome_ct_policy| is false.
|
||||||
|
+ certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
|
||||||
|
+ reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
|
||||||
|
+ request_enforcer);
|
||||||
|
+
|
||||||
|
+ EXPECT_TRUE(std::is_sorted(
|
||||||
|
+ policy_enforcer->operated_by_google_logs_for_testing().begin(),
|
||||||
|
+ policy_enforcer->operated_by_google_logs_for_testing().end()));
|
||||||
|
+ EXPECT_TRUE(
|
||||||
|
+ std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(),
|
||||||
|
+ policy_enforcer->disqualified_logs_for_testing().end()));
|
||||||
|
+
|
||||||
|
+ EXPECT_THAT(
|
||||||
|
+ policy_enforcer->operated_by_google_logs_for_testing(),
|
||||||
|
+ ::testing::UnorderedElementsAreArray({crypto::SHA256HashString("1111"),
|
||||||
|
+ crypto::SHA256HashString("3333"),
|
||||||
|
+ crypto::SHA256HashString("5555")}));
|
||||||
|
+ EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(),
|
||||||
|
+ ::testing::UnorderedElementsAre(
|
||||||
|
+ ::testing::Pair(crypto::SHA256HashString("AAAA"),
|
||||||
|
+ base::TimeDelta::FromSeconds(0)),
|
||||||
|
+ ::testing::Pair(crypto::SHA256HashString("BBBB"),
|
||||||
|
+ base::TimeDelta::FromSeconds(1)),
|
||||||
|
+ ::testing::Pair(crypto::SHA256HashString("CCCC"),
|
||||||
|
+ base::TimeDelta::FromSeconds(2))));
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
} // namespace
|
||||||
|
|
||||||
|
} // namespace network
|
||||||
diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
|
diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
|
||||||
--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
||||||
+++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 11:59:48.423862022 +0200
|
+++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 22:08:28.936786554 +0200
|
||||||
@@ -4,6 +4,8 @@
|
@@ -4,6 +4,8 @@
|
||||||
|
|
||||||
module network.mojom;
|
module network.mojom;
|
||||||
@ -148,7 +481,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
|
|||||||
+
|
+
|
||||||
+ // Whether or not the log should should be considered a Google Log for the
|
+ // Whether or not the log should should be considered a Google Log for the
|
||||||
+ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
|
+ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
|
||||||
+ bool operated_by_google;
|
+ bool operated_by_google = false;
|
||||||
+
|
+
|
||||||
+ // If set, the time since the Unix Epoch when the log was disqualified. This
|
+ // If set, the time since the Unix Epoch when the log was disqualified. This
|
||||||
+ // is used to determine the "once or currently qualified" status of the log.
|
+ // is used to determine the "once or currently qualified" status of the log.
|
||||||
@ -157,7 +490,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
|
|||||||
};
|
};
|
||||||
diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
|
diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
|
||||||
--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
|
||||||
+++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 11:59:48.424862032 +0200
|
+++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 22:08:28.936786554 +0200
|
||||||
@@ -238,15 +238,6 @@ struct NetworkContextParams {
|
@@ -238,15 +238,6 @@ struct NetworkContextParams {
|
||||||
[EnableIf=is_android]
|
[EnableIf=is_android]
|
||||||
bool check_clear_text_permitted = false;
|
bool check_clear_text_permitted = false;
|
||||||
|
Loading…
Reference in New Issue
Block a user