Support OCSP checking (including stapled). See RFC 6960.
See also https://codereview.chromium.org/1849773002/
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8673b818ef73ebd85f0637d2710fd38259533edf

commit 8673b818ef73ebd85f0637d2710fd38259533edf
Author: Eric Roman <eroman@chromium.org>
Date: Wed Sep 20 18:57:31 2017

Combine two OCSP checking implementations into one.

Merges CheckOCSP (cert_verify_proc.cc) and GetOCSPCertStatus (ocsp.cc) into CheckOCSPNoSignatureCheck (ocsp.cc).

The consequences of this merge for cert_verify_proc.cc are:
  * More complete matching of certificate ID - previously only checked the serial number, whereas now it checks the issuer name and SPKI hash too.
  * Less tolerant of parsing failures. Previously would keep searching for a match if any OCSPSingleResponse or OCSPCertID failed parsing, now short-circuits.

Bug: 629249, 649000
Change-Id: I27bbadfc09193529ba029eb16a929d483dee9065
Reviewed-on: https://chromium-review.googlesource.com/673544
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503219}

[modify] https://crrev.com/8673b818ef73ebd85f0637d2710fd38259533edf/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/8673b818ef73ebd85f0637d2710fd38259533edf/net/cert/internal/ocsp.cc
[modify] https://crrev.com/8673b818ef73ebd85f0637d2710fd38259533edf/net/cert/internal/ocsp.h
[modify] https://crrev.com/8673b818ef73ebd85f0637d2710fd38259533edf/net/cert/internal/ocsp_unittest.cc
[modify] https://crrev.com/8673b818ef73ebd85f0637d2710fd38259533edf/net/url_request/url_request_unittest.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/dac9751b7e8ec31fc13ec00788f8cbb25aa9580f

commit dac9751b7e8ec31fc13ec00788f8cbb25aa9580f
Author: Eric Roman <eroman@chromium.org>
Date: Thu Sep 21 20:29:42 2017

Add initial OCSP signature checking.

This is based on svaldez's work in https://codereview.chromium.org/1849773002/.

Bug: 649000, 620005
Change-Id: I53eca60688eacb3e2b8472532e14af7c0af8e34e
Reviewed-on: https://chromium-review.googlesource.com/676324
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503549}

[modify] https://crrev.com/dac9751b7e8ec31fc13ec00788f8cbb25aa9580f/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/dac9751b7e8ec31fc13ec00788f8cbb25aa9580f/net/cert/internal/ocsp.cc
[modify] https://crrev.com/dac9751b7e8ec31fc13ec00788f8cbb25aa9580f/net/cert/internal/ocsp.h
[modify] https://crrev.com/dac9751b7e8ec31fc13ec00788f8cbb25aa9580f/net/cert/internal/ocsp_unittest.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e51f63c5272363ce2a2804a79d29470923466451

commit e51f63c5272363ce2a2804a79d29470923466451
Author: Eric Roman <eroman@chromium.org>
Date: Mon Sep 25 19:29:22 2017

Add a TODO for checking OCSP extensions.

Bug: 649000
Change-Id: I25c32ee4c4dbbfbcfa6908f9ac1abca983998bc1
Reviewed-on: https://chromium-review.googlesource.com/679864
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504128}

[modify] https://crrev.com/e51f63c5272363ce2a2804a79d29470923466451/net/cert/internal/ocsp.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ff24262a383007569fd90fb15367f45c9d3dfc3b

commit ff24262a383007569fd90fb15367f45c9d3dfc3b
Author: Eric Roman <eroman@chromium.org>
Date: Mon Sep 25 21:49:44 2017

Rename OCSP test file to "malformed_request.pem".

This matches the name in the generator script.

Bug: 649000
Change-Id: Id9470ea73c270c4251c476ae2af787aea2b425c3
Reviewed-on: https://chromium-review.googlesource.com/679863
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504174}

[modify] https://crrev.com/ff24262a383007569fd90fb15367f45c9d3dfc3b/net/BUILD.gn
[modify] https://crrev.com/ff24262a383007569fd90fb15367f45c9d3dfc3b/net/cert/internal/ocsp_unittest.cc
[add] https://crrev.com/ff24262a383007569fd90fb15367f45c9d3dfc3b/net/data/ocsp_unittest/malformed_request.pem
[delete] https://crrev.com/6249d0f717f34d94ebdf2d2d7a5144850c776c98/net/data/ocsp_unittest/malformed_status.pem
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3

commit bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3
Author: Eric Roman <eroman@chromium.org>
Date: Tue Sep 26 00:02:15 2017

Pretty-print the OCSP response data and certificates in test files.

Bug: 649000
Change-Id: Iafa20e38efb6a83082c186d56902589ca310cb10
Reviewed-on: https://chromium-review.googlesource.com/680002
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504223}

[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/annotate_test_data.py
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/bad_ocsp_type.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/bad_signature.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/bad_status.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/good_response.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/good_response_next_update.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/good_response_sha256.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/has_extension.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/has_single_extension.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/has_version.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/malformed_request.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/missing_response.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/multiple_response.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/no_response.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/ocsp_extra_certs.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/ocsp_sign_direct.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/ocsp_sign_indirect.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/other_response.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/responder_id.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/responder_name.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/revoke_response.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/revoke_response_reason.pem
[modify] https://crrev.com/bce9c6b1b7783d9b8be74ac78cf6a126cd60d5f3/net/data/ocsp_unittest/unknown_response.pem
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf

commit bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf
Author: Eric Roman <eroman@chromium.org>
Date: Tue Sep 26 00:11:55 2017

Add code to encode an OCSPRequest.

Bug: 649000
Change-Id: Iad772c39ccd86c9bcc8bf9c9f87b2f1ef12bde57
Reviewed-on: https://chromium-review.googlesource.com/682757
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504228}

[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/cert/internal/ocsp.cc
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/cert/internal/ocsp.h
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/cert/internal/ocsp_unittest.cc
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/annotate_test_data.py
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/bad_ocsp_type.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/bad_signature.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/bad_status.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/good_response.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/good_response_next_update.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/good_response_sha256.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/has_extension.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/has_single_extension.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/has_version.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/make_ocsp.py
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/malformed_request.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/missing_response.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/multiple_response.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/no_response.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/ocsp_extra_certs.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/ocsp_sign_bad_indirect.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/ocsp_sign_direct.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/ocsp_sign_indirect.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/ocsp_sign_indirect_missing.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/other_response.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/responder_id.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/responder_name.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/revoke_response.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/revoke_response_reason.pem
[modify] https://crrev.com/bc2c9db3d68c50ee7dfffb2c1e15b4d149d653bf/net/data/ocsp_unittest/unknown_response.pem
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395

commit 227a7f3a571f2b5dc5feddf76fdd41a8df9f7395
Author: Eric Roman <eroman@chromium.org>
Date: Mon Oct 09 22:46:45 2017

Extract CertVerifyProcAndroid::SetCertNetFetcher() and related functions.

This global will also be used for CertVerifyProcBuiltin integration.

Bug: 649017, 649000
Change-Id: I72f58a2dc32ea67fd6fde269cc2aab1a0db294bd
Reviewed-on: https://chromium-review.googlesource.com/706177
Reviewed-by: Matt Mueller <mattm@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507514}

[modify] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/chrome/browser/io_thread.cc
[modify] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/net/BUILD.gn
[add] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/net/cert/cert_net_fetcher.cc
[modify] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/net/cert/cert_net_fetcher.h
[modify] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/net/cert/cert_verify_proc_android.cc
[modify] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/net/cert/cert_verify_proc_android.h
[modify] https://crrev.com/227a7f3a571f2b5dc5feddf76fdd41a8df9f7395/net/cert/cert_verify_proc_android_unittest.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2c047b68a16c30577f4bfc0f9297c2ab66c27be8

commit 2c047b68a16c30577f4bfc0f9297c2ab66c27be8
Author: Eric Roman <eroman@chromium.org>
Date: Tue Oct 10 23:54:27 2017

Add a function that encodes an OCSP request into a URL.

Bug: 649000
Change-Id: Ia4e2e0e8d8a260bcdd0cda40fd8485daf61d5cbd
Reviewed-on: https://chromium-review.googlesource.com/707744
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507829}

[modify] https://crrev.com/2c047b68a16c30577f4bfc0f9297c2ab66c27be8/net/cert/internal/ocsp.cc
[modify] https://crrev.com/2c047b68a16c30577f4bfc0f9297c2ab66c27be8/net/cert/internal/ocsp.h
[modify] https://crrev.com/2c047b68a16c30577f4bfc0f9297c2ab66c27be8/net/cert/internal/ocsp_unittest.cc
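Three of the commits above touch the same RFC 6960 structures: the CheckOCSP merge (r503219) tightens CertID matching from serial-only to issuer name hash, issuer key hash and serial, and short-circuits on parse failure; r504228 encodes an OCSPRequest; r507829 turns that request into a GET URL. The Python below is an added example written for this page, not Chromium's ocsp.cc or any other project code. It builds a CertID from constructed issuer values, encodes a minimal unsigned OCSPRequest, forms the RFC 6960 Appendix A.1 GET URL, and parses the CertID back with a strict DER reader whose match requires every identity field. The commit message calls the key hash the "SPKI hash"; this example follows the RFC 6960 section 4.1.1 wording (hash of the issuer's subjectPublicKey bits). All function names, the two sample issuers, their placeholder key bits and the responder URL http://ocsp.example.test are assumptions made for the example.

```python
import base64
import hashlib
import urllib.parse

OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 id-sha1 (DER contents)
OID_CN = bytes.fromhex("550403")        # 2.5.4.3 commonName (DER contents)

def _der_len(n):
    # DER length: short form below 128, otherwise minimal long form.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):
    # Non-negative INTEGER, minimal, with a 0x00 pad when the top bit is set.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_name(common_name):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one CN here).
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))

def make_cert_id(issuer_name_der, issuer_key_bits, serial):
    # RFC 6960 4.1.1: issuerNameHash is over the issuer's DER Name, issuerKeyHash over
    # the issuer's subjectPublicKey BIT STRING contents (tag, length, unused bits excluded).
    return {"hash_alg": OID_SHA1, "serial": serial,
            "issuer_name_hash": hashlib.sha1(issuer_name_der).digest(),
            "issuer_key_hash": hashlib.sha1(issuer_key_bits).digest()}

def encode_cert_id(cid):
    alg = der(0x30, der(0x06, cid["hash_alg"]) + der(0x05, b""))  # AlgorithmIdentifier
    return der(0x30, alg + der(0x04, cid["issuer_name_hash"])
               + der(0x04, cid["issuer_key_hash"]) + der_int(cid["serial"]))

def encode_ocsp_request(cert_ids):
    # OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }
    # with version at its DEFAULT (v1) and no requestorName, extensions or signature.
    requests = b"".join(der(0x30, encode_cert_id(c)) for c in cert_ids)
    return der(0x30, der(0x30, der(0x30, requests)))

def ocsp_get_url(responder_url, request_der):
    # RFC 6960 A.1: GET {url}/{url-encoding of base64 encoding of DER OCSPRequest}.
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

def _read_tlv(buf, pos, tag):
    # One DER TLV of the expected tag; rejects truncation and non-minimal lengths.
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("truncated TLV or unexpected tag at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def parse_cert_id(cert_id_der):
    # Strict: a malformed field raises instead of being skipped over.
    body, end = _read_tlv(cert_id_der, 0, 0x30)
    alg, pos = _read_tlv(body, 0, 0x30)
    oid, _ = _read_tlv(alg, 0, 0x06)
    name_hash, pos = _read_tlv(body, pos, 0x04)
    key_hash, pos = _read_tlv(body, pos, 0x04)
    serial, pos = _read_tlv(body, pos, 0x02)
    if end != len(cert_id_der) or pos != len(body):
        raise ValueError("trailing data in CertID")
    return {"hash_alg": oid, "issuer_name_hash": name_hash,
            "issuer_key_hash": key_hash, "serial": int.from_bytes(serial, "big")}

def cert_id_matches(parsed, expected):
    # Every field must agree: two issuers can each issue a certificate with the same serial.
    keys = ("hash_alg", "issuer_name_hash", "issuer_key_hash", "serial")
    return all(parsed[k] == expected[k] for k in keys)

# Constructed sample issuers (not real CAs; key bits are placeholders), both with serial 0x1234.
ISSUER_A = make_cert_id(der_name("Example CA A"), b"A" * 32, 0x1234)
ISSUER_B = make_cert_id(der_name("Example CA B"), b"B" * 32, 0x1234)

def demo(responder_url="http://ocsp.example.test"):  # placeholder responder URL
    request_der = encode_ocsp_request([ISSUER_A])
    body = request_der
    for _level in range(4):  # OCSPRequest > TBSRequest > requestList > Request
        body, _end = _read_tlv(body, 0, 0x30)
    parsed = parse_cert_id(body)  # body is now the first CertID TLV
    return {"url": ocsp_get_url(responder_url, request_der),
            "matches_a": cert_id_matches(parsed, ISSUER_A),
            "matches_b": cert_id_matches(parsed, ISSUER_B),
            "serial_only_matches_b": parsed["serial"] == ISSUER_B["serial"]}
```

Running demo() shows the point of the r503219 change: the CertID for ISSUER_A's certificate matches ISSUER_B on serial number alone (both sample issuers used 0x1234) but fails the full match, and a truncated or trailing-data CertID raises from parse_cert_id rather than being skipped in search of a later match. The GET URL percent-encodes the base64 text with no safe characters, so the "/" and "+" that base64 can produce do not add path segments.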
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d

commit f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d
Author: Eric Roman <eroman@chromium.org>
Date: Wed Oct 11 01:25:02 2017

Add a mechanism for CertPathBuilderDelegate to add custom information to processed paths.

This also changes the signature for CertPathBuilderDelegate::CheckPathAfterVerification() so delegates have access to the newly added |delegate_data|, as well as |user_constrained_policy_set| (used by subsequent CLs).

Bug: 649017, 649000
Change-Id: Id8dda3f1ee5ca06c23c8dd97308c126cd1143393
Reviewed-on: https://chromium-review.googlesource.com/707926
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Luke Halliwell <halliwell@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507848}

[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/components/cast_certificate/cast_crl.h
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/path_builder.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/path_builder.h
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/simple_path_builder_delegate.cc
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/cert/internal/simple_path_builder_delegate.h
[modify] https://crrev.com/f9fd613e9755de1d3ef3c4950285d39ac0dd7e0d/net/tools/cert_verify_tool/verify_using_path_builder.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1b628daa479bc9e4c08eba1f23e7c6236be8e84a

commit 1b628daa479bc9e4c08eba1f23e7c6236be8e84a
Author: Eric Roman <eroman@chromium.org>
Date: Thu Oct 19 19:52:04 2017

Check EV and OCSP revocation in CertVerifyProcBuiltin.

Bug: 649017, 649000, 762380
Change-Id: Ic80908a4b883fbae23ba60f67c422d95478836db
Reviewed-on: https://chromium-review.googlesource.com/721850
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510165}

[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/cert/internal/common_cert_errors.cc
[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/cert/internal/common_cert_errors.h
[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/cert/internal/revocation_checker.cc
[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/cert/internal/revocation_checker.h
[modify] https://crrev.com/1b628daa479bc9e4c08eba1f23e7c6236be8e84a/net/url_request/url_request_unittest.cc
Still some follow-up work to do (policy around timeouts, max number of fetches, and an explicit OCSP cache), but the main functionality should be in.
Comment 1 by eroman@chromium.org, Sep 21 2016