Issue 803871

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
Proj-Servicification

Blocking:
issue 769401



No certificate_transparency::TreeStateTracker observing CTVerifier in network service

Project Member Reported by robpercival@chromium.org, Jan 19 2018

Issue description

The CTVerifier created by IOThread is observed by a TreeStateTracker (https://cs.chromium.org/chromium/src/chrome/browser/io_thread.cc?l=550&rcl=7eae1bfd98044958313b126967a24977e26b1be2) as is the CTVerifier created by ProfileIOData (https://cs.chromium.org/chromium/src/chrome/browser/profiles/profile_io_data.cc?l=1178&rcl=b86cf40509d59742d8917fde6d03fe195a7432d8). This results in verified Signed Certificate Timestamps (SCTs) being forwarded to those TreeStateTrackers, and the appropriate auditing can take place.

However, the network service seems to create its own CTVerifier but no accompanying TreeStateTracker (https://cs.chromium.org/chromium/src/net/url_request/url_request_context_builder.cc?l=492&rcl=b86cf40509d59742d8917fde6d03fe195a7432d8) so verified SCTs cannot be audited.
 
Owner: rsleevi@chromium.org
Status: Started (was: Untriaged)
Project Member

Comment 2 by bugdroid1@chromium.org, May 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/84d795bcd1775f4c89690dad60ad5c9838166ccf

commit 84d795bcd1775f4c89690dad60ad5c9838166ccf
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed May 09 07:06:00 2018

Refactor Certificate Transparency initialization for S13N

Chrome is currently experimenting with using DNS as part of
ensuring the Certificate Transparency logs provide globally
consistent views. When using the Network Service, certificate
verification is performed in the service/context, rather than
the browser context, meaning that the consistency proof
checking also needs to be moved into the Network Service.

However, Certificate Transparency support is also being moved
up into Chrome proper, rather than as part of //net, in order
to ensure the ecosystem does not prematurely ossify.

This CL moves the DNS portion from //chrome, and in particular,
the IOThread, into the Network Service, while moving
initialization of the logs up from //net and into //chrome, by
way of explicit parameters in the NetworkContextParams. If the
set of logs are not supplied, no CT support is initialized, and
if they are supplied, then log consistency checking is enabled if
the base::Feature is enabled.

Bug: 702062, 769401, 803871, 835849

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I8befb033255366d8431922e29e18879d3cf1b7dc
Reviewed-on: https://chromium-review.googlesource.com/1020304
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557112}
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/BUILD.gn
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/component_updater/sth_set_component_installer.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/component_updater/sth_set_component_installer.h
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/component_updater/sth_set_component_installer_unittest.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/io_thread.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/io_thread.h
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/io_thread_browsertest.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/net/default_network_context_params.cc
[delete] https://crrev.com/5bc74f5fff976f92f3b9ff3a71c9d1d8ffc58802/chrome/browser/net/sth_distributor_provider.cc
[delete] https://crrev.com/5bc74f5fff976f92f3b9ff3a71c9d1d8ffc58802/chrome/browser/net/sth_distributor_provider.h
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/profiles/profile_io_data.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/browser/profiles/profile_io_data.h
[delete] https://crrev.com/5bc74f5fff976f92f3b9ff3a71c9d1d8ffc58802/chrome/browser/ssl/certificate_transparency_browsertest.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/chrome/test/BUILD.gn
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/net/cert/signed_certificate_timestamp.h
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/BUILD.gn
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/network_context.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/network_context.h
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/network_context_cert_transparency_unittest.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/network_service.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/network_service.h
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/BUILD.gn
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/digitally_signed.typemap
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/digitally_signed_mojom_traits.cc
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/digitally_signed_mojom_traits.h
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/digitally_signed_mojom_traits_unittest.cc
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/signed_tree_head.typemap
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/signed_tree_head_mojom_traits.cc
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/signed_tree_head_mojom_traits.h
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/signed_tree_head_mojom_traits_unittest.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/cpp/typemaps.gni
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/mojom/BUILD.gn
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/mojom/ct_log_info.mojom
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/mojom/digitally_signed.mojom
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/mojom/network_service.mojom
[add] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/public/mojom/signed_tree_head.mojom
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/services/network/url_request_context_builder_mojo.cc
[modify] https://crrev.com/84d795bcd1775f4c89690dad60ad5c9838166ccf/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

Status: Verified (was: Started)
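
The wiring gap reported in this issue and the initialization rule from the commit message, as a simplified C++ model added here; it is not Chromium code, and every type and function name in it (`Verifier`, `AuditTracker`, `BuildContext`, `HasAuditGap`) is hypothetical. The log IDs are constructed sample values.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Simplified model of the wiring; every name here is hypothetical, not Chromium's.
struct Sct { std::string log_id; bool signature_ok; };
struct AuditTracker {  // plays the TreeStateTracker role: queues SCTs to audit
  std::vector<std::string> queued;
  void OnSctVerified(const Sct& sct) { queued.push_back(sct.log_id); }
};
class Verifier {  // plays the CTVerifier role
 public:
  explicit Verifier(const std::vector<std::string>& logs) : logs_(logs) {}
  void SetObserver(AuditTracker* t) { observer_ = t; }
  bool has_observer() const { return observer_ != nullptr; }
  bool Verify(const Sct& sct) {
    bool known = std::find(logs_.begin(), logs_.end(), sct.log_id) != logs_.end();
    if (!known || !sct.signature_ok) return false;
    if (observer_) observer_->OnSctVerified(sct);  // only verified SCTs are forwarded
    return true;
  }
 private:
  std::vector<std::string> logs_;
  AuditTracker* observer_ = nullptr;
};

struct Context {
  std::unique_ptr<AuditTracker> tracker;  // declared first, so it outlives verifier
  std::unique_ptr<Verifier> verifier;
};
// attach_tracker=false reproduces the reported state: verifier without observer.
Context BuildContext(const std::vector<std::string>& logs, bool audit_feature,
                     bool attach_tracker = true) {
  Context c;
  if (logs.empty()) return c;  // no logs supplied: no CT support at all
  c.verifier = std::make_unique<Verifier>(logs);
  if (audit_feature && attach_tracker) {
    c.tracker = std::make_unique<AuditTracker>();
    c.verifier->SetObserver(c.tracker.get());
  }
  return c;
}

// Wiring check: auditing is expected but nothing observes the verifier.
bool HasAuditGap(const Context& c, bool audit_feature) {
  return c.verifier && audit_feature && !c.verifier->has_observer();
}
int main() { return HasAuditGap(BuildContext({"log-a"}, true), true) ? 1 : 0; }
```

In the gap case `Verify` still returns true, so the missing observer is invisible to callers; a check like `HasAuditGap` in a unit test for each context builder catches it.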