Make SignedExchangeHandler support Certificate Transparency
I'm taking over this from horo@.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4c759a7fd5d97e906d672e813b754cb014aa5d0b

commit 4c759a7fd5d97e906d672e813b754cb014aa5d0b
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Tue Apr 10 03:01:04 2018

Introduce SignedExchangeCertificateChain

In preparation to add support for the new cert format, this patch introduces SignedExchangeCertificateChain class that contains all information of a certificate chain. Certificate parsing code in SignedExchangeCertFetcher is moved to this new class.

Pure refactoring, no behavior change.

Bug: 815024, 815025
Change-Id: Iacb592279c9fef7afb40cb303ef81eebb4be34a3
Reviewed-on: https://chromium-review.googlesource.com/1002339
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#549400}

[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/BUILD.gn
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_cert_fetcher.cc
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_cert_fetcher.h
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_cert_fetcher_unittest.cc
[add] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_certificate_chain.cc
[add] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_certificate_chain.h
[rename] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_certificate_chain_fuzzer.cc
[add] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_certificate_chain_unittest.cc
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_handler.cc
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_handler.h
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/browser/web_package/signed_exchange_handler_unittest.cc
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/test/BUILD.gn
[rename] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/test/data/fuzzer_corpus/signed_exchange_certificate_chain_data/1
[rename] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/test/data/fuzzer_corpus/signed_exchange_certificate_chain_data/2
[rename] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/test/data/fuzzer_corpus/signed_exchange_certificate_chain_data/3
[rename] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/test/data/fuzzer_corpus/signed_exchange_certificate_chain_data/4
[modify] https://crrev.com/4c759a7fd5d97e906d672e813b754cb014aa5d0b/content/test/fuzzer/BUILD.gn

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3f83270002b069388219fcc00c1ee93c020dea76

commit 3f83270002b069388219fcc00c1ee93c020dea76
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Mon May 14 03:08:08 2018

Add support for new signed-exchange cert chain format

This adds a parser for the CBOR certificate chain format defined in [1]. SignedExchangeCertificateChain::Parse() takes a version enum and selects a parser to use. For now, the new parser is used only by tests.

[1] https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cert-chain-format

Bug: 815024, 815025
Change-Id: Ia554ad3d086dbecd20294bdb6db03f37b60d67d9
Reviewed-on: https://chromium-review.googlesource.com/1002412
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558182}

[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_cert_fetcher.cc
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_certificate_chain.cc
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_certificate_chain.h
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_certificate_chain_fuzzer.cc
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_certificate_chain_unittest.cc
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_consts.h
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/browser/web_package/signed_exchange_handler_unittest.cc
[add] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/test/data/fuzzer_corpus/signed_exchange_certificate_chain_data/wildcard_example.org.public.pem.cbor
[modify] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/test/data/htxg/README
[add] https://crrev.com/3f83270002b069388219fcc00c1ee93c020dea76/content/test/data/htxg/wildcard_example.org.public.pem.cbor

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf

commit ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf
Author: Tsuyoshi Horo <horo@chromium.org>
Date: Tue Jun 05 09:35:41 2018

Check the validity URL is same-origin with the request url

Bug: 815025
Change-Id: I0e86a6c5ec60df66682e4dcb97e62f1a4e7d0903
Reviewed-on: https://chromium-review.googlesource.com/1075833
Commit-Queue: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#564421}

[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/browser/web_package/signed_exchange_envelope.cc
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/browser/web_package/signed_exchange_envelope.h
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/browser/web_package/signed_exchange_envelope_unittest.cc
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/test/data/htxg/README
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/test/data/htxg/test.example.com_invalid_test.htxg
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/test/data/htxg/test.example.org_hello.txt.htxg
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/content/test/data/htxg/test.example.org_test.htxg
[add] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/third_party/WebKit/LayoutTests/http/tests/loading/htxg/htxg-invalid-validity-url.html
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/README.md
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/htxg-cert-not-found.sxg
[add] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/htxg-invalid-validity-url.sxg
[modify] https://crrev.com/ecc9de85f7a77e62e01ebf66e5d03d30d179b9bf/third_party/WebKit/LayoutTests/http/tests/loading/htxg/resources/htxg-location.sxg

Ah, sorry. The Bug id of the cl #6 should be 803774. This is not related to Certificate Transparency.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f25e82e49a1d44d9e947b2f1bdeaacedfae411ba

commit f25e82e49a1d44d9e947b2f1bdeaacedfae411ba
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Mon Jun 25 02:37:22 2018

Add CT verification for Signed Exchange

This patch implements Certificate Transparency verification for signed exchanges. The logic in SignedExchangeHandler::VerifyCT() is basically the same as SSLClientSocketImpl::VerifyCT(), but uses OCSP and SCT extracted from CBOR cert chain.

Bug: 815025
Change-Id: I2b35c460bb69509419e80767ae35ed2b16c2a4ee
Reviewed-on: https://chromium-review.googlesource.com/1056776
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569950}

[modify] https://crrev.com/f25e82e49a1d44d9e947b2f1bdeaacedfae411ba/content/browser/web_package/signed_exchange_envelope.cc
[modify] https://crrev.com/f25e82e49a1d44d9e947b2f1bdeaacedfae411ba/content/browser/web_package/signed_exchange_handler.cc
[modify] https://crrev.com/f25e82e49a1d44d9e947b2f1bdeaacedfae411ba/content/browser/web_package/signed_exchange_handler.h
[modify] https://crrev.com/f25e82e49a1d44d9e947b2f1bdeaacedfae411ba/content/browser/web_package/signed_exchange_handler_unittest.cc

Comment 1 by horo@chromium.org, Feb 23 2018