Issue 861849

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug

chrome.platformKeys.verifyTLSServerCertificate does not respect Enterprise policies

Project Member Reported by rsleevi@chromium.org, Jul 9

Issue description

While working on cleaning up how CRLSets and SSLConfigs are populated through the stack, I noticed that the https://developer.chrome.com/extensions/platformKeys#method-verifyTLSServerCertificate method doesn't respect Enterprise-provided settings, such as SHA-1, revocation checking, or legacy Symantec support.

I'm filing this issue because I'll be changing the API to also no longer respect CRLSets, as they'll be explicitly configured on the SSLConfig. Per the method documentation, this is documented as an acceptable change, but filing this so we can track enabling full support (which will be easier in M70).

Labels: Enterprise-Triaged
I was trying to look at the real-world usages of this API in the existing extensions, but, sadly, it looks like the corresponding code search feature was broken without any plans to fix it...

But I agree that the documentation has not been promising any specific behavior regarding CRLSets et al., so doing these changes should be OK.
Thanks for filing the tracking bug.
Comment 3 by bugdroid1@chromium.org (Project Member), Aug 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b369d717da1996c2ead6fd86a1111e0d82260f32

commit b369d717da1996c2ead6fd86a1111e0d82260f32
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon Aug 20 16:43:22 2018

Move CRLSets to being part of CertVerifier::Config

This moves the handling for CRLSets out of the
CertVerifier::Verify() set of parameters and makes it an
explicit part of the CertVerifier::Config.

Notification for CRLSet changes are now plumbed through
the NetworkService to all of its NetworkContexts, rather
than being a singleton on the SSLConfigService.

In the process, this disables CRLSets for the
chrome.platformKeys.verifyTLSServerCertificate API, but
that is consistent with that API not observing other user
or system configuration settings, and is part of the
documented "subject to change at any time".

TBR: jamiewalch@chromium.org
Bug: 861849, 854635
Cq-Include-Trybots: luci.chromium.try:linux_mojo;master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Change-Id: I818be91106274c736e074fc81947c5cb51c57564
Reviewed-on: https://chromium-review.googlesource.com/1132706
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Derek Cheng <imcheng@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Peter Beverloo <peter@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Reviewed-by: Joshua Pawlicki <waffles@chromium.org>
Reviewed-by: Helen Li <xunjieli@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584474}
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/android_webview/browser/net/aw_url_request_context_getter_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/chromeos/policy/policy_cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/chromeos/policy/policy_cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/chromeos/policy/policy_cert_verifier_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/chromeos/policy/user_network_configuration_updater_factory_browsertest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/component_updater/crl_set_component_installer.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/component_updater/crl_set_component_installer.h
[add] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/component_updater/crl_set_component_installer_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/extensions/api/platform_keys/verify_trust_api.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/io_thread.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/net/system_network_context_manager.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/net/trial_comparison_cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/net/trial_comparison_cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/net/trial_comparison_cert_verifier_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/browser/profiles/profile_io_data.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/chrome/test/BUILD.gn
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/components/cast_channel/cast_socket.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/components/cronet/ios/Cronet.mm
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/content/browser/web_package/signed_exchange_handler.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/content/browser/web_package/signed_exchange_handler_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/google_apis/gcm/tools/mcs_probe.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/caching_cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/caching_cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/caching_cert_verifier_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/crl_set.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/mock_cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/mock_cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/multi_threaded_cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/multi_threaded_cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert/multi_threaded_cert_verifier_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/cert_net/nss_ocsp_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/data/ssl/certificates/crlset_by_root_subject_no_spki.raw
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/data/ssl/scripts/crlsetutil.py
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/quic/crypto/proof_verifier_chromium.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/quic/crypto/proof_verifier_chromium_test.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/socket/ssl_client_socket_impl.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/ssl/ssl_config_service.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/ssl/ssl_config_service.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/net/url_request/url_request_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/remoting/protocol/ssl_hmac_channel_authenticator.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/BUILD.gn
[add] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/crl_set_distributor.cc
[add] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/crl_set_distributor.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/ignore_errors_cert_verifier.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/ignore_errors_cert_verifier.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/ignore_errors_cert_verifier_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/network_context.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/network_service.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/network_service.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/network_service_unittest.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/public/mojom/BUILD.gn
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/public/mojom/network_service.mojom
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/ssl_config_service_mojo.cc
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/ssl_config_service_mojo.h
[modify] https://crrev.com/b369d717da1996c2ead6fd86a1111e0d82260f32/services/network/ssl_config_service_mojo_unittest.cc
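The commit above moves CRLSets into CertVerifier::Config and fans them out from the NetworkService to each NetworkContext, which is exactly why a verifier created outside that plumbing (the platformKeys path) stops seeing them. The following is an added, self-contained model of that design (not Chromium's code): the CRLSet representation, the `enable_sha1_local_anchors` knob, the distributor and all sample values are constructed for illustration.

```cpp
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a CRLSet: blocked "issuerSpkiHash/serial" strings (constructed).
using CRLSet = std::set<std::string>;

struct Config {                            // model of CertVerifier::Config
  bool enable_sha1_local_anchors = false;  // enterprise knob (assumed name)
  std::shared_ptr<const CRLSet> crl_set;   // null => no CRLSet checking
};

struct Cert { std::string issuer_spki_hash, serial; bool sha1; };

class CertVerifier {
 public:
  void SetConfig(Config c) { config_ = std::move(c); }
  bool Verify(const Cert& leaf) const {    // true => trusted under Config
    if (leaf.sha1 && !config_.enable_sha1_local_anchors) return false;
    if (config_.crl_set &&
        config_.crl_set->count(leaf.issuer_spki_hash + "/" + leaf.serial))
      return false;                        // blocked by CRLSet
    return true;
  }
 private:
  Config config_;
};

// Model of the NetworkService fan-out: verifiers that register receive
// each new CRLSet merged into their own policy Config; nothing else does.
class CrlSetDistributor {
 public:
  void Register(CertVerifier* v, Config base) { subs_.emplace_back(v, base); }
  void OnNewCRLSet(std::shared_ptr<const CRLSet> set) {
    for (auto& s : subs_) { s.second.crl_set = set; s.first->SetConfig(s.second); }
  }
 private:
  std::vector<std::pair<CertVerifier*, Config>> subs_;
};

// Returns {trusted by the NetworkContext verifier, trusted by a verifier that
// never registered} for a cert the CRLSet blocks; the second is the gap tracked here.
std::pair<bool, bool> VerdictsForRevokedCert() {
  CertVerifier context_verifier, api_verifier;  // api_verifier never registers
  CrlSetDistributor distributor;
  Config enterprise;
  enterprise.enable_sha1_local_anchors = true;  // set by policy (constructed)
  distributor.Register(&context_verifier, enterprise);
  distributor.OnNewCRLSet(std::make_shared<CRLSet>(CRLSet{"spki-A/0102"}));
  Cert revoked{"spki-A", "0102", false};
  return {context_verifier.Verify(revoked), api_verifier.Verify(revoked)};
}
```

The unregistered verifier keeps its default Config, so a chain the browser's own contexts reject as revoked is still reported trusted by it; that drift is what makes the API's result unsuitable as a policy-aware trust decision.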