author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-08-08 11:05:03 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2016-09-14 08:15:45 +0000 |
commit | a6e29d8c3ea8a3f2530761f5db1ae1f620655d6a (patch) | |
tree | a11527f272356d1ae3365126cd0bc08a333a8f20 | |
parent | f1e2b2d80366b43ba638290bca55272b000b3ce1 (diff) |
Certificate transparency
Adds certificate errors and services to handle enforcing of certificate
transparency. No logs are used though.
Change-Id: If7f954487e1a9a3b0ff68e33ff3766f49ea89b0a
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
7 files changed, 20 insertions, 1 deletions
diff --git a/src/core/certificate_error_controller.cpp b/src/core/certificate_error_controller.cpp
index 65bba733a..18835a5c7 100644
--- a/src/core/certificate_error_controller.cpp
+++ b/src/core/certificate_error_controller.cpp
@@ -66,6 +66,7 @@ ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateNonUniqueName, net::ER
 ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateWeakKey, net::ERR_CERT_WEAK_KEY)
 ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateNameConstraintViolation, net::ERR_CERT_NAME_CONSTRAINT_VIOLATION)
 ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateValidityTooLong, net::ERR_CERT_VALIDITY_TOO_LONG)
+ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateTransparencyRequired, net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)
 ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateErrorEnd, net::ERR_CERT_END)
 void CertificateErrorControllerPrivate::accept(bool accepted)
@@ -174,6 +175,8 @@ QString CertificateErrorController::errorString() const
 return getQStringForMessageId(IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
 case CertificateValidityTooLong:
 return getQStringForMessageId(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION);
+ case CertificateTransparencyRequired:
+ return getQStringForMessageId(IDS_CERT_ERROR_CERTIFICATE_TRANSPARENCY_REQUIRED_DESCRIPTION);
 case CertificateUnableToCheckRevocation: // Deprecated in Chromium.
 default:
 break;
diff --git a/src/core/certificate_error_controller.h b/src/core/certificate_error_controller.h
index 27f18946f..554281644 100644
--- a/src/core/certificate_error_controller.h
+++ b/src/core/certificate_error_controller.h
@@ -71,8 +71,9 @@ public:
 CertificateWeakKey = -211,
 CertificateNameConstraintViolation = -212,
 CertificateValidityTooLong = -213,
+ CertificateTransparencyRequired = -214,
- CertificateErrorEnd = -214 // not an error, just an enum boundary
+ CertificateErrorEnd = -215 // not an error, just an enum boundary
 };
 CertificateError error() const;
diff --git a/src/core/url_request_context_getter_qt.cpp b/src/core/url_request_context_getter_qt.cpp
index 591fed9b5..25f7e36e6 100644
--- a/src/core/url_request_context_getter_qt.cpp
+++ b/src/core/url_request_context_getter_qt.cpp
@@ -40,6 +40,7 @@
 #include "url_request_context_getter_qt.h"
 #include "base/command_line.h"
+#include "base/memory/ptr_util.h"
 #include "base/strings/string_util.h"
 #include "base/threading/worker_pool.h"
 #include "base/threading/sequenced_worker_pool.h"
@@ -48,6 +49,9 @@
 #include "content/public/common/content_switches.h"
 #include "net/base/cache_type.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mapped_host_resolver.h"
@@ -225,6 +229,8 @@ void URLRequestContextGetterQt::generateStorage()
 Q_ASSERT(proxyConfigService);
 m_storage->set_cert_verifier(net::CertVerifier::CreateDefault());
+ m_storage->set_cert_transparency_verifier(base::WrapUnique(new net::MultiLogCTVerifier()));
+ m_storage->set_ct_policy_enforcer(base::WrapUnique(new net::CTPolicyEnforcer));
 std::unique_ptr<net::HostResolver> host_resolver(net::HostResolver::CreateDefaultResolver(NULL));
@@ -435,6 +441,8 @@ net::HttpNetworkSession::Params URLRequestContextGetterQt::generateNetworkSessio
 network_session_params.http_server_properties = m_urlRequestContext->http_server_properties();
 network_session_params.ignore_certificate_errors = m_ignoreCertificateErrors;
 network_session_params.host_resolver = m_urlRequestContext->host_resolver();
+ network_session_params.cert_transparency_verifier = m_urlRequestContext->cert_transparency_verifier();
+ network_session_params.ct_policy_enforcer = m_urlRequestContext->ct_policy_enforcer();
 return network_session_params;
 }
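Review bot: In the `generateStorage()` hunk the `net::MultiLogCTVerifier` is installed without any log being added to it, and nothing in the visible hunks uses the newly included `net/cert/ct_log_verifier.h`, so as written no SCT can presumably be checked against a known log. That matches the commit message, but the code itself does not say so, and a later reader could take these two setters for working CT enforcement; the likely effect is that any connection for which the network stack requires CT fails with `CertificateTransparencyRequired` and ends up in the application's certificate-error handling. I would add a comment above the two new lines, for example `// No CT logs are registered yet, so SCTs cannot be verified; CT-required connections fail with ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.`, and drop the `ct_log_verifier.h` include until logs are wired in, if nothing else in the file needs it. The function body continues outside the hunk.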
diff --git a/src/webengine/api/qquickwebenginecertificateerror.cpp b/src/webengine/api/qquickwebenginecertificateerror.cpp
index 622fe8614..855e61817 100644
--- a/src/webengine/api/qquickwebenginecertificateerror.cpp
+++ b/src/webengine/api/qquickwebenginecertificateerror.cpp
@@ -197,6 +197,9 @@ QUrl QQuickWebEngineCertificateError::url() const
 \value WebEngineCertificateError.CertificateValidityTooLong The certificate has a validity period that is too long. (Added in 5.7)
+ \value WebEngineCertificateError.CertificateTransparencyRequired
+ Certificate Transparency was required for this connection, but the server
+ did not provide CT information that complied with the policy. (Added in 5.8)
 */
 QQuickWebEngineCertificateError::Error QQuickWebEngineCertificateError::error() const
 {
diff --git a/src/webengine/api/qquickwebenginecertificateerror_p.h b/src/webengine/api/qquickwebenginecertificateerror_p.h
index d04dc2c62..27b2efa14 100644
--- a/src/webengine/api/qquickwebenginecertificateerror_p.h
+++ b/src/webengine/api/qquickwebenginecertificateerror_p.h
@@ -84,6 +84,7 @@ public:
 CertificateWeakKey = -211,
 CertificateNameConstraintViolation = -212,
 CertificateValidityTooLong = -213,
+ CertificateTransparencyRequired = -214,
 };
 Q_ENUM(Error)
diff --git a/src/webenginewidgets/api/qwebenginecertificateerror.cpp b/src/webenginewidgets/api/qwebenginecertificateerror.cpp
index 289bb7ec0..a0641c9dd 100644
--- a/src/webenginewidgets/api/qwebenginecertificateerror.cpp
+++ b/src/webenginewidgets/api/qwebenginecertificateerror.cpp
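Review bot: The literal `-214` added to `QQuickWebEngineCertificateError::Error` in `qquickwebenginecertificateerror_p.h` repeats the value from `CertificateErrorController::CertificateError`, and the same literal is added again to the `Error` enum in `qwebenginecertificateerror.h`; in the visible hunks only the core enum is tied to `net::` through `ASSERT_ENUMS_MATCH`. If the public enums are not checked against the core enum somewhere outside these hunks, a later renumbering would be caught for the core enum only, and the public API could report the wrong certificate error to the application deciding whether to accept it. A compile-time check in a translation unit that already sees both enums would close that, e.g. `static_assert(int(QQuickWebEngineCertificateError::CertificateTransparencyRequired) == int(CertificateErrorController::CertificateTransparencyRequired), "enum mismatch");`. The enum begins outside the hunk.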
@@ -104,6 +104,8 @@ QWebEngineCertificateError::~QWebEngineCertificateError()
 \value CertificateWeakKey The certificate contains a weak key.
 \value CertificateNameConstraintViolation The certificate claimed DNS names that are in violation of name constraints.
 \value CertificateValidityTooLong The certificate has a validity period that is too long. (Added in Qt 5.7)
+ \value CertificateTransparencyRequired Certificate Transparency was required for this connection, but the server
+ did not provide CT information that complied with the policy. (Added in Qt 5.8)
 */
 /*!
diff --git a/src/webenginewidgets/api/qwebenginecertificateerror.h b/src/webenginewidgets/api/qwebenginecertificateerror.h
index 7cb6341bc..82ac281be 100644
--- a/src/webenginewidgets/api/qwebenginecertificateerror.h
+++ b/src/webenginewidgets/api/qwebenginecertificateerror.h
@@ -70,6 +70,7 @@ public:
 CertificateWeakKey = -211,
 CertificateNameConstraintViolation = -212,
 CertificateValidityTooLong = -213,
+ CertificateTransparencyRequired = -214,
 };
 Error error() const; |