authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-08-08 11:05:03 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2016-09-14 08:15:45 +0000
commita6e29d8c3ea8a3f2530761f5db1ae1f620655d6a (patch)
treea11527f272356d1ae3365126cd0bc08a333a8f20
parentf1e2b2d80366b43ba638290bca55272b000b3ce1 (diff)
Certificate transparency
Adds certificate errors and services to handle enforcing of certificate transparency. No logs are used though. Change-Id: If7f954487e1a9a3b0ff68e33ff3766f49ea89b0a Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--src/core/certificate_error_controller.cpp3
-rw-r--r--src/core/certificate_error_controller.h3
-rw-r--r--src/core/url_request_context_getter_qt.cpp8
-rw-r--r--src/webengine/api/qquickwebenginecertificateerror.cpp3
-rw-r--r--src/webengine/api/qquickwebenginecertificateerror_p.h1
-rw-r--r--src/webenginewidgets/api/qwebenginecertificateerror.cpp2
-rw-r--r--src/webenginewidgets/api/qwebenginecertificateerror.h1
7 files changed, 20 insertions, 1 deletions
diff --git a/src/core/certificate_error_controller.cpp b/src/core/certificate_error_controller.cpp
index 65bba733a..18835a5c7 100644
--- a/src/core/certificate_error_controller.cpp
+++ b/src/core/certificate_error_controller.cpp
@@ -66,6 +66,7 @@ ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateNonUniqueName, net::ER
ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateWeakKey, net::ERR_CERT_WEAK_KEY)
ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateNameConstraintViolation, net::ERR_CERT_NAME_CONSTRAINT_VIOLATION)
ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateValidityTooLong, net::ERR_CERT_VALIDITY_TOO_LONG)
+ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateTransparencyRequired, net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)
ASSERT_ENUMS_MATCH(CertificateErrorController::CertificateErrorEnd, net::ERR_CERT_END)
void CertificateErrorControllerPrivate::accept(bool accepted)
@@ -174,6 +175,8 @@ QString CertificateErrorController::errorString() const
return getQStringForMessageId(IDS_CERT_ERROR_NAME_CONSTRAINT_VIOLATION_DESCRIPTION);
case CertificateValidityTooLong:
return getQStringForMessageId(IDS_CERT_ERROR_VALIDITY_TOO_LONG_DESCRIPTION);
+ case CertificateTransparencyRequired:
+ return getQStringForMessageId(IDS_CERT_ERROR_CERTIFICATE_TRANSPARENCY_REQUIRED_DESCRIPTION);
case CertificateUnableToCheckRevocation: // Deprecated in Chromium.
default:
break;
diff --git a/src/core/certificate_error_controller.h b/src/core/certificate_error_controller.h
index 27f18946f..554281644 100644
--- a/src/core/certificate_error_controller.h
+++ b/src/core/certificate_error_controller.h
@@ -71,8 +71,9 @@ public:
CertificateWeakKey = -211,
CertificateNameConstraintViolation = -212,
CertificateValidityTooLong = -213,
+ CertificateTransparencyRequired = -214,
- CertificateErrorEnd = -214 // not an error, just an enum boundary
+ CertificateErrorEnd = -215 // not an error, just an enum boundary
};
CertificateError error() const;
diff --git a/src/core/url_request_context_getter_qt.cpp b/src/core/url_request_context_getter_qt.cpp
index 591fed9b5..25f7e36e6 100644
--- a/src/core/url_request_context_getter_qt.cpp
+++ b/src/core/url_request_context_getter_qt.cpp
@@ -40,6 +40,7 @@
#include "url_request_context_getter_qt.h"
#include "base/command_line.h"
+#include "base/memory/ptr_util.h"
#include "base/strings/string_util.h"
#include "base/threading/worker_pool.h"
#include "base/threading/sequenced_worker_pool.h"
@@ -48,6 +49,9 @@
#include "content/public/common/content_switches.h"
#include "net/base/cache_type.h"
#include "net/cert/cert_verifier.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
#include "net/disk_cache/disk_cache.h"
#include "net/dns/host_resolver.h"
#include "net/dns/mapped_host_resolver.h"
@@ -225,6 +229,8 @@ void URLRequestContextGetterQt::generateStorage()
Q_ASSERT(proxyConfigService);
m_storage->set_cert_verifier(net::CertVerifier::CreateDefault());
+ m_storage->set_cert_transparency_verifier(base::WrapUnique(new net::MultiLogCTVerifier()));
+ m_storage->set_ct_policy_enforcer(base::WrapUnique(new net::CTPolicyEnforcer));
std::unique_ptr<net::HostResolver> host_resolver(net::HostResolver::CreateDefaultResolver(NULL));
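Review bot: The `net::MultiLogCTVerifier` installed by the added `set_cert_transparency_verifier` line has no logs registered in this hunk, and the commit message confirms that none are used, so it has no log keys to check an SCT signature against. If that holds for the rest of generateStorage(), which continues outside the hunk, a connection for which the network stack requires CT would presumably fail with the new CertificateTransparencyRequired error rather than be verified. A comment above the two added lines would make that state explicit, for example `// TODO: no CT logs are registered yet, so this verifier cannot validate any SCT.` The same two objects are handed to the network session in the generateNetworkSessionParams hunk further down, so the comment applies there as well.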
@@ -435,6 +441,8 @@ net::HttpNetworkSession::Params URLRequestContextGetterQt::generateNetworkSessio
network_session_params.http_server_properties = m_urlRequestContext->http_server_properties();
network_session_params.ignore_certificate_errors = m_ignoreCertificateErrors;
network_session_params.host_resolver = m_urlRequestContext->host_resolver();
+ network_session_params.cert_transparency_verifier = m_urlRequestContext->cert_transparency_verifier();
+ network_session_params.ct_policy_enforcer = m_urlRequestContext->ct_policy_enforcer();
return network_session_params;
}
diff --git a/src/webengine/api/qquickwebenginecertificateerror.cpp b/src/webengine/api/qquickwebenginecertificateerror.cpp
index 622fe8614..855e61817 100644
--- a/src/webengine/api/qquickwebenginecertificateerror.cpp
+++ b/src/webengine/api/qquickwebenginecertificateerror.cpp
@@ -197,6 +197,9 @@ QUrl QQuickWebEngineCertificateError::url() const
\value WebEngineCertificateError.CertificateValidityTooLong
The certificate has a validity period that is too long.
(Added in 5.7)
+ \value WebEngineCertificateError.CertificateTransparencyRequired
+ Certificate Transparency was required for this connection, but the server
+ did not provide CT information that complied with the policy. (Added in 5.8)
*/
QQuickWebEngineCertificateError::Error QQuickWebEngineCertificateError::error() const
{
diff --git a/src/webengine/api/qquickwebenginecertificateerror_p.h b/src/webengine/api/qquickwebenginecertificateerror_p.h
index d04dc2c62..27b2efa14 100644
--- a/src/webengine/api/qquickwebenginecertificateerror_p.h
+++ b/src/webengine/api/qquickwebenginecertificateerror_p.h
@@ -84,6 +84,7 @@ public:
CertificateWeakKey = -211,
CertificateNameConstraintViolation = -212,
CertificateValidityTooLong = -213,
+ CertificateTransparencyRequired = -214,
};
Q_ENUM(Error)
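Review bot: `CertificateTransparencyRequired = -214` is repeated as a bare literal here and again in qwebenginecertificateerror.h, while only the CertificateErrorController value is tied to `net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED` by ASSERT_ENUMS_MATCH in this commit. Nothing visible in these hunks checks the two public enums against the controller's enum, so unless a check exists elsewhere a later renumbering could silently report a certificate error under the wrong public value. A compile-time check next to the conversion would close that gap, such as `static_assert(int(QQuickWebEngineCertificateError::CertificateTransparencyRequired) == int(CertificateErrorController::CertificateTransparencyRequired), "");`. The enum body starts outside the hunk.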
diff --git a/src/webenginewidgets/api/qwebenginecertificateerror.cpp b/src/webenginewidgets/api/qwebenginecertificateerror.cpp
index 289bb7ec0..a0641c9dd 100644
--- a/src/webenginewidgets/api/qwebenginecertificateerror.cpp
+++ b/src/webenginewidgets/api/qwebenginecertificateerror.cpp
@@ -104,6 +104,8 @@ QWebEngineCertificateError::~QWebEngineCertificateError()
\value CertificateWeakKey The certificate contains a weak key.
\value CertificateNameConstraintViolation The certificate claimed DNS names that are in violation of name constraints.
\value CertificateValidityTooLong The certificate has a validity period that is too long. (Added in Qt 5.7)
+ \value CertificateTransparencyRequired Certificate Transparency was required for this connection, but the server
+ did not provide CT information that complied with the policy. (Added in Qt 5.8)
*/
/*!
diff --git a/src/webenginewidgets/api/qwebenginecertificateerror.h b/src/webenginewidgets/api/qwebenginecertificateerror.h
index 7cb6341bc..82ac281be 100644
--- a/src/webenginewidgets/api/qwebenginecertificateerror.h
+++ b/src/webenginewidgets/api/qwebenginecertificateerror.h
@@ -70,6 +70,7 @@ public:
CertificateWeakKey = -211,
CertificateNameConstraintViolation = -212,
CertificateValidityTooLong = -213,
+ CertificateTransparencyRequired = -214,
};
Error error() const;