Add arguments to ProofVerifier::VerifyCertChain for stapled OCSP response and SignedCertificateTimestampList.

gfe-relnote: n/a - protected by existing disabled flag --quic_supports_tls_handshake
PiperOrigin-RevId: 247224979
Change-Id: I5ff6668c186eabf117b1605c86b65b0938ff3c38
diff --git a/quic/core/crypto/proof_verifier.h b/quic/core/crypto/proof_verifier.h
index e6605bb..5388c12 100644
--- a/quic/core/crypto/proof_verifier.h
+++ b/quic/core/crypto/proof_verifier.h
@@ -103,6 +103,8 @@
   virtual QuicAsyncStatus VerifyCertChain(
       const std::string& hostname,
       const std::vector<std::string>& certs,
+      const std::string& ocsp_response,
+      const std::string& cert_sct,
       const ProofVerifyContext* context,
       std::string* error_details,
       std::unique_ptr<ProofVerifyDetails>* details,
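Review bot: The new `ocsp_response` and `cert_sct` parameters are adjacent `const std::string&` arguments with no contract visible in this hunk, so a caller that swaps them compiles cleanly and an implementer cannot tell what encoding to expect. The method comment (above this hunk) should state it, for example `// |ocsp_response| is the raw stapled OCSP response and |cert_sct| the raw SignedCertificateTimestampList received from the peer; either is empty if the server sent none. Both are unvalidated and must be parsed and checked by the implementation.` The commit title calls the value a list and the caller in tls_client_handshaker.cc names it `sct_list`, so `cert_sct` reads like a single SCT and may be worth renaming for consistency. The declaration continues past the end of the hunk.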
diff --git a/quic/core/quic_crypto_client_handshaker_test.cc b/quic/core/quic_crypto_client_handshaker_test.cc
index c2046b1..92cfab1 100644
--- a/quic/core/quic_crypto_client_handshaker_test.cc
+++ b/quic/core/quic_crypto_client_handshaker_test.cc
@@ -49,6 +49,8 @@
   QuicAsyncStatus VerifyCertChain(
       const std::string& hostname,
       const std::vector<std::string>& certs,
+      const std::string& ocsp_response,
+      const std::string& cert_sct,
       const ProofVerifyContext* context,
       std::string* error_details,
       std::unique_ptr<ProofVerifyDetails>* details,
diff --git a/quic/core/tls_client_handshaker.cc b/quic/core/tls_client_handshaker.cc
index 3f2a725..1087844 100644
--- a/quic/core/tls_client_handshaker.cc
+++ b/quic/core/tls_client_handshaker.cc
@@ -340,12 +340,22 @@
         std::string(reinterpret_cast<const char*>(CRYPTO_BUFFER_data(cert)),
                     CRYPTO_BUFFER_len(cert)));
   }
+  const uint8_t* ocsp_response_raw;
+  size_t ocsp_response_len;
+  SSL_get0_ocsp_response(ssl(), &ocsp_response_raw, &ocsp_response_len);
+  std::string ocsp_response(reinterpret_cast<const char*>(ocsp_response_raw),
+                            ocsp_response_len);
+  const uint8_t* sct_list_raw;
+  size_t sct_list_len;
+  SSL_get0_signed_cert_timestamp_list(ssl(), &sct_list_raw, &sct_list_len);
+  std::string sct_list(reinterpret_cast<const char*>(sct_list_raw),
+                       sct_list_len);
 
   ProofVerifierCallbackImpl* proof_verify_callback =
       new ProofVerifierCallbackImpl(this);
 
   QuicAsyncStatus verify_result = proof_verifier_->VerifyCertChain(
-      server_id_.host(), certs, verify_context_.get(),
+      server_id_.host(), certs, ocsp_response, sct_list, verify_context_.get(),
       &cert_verify_error_details_, &verify_details_,
       std::unique_ptr<ProofVerifierCallback>(proof_verify_callback));
   switch (verify_result) {
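Review bot: `ocsp_response_raw`/`ocsp_response_len` and `sct_list_raw`/`sct_list_len` are declared uninitialized and fed straight into the `std::string` constructors, so the code depends on both getters always writing their out-parameters, including when the server stapled nothing. Initializing them, e.g. `const uint8_t* ocsp_response_raw = nullptr;` and `size_t ocsp_response_len = 0;` (likewise for the SCT pair), makes the no-staple case an explicit empty string rather than an implicit property of the callee. A short comment that both strings are peer-supplied, unvalidated bytes would tell `ProofVerifier` implementers that checking them is their job. The hunk does not show whether the client requests stapling or SCTs during setup (presumably via `SSL_enable_ocsp_stapling` / `SSL_enable_signed_cert_timestamps`), so it is worth confirming these values can ever be non-empty. The enclosing function starts and ends outside the hunk.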
diff --git a/quic/core/tls_handshaker_test.cc b/quic/core/tls_handshaker_test.cc
index f0b8e84..e710d7b 100644
--- a/quic/core/tls_handshaker_test.cc
+++ b/quic/core/tls_handshaker_test.cc
@@ -47,17 +47,20 @@
   QuicAsyncStatus VerifyCertChain(
       const std::string& hostname,
       const std::vector<std::string>& certs,
+      const std::string& ocsp_response,
+      const std::string& cert_sct,
       const ProofVerifyContext* context,
       std::string* error_details,
       std::unique_ptr<ProofVerifyDetails>* details,
       std::unique_ptr<ProofVerifierCallback> callback) override {
     if (!active_) {
-      return verifier_->VerifyCertChain(hostname, certs, context, error_details,
+      return verifier_->VerifyCertChain(hostname, certs, ocsp_response,
+                                        cert_sct, context, error_details,
                                         details, std::move(callback));
     }
     pending_ops_.push_back(QuicMakeUnique<VerifyChainPendingOp>(
-        hostname, certs, context, error_details, details, std::move(callback),
-        verifier_.get()));
+        hostname, certs, ocsp_response, cert_sct, context, error_details,
+        details, std::move(callback), verifier_.get()));
     return QUIC_PENDING;
   }
 
@@ -92,6 +95,8 @@
    public:
     VerifyChainPendingOp(const std::string& hostname,
                          const std::vector<std::string>& certs,
+                         const std::string& ocsp_response,
+                         const std::string& cert_sct,
                          const ProofVerifyContext* context,
                          std::string* error_details,
                          std::unique_ptr<ProofVerifyDetails>* details,
@@ -99,6 +104,8 @@
                          ProofVerifier* delegate)
         : hostname_(hostname),
           certs_(certs),
+          ocsp_response_(ocsp_response),
+          cert_sct_(cert_sct),
           context_(context),
           error_details_(error_details),
           details_(details),
@@ -111,7 +118,8 @@
       // runs the original callback after asserting that the verification ran
       // synchronously.
       QuicAsyncStatus status = delegate_->VerifyCertChain(
-          hostname_, certs_, context_, error_details_, details_,
+          hostname_, certs_, ocsp_response_, cert_sct_, context_,
+          error_details_, details_,
           QuicMakeUnique<FailingProofVerifierCallback>());
       ASSERT_NE(status, QUIC_PENDING);
       callback_->Run(status == QUIC_SUCCESS, *error_details_, details_);
@@ -120,6 +128,8 @@
    private:
     std::string hostname_;
     std::vector<std::string> certs_;
+    std::string ocsp_response_;
+    std::string cert_sct_;
     const ProofVerifyContext* context_;
     std::string* error_details_;
     std::unique_ptr<ProofVerifyDetails>* details_;
diff --git a/quic/quartc/quartc_crypto_helpers.cc b/quic/quartc/quartc_crypto_helpers.cc
index 93023e7..4653000 100644
--- a/quic/quartc/quartc_crypto_helpers.cc
+++ b/quic/quartc/quartc_crypto_helpers.cc
@@ -60,6 +60,8 @@
 QuicAsyncStatus InsecureProofVerifier::VerifyCertChain(
     const std::string& hostname,
     const std::vector<std::string>& certs,
+    const std::string& ocsp_response,
+    const std::string& cert_sct,
     const ProofVerifyContext* context,
     std::string* error_details,
     std::unique_ptr<ProofVerifyDetails>* details,
diff --git a/quic/quartc/quartc_crypto_helpers.h b/quic/quartc/quartc_crypto_helpers.h
index 2dba7ac..1436aeb 100644
--- a/quic/quartc/quartc_crypto_helpers.h
+++ b/quic/quartc/quartc_crypto_helpers.h
@@ -88,6 +88,8 @@
   QuicAsyncStatus VerifyCertChain(
       const std::string& hostname,
       const std::vector<std::string>& certs,
+      const std::string& ocsp_response,
+      const std::string& cert_sct,
       const ProofVerifyContext* context,
       std::string* error_details,
       std::unique_ptr<ProofVerifyDetails>* details,
diff --git a/quic/test_tools/quic_test_client.cc b/quic/test_tools/quic_test_client.cc
index 61553c8..497dd8a 100644
--- a/quic/test_tools/quic_test_client.cc
+++ b/quic/test_tools/quic_test_client.cc
@@ -92,6 +92,8 @@
   QuicAsyncStatus VerifyCertChain(
       const std::string& hostname,
       const std::vector<std::string>& certs,
+      const std::string& ocsp_response,
+      const std::string& cert_sct,
       const ProofVerifyContext* context,
       std::string* error_details,
       std::unique_ptr<ProofVerifyDetails>* details,
@@ -629,8 +631,8 @@
     epoll_server()->set_timeout_in_us(old_timeout_us);
   }
   if (trigger && !trigger()) {
-    VLOG(1) << "Client WaitUntil returning with trigger returning false."
-            << QuicStackTrace();
+    QUIC_VLOG(1) << "Client WaitUntil returning with trigger returning false."
+                 << QuicStackTrace();
     return false;
   }
   return true;
diff --git a/quic/tools/quic_client_bin.cc b/quic/tools/quic_client_bin.cc
index 27fe8e7..8b30d96 100644
--- a/quic/tools/quic_client_bin.cc
+++ b/quic/tools/quic_client_bin.cc
@@ -86,6 +86,8 @@
   quic::QuicAsyncStatus VerifyCertChain(
       const std::string& /*hostname*/,
       const std::vector<std::string>& /*certs*/,
+      const std::string& /*ocsp_response*/,
+      const std::string& /*cert_sct*/,
       const quic::ProofVerifyContext* /*context*/,
       std::string* /*error_details*/,
       std::unique_ptr<quic::ProofVerifyDetails>* /*details*/,