OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
6 | 6 |
| 7 #include <set> |
| 8 |
7 #include "base/base64.h" | 9 #include "base/base64.h" |
8 #include "base/json/json_reader.h" | 10 #include "base/json/json_reader.h" |
9 #include "base/json/json_writer.h" | 11 #include "base/json/json_writer.h" |
10 #include "base/logging.h" | 12 #include "base/logging.h" |
11 #include "base/memory/scoped_ptr.h" | 13 #include "base/memory/scoped_ptr.h" |
12 #include "base/sha2.h" | 14 #include "base/sha2.h" |
13 #include "base/string_number_conversions.h" | 15 #include "base/string_number_conversions.h" |
14 #include "base/string_tokenizer.h" | 16 #include "base/string_tokenizer.h" |
15 #include "base/string_util.h" | 17 #include "base/string_util.h" |
16 #include "base/utf_string_conversions.h" | 18 #include "base/utf_string_conversions.h" |
17 #include "base/values.h" | 19 #include "base/values.h" |
18 #include "googleurl/src/gurl.h" | 20 #include "googleurl/src/gurl.h" |
19 #include "net/base/dns_util.h" | 21 #include "net/base/dns_util.h" |
| 22 #include "net/base/x509_cert_types.h" |
| 23 #include "net/base/x509_certificate.h" |
20 | 24 |
21 namespace net { | 25 namespace net { |
22 | 26 |
23 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year | 27 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year |
24 | 28 |
25 TransportSecurityState::TransportSecurityState() | 29 TransportSecurityState::TransportSecurityState() |
26 : delegate_(NULL) { | 30 : delegate_(NULL) { |
27 } | 31 } |
28 | 32 |
29 void TransportSecurityState::EnableHost(const std::string& host, | 33 void TransportSecurityState::EnableHost(const std::string& host, |
30 const DomainState& state) { | 34 const DomainState& state) { |
31 const std::string canonicalized_host = CanonicalizeHost(host); | 35 const std::string canonicalized_host = CanonicalizeHost(host); |
32 if (canonicalized_host.empty()) | 36 if (canonicalized_host.empty()) |
33 return; | 37 return; |
34 | 38 |
| 39 // TODO(cevans) -- we likely want to permit a host to override a built-in, |
| 40 // for at least the case where the override is stricter (i.e. includes |
| 41 // subdomains, or includes certificate pinning). |
35 bool temp; | 42 bool temp; |
36 if (IsPreloadedSTS(canonicalized_host, &temp)) | 43 if (IsPreloadedSTS(canonicalized_host, &temp)) |
37 return; | 44 return; |
38 | 45 |
39 char hashed[base::SHA256_LENGTH]; | 46 char hashed[base::SHA256_LENGTH]; |
40 base::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); | 47 base::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); |
41 | 48 |
42 // Use the original creation date if we already have this host. | 49 // Use the original creation date if we already have this host. |
43 DomainState state_copy(state); | 50 DomainState state_copy(state); |
44 DomainState existing_state; | 51 DomainState existing_state; |
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
121 // include_subdomains is. | 128 // include_subdomains is. |
122 if (i == 0) | 129 if (i == 0) |
123 return true; | 130 return true; |
124 | 131 |
125 return j->second.include_subdomains; | 132 return j->second.include_subdomains; |
126 } | 133 } |
127 | 134 |
128 return false; | 135 return false; |
129 } | 136 } |
130 | 137 |
| 138 bool TransportSecurityState::IsAcceptableCertificate(const std::string& host, |
| 139 X509Certificate* cert) { |
| 140 DomainState state; |
| 141 if (!IsEnabledForHost(&state, host)) |
| 142 return true; |
| 143 |
| 144 if (state.cert_pins.empty()) |
| 145 return true; |
| 146 |
| 147 std::set<std::string> fingerprints; |
| 148 X509Certificate::OSCertHandles cert_chain; |
| 149 X509Certificate::GetCertChainFromCert(cert->os_cert_handle(), &cert_chain); |
| 150 { |
| 151 X509Certificate::OSCertHandles::const_iterator i; |
| 152 for (i = cert_chain.begin(); i != cert_chain.end(); ++i) { |
| 153 // TODO(cevans): we also want to match on fingerprints of various subsets |
| 154 // of the certificate, such as SubjectPublicKeyInfos, to enable a site |
| 155 // to seamlessly add SANs or have multiple pseudo-identical certs with |
| 156 // different expiries. |
| 157 net::SHA1Fingerprint fingerprint = |
| 158 X509Certificate::CalculateFingerprint(*i); |
| 159 fingerprints.insert(fingerprint.GetString()); |
| 160 } |
| 161 } |
| 162 X509Certificate::DestroyCertChain(&cert_chain); |
| 163 std::vector<std::string>::const_iterator pins_iter; |
| 164 for (pins_iter = state.cert_pins.begin(); |
| 165 pins_iter != state.cert_pins.end(); ++pins_iter) { |
| 166 std::string cert_lock = *pins_iter; |
| 167 if (fingerprints.find(cert_lock) != fingerprints.end()) |
| 168 return true; |
| 169 } |
| 170 return false; |
| 171 } |
| 172 |
131 void TransportSecurityState::DeleteSince(const base::Time& time) { | 173 void TransportSecurityState::DeleteSince(const base::Time& time) { |
132 bool dirtied = false; | 174 bool dirtied = false; |
133 | 175 |
134 std::map<std::string, DomainState>::iterator i = enabled_hosts_.begin(); | 176 std::map<std::string, DomainState>::iterator i = enabled_hosts_.begin(); |
135 while (i != enabled_hosts_.end()) { | 177 while (i != enabled_hosts_.end()) { |
136 if (i->second.created >= time) { | 178 if (i->second.created >= time) { |
137 dirtied = true; | 179 dirtied = true; |
138 enabled_hosts_.erase(i++); | 180 enabled_hosts_.erase(i++); |
139 } else { | 181 } else { |
140 i++; | 182 i++; |
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
305 break; | 347 break; |
306 case DomainState::MODE_SPDY_ONLY: | 348 case DomainState::MODE_SPDY_ONLY: |
307 state->SetString("mode", "spdy-only"); | 349 state->SetString("mode", "spdy-only"); |
308 break; | 350 break; |
309 default: | 351 default: |
310 NOTREACHED() << "DomainState with unknown mode"; | 352 NOTREACHED() << "DomainState with unknown mode"; |
311 delete state; | 353 delete state; |
312 continue; | 354 continue; |
313 } | 355 } |
314 | 356 |
| 357 ListValue* pins = new ListValue; |
| 358 std::vector<std::string>::const_iterator pin_strings; |
| 359 for (pin_strings = i->second.cert_pins.begin(); |
| 360 pin_strings != i->second.cert_pins.end(); |
| 361 ++pin_strings) |
| 362 pins->Append(new StringValue(*pin_strings)); |
| 363 state->Set("cert_pins", pins); |
| 364 |
315 toplevel.Set(HashedDomainToExternalString(i->first), state); | 365 toplevel.Set(HashedDomainToExternalString(i->first), state); |
316 } | 366 } |
317 | 367 |
318 base::JSONWriter::Write(&toplevel, true /* pretty print */, output); | 368 base::JSONWriter::Write(&toplevel, true /* pretty print */, output); |
319 return true; | 369 return true; |
320 } | 370 } |
321 | 371 |
322 bool TransportSecurityState::Deserialise(const std::string& input, | 372 bool TransportSecurityState::Deserialise(const std::string& input, |
323 bool* dirty) { | 373 bool* dirty) { |
324 enabled_hosts_.clear(); | 374 enabled_hosts_.clear(); |
(...skipping 17 matching lines...) Expand all Loading... |
342 std::string mode_string; | 392 std::string mode_string; |
343 double created; | 393 double created; |
344 double expiry; | 394 double expiry; |
345 | 395 |
346 if (!state->GetBoolean("include_subdomains", &include_subdomains) || | 396 if (!state->GetBoolean("include_subdomains", &include_subdomains) || |
347 !state->GetString("mode", &mode_string) || | 397 !state->GetString("mode", &mode_string) || |
348 !state->GetDouble("expiry", &expiry)) { | 398 !state->GetDouble("expiry", &expiry)) { |
349 continue; | 399 continue; |
350 } | 400 } |
351 | 401 |
| 402 ListValue* pins_list; |
| 403 std::vector<std::string> cert_pins; |
| 404 if (state->GetList("cert_pins", &pins_list)) { |
| 405 size_t num_pins = pins_list->GetSize(); |
| 406 for (size_t i = 0; i < num_pins; ++i) { |
| 407 std::string pin_string; |
| 408 if (pins_list->GetString(i, &pin_string)) |
| 409 cert_pins.push_back(pin_string); |
| 410 } |
| 411 } |
| 412 |
352 DomainState::Mode mode; | 413 DomainState::Mode mode; |
353 if (mode_string == "strict") { | 414 if (mode_string == "strict") { |
354 mode = DomainState::MODE_STRICT; | 415 mode = DomainState::MODE_STRICT; |
355 } else if (mode_string == "opportunistic") { | 416 } else if (mode_string == "opportunistic") { |
356 mode = DomainState::MODE_OPPORTUNISTIC; | 417 mode = DomainState::MODE_OPPORTUNISTIC; |
357 } else if (mode_string == "spdy-only") { | 418 } else if (mode_string == "spdy-only") { |
358 mode = DomainState::MODE_SPDY_ONLY; | 419 mode = DomainState::MODE_SPDY_ONLY; |
359 } else { | 420 } else { |
360 LOG(WARNING) << "Unknown TransportSecurityState mode string found: " | 421 LOG(WARNING) << "Unknown TransportSecurityState mode string found: " |
361 << mode_string; | 422 << mode_string; |
(...skipping 11 matching lines...) Expand all Loading... |
373 created_time = base::Time::Now(); | 434 created_time = base::Time::Now(); |
374 } | 435 } |
375 | 436 |
376 if (expiry_time <= current_time) { | 437 if (expiry_time <= current_time) { |
377 // Make sure we dirty the state if we drop an entry. | 438 // Make sure we dirty the state if we drop an entry. |
378 dirtied = true; | 439 dirtied = true; |
379 continue; | 440 continue; |
380 } | 441 } |
381 | 442 |
382 std::string hashed = ExternalStringToHashedDomain(*i); | 443 std::string hashed = ExternalStringToHashedDomain(*i); |
383 if (hashed.empty()) | 444 if (hashed.empty()) { |
| 445 dirtied = true; |
384 continue; | 446 continue; |
| 447 } |
385 | 448 |
386 DomainState new_state; | 449 DomainState new_state; |
387 new_state.mode = mode; | 450 new_state.mode = mode; |
388 new_state.created = created_time; | 451 new_state.created = created_time; |
389 new_state.expiry = expiry_time; | 452 new_state.expiry = expiry_time; |
390 new_state.include_subdomains = include_subdomains; | 453 new_state.include_subdomains = include_subdomains; |
| 454 new_state.cert_pins = cert_pins; |
391 enabled_hosts_[hashed] = new_state; | 455 enabled_hosts_[hashed] = new_state; |
392 } | 456 } |
393 | 457 |
394 *dirty = dirtied; | 458 *dirty = dirtied; |
395 return true; | 459 return true; |
396 } | 460 } |
397 | 461 |
398 TransportSecurityState::~TransportSecurityState() { | 462 TransportSecurityState::~TransportSecurityState() { |
399 } | 463 } |
400 | 464 |
(...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
493 *include_subdomains = kPreloadedSTS[j].include_subdomains; | 557 *include_subdomains = kPreloadedSTS[j].include_subdomains; |
494 return true; | 558 return true; |
495 } | 559 } |
496 } | 560 } |
497 } | 561 } |
498 | 562 |
499 return false; | 563 return false; |
500 } | 564 } |
501 | 565 |
502 } // namespace | 566 } // namespace |
OLD | NEW |