| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
| 6 | 6 |
| 7 #include <set> |
| 8 |
| 7 #include "base/base64.h" | 9 #include "base/base64.h" |
| 8 #include "base/json/json_reader.h" | 10 #include "base/json/json_reader.h" |
| 9 #include "base/json/json_writer.h" | 11 #include "base/json/json_writer.h" |
| 10 #include "base/logging.h" | 12 #include "base/logging.h" |
| 11 #include "base/memory/scoped_ptr.h" | 13 #include "base/memory/scoped_ptr.h" |
| 12 #include "base/sha2.h" | 14 #include "base/sha2.h" |
| 13 #include "base/string_number_conversions.h" | 15 #include "base/string_number_conversions.h" |
| 14 #include "base/string_tokenizer.h" | 16 #include "base/string_tokenizer.h" |
| 15 #include "base/string_util.h" | 17 #include "base/string_util.h" |
| 16 #include "base/utf_string_conversions.h" | 18 #include "base/utf_string_conversions.h" |
| 17 #include "base/values.h" | 19 #include "base/values.h" |
| 18 #include "googleurl/src/gurl.h" | 20 #include "googleurl/src/gurl.h" |
| 19 #include "net/base/dns_util.h" | 21 #include "net/base/dns_util.h" |
| 22 #include "net/base/x509_cert_types.h" |
| 23 #include "net/base/x509_certificate.h" |
| 20 | 24 |
| 21 namespace net { | 25 namespace net { |
| 22 | 26 |
| 23 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year | 27 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year |
| 24 | 28 |
| 25 TransportSecurityState::TransportSecurityState() | 29 TransportSecurityState::TransportSecurityState() |
| 26 : delegate_(NULL) { | 30 : delegate_(NULL) { |
| 27 } | 31 } |
| 28 | 32 |
| 29 void TransportSecurityState::EnableHost(const std::string& host, | 33 void TransportSecurityState::EnableHost(const std::string& host, |
| 30 const DomainState& state) { | 34 const DomainState& state) { |
| 31 const std::string canonicalized_host = CanonicalizeHost(host); | 35 const std::string canonicalized_host = CanonicalizeHost(host); |
| 32 if (canonicalized_host.empty()) | 36 if (canonicalized_host.empty()) |
| 33 return; | 37 return; |
| 34 | 38 |
| 39 // TODO(cevans) -- we likely want to permit a host to override a built-in, |
| 40 // for at least the case where the override is stricter (i.e. includes |
| 41 // subdomains, or includes certificate pinning). |
| 35 bool temp; | 42 bool temp; |
| 36 if (IsPreloadedSTS(canonicalized_host, &temp)) | 43 if (IsPreloadedSTS(canonicalized_host, &temp)) |
| 37 return; | 44 return; |
| 38 | 45 |
| 39 char hashed[base::SHA256_LENGTH]; | 46 char hashed[base::SHA256_LENGTH]; |
| 40 base::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); | 47 base::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); |
| 41 | 48 |
| 42 // Use the original creation date if we already have this host. | 49 // Use the original creation date if we already have this host. |
| 43 DomainState state_copy(state); | 50 DomainState state_copy(state); |
| 44 DomainState existing_state; | 51 DomainState existing_state; |
| (...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 121 // include_subdomains is. | 128 // include_subdomains is. |
| 122 if (i == 0) | 129 if (i == 0) |
| 123 return true; | 130 return true; |
| 124 | 131 |
| 125 return j->second.include_subdomains; | 132 return j->second.include_subdomains; |
| 126 } | 133 } |
| 127 | 134 |
| 128 return false; | 135 return false; |
| 129 } | 136 } |
| 130 | 137 |
| 138 bool TransportSecurityState::IsAcceptableCertificate(const std::string& host, |
| 139 X509Certificate* cert) { |
| 140 DomainState state; |
| 141 if (!IsEnabledForHost(&state, host)) |
| 142 return true; |
| 143 |
| 144 if (state.cert_pins.empty()) |
| 145 return true; |
| 146 |
| 147 std::set<std::string> fingerprints; |
| 148 X509Certificate::OSCertHandles cert_chain; |
| 149 X509Certificate::GetCertChainFromCert(cert->os_cert_handle(), &cert_chain); |
| 150 { |
| 151 X509Certificate::OSCertHandles::const_iterator i; |
| 152 for (i = cert_chain.begin(); i != cert_chain.end(); ++i) { |
| 153 // TODO(cevans): we also want to match on fingerprints of various subsets |
| 154 // of the certificate, such as SubjectPublicKeyInfos, to enable a site |
| 155 // to seamlessly add SANs or have multiple pseudo-identical certs with |
| 156 // different expiries. |
| 157 net::SHA1Fingerprint fingerprint = |
| 158 X509Certificate::CalculateFingerprint(*i); |
| 159 fingerprints.insert(fingerprint.GetString()); |
| 160 } |
| 161 } |
| 162 X509Certificate::DestroyCertChain(&cert_chain); |
| 163 std::vector<std::string>::const_iterator pins_iter; |
| 164 for (pins_iter = state.cert_pins.begin(); |
| 165 pins_iter != state.cert_pins.end(); ++pins_iter) { |
| 166 std::string cert_lock = *pins_iter; |
| 167 if (fingerprints.find(cert_lock) != fingerprints.end()) |
| 168 return true; |
| 169 } |
| 170 return false; |
| 171 } |
| 172 |
| 131 void TransportSecurityState::DeleteSince(const base::Time& time) { | 173 void TransportSecurityState::DeleteSince(const base::Time& time) { |
| 132 bool dirtied = false; | 174 bool dirtied = false; |
| 133 | 175 |
| 134 std::map<std::string, DomainState>::iterator i = enabled_hosts_.begin(); | 176 std::map<std::string, DomainState>::iterator i = enabled_hosts_.begin(); |
| 135 while (i != enabled_hosts_.end()) { | 177 while (i != enabled_hosts_.end()) { |
| 136 if (i->second.created >= time) { | 178 if (i->second.created >= time) { |
| 137 dirtied = true; | 179 dirtied = true; |
| 138 enabled_hosts_.erase(i++); | 180 enabled_hosts_.erase(i++); |
| 139 } else { | 181 } else { |
| 140 i++; | 182 i++; |
| (...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 305 break; | 347 break; |
| 306 case DomainState::MODE_SPDY_ONLY: | 348 case DomainState::MODE_SPDY_ONLY: |
| 307 state->SetString("mode", "spdy-only"); | 349 state->SetString("mode", "spdy-only"); |
| 308 break; | 350 break; |
| 309 default: | 351 default: |
| 310 NOTREACHED() << "DomainState with unknown mode"; | 352 NOTREACHED() << "DomainState with unknown mode"; |
| 311 delete state; | 353 delete state; |
| 312 continue; | 354 continue; |
| 313 } | 355 } |
| 314 | 356 |
| 357 ListValue* pins = new ListValue; |
| 358 std::vector<std::string>::const_iterator pin_strings; |
| 359 for (pin_strings = i->second.cert_pins.begin(); |
| 360 pin_strings != i->second.cert_pins.end(); |
| 361 ++pin_strings) |
| 362 pins->Append(new StringValue(*pin_strings)); |
| 363 state->Set("cert_pins", pins); |
| 364 |
| 315 toplevel.Set(HashedDomainToExternalString(i->first), state); | 365 toplevel.Set(HashedDomainToExternalString(i->first), state); |
| 316 } | 366 } |
| 317 | 367 |
| 318 base::JSONWriter::Write(&toplevel, true /* pretty print */, output); | 368 base::JSONWriter::Write(&toplevel, true /* pretty print */, output); |
| 319 return true; | 369 return true; |
| 320 } | 370 } |
| 321 | 371 |
| 322 bool TransportSecurityState::Deserialise(const std::string& input, | 372 bool TransportSecurityState::Deserialise(const std::string& input, |
| 323 bool* dirty) { | 373 bool* dirty) { |
| 324 enabled_hosts_.clear(); | 374 enabled_hosts_.clear(); |
| (...skipping 17 matching lines...) Expand all Loading... |
| 342 std::string mode_string; | 392 std::string mode_string; |
| 343 double created; | 393 double created; |
| 344 double expiry; | 394 double expiry; |
| 345 | 395 |
| 346 if (!state->GetBoolean("include_subdomains", &include_subdomains) || | 396 if (!state->GetBoolean("include_subdomains", &include_subdomains) || |
| 347 !state->GetString("mode", &mode_string) || | 397 !state->GetString("mode", &mode_string) || |
| 348 !state->GetDouble("expiry", &expiry)) { | 398 !state->GetDouble("expiry", &expiry)) { |
| 349 continue; | 399 continue; |
| 350 } | 400 } |
| 351 | 401 |
| 402 ListValue* pins_list; |
| 403 std::vector<std::string> cert_pins; |
| 404 if (state->GetList("cert_pins", &pins_list)) { |
| 405 size_t num_pins = pins_list->GetSize(); |
| 406 for (size_t i = 0; i < num_pins; ++i) { |
| 407 std::string pin_string; |
| 408 if (pins_list->GetString(i, &pin_string)) |
| 409 cert_pins.push_back(pin_string); |
| 410 } |
| 411 } |
| 412 |
| 352 DomainState::Mode mode; | 413 DomainState::Mode mode; |
| 353 if (mode_string == "strict") { | 414 if (mode_string == "strict") { |
| 354 mode = DomainState::MODE_STRICT; | 415 mode = DomainState::MODE_STRICT; |
| 355 } else if (mode_string == "opportunistic") { | 416 } else if (mode_string == "opportunistic") { |
| 356 mode = DomainState::MODE_OPPORTUNISTIC; | 417 mode = DomainState::MODE_OPPORTUNISTIC; |
| 357 } else if (mode_string == "spdy-only") { | 418 } else if (mode_string == "spdy-only") { |
| 358 mode = DomainState::MODE_SPDY_ONLY; | 419 mode = DomainState::MODE_SPDY_ONLY; |
| 359 } else { | 420 } else { |
| 360 LOG(WARNING) << "Unknown TransportSecurityState mode string found: " | 421 LOG(WARNING) << "Unknown TransportSecurityState mode string found: " |
| 361 << mode_string; | 422 << mode_string; |
| (...skipping 11 matching lines...) Expand all Loading... |
| 373 created_time = base::Time::Now(); | 434 created_time = base::Time::Now(); |
| 374 } | 435 } |
| 375 | 436 |
| 376 if (expiry_time <= current_time) { | 437 if (expiry_time <= current_time) { |
| 377 // Make sure we dirty the state if we drop an entry. | 438 // Make sure we dirty the state if we drop an entry. |
| 378 dirtied = true; | 439 dirtied = true; |
| 379 continue; | 440 continue; |
| 380 } | 441 } |
| 381 | 442 |
| 382 std::string hashed = ExternalStringToHashedDomain(*i); | 443 std::string hashed = ExternalStringToHashedDomain(*i); |
| 383 if (hashed.empty()) | 444 if (hashed.empty()) { |
| 445 dirtied = true; |
| 384 continue; | 446 continue; |
| 447 } |
| 385 | 448 |
| 386 DomainState new_state; | 449 DomainState new_state; |
| 387 new_state.mode = mode; | 450 new_state.mode = mode; |
| 388 new_state.created = created_time; | 451 new_state.created = created_time; |
| 389 new_state.expiry = expiry_time; | 452 new_state.expiry = expiry_time; |
| 390 new_state.include_subdomains = include_subdomains; | 453 new_state.include_subdomains = include_subdomains; |
| 454 new_state.cert_pins = cert_pins; |
| 391 enabled_hosts_[hashed] = new_state; | 455 enabled_hosts_[hashed] = new_state; |
| 392 } | 456 } |
| 393 | 457 |
| 394 *dirty = dirtied; | 458 *dirty = dirtied; |
| 395 return true; | 459 return true; |
| 396 } | 460 } |
| 397 | 461 |
| 398 TransportSecurityState::~TransportSecurityState() { | 462 TransportSecurityState::~TransportSecurityState() { |
| 399 } | 463 } |
| 400 | 464 |
| (...skipping 92 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 493 *include_subdomains = kPreloadedSTS[j].include_subdomains; | 557 *include_subdomains = kPreloadedSTS[j].include_subdomains; |
| 494 return true; | 558 return true; |
| 495 } | 559 } |
| 496 } | 560 } |
| 497 } | 561 } |
| 498 | 562 |
| 499 return false; | 563 return false; |
| 500 } | 564 } |
| 501 | 565 |
| 502 } // namespace | 566 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6793026:
Initial support for HSTS certificate locking. This isn't a finished work, but (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/